From 76eccc893d8164ea384fee2d7bf82e3dcb245ae2 Mon Sep 17 00:00:00 2001
From: jc_gargma <jc_gargma@iserlohn-fortress.net>
Date: Sat, 8 Apr 2023 15:36:00 -0700
Subject: Add restrict-namespace wherever possible. -Also commit the .inc files
 with shell none removed.

---
 profiles/poi.profile | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'profiles/poi.profile')

diff --git a/profiles/poi.profile b/profiles/poi.profile
index f9369dd..1835413 100644
--- a/profiles/poi.profile
+++ b/profiles/poi.profile
@@ -74,6 +74,9 @@ novideo
 ## protocol - Only allows sockets of the following types. Not supported on i386 architecture.
 protocol unix,inet,inet6,netlink
 
+## restrict-namespaces - Install a seccomp filter that blocks attempts to create new cgroup, ipc, net, mount, pid, time, user or uts namespaces.
+restrict-namespaces
+
 ## seccomp - Blacklists a large swath of syscalls from being accessible.
 # QtWebEngine require chroot syscall on AMD CPUS and/or ATI Graphics for some bizarre reason
 seccomp !name_to_handle_at,!chroot
-- 
cgit v1.2.1