| # Example config for nsjail |
| |
| name: "firefox-with-net" |
| |
| description: "This policy allows to run firefox inside a jail. Access to networking is" |
| description: "permitted with this setup (clone_newnet: false)." |
| description: "" |
| description: "The only permitted home directory is $HOME/.mozilla and $HOME/Documents." |
| description: "The rest of available on the FS files/dires are libs and X-related files/dirs." |
| description: "" |
| description: "Run as:" |
| description: "" |
| description: "./nsjail --config configs/firefox-with-net-wayland.cfg" |
| description: "" |
| description: "You can then go to https://uploadfiles.io/ and try to upload a file in order" |
| description: "to see how your local directory (also, all system directories) look like." |
| |
| mode: ONCE |
| hostname: "FIREFOX" |
| cwd: "/user" |
| |
| time_limit: 0 |
| |
| clone_newnet: false |
| |
| envar: "HOME=/user" |
| envar: "TMP=/tmp" |
| envar: "FONTCONFIG_FILE=/etc/fonts/fonts.conf" |
| envar: "FC_CONFIG_FILE=/etc/fonts/fonts.conf" |
| envar: "MOZ_ENABLE_WAYLAND=1" |
| envar: "XDG_RUNTIME_DIR=/user/run/" |
| envar: "WAYLAND_DISPLAY" |
| |
| rlimit_as: 4096 |
| rlimit_cpu: 1000 |
| rlimit_fsize: 1024 |
| rlimit_nofile: 512 |
| |
| uidmap { |
| inside_id: "9999999" |
| } |
| |
| gidmap { |
| inside_id: "9999999" |
| } |
| |
| mount { |
| dst: "/proc" |
| fstype: "proc" |
| rw: true |
| } |
| |
| mount { |
| src: "/lib" |
| dst: "/lib" |
| is_bind: true |
| } |
| |
| mount { |
| src: "/usr/lib" |
| dst: "/usr/lib" |
| is_bind: true |
| } |
| |
| mount { |
| src: "/lib64" |
| dst: "/lib64" |
| is_bind: true |
| mandatory: false |
| } |
| |
| mount { |
| src: "/lib32" |
| dst: "/lib32" |
| is_bind: true |
| mandatory: false |
| } |
| |
| mount { |
| src: "/usr/lib/firefox" |
| dst: "/usr/lib/firefox" |
| is_bind: true |
| } |
| |
| mount { |
| src: "/usr/bin/firefox" |
| dst: "/usr/bin/firefox" |
| is_bind: true |
| } |
| |
| mount { |
| src: "/usr/share" |
| dst: "/usr/share" |
| is_bind: true |
| } |
| |
| mount { |
| src_content: "<?xml version=\"1.0\"?>\n<!DOCTYPE fontconfig SYSTEM \"fonts.dtd\">\n<fontconfig><dir>/usr/share/fonts</dir><cachedir>/tmp/fontconfig</cachedir></fontconfig>" |
| dst: "/etc/fonts/fonts.conf" |
| } |
| |
| mount { |
| src: "/dev/urandom" |
| dst: "/dev/urandom" |
| is_bind: true |
| rw: true |
| } |
| |
| mount { |
| src: "/dev/null" |
| dst: "/dev/null" |
| is_bind: true |
| rw: true |
| } |
| |
| mount { |
| src_content: "nameserver 8.8.8.8" |
| dst: "/etc/resolv.conf" |
| } |
| |
| mount { |
| dst: "/tmp" |
| fstype: "tmpfs" |
| rw: true |
| is_bind: false |
| } |
| |
| mount { |
| dst: "/dev/shm" |
| fstype: "tmpfs" |
| rw: true |
| is_bind: false |
| } |
| |
| mount { |
| dst: "/user" |
| fstype: "tmpfs" |
| rw: true |
| } |
| |
| mount { |
| prefix_src_env: "HOME" |
| src: "/Documents" |
| dst: "/user/Documents" |
| rw: true |
| is_bind: true |
| mandatory: false |
| } |
| |
| mount { |
| prefix_src_env: "HOME" |
| src: "/.mozilla" |
| dst: "/user/.mozilla" |
| is_bind: true |
| rw: true |
| mandatory: false |
| } |
| |
| mount { |
| src: "/tmp/.X11-unix/X0" |
| dst: "/tmp/.X11-unix/X0" |
| is_bind: true |
| } |
| |
| mount { |
| # Change it to your user id |
| src: "/run/user/1000/wayland-0" |
| dst: "/user/run/wayland-0" |
| is_bind: true |
| rw: true |
| } |
| |
| exec_bin { |
| path: "/usr/lib/firefox/firefox" |
| } |