From fe45ca43c468a21e225a05beda867f93db88f897 Mon Sep 17 00:00:00 2001 From: "Austin S. Hemmelgarn" Date: Wed, 15 Feb 2017 07:52:22 -0500 Subject: Update unbound profile to block 3D acceleration. There is no legitimate reason for a caching DNS resolver to need 3D acceleration. Unbound adheres to this already, so any attempts to access GPU hardware from it are by definition either bugs or the result of an exploit, so let's just block access to the GPU. --- etc/unbound.profile | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/unbound.profile b/etc/unbound.profile index af8d7b374..0bd46b7f4 100644 --- a/etc/unbound.profile +++ b/etc/unbound.profile @@ -13,5 +13,6 @@ include /etc/firejail/disable-passwdmgr.inc private private-dev nosound +no3d seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open -- cgit v1.2.3-54-g00ecf
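Review bot: The added `no3d` has no comment, and next to `private-dev` it can look redundant: firejail's private-dev still leaves the dri nodes in its reduced /dev, so `no3d` is what actually removes GPU access. A line above it such as `# private-dev still exposes /dev/dri; no3d removes it (a resolver never needs the GPU)` would keep a later cleanup from dropping it. On the `seccomp.drop` line that follows, `perf_event_open` appears twice (mid-list and as the last entry); the duplicate is harmless but makes the deny-list harder to audit, so the trailing one can go. The profile's earlier lines are outside the hunk, so whether capability or other device restrictions are already set cannot be judged from here.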