19 files changed, 93 insertions, 19 deletions
diff --git a/etc/inc/disable-proc.inc b/etc/inc/disable-proc.inc
new file mode 100644
index 000000000..81a8883f3
--- /dev/null
+++ b/etc/inc/disable-proc.inc
@@ -0,0 +1,82 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include disable-proc.local
+blacklist /proc/acpi
+blacklist /proc/asound
+blacklist /proc/bootconfig
+blacklist /proc/buddyinfo
+blacklist /proc/cgroups
+blacklist /proc/cmdline
+blacklist /proc/config.gz
+blacklist /proc/consoles
+#blacklist /proc/cpuinfo
+blacklist /proc/crypto
+blacklist /proc/devices
+blacklist /proc/diskstats
+blacklist /proc/dma
+#blacklist /proc/driver
+blacklist /proc/dynamic_debug
+blacklist /proc/execdomains
+blacklist /proc/fb
+#blacklist /proc/filesystems
+blacklist /proc/fs
+blacklist /proc/i8k
+blacklist /proc/interrupts
+blacklist /proc/iomem
+blacklist /proc/ioports
+blacklist /proc/irq
+blacklist /proc/kallsyms
+blacklist /proc/kcore
+blacklist /proc/keys
+blacklist /proc/key-users
+blacklist /proc/kmsg
+blacklist /proc/kpagecgroup
+blacklist /proc/kpagecount
+blacklist /proc/kpageflags
+blacklist /proc/latency_stats
+#blacklist /proc/loadavg
+blacklist /proc/locks
+blacklist /proc/mdstat
+#blacklist /proc/meminfo
+blacklist /proc/misc
+#blacklist /proc/modules
+#blacklist /proc/mounts
+blacklist /proc/mtrr
+#blacklist /proc/net
+blacklist /proc/partitions
+blacklist /proc/pressure
+blacklist /proc/sched_debug
+blacklist /proc/schedstat
+blacklist /proc/scsi
+#blacklist /proc/self
+blacklist /proc/slabinfo
+blacklist /proc/softirqs
+blacklist /proc/spl
+#blacklist /proc/stat
+blacklist /proc/swaps
+#blacklist /proc/sys
+blacklist /proc/sysrq-trigger
+blacklist /proc/sysvipc
+#blacklist /proc/thread-self
+blacklist /proc/timer_list
+blacklist /proc/tty
+#blacklist /proc/uptime
+#blacklist /proc/version
+blacklist /proc/version_signature
+blacklist /proc/vmallocinfo
+#blacklist /proc/vmstat
+#blacklist /proc/zoneinfo
+blacklist /proc/sys/abi
+blacklist /proc/sys/crypto
+blacklist /proc/sys/debug
+blacklist /proc/sys/dev
+blacklist /proc/sys/fs
+blacklist /proc/sys/net
+blacklist /proc/sys/user
+blacklist /proc/sys/vm
+noblacklist /proc/sys/kernel/osrelease
+noblacklist /proc/sys/kernel/yama
+blacklist /proc/sys/*/*
diff --git a/etc/profile-a-l/alienarena.profile b/etc/profile-a-l/alienarena.profile
index 62857a3e2..68512e37b 100644
--- a/etc/profile-a-l/alienarena.profile
+++ b/etc/profile-a-l/alienarena.profile
@@ -29,7 +29,6 @@ caps.drop all
 netfilter
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-a-l/blobwars.profile b/etc/profile-a-l/blobwars.profile
index 6b7b59be4..66f38b358 100644
--- a/etc/profile-a-l/blobwars.profile
+++ b/etc/profile-a-l/blobwars.profile
@@ -29,7 +29,6 @@ caps.drop all
 net none
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-a-l/frozen-bubble.profile b/etc/profile-a-l/frozen-bubble.profile
index bb35c9447..88943760a 100644
--- a/etc/profile-a-l/frozen-bubble.profile
+++ b/etc/profile-a-l/frozen-bubble.profile
@@ -30,7 +30,6 @@ caps.drop all
 net none
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-a-l/funnyboat.profile b/etc/profile-a-l/funnyboat.profile
index 1009f345b..4a08fca9b 100644
--- a/etc/profile-a-l/funnyboat.profile
+++ b/etc/profile-a-l/funnyboat.profile
@@ -35,7 +35,6 @@ ipc-namespace
 netfilter
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-a-l/gl-117.profile b/etc/profile-a-l/gl-117.profile
index 35d969e6d..edb85048b 100644
--- a/etc/profile-a-l/gl-117.profile
+++ b/etc/profile-a-l/gl-117.profile
@@ -29,7 +29,6 @@ caps.drop all
 net none
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-a-l/glaxium.profile b/etc/profile-a-l/glaxium.profile
index dec0daef2..b5f98b411 100644
--- a/etc/profile-a-l/glaxium.profile
+++ b/etc/profile-a-l/glaxium.profile
@@ -29,7 +29,6 @@ caps.drop all
 net none
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-a-l/jumpnbump-menu.profile b/etc/profile-a-l/jumpnbump-menu.profile
index 8d391b90f..59d762f55 100644
