1 files changed, 52 insertions, 0 deletions
diff --git a/etc/profile-m-z/unbound.profile b/etc/profile-m-z/unbound.profile
new file mode 100644
index 000000000..714a3f2f4
--- /dev/null
+++ b/etc/profile-m-z/unbound.profile
@@ -0,0 +1,52 @@
+# Firejail profile for unbound
+# Description: Validating, recursive, caching DNS resolver
+# This file is overwritten after every install/update
+# Persistent local customizations
+include unbound.local
+# Persistent global definitions
+include globals.local
+noblacklist /sbin
+noblacklist /usr/sbin
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-usr-share-common.inc
+whitelist /var/lib/unbound
+whitelist /var/run
+caps.keep net_admin,net_bind_service,setgid,setuid,sys_chroot,sys_resource
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nonewprivs
+nosound
+notv
+nou2f
+novideo
+protocol inet,inet6
+seccomp.drop _sysctl,acct,add_key,adjtimex,clock_adjtime,delete_module,fanotify_init,finit_module,get_mempolicy,init_module,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioperm,iopl,kcmp,kexec_file_load,kexec_load,keyctl,lookup_dcookie,mbind,migrate_pages,modify_ldt,mount,move_pages,open_by_handle_at,perf_event_open,perf_event_open,pivot_root,process_vm_readv,process_vm_writev,ptrace,remap_file_pages,request_key,set_mempolicy,swapoff,swapon,sysfs,syslog,umount2,uselib,vmsplice
+disable-mnt
+private
+private-dev
+private-tmp
+writable-var
+dbus-user none
+dbus-system none
+# mdwe can break modules/plugins
+memory-deny-write-execute

diff --git a/etc/profile-m-z/unbound.profile b/etc/profile-m-z/unbound.profile new file mode 100644 index 000000000..714a3f2f4 --- /dev/null +++ b/etc/profile-m-z/unbound.profile
@@ -0,0 +1,52 @@
	1	# Firejail profile for unbound
	2	# Description: Validating, recursive, caching DNS resolver
	3	# This file is overwritten after every install/update
	4	# Persistent local customizations
	5	include unbound.local
	6	# Persistent global definitions
	7	include globals.local
	8
	9	noblacklist /sbin
	10	noblacklist /usr/sbin
	11
	12	blacklist /tmp/.X11-unix
	13	blacklist ${RUNUSER}/wayland-*
	14
	15	include disable-common.inc
	16	include disable-devel.inc
	17	include disable-exec.inc
	18	include disable-interpreters.inc
	19	include disable-passwdmgr.inc
	20	include disable-programs.inc
	21	include disable-xdg.inc
	22
	23	include whitelist-usr-share-common.inc
	24
	25	whitelist /var/lib/unbound
	26	whitelist /var/run
	27
	28	caps.keep net_admin,net_bind_service,setgid,setuid,sys_chroot,sys_resource
	29	ipc-namespace
	30	machine-id
	31	netfilter
	32	no3d
	33	nodvd
	34	nonewprivs
	35	nosound
	36	notv
	37	nou2f
	38	novideo
	39	protocol inet,inet6
	40	seccomp.drop _sysctl,acct,add_key,adjtimex,clock_adjtime,delete_module,fanotify_init,finit_module,get_mempolicy,init_module,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioperm,iopl,kcmp,kexec_file_load,kexec_load,keyctl,lookup_dcookie,mbind,migrate_pages,modify_ldt,mount,move_pages,open_by_handle_at,perf_event_open,perf_event_open,pivot_root,process_vm_readv,process_vm_writev,ptrace,remap_file_pages,request_key,set_mempolicy,swapoff,swapon,sysfs,syslog,umount2,uselib,vmsplice
	41
	42	disable-mnt
	43	private
	44	private-dev
	45	private-tmp
	46	writable-var
	47
	48	dbus-user none
	49	dbus-system none
	50
	51	# mdwe can break modules/plugins
	52	memory-deny-write-execute