| # Example config for nsjail |
| |
| name: "documents-with-xorg" |
| |
| description: "This policy allows to run many X-org based tool, which are allowed" |
| description: "to access $HOME/Documents directory only. An example of use is:" |
| description: "" |
| description: "./nsjail --config configs/documents-with-xorg.cfg -- \\" |
| description: " /usr/bin/geeqie /user/Documents/" |
| description: "" |
| description: "What is more, this policy doesn't allow to access networking." |
| |
| mode: ONCE |
| hostname: "NSJAIL" |
| cwd: "/user" |
| |
| time_limit: 1000 |
| |
| envar: "DISPLAY" |
| envar: "HOME=/user" |
| envar: "TMP=/tmp" |
| |
| rlimit_as: 2048 |
| rlimit_cpu: 1000 |
| rlimit_fsize: 1024 |
| rlimit_nofile: 16 |
| |
| mount { |
| src: "/lib" |
| dst: "/lib" |
| is_bind: true |
| } |
| |
| mount { |
| src: "/lib64" |
| dst: "/lib64" |
| is_bind: true |
| mandatory: false |
| } |
| |
| mount { |
| src: "/lib32" |
| dst: "/lib32" |
| is_bind: true |
| mandatory: false |
| } |
| |
| mount { |
| src: "/bin" |
| dst: "/bin" |
| is_bind: true |
| } |
| |
| mount { |
| src: "/usr/bin" |
| dst: "/usr/bin" |
| is_bind: true |
| } |
| |
| mount { |
| src: "/usr/share" |
| dst: "/usr/share" |
| is_bind: true |
| } |
| |
| mount { |
| src: "/usr/lib" |
| dst: "/usr/lib" |
| is_bind: true |
| } |
| |
| mount { |
| src: "/usr/lib64" |
| dst: "/usr/lib64" |
| is_bind: true |
| mandatory: false |
| } |
| |
| mount { |
| src: "/usr/lib32" |
| dst: "/usr/lib32" |
| is_bind: true |
| mandatory: false |
| } |
| |
| mount { |
| dst: "/tmp" |
| fstype: "tmpfs" |
| rw: true |
| } |
| |
| mount { |
| dst: "/dev/shm" |
| fstype: "tmpfs" |
| rw: true |
| } |
| |
| mount { |
| dst: "/user" |
| fstype: "tmpfs" |
| rw: true |
| } |
| |
| mount { |
| prefix_src_env: "HOME" |
| src: "/Documents" |
| dst: "/user/Documents" |
| is_bind: true |
| } |
| |
| mount { |
| src: "/tmp/.X11-unix" |
| dst: "/tmp/.X11-unix" |
| is_bind: true |
| rw: true |
| } |
| |
| mount { |
| src: "/dev/null" |
| dst: "/dev/null" |
| is_bind: true |
| rw: true |
| } |
| |
| mount { |
| src: "/dev/random" |
| dst: "/dev/random" |
| is_bind: true |
| rw: true |
| } |
| |
| mount { |
| src: "/dev/urandom" |
| dst: "/dev/urandom" |
| is_bind: true |
| rw: true |
| } |
| |
| mount { |
| src: "/etc/passwd" |
| dst: "/etc/passwd" |
| is_bind: true |
| } |
| |
| seccomp_string: "KILL_PROCESS {" |
| seccomp_string: " ptrace," |
| seccomp_string: " process_vm_readv," |
| seccomp_string: " process_vm_writev" |
| seccomp_string: "}" |
| seccomp_string: "DEFAULT ALLOW" |