--- a/etc/profile-a-l/jumpnbump-menu.profile
+++ b/etc/profile-a-l/jumpnbump-menu.profile
@@ -10,7 +10,7 @@ include jumpnbump-menu.local
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python3.inc
-private-bin jumpnbump-menu,python3*
+private-bin env,jumpnbump-menu,python3*
 # Redirect
 include jumpnbump.profile
diff --git a/etc/profile-a-l/jumpnbump.profile b/etc/profile-a-l/jumpnbump.profile
index b9bc8f219..9726ff6fe 100644
--- a/etc/profile-a-l/jumpnbump.profile
+++ b/etc/profile-a-l/jumpnbump.profile
@@ -27,7 +27,6 @@ caps.drop all
 net none
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-m-z/mrrescue.profile b/etc/profile-m-z/mrrescue.profile
index 16dc97d0c..5b5902563 100644
--- a/etc/profile-m-z/mrrescue.profile
+++ b/etc/profile-m-z/mrrescue.profile
@@ -37,7 +37,6 @@ caps.drop all
 net none
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-m-z/open-invaders.profile b/etc/profile-m-z/open-invaders.profile
index 12c7ea3d0..c2c22f42d 100644
--- a/etc/profile-m-z/open-invaders.profile
+++ b/etc/profile-m-z/open-invaders.profile
@@ -25,7 +25,6 @@ caps.drop all
 net none
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-m-z/openclonk.profile b/etc/profile-m-z/openclonk.profile
index 253465991..68362cbc8 100644
--- a/etc/profile-m-z/openclonk.profile
+++ b/etc/profile-m-z/openclonk.profile
@@ -28,7 +28,6 @@ ipc-namespace
 netfilter
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-m-z/supertux2.profile b/etc/profile-m-z/supertux2.profile
index 323849e35..d48065c4b 100644
--- a/etc/profile-m-z/supertux2.profile
+++ b/etc/profile-m-z/supertux2.profile
@@ -30,7 +30,6 @@ caps.drop all
 net none
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-m-z/teeworlds.profile b/etc/profile-m-z/teeworlds.profile
index df54fb9ba..d0fb0d43e 100644
--- a/etc/profile-m-z/teeworlds.profile
+++ b/etc/profile-m-z/teeworlds.profile
@@ -26,7 +26,6 @@ ipc-namespace
 netfilter
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-m-z/torcs.profile b/etc/profile-m-z/torcs.profile
index a7ebaf2af..19e586db4 100644
--- a/etc/profile-m-z/torcs.profile
+++ b/etc/profile-m-z/torcs.profile
@@ -28,7 +28,6 @@ ipc-namespace
 net none
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-m-z/tremulous.profile b/etc/profile-m-z/tremulous.profile
index 4e16df553..96541ae25 100644
--- a/etc/profile-m-z/tremulous.profile
+++ b/etc/profile-m-z/tremulous.profile
@@ -8,6 +8,9 @@ include globals.local
 noblacklist ${HOME}/.tremulous
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -41,7 +44,7 @@ shell none
 tracelog
 disable-mnt
-private-bin tremded,tremulous,tremulous-wrapper
+private-bin env,sh,tremded,tremulous,tremulous-wrapper
 private-cache
 private-dev
 private-tmp
diff --git a/etc/profile-m-z/warsow.profile b/etc/profile-m-z/warsow.profile
index 5659ec69c..2f818b733 100644
--- a/etc/profile-m-z/warsow.profile
+++ b/etc/profile-m-z/warsow.profile
@@ -11,6 +11,9 @@ ignore noexec ${HOME}
 noblacklist ${HOME}/.cache/warsow-2.1
 noblacklist ${HOME}/.local/share/warsow-2.1
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -34,19 +37,18 @@ ipc-namespace
 netfilter
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
 nou2f
 novideo
-protocol unix,inet,inet6
+protocol unix,inet,inet6,netlink
 seccomp
 shell none
 tracelog
 disable-mnt
-private-bin warsow
+private-bin basename,bash,dirname,sed,sh,uname,warsow
 private-cache
 private-dev
 private-tmp
diff --git a/etc/profile-m-z/xonotic.profile b/etc/profile-m-z/xonotic.profile
index 6ffe9ece9..7c2b38d1d 100644
--- a/etc/profile-m-z/xonotic.profile
+++ b/etc/profile-m-z/xonotic.profile
@@ -32,7 +32,6 @@ caps.drop all
 netfilter
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index 7628313e0..44197b547 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -116,6 +116,7 @@ include globals.local
 #include disable-devel.inc
 #include disable-exec.inc
 #include disable-interpreters.inc
+#include disable-proc.inc
 #include disable-programs.inc
 #include disable-shell.inc
 #include disable-write-mnt.inc

