Diffstat (limited to 'etc/unbound.profile')
-rw-r--r-- | etc/unbound.profile | 11 |
1 files changed, 11 insertions, 0 deletions
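--- a/etc/unbound.profile
+++ b/etc/unbound.profile
@@ -5,19 +5,30 @@ include /etc/firejail/unbound.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+blacklist /tmp/.X11-unix
+
 noblacklist /sbin
 noblacklist /usr/sbin
+noblacklist /var/log
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+caps
+# caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot,sys_resource
 no3d
 nodvd
+nonewprivs
 nosound
 notv
+novideo
 seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open
 
+disable-mnt
 private
 private-dev
+
+# mdwe can break modules/plugins
+# memory-deny-write-execute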
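Review bot: The bare `caps` added at new line 19 turns on only firejail's default capability filter, which is a short denylist, so the daemon keeps every capability not on that list. The commented-out `caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot,sys_resource` on the next line would be the tighter allowlist, but nothing records why it is disabled. The mdwe lines at the end of the hunk do carry a reason (`# mdwe can break modules/plugins`), and the caps.keep line should get the same, e.g. `# caps.keep disabled: <what failed when it was enabled>`, so a later maintainer knows what to retest before enabling it. Separately, `noblacklist /var/log` at new line 12 exempts the whole log directory; if unbound only needs its own log file, a narrower path would presumably be enough.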