| name: "firefox-with-cloned-net" |
| |
| description: "This policy allows to run firefox inside a jail on a separate eth interface." |
| description: "A separate networking context separates process from the global \"lo\", and" |
| description: "from global abstract socket namespace." |
| description: "" |
| description: "The only permitted home directory is $HOME/.mozilla and $HOME/Documents." |
| description: "The rest of available on the FS files/dires are libs and X-related files/dirs." |
| description: "" |
| description: "As this needs to be run as root, you will have to set-up correct uid&gid" |
| description: "mappings (here: jagger), name of your local interface (here: 'enp0s31f6')," |
| description: "and correct IPv4 addresses." |
| description: "" |
| description: "IPv6 should work out-of-the-box, given that your local IPv6 discovery is set" |
| description: "up correctly." |
| description: "" |
| description: "Run as:" |
| description: "" |
| description: "sudo ./nsjail --config configs/firefox-with-cloned-net.cfg" |
| description: "" |
| description: "You can then go to https://uploadfiles.io/ and try to upload a file in order" |
| description: "to see how your local directory (also, all system directories) look like." |
| |
| mode: ONCE |
| hostname: "FF-MACVTAP" |
| cwd: "/user" |
| |
| time_limit: 0 |
| |
| envar: "HOME=/user" |
| envar: "DISPLAY" |
| envar: "TMP=/tmp" |
| |
| rlimit_as: 4096 |
| rlimit_cpu: 1000 |
| rlimit_fsize: 1024 |
| rlimit_nofile: 512 |
| |
| uidmap { |
| inside_id: "9999999" |
| outside_id: "jagger" |
| } |
| |
| gidmap { |
| inside_id: "9999999" |
| outside_id: "jagger" |
| } |
| |
| mount { |
| dst: "/proc" |
| fstype: "proc" |
| rw: true |
| } |
| |
| mount { |
| src: "/lib" |
| dst: "/lib" |
| is_bind: true |
| } |
| |
| mount { |
| src: "/usr/lib" |
| dst: "/usr/lib" |
| is_bind: true |
| } |
| |
| mount { |
| src: "/lib64" |
| dst: "/lib64" |
| is_bind: true |
| mandatory: false |
| } |
| |
| mount { |
| src: "/lib32" |
| dst: "/lib32" |
| is_bind: true |
| mandatory: false |
| } |
| |
| mount { |
| src: "/usr/lib/firefox" |
| dst: "/usr/lib/firefox" |
| is_bind: true |
| } |
| |
| mount { |
| src: "/usr/bin/firefox" |
| dst: "/usr/bin/firefox" |
| is_bind: true |
| } |
| |
| mount { |
| src: "/usr/share" |
| dst: "/usr/share" |
| is_bind: true |
| } |
| |
| mount { |
| src_content: "<?xml version=\"1.0\"?>\n<!DOCTYPE fontconfig SYSTEM \"fonts.dtd\">\n<fontconfig><dir>/usr/share/fonts</dir><cachedir>/tmp/fontconfig</cachedir></fontconfig>" |
| dst: "/etc/fonts/fonts.conf" |
| } |
| |
| mount { |
| src: "/dev/urandom" |
| dst: "/dev/urandom" |
| is_bind: true |
| rw: true |
| } |
| |
| mount { |
| src: "/dev/null" |
| dst: "/dev/null" |
| is_bind: true |
| rw: true |
| } |
| |
| mount { |
| src_content: "nameserver 8.8.8.8" |
| dst: "/etc/resolv.conf" |
| } |
| |
| mount { |
| dst: "/tmp" |
| fstype: "tmpfs" |
| rw: true |
| is_bind: false |
| } |
| |
| mount { |
| dst: "/dev/shm" |
| fstype: "tmpfs" |
| rw: true |
| is_bind: false |
| } |
| |
| mount { |
| dst: "/user" |
| fstype: "tmpfs" |
| rw: true |
| } |
| |
| mount { |
| prefix_src_env: "HOME" |
| src: "/Documents" |
| dst: "/user/Documents" |
| rw: true |
| is_bind: true |
| mandatory: false |
| } |
| |
| mount { |
| prefix_src_env: "HOME" |
| src: "/.mozilla" |
| dst: "/user/.mozilla" |
| is_bind: true |
| rw: true |
| mandatory: false |
| } |
| |
| mount { |
| src: "/tmp/.X11-unix/X0" |
| dst: "/tmp/.X11-unix/X0" |
| is_bind: true |
| } |
| |
| seccomp_string: "KILL {" |
| seccomp_string: " ptrace," |
| seccomp_string: " process_vm_readv," |
| seccomp_string: " process_vm_writev" |
| seccomp_string: "}" |
| seccomp_string: "DEFAULT ALLOW" |
| |
| macvlan_iface: "enp0s31f6" |
| macvlan_vs_ip: "192.168.10.223" |
| macvlan_vs_nm: "255.255.255.0" |
| macvlan_vs_gw: "192.168.10.1" |
| |
| exec_bin { |
| path: "/usr/lib/firefox/firefox" |
| } |