| name: "xchat-with-net" |
| |
| description: "This policy allows to run xchat inside a jail. Access to networking is" |
| description: "permitted with this setup (clone_newnet: false)." |
| description: "" |
| description: "The only permitted home directory is $HOME/.xchat2 and $HOME/Documents." |
| description: "The rest of available on the FS files/dires are libs and X-related files/dirs." |
| description: "" |
| description: "Run as:" |
| description: "./nsjail --config configs/xchat-with-net.cfg --daemon -l /tmp/xchat.log" |
| |
| mode: ONCE |
| hostname: "XCHAT" |
| cwd: "/user" |
| |
| time_limit: 0 |
| |
| envar: "HOME=/user" |
| envar: "DISPLAY" |
| envar: "TMP=/tmp" |
| envar: "FONTCONFIG_FILE=/etc/fonts/fonts.conf" |
| envar: "FC_CONFIG_FILE=/etc/fonts/fonts.conf" |
| envar: "LANG" |
| |
| rlimit_as: 4096 |
| rlimit_cpu_type: INF |
| rlimit_fsize: 4096 |
| rlimit_nofile: 128 |
| |
| clone_newnet: false |
| |
| mount { |
| dst: "/proc" |
| fstype: "proc" |
| } |
| |
| mount { |
| src: "/lib" |
| dst: "/lib" |
| is_bind: true |
| } |
| |
| mount { |
| src: "/usr/lib" |
| dst: "/usr/lib" |
| is_bind: true |
| } |
| |
| mount { |
| src: "/lib64" |
| dst: "/lib64" |
| is_bind: true |
| mandatory: false |
| } |
| |
| mount { |
| src: "/lib32" |
| dst: "/lib32" |
| is_bind: true |
| mandatory: false |
| } |
| |
| mount { |
| src_content: "<?xml version=\"1.0\"?>\n<!DOCTYPE fontconfig SYSTEM \"fonts.dtd\">\n<fontconfig><dir>/usr/share/fonts</dir><cachedir>/tmp/fontconfig</cachedir></fontconfig>" |
| dst: "/etc/fonts/fonts.conf" |
| } |
| |
| mount { |
| src: "/usr/share" |
| dst: "/usr/share" |
| is_bind: true |
| } |
| |
| mount { |
| src: "/dev/urandom" |
| dst: "/dev/urandom" |
| is_bind: true |
| rw: true |
| } |
| |
| mount { |
| src: "/etc/resolv.conf" |
| dst: "/etc/resolv.conf" |
| is_bind: true |
| mandatory: false |
| } |
| |
| mount { |
| dst: "/tmp" |
| fstype: "tmpfs" |
| rw: true |
| is_bind: false |
| } |
| |
| mount { |
| dst: "/dev/shm" |
| fstype: "tmpfs" |
| rw: true |
| is_bind: false |
| } |
| |
| mount { |
| dst: "/user" |
| fstype: "tmpfs" |
| rw: true |
| } |
| |
| mount { |
| prefix_src_env: "HOME" |
| src: "/Documents" |
| dst: "/user/Documents" |
| rw: true |
| is_bind: true |
| mandatory: false |
| } |
| |
| mount { |
| prefix_src_env: "HOME" |
| src: "/.xchat2" |
| dst: "/user/.xchat2" |
| is_bind: true |
| rw: true |
| mandatory: false |
| } |
| |
| mount { |
| src: "/tmp/.X11-unix/X0" |
| dst: "/tmp/.X11-unix/X0" |
| is_bind: true |
| } |
| |
| seccomp_string: "KILL {" |
| seccomp_string: " ptrace," |
| seccomp_string: " process_vm_readv," |
| seccomp_string: " process_vm_writev" |
| seccomp_string: "}" |
| seccomp_string: "DEFAULT ALLOW" |
| |
| exec_bin { |
| path: "/usr/bin/xchat" |
| exec_fd: true |
| } |