diff --git a/etc/inc/disable-proc.inc b/etc/inc/disable-proc.inc new file mode 100644 index 000000000..81a8883f3 --- /dev/null +++ b/etc/inc/disable-proc.inc
@@ -0,0 +1,82 @@
		1	# This file is overwritten during software install.
		2	# Persistent customizations should go in a .local file.
		3	include disable-proc.local
		4
		5	blacklist /proc/acpi
		6	blacklist /proc/asound
		7	blacklist /proc/bootconfig
		8	blacklist /proc/buddyinfo
		9	blacklist /proc/cgroups
		10	blacklist /proc/cmdline
		11	blacklist /proc/config.gz
		12	blacklist /proc/consoles
		13	#blacklist /proc/cpuinfo
		14	blacklist /proc/crypto
		15	blacklist /proc/devices
		16	blacklist /proc/diskstats
		17	blacklist /proc/dma
		18	#blacklist /proc/driver
		19	blacklist /proc/dynamic_debug
		20	blacklist /proc/execdomains
		21	blacklist /proc/fb
		22	#blacklist /proc/filesystems
		23	blacklist /proc/fs
		24	blacklist /proc/i8k
		25	blacklist /proc/interrupts
		26	blacklist /proc/iomem
		27	blacklist /proc/ioports
		28	blacklist /proc/irq
		29	blacklist /proc/kallsyms
		30	blacklist /proc/kcore
		31	blacklist /proc/keys
		32	blacklist /proc/key-users
		33	blacklist /proc/kmsg
		34	blacklist /proc/kpagecgroup
		35	blacklist /proc/kpagecount
		36	blacklist /proc/kpageflags
		37	blacklist /proc/latency_stats
		38	#blacklist /proc/loadavg
		39	blacklist /proc/locks
		40	blacklist /proc/mdstat
		41	#blacklist /proc/meminfo
		42	blacklist /proc/misc
		43	#blacklist /proc/modules
		44	#blacklist /proc/mounts
		45	blacklist /proc/mtrr
		46	#blacklist /proc/net
		47	blacklist /proc/partitions
		48	blacklist /proc/pressure
		49	blacklist /proc/sched_debug
		50	blacklist /proc/schedstat
		51	blacklist /proc/scsi
		52	#blacklist /proc/self
		53	blacklist /proc/slabinfo
		54	blacklist /proc/softirqs
		55	blacklist /proc/spl
		56	#blacklist /proc/stat
		57	blacklist /proc/swaps
		58	#blacklist /proc/sys
		59	blacklist /proc/sysrq-trigger
		60	blacklist /proc/sysvipc
		61	#blacklist /proc/thread-self
		62	blacklist /proc/timer_list
		63	blacklist /proc/tty
		64	#blacklist /proc/uptime
		65	#blacklist /proc/version
		66	blacklist /proc/version_signature
		67	blacklist /proc/vmallocinfo
		68	#blacklist /proc/vmstat
		69	#blacklist /proc/zoneinfo
		70
		71	blacklist /proc/sys/abi
		72	blacklist /proc/sys/crypto
		73	blacklist /proc/sys/debug
		74	blacklist /proc/sys/dev
		75	blacklist /proc/sys/fs
		76	blacklist /proc/sys/net
		77	blacklist /proc/sys/user
		78	blacklist /proc/sys/vm
		79
		80	noblacklist /proc/sys/kernel/osrelease
		81	noblacklist /proc/sys/kernel/yama
		82	blacklist /proc/sys//


