Add restrict-namespace wherever possible.

-Also commit the .inc files with shell none removed.
author: jc_gargma <jc_gargma@iserlohn-fortress.net> 2023-04-08 15:36:00 -0700
committer: jc_gargma <jc_gargma@iserlohn-fortress.net> 2023-04-08 15:36:00 -0700
commit: 76eccc893d8164ea384fee2d7bf82e3dcb245ae2 (patch)
tree: 07a51708838fb2e0f61714ba702ec779e0372233 /profiles/poi.profile
parent: shell none no longer exists. (diff)
download: firejail-profiles-76eccc893d8164ea384fee2d7bf82e3dcb245ae2.tar.xz
1 files changed, 3 insertions, 0 deletions
diff --git a/profiles/poi.profile b/profiles/poi.profile
index f9369dd..1835413 100644
--- a/profiles/poi.profile
+++ b/profiles/poi.profile
@@ -74,6 +74,9 @@ novideo
 ## protocol - Only allows sockets of the following types. Not supported on i386 architecture.
 protocol unix,inet,inet6,netlink
 
+## restrict-namespaces - Install a seccomp filter that blocks attempts to create new cgroup, ipc, net, mount, pid, time, user or uts namespaces.
+restrict-namespaces
+
 ## seccomp - Blacklists a large swath of syscalls from being accessible.
 # QtWebEngine require chroot syscall on AMD CPUS and/or ATI Graphics for some bizarre reason
 seccomp !name_to_handle_at,!chroot
author	jc_gargma <jc_gargma@iserlohn-fortress.net>	2023-04-08 15:36:00 -0700
committer	jc_gargma <jc_gargma@iserlohn-fortress.net>	2023-04-08 15:36:00 -0700
commit	76eccc893d8164ea384fee2d7bf82e3dcb245ae2 (patch)
tree	07a51708838fb2e0f61714ba702ec779e0372233 /profiles/poi.profile
parent	shell none no longer exists. (diff)
download	firejail-profiles-76eccc893d8164ea384fee2d7bf82e3dcb245ae2.tar.xz