2 files changed, 37 insertions, 23 deletions

diff --git a/README.md b/README.md
index 39ce41e22..21ee88979 100644
--- a/README.md
+++ b/README.md
@@ -306,31 +306,33 @@ No include .local found in /etc/firejail/noprofile.profile
 Warning: multiple caps in /etc/firejail/transmission-daemon.profile
 
 Stats:
-    profiles                    1196
-    include local profile       1195   (include profile-name.local)
-    include globals             1169   (include globals.local)
-    blacklist ~/.ssh            1067   (include disable-common.inc)
-    seccomp                     1087
-    capabilities                1190
-    noexec                      1075   (include disable-exec.inc)
-    noroot                      995
-    memory-deny-write-execute   269
-    apparmor                    713
-    private-bin                 695
-    private-dev                 1045
-    private-etc                 542
-    private-lib                 70
-    private-tmp                 918
-    whitelist home directory    575
-    whitelist var               858   (include whitelist-var-common.inc)
-    whitelist run/user          1164   (include whitelist-runuser-common.inc
+    profiles                    1205
+    include local profile       1204   (include profile-name.local)
+    include globals             1178   (include globals.local)
+    blacklist ~/.ssh            1076   (include disable-common.inc)
+    seccomp                     1095
+    capabilities                1199
+    noexec                      1084   (include disable-exec.inc)
+    noroot                      1002
+    memory-deny-write-execute   272
+    restrict-namespaces         962
+    apparmor                    720
+    private-bin                 704
+    private-dev                 1055
+    private-etc                 546
+    private-lib                 71
+    private-tmp                 929
+    whitelist home directory    581
+    whitelist var               867   (include whitelist-var-common.inc)
+    whitelist run/user          1173   (include whitelist-runuser-common.inc
                                         or blacklist ${RUNUSER})
-    whitelist usr/share         630   (include whitelist-usr-share-common.inc
-    net none                    404
+    whitelist usr/share         637   (include whitelist-usr-share-common.inc
+    net none                    410
     dbus-user none              677
-    dbus-user filter            123
-    dbus-system none            837
+    dbus-user filter            137
+    dbus-system none            848
     dbus-system filter          12
+
 ```
 
 ### New profiles:
diff --git a/src/profstats/main.c b/src/profstats/main.c
index 9deb72f7e..310319c69 100644
--- a/src/profstats/main.c
+++ b/src/profstats/main.c
@@ -25,6 +25,7 @@
 static int cnt_profiles = 0;
 static int cnt_apparmor = 0;
 static int cnt_seccomp = 0;
+static int cnt_restrict_namespaces = 0;
 static int cnt_caps = 0;
 static int cnt_dbus_system_none = 0;
 static int cnt_dbus_user_none = 0;
@@ -69,6 +70,7 @@ static int arg_whitelisthome = 0;
 static int arg_noroot = 0;
 static int arg_print_blacklist = 0;
 static int arg_print_whitelist = 0;
+static int arg_restrict_namespaces = 0;
 
 static char *profile = NULL;
 
@@ -91,6 +93,7 @@ static void usage(void) {
         printf("   --print-whitelist - print all --private and --whitelist for a profile\n");
         printf("   --seccomp - print profiles without seccomp\n");
         printf("   --memory-deny-write-execute - print profiles without \"memory-deny-write-execute\"\n");
+        printf("   --restrict-namespaces - print profiles without \"restrict-namespaces\"\n");
         printf("   --whitelist-home - print profiles whitelisting home directory\n");
         printf("   --whitelist-var - print profiles without \"include whitelist-var-common.inc\"\n");
         printf("   --whitelist-runuser - print profiles without \"include whitelist-runuser-common.inc\" or \"blacklist ${RUNUSER}\"\n");
@@ -152,6 +155,8 @@ static void process_file(char *fname) {
 
                 if (strncmp(ptr, "seccomp", 7) == 0)
                         cnt_seccomp++;
+                if (strncmp(ptr, "restrict-namespaces", 19) == 0)
+                        cnt_restrict_namespaces++;
                 else if (strncmp(ptr, "caps", 4) == 0)
                         cnt_caps++;
                 else if (strncmp(ptr, "include disable-exec.inc", 24) == 0)
@@ -242,6 +247,8 @@ int main(int argc, char **argv) {
                         arg_caps = 1;
                 else if (strcmp(argv[i], "--seccomp") == 0)
                         arg_seccomp = 1;
+                else if (strcmp(argv[i], "--restrict-namespaces") == 0)
+                        arg_restrict_namespaces = 1;
                 else if (strcmp(argv[i], "--memory-deny-write-execute") == 0)
                         arg_mdwx = 1;
                 else if (strcmp(argv[i], "--noexec") == 0)
@@ -291,7 +298,7 @@ int main(int argc, char **argv) {
         for (i = start; i < argc; i++) {
                 cnt_profiles++;
 
-                // watch seccomp
+                int restrict_namespaces = cnt_restrict_namespaces;
                 int seccomp = cnt_seccomp;
                 int caps = cnt_caps;
                 int apparmor = cnt_apparmor;
@@ -334,6 +341,8 @@ int main(int argc, char **argv) {
                         cnt_whitelistrunuser = whitelistrunuser + 1;
                 if (cnt_seccomp > (seccomp + 1))
                         cnt_seccomp = seccomp + 1;
+                if (cnt_restrict_namespaces > (restrict_namespaces + 1))
+                        cnt_seccomp = restrict_namespaces + 1;
                 if (cnt_dbus_user_none > (dbususernone + 1))
                         cnt_dbus_user_none = dbususernone + 1;
                 if (cnt_dbus_user_filter > (dbususerfilter + 1))
@@ -353,6 +362,8 @@ int main(int argc, char **argv) {
                         printf("No caps found in %s\n", argv[i]);
                 if (arg_seccomp && seccomp == cnt_seccomp)
                         printf("No seccomp found in %s\n", argv[i]);
+                if (arg_restrict_namespaces && restrict_namespaces == cnt_restrict_namespaces)
+                        printf("No restrict-namespaces found in %s\n", argv[i]);
                 if (arg_noexec && noexec == cnt_noexec)
                         printf("No include disable-exec.inc found in %s\n", argv[i]);
                 if (arg_noroot && noroot == cnt_noroot)
@@ -397,6 +408,7 @@ int main(int argc, char **argv) {
         printf("    noexec\t\t\t%d   (include disable-exec.inc)\n", cnt_noexec);
         printf("    noroot\t\t\t%d\n", cnt_noroot);
         printf("    memory-deny-write-execute\t%d\n", cnt_mdwx);
+        printf("    restrict-namespaces\t\t%d\n", cnt_restrict_namespaces);
         printf("    apparmor\t\t\t%d\n", cnt_apparmor);
         printf("    private-bin\t\t\t%d\n", cnt_privatebin);
         printf("    private-dev\t\t\t%d\n", cnt_privatedev);