diff --git a/etc/profile-a-l/alienarena.profile b/etc/profile-a-l/alienarena.profile index 62857a3e2..68512e37b 100644 --- a/etc/profile-a-l/alienarena.profile +++ b/etc/profile-a-l/alienarena.profile
@@ -29,7 +29,6 @@ caps.drop all
29	netfilter	29	netfilter
30	nodvd	30	nodvd
31	nogroups	31	nogroups
32	noinput
33	nonewprivs	32	nonewprivs
34	noroot	33	noroot
35	notv	34	notv


diff --git a/etc/profile-a-l/blobwars.profile b/etc/profile-a-l/blobwars.profile index 6b7b59be4..66f38b358 100644 --- a/etc/profile-a-l/blobwars.profile +++ b/etc/profile-a-l/blobwars.profile
@@ -29,7 +29,6 @@ caps.drop all
29	net none	29	net none
30	nodvd	30	nodvd
31	nogroups	31	nogroups
32	noinput
33	nonewprivs	32	nonewprivs
34	noroot	33	noroot
35	notv	34	notv


diff --git a/etc/profile-a-l/frozen-bubble.profile b/etc/profile-a-l/frozen-bubble.profile index bb35c9447..88943760a 100644 --- a/etc/profile-a-l/frozen-bubble.profile +++ b/etc/profile-a-l/frozen-bubble.profile
@@ -30,7 +30,6 @@ caps.drop all
30	net none	30	net none
31	nodvd	31	nodvd
32	nogroups	32	nogroups
33	noinput
34	nonewprivs	33	nonewprivs
35	noroot	34	noroot
36	notv	35	notv


diff --git a/etc/profile-a-l/funnyboat.profile b/etc/profile-a-l/funnyboat.profile index 1009f345b..4a08fca9b 100644 --- a/etc/profile-a-l/funnyboat.profile +++ b/etc/profile-a-l/funnyboat.profile
@@ -35,7 +35,6 @@ ipc-namespace
35	netfilter	35	netfilter
36	nodvd	36	nodvd
37	nogroups	37	nogroups
38	noinput
39	nonewprivs	38	nonewprivs
40	noroot	39	noroot
41	notv	40	notv


diff --git a/etc/profile-a-l/gl-117.profile b/etc/profile-a-l/gl-117.profile index 35d969e6d..edb85048b 100644 --- a/etc/profile-a-l/gl-117.profile +++ b/etc/profile-a-l/gl-117.profile
@@ -29,7 +29,6 @@ caps.drop all
29	net none	29	net none
30	nodvd	30	nodvd
31	nogroups	31	nogroups
32	noinput
33	nonewprivs	32	nonewprivs
34	noroot	33	noroot
35	notv	34	notv


diff --git a/etc/profile-a-l/glaxium.profile b/etc/profile-a-l/glaxium.profile index dec0daef2..b5f98b411 100644 --- a/etc/profile-a-l/glaxium.profile +++ b/etc/profile-a-l/glaxium.profile
@@ -29,7 +29,6 @@ caps.drop all
29	net none	29	net none
30	nodvd	30	nodvd
31	nogroups	31	nogroups
32	noinput
33	nonewprivs	32	nonewprivs
34	noroot	33	noroot
35	notv	34	notv


