| # Example config for nsjail |
| |
| name: "chrome-with-net" |
| |
| description: "Don't use for anything serious - this is just a demo policy. See notes" |
| description: "at the end of this description for more." |
| description: "" |
| description: "This policy allows to run Chrome inside a jail. Access to networking is" |
| description: "permitted with this setup (clone_newnet: false)." |
| description: "" |
| description: "The only permitted home directory is $HOME/.mozilla and $HOME/Documents." |
| description: "The rest of available on the FS files/dires are libs and X-related files/dirs." |
| description: "" |
| description: "Run as:" |
| description: "" |
| description: "./nsjail --config configs/chrome-with-net.cfg" |
| description: "" |
| description: "You can then go to https://uploadfiles.io/ and try to upload a file in order" |
| description: "to see how your local directory (also, all system directories) look like." |
| description: "" |
| description: "Note: Using this profile for anything serious is *A VERY BAD* idea. Chrome" |
| description: "provides excellent FS&syscall sandbox for Linux, as this profile disables" |
| description: "this sandboxing with --no-sandbox and substitutes Chrome's syscall/ns policy" |
| description: "with more relaxed namespacing." |
| |
| mode: ONCE |
| hostname: "CHROME" |
| cwd: "/user" |
| |
| time_limit: 0 |
| |
| envar: "HOME=/user" |
| envar: "DISPLAY" |
| envar: "TMP=/tmp" |
| |
| rlimit_as: 4096 |
| rlimit_cpu: 1000 |
| rlimit_fsize: 1024 |
| rlimit_nofile: 1024 |
| |
| clone_newnet: false |
| |
| mount { |
| dst: "/proc" |
| fstype: "proc" |
| } |
| |
| mount { |
| src: "/lib" |
| dst: "/lib" |
| is_bind: true |
| } |
| |
| mount { |
| src: "/usr/lib" |
| dst: "/usr/lib" |
| is_bind: true |
| } |
| |
| mount { |
| src: "/lib64" |
| dst: "/lib64" |
| is_bind: true |
| mandatory: false |
| } |
| |
| mount { |
| src: "/lib32" |
| dst: "/lib32" |
| is_bind: true |
| mandatory: false |
| } |
| |
| mount { |
| src: "/bin" |
| dst: "/bin" |
| is_bind: true |
| } |
| |
| mount { |
| src: "/usr/bin" |
| dst: "/usr/bin" |
| is_bind: true |
| } |
| |
| mount { |
| src: "/opt/google/chrome" |
| dst: "/opt/google/chrome" |
| is_bind: true |
| } |
| |
| mount { |
| src: "/usr/share" |
| dst: "/usr/share" |
| is_bind: true |
| } |
| |
| mount { |
| src: "/dev/urandom" |
| dst: "/dev/urandom" |
| is_bind: true |
| rw: true |
| } |
| |
| mount { |
| src: "/dev/null" |
| dst: "/dev/null" |
| is_bind: true |
| rw: true |
| } |
| |
| mount { |
| src: "/dev/fd/" |
| dst: "/dev/fd/" |
| is_bind: true |
| rw: true |
| } |
| |
| mount { |
| src: "/etc/resolv.conf" |
| dst: "/etc/resolv.conf" |
| is_bind: true |
| mandatory: false |
| } |
| |
| mount { |
| dst: "/tmp" |
| fstype: "tmpfs" |
| rw: true |
| is_bind: false |
| } |
| |
| mount { |
| dst: "/dev/shm" |
| fstype: "tmpfs" |
| rw: true |
| is_bind: false |
| } |
| |
| mount { |
| dst: "/user" |
| fstype: "tmpfs" |
| rw: true |
| } |
| |
| mount { |
| prefix_src_env: "HOME" |
| src: "/Documents" |
| dst: "/user/Documents" |
| rw: true |
| is_bind: true |
| mandatory: false |
| } |
| |
| mount { |
| prefix_src_env: "HOME" |
| src: "/.config/google-chrome" |
| dst: "/user/.config/google-chrome" |
| is_bind: true |
| rw: true |
| mandatory: false |
| } |
| |
| mount { |
| src: "/tmp/.X11-unix/X0" |
| dst: "/tmp/.X11-unix/X0" |
| is_bind: true |
| } |
| |
| seccomp_string: " KILL_PROCESS {" |
| seccomp_string: " ptrace," |
| seccomp_string: " process_vm_readv," |
| seccomp_string: " process_vm_writev" |
| seccomp_string: " }" |
| seccomp_string: " DEFAULT ALLOW" |
| |
| exec_bin { |
| path: "/opt/google/chrome/google-chrome" |
| arg: "--no-sandbox" |
| } |