From 76eccc893d8164ea384fee2d7bf82e3dcb245ae2 Mon Sep 17 00:00:00 2001
From: jc_gargma <jc_gargma@iserlohn-fortress.net>
Date: Sat, 8 Apr 2023 15:36:00 -0700
Subject: Add restrict-namespace wherever possible. -Also commit the .inc files
 with shell none removed.

---
 profiles/abook.profile             | 1 +
 profiles/antichamber.profile       | 1 +
 profiles/calcurse.profile          | 1 +
 profiles/digikam.local             | 1 +
 profiles/generic-game.inc          | 2 +-
 profiles/generic-java-game.inc     | 2 +-
 profiles/generic-wine-game.inc     | 2 +-
 profiles/kmymoney.profile          | 1 +
 profiles/konqueror.profile         | 1 +
 profiles/kristall.profile          | 1 +
 profiles/lgogdownloader.profile    | 1 +
 profiles/monero-wallet-gui.profile | 1 +
 profiles/poi.profile               | 3 +++
 profiles/toxic.profile             | 1 +
 14 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/profiles/abook.profile b/profiles/abook.profile
index 9d3baa2..d2fb562 100644
--- a/profiles/abook.profile
+++ b/profiles/abook.profile
@@ -32,6 +32,7 @@ notv
 nou2f
 novideo
 protocol unix
+restrict-namespaces
 seccomp
 tracelog
 
diff --git a/profiles/antichamber.profile b/profiles/antichamber.profile
index f6ee5eb..d2d387c 100644
--- a/profiles/antichamber.profile
+++ b/profiles/antichamber.profile
@@ -16,6 +16,7 @@ whitelist ${HOME}/.local/share/AlexanderBruce/Antichamber
 # # Something to do with the game being 32 bit
 #seccomp !name_to_handle_at
 ignore seccomp
+ignore restrict-namespaces
 
 ignore memory-deny-write-execute
 
diff --git a/profiles/calcurse.profile b/profiles/calcurse.profile
index 061e9b1..12aed0c 100644
--- a/profiles/calcurse.profile
+++ b/profiles/calcurse.profile
@@ -38,6 +38,7 @@ notv
 nou2f
 novideo
 protocol unix
+restrict-namespaces
 seccomp
 tracelog
 
diff --git a/profiles/digikam.local b/profiles/digikam.local
index 1658d72..fed5ac5 100644
--- a/profiles/digikam.local
+++ b/profiles/digikam.local
@@ -8,5 +8,6 @@ protocol unix
 # # due to syscall name_to_handle_at
 ignore seccomp !chroot
 seccomp !name_to_handle_at
+restrict-namespaces
 
 private-dev
diff --git a/profiles/generic-game.inc b/profiles/generic-game.inc
index 554f910..df5b445 100644
--- a/profiles/generic-game.inc
+++ b/profiles/generic-game.inc
@@ -30,8 +30,8 @@ notv
 nou2f
 novideo
 protocol unix
+restrict-namespaces
 seccomp
-shell none
 tracelog
 
 disable-mnt
diff --git a/profiles/generic-java-game.inc b/profiles/generic-java-game.inc
index b92ef76..0b7d281 100644
--- a/profiles/generic-java-game.inc
+++ b/profiles/generic-java-game.inc
@@ -3,7 +3,7 @@
 include generic-java-game.local
 
 # # # Examples for creating profiles
-# See slay-the-spire-profile
+# See slay-the-spire.profile
 # See starsector.profile
 
 # # Java games require the ? folder to store data
diff --git a/profiles/generic-wine-game.inc b/profiles/generic-wine-game.inc
index fe72355..b89997d 100644
--- a/profiles/generic-wine-game.inc
+++ b/profiles/generic-wine-game.inc
@@ -45,8 +45,8 @@ notv
 nou2f
 novideo
 protocol unix
+restrict-namespaces
 seccomp
-shell none
 tracelog
 
 disable-mnt
diff --git a/profiles/kmymoney.profile b/profiles/kmymoney.profile
index f41ca2a..a32c368 100644
--- a/profiles/kmymoney.profile
+++ b/profiles/kmymoney.profile
@@ -50,6 +50,7 @@ notv
 nou2f
 novideo
 protocol unix
+restrict-namespaces
 # # seccomp breaks integrated file manager on kde applications
 # # due to syscall name_to_handle_at
 seccomp !name_to_handle_at
diff --git a/profiles/konqueror.profile b/profiles/konqueror.profile
index 8f61675..48b76b8 100644
--- a/profiles/konqueror.profile
+++ b/profiles/konqueror.profile
@@ -55,6 +55,7 @@ noroot
 notv
 nou2f
 protocol unix,inet,inet6,netlink
+restrict-namespaces
 # # seccomp breaks integrated file manager on kde applications
 # # due to syscall name_to_handle_at
 seccomp !name_to_handle_at
diff --git a/profiles/kristall.profile b/profiles/kristall.profile
index 70bb8b0..e9bacb5 100644
--- a/profiles/kristall.profile
+++ b/profiles/kristall.profile
@@ -40,6 +40,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6,netlink
+restrict-namespaces
 seccomp !name_to_handle_at
 tracelog
 
diff --git a/profiles/lgogdownloader.profile b/profiles/lgogdownloader.profile
index a473973..0ba9930 100644
--- a/profiles/lgogdownloader.profile
+++ b/profiles/lgogdownloader.profile
@@ -40,6 +40,7 @@ nosound
 notv
 novideo
 protocol inet,inet6
+restrict-namespaces
 seccomp
 tracelog
 
diff --git a/profiles/monero-wallet-gui.profile b/profiles/monero-wallet-gui.profile
index 99be289..8b3b1e3 100644
--- a/profiles/monero-wallet-gui.profile
+++ b/profiles/monero-wallet-gui.profile
@@ -36,6 +36,7 @@ nosound
 notv
 nou2f
 novideo
+restrict-namespaces
 protocol unix,inet,inet6
 seccomp
 tracelog
diff --git a/profiles/poi.profile b/profiles/poi.profile
index f9369dd..1835413 100644
--- a/profiles/poi.profile
+++ b/profiles/poi.profile
@@ -74,6 +74,9 @@ novideo
 ## protocol - Only allows sockets of the following types. Not supported on i386 architecture.
 protocol unix,inet,inet6,netlink
 
+## restrict-namespaces - Install a seccomp filter that blocks attempts to create new cgroup, ipc, net, mount, pid, time, user or uts namespaces.
+restrict-namespaces
+
 ## seccomp - Blacklists a large swath of syscalls from being accessible.
 # QtWebEngine require chroot syscall on AMD CPUS and/or ATI Graphics for some bizarre reason
 seccomp !name_to_handle_at,!chroot
diff --git a/profiles/toxic.profile b/profiles/toxic.profile
index c0439bf..cda5522 100644
--- a/profiles/toxic.profile
+++ b/profiles/toxic.profile
@@ -38,6 +38,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6
+restrict-namespaces
 seccomp
 tracelog
 
-- 
cgit v1.2.1