diff --git a/etc/profile-a-l/jumpnbump-menu.profile b/etc/profile-a-l/jumpnbump-menu.profile index 8d391b90f..59d762f55 100644 --- a/etc/profile-a-l/jumpnbump-menu.profile +++ b/etc/profile-a-l/jumpnbump-menu.profile
@@ -10,7 +10,7 @@ include jumpnbump-menu.local
10	# Allow python (blacklisted by disable-interpreters.inc)	10	# Allow python (blacklisted by disable-interpreters.inc)
11	include allow-python3.inc	11	include allow-python3.inc
12		12
13	private-bin jumpnbump-menu,python3*	13	private-bin env,jumpnbump-menu,python3*
14		14
15	# Redirect	15	# Redirect
16	include jumpnbump.profile	16	include jumpnbump.profile


diff --git a/etc/profile-a-l/jumpnbump.profile b/etc/profile-a-l/jumpnbump.profile index b9bc8f219..9726ff6fe 100644 --- a/etc/profile-a-l/jumpnbump.profile +++ b/etc/profile-a-l/jumpnbump.profile
@@ -27,7 +27,6 @@ caps.drop all
27	net none	27	net none
28	nodvd	28	nodvd
29	nogroups	29	nogroups
30	noinput
31	nonewprivs	30	nonewprivs
32	noroot	31	noroot
33	notv	32	notv


diff --git a/etc/profile-m-z/mrrescue.profile b/etc/profile-m-z/mrrescue.profile index 16dc97d0c..5b5902563 100644 --- a/etc/profile-m-z/mrrescue.profile +++ b/etc/profile-m-z/mrrescue.profile
@@ -37,7 +37,6 @@ caps.drop all
37	net none	37	net none
38	nodvd	38	nodvd
39	nogroups	39	nogroups
40	noinput
41	nonewprivs	40	nonewprivs
42	noroot	41	noroot
43	notv	42	notv


diff --git a/etc/profile-m-z/open-invaders.profile b/etc/profile-m-z/open-invaders.profile index 12c7ea3d0..c2c22f42d 100644 --- a/etc/profile-m-z/open-invaders.profile +++ b/etc/profile-m-z/open-invaders.profile
@@ -25,7 +25,6 @@ caps.drop all
25	net none	25	net none
26	nodvd	26	nodvd
27	nogroups	27	nogroups
28	noinput
29	nonewprivs	28	nonewprivs
30	noroot	29	noroot
31	notv	30	notv


diff --git a/etc/profile-m-z/openclonk.profile b/etc/profile-m-z/openclonk.profile index 253465991..68362cbc8 100644 --- a/etc/profile-m-z/openclonk.profile +++ b/etc/profile-m-z/openclonk.profile
@@ -28,7 +28,6 @@ ipc-namespace
28	netfilter	28	netfilter
29	nodvd	29	nodvd
30	nogroups	30	nogroups
31	noinput
32	nonewprivs	31	nonewprivs
33	noroot	32	noroot
34	notv	33	notv


diff --git a/etc/profile-m-z/supertux2.profile b/etc/profile-m-z/supertux2.profile index 323849e35..d48065c4b 100644 --- a/etc/profile-m-z/supertux2.profile +++ b/etc/profile-m-z/supertux2.profile
@@ -30,7 +30,6 @@ caps.drop all
30	net none	30	net none
31	nodvd	31	nodvd
32	nogroups	32	nogroups
33	noinput
34	nonewprivs	33	nonewprivs
35	noroot	34	noroot
36	notv	35	notv


diff --git a/etc/profile-m-z/teeworlds.profile b/etc/profile-m-z/teeworlds.profile index df54fb9ba..d0fb0d43e 100644 --- a/etc/profile-m-z/teeworlds.profile +++ b/etc/profile-m-z/teeworlds.profile
@@ -26,7 +26,6 @@ ipc-namespace
26	netfilter	26	netfilter
27	nodvd	27	nodvd
28	nogroups	28	nogroups
29	noinput
30	nonewprivs	29	nonewprivs
31	noroot	30	noroot
32	notv	31	notv


diff --git a/etc/profile-m-z/torcs.profile b/etc/profile-m-z/torcs.profile index a7ebaf2af..19e586db4 100644 --- a/etc/profile-m-z/torcs.profile +++ b/etc/profile-m-z/torcs.profile
@@ -28,7 +28,6 @@ ipc-namespace
28	net none	28	net none
29	nodvd	29	nodvd
30	nogroups	30	nogroups
31	noinput
32	nonewprivs	31	nonewprivs
33	noroot	32	noroot
34	notv	33	notv


