From 6da539894c7ecbcf43d3e9910c90f25ea5eb662d Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Wed, 26 Jun 2019 18:50:46 +0000
Subject: Hardening a few profiles (#2800)

* Harden curl.profile
* Harden dnscrypt-proxy.profile
* Harden unbound.profile
* Harden unbound.profile
---
 etc/curl.profile | 5 ++++-
 etc/dnscrypt-proxy.profile | 5 +++++
 etc/unbound.profile | 6 ++++++
 3 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/etc/curl.profile b/etc/curl.profile
index 76beee46a..d8282b972 100644
--- a/etc/curl.profile
+++ b/etc/curl.profile
@@ -17,8 +17,11 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 
 caps.drop all
+ipc-namespace
+machine-id
 netfilter
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs
@@ -27,7 +30,7 @@ nosound
 notv
 nou2f
 novideo
-protocol unix,inet,inet6
+protocol inet,inet6
 seccomp
 shell none
 
diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile
index ae248f2e8..169b23f5f 100644
--- a/etc/dnscrypt-proxy.profile
+++ b/etc/dnscrypt-proxy.profile
@@ -13,19 +13,24 @@ blacklist /tmp/.X11-unix
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
 caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot
+ipc-namespace
+machine-id
 no3d
+nodbus
 nodvd
 nonewprivs
 nosound
 notv
 nou2f
 novideo
+protocol inet,inet6
 seccomp.drop _sysctl,acct,add_key,adjtimex,clock_adjtime,delete_module,fanotify_init,finit_module,get_mempolicy,init_module,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioperm,iopl,kcmp,kexec_file_load,kexec_load,keyctl,lookup_dcookie,mbind,migrate_pages,modify_ldt,mount,move_pages,open_by_handle_at,perf_event_open,perf_event_open,pivot_root,process_vm_readv,process_vm_writev,ptrace,remap_file_pages,request_key,set_mempolicy,swapoff,swapon,sysfs,syslog,umount2,uselib,vmsplice
 
 disable-mnt
diff --git a/etc/unbound.profile b/etc/unbound.profile
index e152ee7ea..7d1c36d2f 100644
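Review bot: Dropping `unix` from the `protocol` line means the seccomp-based protocol filter rejects `socket(AF_UNIX)` inside the sandbox, which breaks curl's `--unix-socket` and `--abstract-unix-socket` options and, on hosts where glibc resolves names through nscd, name resolution as well. The same `protocol inet,inet6` line is added to dnscrypt-proxy.profile and unbound.profile in this commit; there it also cuts off syslog(3), which reaches /dev/log over an AF_UNIX socket, so unbound's default `use-syslog: yes` and dnscrypt-proxy's optional `use_syslog` setting would most likely log nothing and report no error. If the tighter filter is intended, a comment such as `# protocol unix removed: breaks --unix-socket and nscd lookups; re-add locally if needed` would save the next reader a bisect; otherwise keep `protocol unix,inet,inet6`.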
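Review bot: `include disable-exec.inc` remounts the home directory and /tmp (among other paths) noexec, so a dnscrypt-proxy binary unpacked from the upstream release tarball into a home directory, a common way to run it outside a distribution package, should no longer start under this profile, while a binary installed under /usr is unaffected. That is probably the intended trade-off, but it deserves a one-line comment next to the include, e.g. `# disable-exec.inc: the binary must live outside ${HOME} and /tmp`. Separately, the unchanged `seccomp.drop` context line lists `perf_event_open` twice; harmless, but worth deduplicating in a follow-up since the same list appears in unbound.profile.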
--- a/etc/unbound.profile
+++ b/etc/unbound.profile
@@ -13,6 +13,7 @@ blacklist /tmp/.X11-unix
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -22,13 +23,18 @@ whitelist /var/lib/unbound
 whitelist /var/run
 
 caps.keep net_admin,net_bind_service,setgid,setuid,sys_chroot,sys_resource
+ipc-namespace
+machine-id
+netfilter
 no3d
+nodbus
 nodvd
 nonewprivs
 nosound
 notv
 nou2f
 novideo
+protocol inet,inet6
 seccomp.drop _sysctl,acct,add_key,adjtimex,clock_adjtime,delete_module,fanotify_init,finit_module,get_mempolicy,init_module,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioperm,iopl,kcmp,kexec_file_load,kexec_load,keyctl,lookup_dcookie,mbind,migrate_pages,modify_ldt,mount,move_pages,open_by_handle_at,perf_event_open,perf_event_open,pivot_root,process_vm_readv,process_vm_writev,ptrace,remap_file_pages,request_key,set_mempolicy,swapoff,swapon,sysfs,syslog,umount2,uselib,vmsplice
 
 disable-mnt
-- 
cgit v1.2.3-70-g09d2
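Review bot: `netfilter` only installs firejail's default filter inside a network namespace created with a `net` option; none of the lines shown here creates one, so unless `net` appears elsewhere in unbound.profile this directive is a no-op and reads as protection the sandbox does not provide. Note also that the default filter is a client filter that drops unsolicited inbound packets, which is the opposite of what a resolver answering queries on port 53 needs, so pairing it with a namespace would call for a custom `netfilter FILE` rather than the default. Either add the namespace and a tailored filter, or drop the line with a comment recording why, e.g. `# netfilter omitted: no net namespace, and unbound must accept inbound queries`.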