diff --git a/etc/profile-m-z/tremulous.profile b/etc/profile-m-z/tremulous.profile index 4e16df553..96541ae25 100644 --- a/etc/profile-m-z/tremulous.profile +++ b/etc/profile-m-z/tremulous.profile
@@ -8,6 +8,9 @@ include globals.local
8		8
9	noblacklist ${HOME}/.tremulous	9	noblacklist ${HOME}/.tremulous
10		10
		11	# Allow /bin/sh (blacklisted by disable-shell.inc)
		12	include allow-bin-sh.inc
		13
11	include disable-common.inc	14	include disable-common.inc
12	include disable-devel.inc	15	include disable-devel.inc
13	include disable-exec.inc	16	include disable-exec.inc
@@ -41,7 +44,7 @@ shell none
41	tracelog	44	tracelog
42		45
43	disable-mnt	46	disable-mnt
44	private-bin tremded,tremulous,tremulous-wrapper	47	private-bin env,sh,tremded,tremulous,tremulous-wrapper
45	private-cache	48	private-cache
46	private-dev	49	private-dev
47	private-tmp	50	private-tmp


diff --git a/etc/profile-m-z/warsow.profile b/etc/profile-m-z/warsow.profile index 5659ec69c..2f818b733 100644 --- a/etc/profile-m-z/warsow.profile +++ b/etc/profile-m-z/warsow.profile
@@ -11,6 +11,9 @@ ignore noexec ${HOME}
11	noblacklist ${HOME}/.cache/warsow-2.1	11	noblacklist ${HOME}/.cache/warsow-2.1
12	noblacklist ${HOME}/.local/share/warsow-2.1	12	noblacklist ${HOME}/.local/share/warsow-2.1
13		13
		14	# Allow /bin/sh (blacklisted by disable-shell.inc)
		15	include allow-bin-sh.inc
		16
14	include disable-common.inc	17	include disable-common.inc
15	include disable-devel.inc	18	include disable-devel.inc
16	include disable-exec.inc	19	include disable-exec.inc
@@ -34,19 +37,18 @@ ipc-namespace
34	netfilter	37	netfilter
35	nodvd	38	nodvd
36	nogroups	39	nogroups
37	noinput
38	nonewprivs	40	nonewprivs
39	noroot	41	noroot
40	notv	42	notv
41	nou2f	43	nou2f
42	novideo	44	novideo
43	protocol unix,inet,inet6	45	protocol unix,inet,inet6,netlink
44	seccomp	46	seccomp
45	shell none	47	shell none
46	tracelog	48	tracelog
47		49
48	disable-mnt	50	disable-mnt
49	private-bin warsow	51	private-bin basename,bash,dirname,sed,sh,uname,warsow
50	private-cache	52	private-cache
51	private-dev	53	private-dev
52	private-tmp	54	private-tmp


diff --git a/etc/profile-m-z/xonotic.profile b/etc/profile-m-z/xonotic.profile index 6ffe9ece9..7c2b38d1d 100644 --- a/etc/profile-m-z/xonotic.profile +++ b/etc/profile-m-z/xonotic.profile
@@ -32,7 +32,6 @@ caps.drop all
32	netfilter	32	netfilter
33	nodvd	33	nodvd
34	nogroups	34	nogroups
35	noinput
36	nonewprivs	35	nonewprivs
37	noroot	36	noroot
38	notv	37	notv


diff --git a/etc/templates/profile.template b/etc/templates/profile.template index 7628313e0..44197b547 100644 --- a/etc/templates/profile.template +++ b/etc/templates/profile.template
@@ -116,6 +116,7 @@ include globals.local
116	#include disable-devel.inc	116	#include disable-devel.inc
117	#include disable-exec.inc	117	#include disable-exec.inc
118	#include disable-interpreters.inc	118	#include disable-interpreters.inc
		119	#include disable-proc.inc
119	#include disable-programs.inc	120	#include disable-programs.inc
120	#include disable-shell.inc	121	#include disable-shell.inc
121	#include disable-write-mnt.inc	122	#include disable-write-mnt.inc