sandboxed firefox + readme
authorRobert Swiecki <robert@swiecki.net>
Sat, 27 May 2017 19:43:56 +0000 (21:43 +0200)
committerRobert Swiecki <robert@swiecki.net>
Sat, 27 May 2017 19:43:56 +0000 (21:43 +0200)
README.md
configs/firefox-with-net.cfg [new file with mode: 0644]

index 7803284d873860319b8746aa8cf22dddfa0878c5..3cd8e9c314ec6bf777b1703e7cd7a9bed2bfd2c7 100644 (file)
--- a/README.md
+++ b/README.md
@@ -281,6 +281,14 @@ $ ./nsjail --config configs/home-documents-with-xorg-no-net.cfg -- /usr/bin/geeq
 $ ./nsjail --config configs/home-documents-with-xorg-no-net.cfg -- /usr/bin/gv /home/jagger/Documents/doc.pdf
 </pre>
 
+***
+
+The [configs/firefox-with-net.cfg](https://github.com/google/nsjail/blob/master/configs/firefox-with-net.cfg) config file will allow you to run firefox in a  sandboxed environment:
+
+<pre>
+$ ./nsjail --config configs/firefox-with-net.cfg
+</pre>
+
 ***
 ### More info
 
diff --git a/configs/firefox-with-net.cfg b/configs/firefox-with-net.cfg
new file mode 100644 (file)
index 0000000..e3315ce
--- /dev/null
@@ -0,0 +1,159 @@
+name: "firefox-with-net"
+description: "
+This policy allows to run firefox inside a jail. Access to the 
+networking is permitted.
+
+The only permitted home directory is $HOME/.mozilla and $HOME/Documents.
+The rest of available FS-resources are are system and X-related files.dires.
+You'll also have to change all references to /home/jagger to make them point
+to your local home directory.
+
+Run it as:
+
+./nsjail --config configs/firefox-with-net.cfg
+
+You can then go to https://uploadfiles.io/ and try to upload a file in order
+to see how your local directory (also, all system directories) look like
+"
+
+mode: ONCE
+hostname: "FIREFOX"
+cwd: "/home/jagger"
+
+time_limit: 0
+
+envar: "HOME=/home/jagger"
+envar: "DISPLAY=:0"
+envar: "XAUTHORITY=/home/jagger/.Xauthority"
+
+rlimit_as: 4096
+rlimit_cpu: 1000
+rlimit_fsize: 1024
+rlimit_nofile: 128
+
+clone_newnet: false
+
+mount {
+       dst: "/proc"
+       fstype: "proc"
+}
+
+mount {
+       src: "/lib"
+       dst: "/lib"
+       is_bind: true
+}
+
+mount {
+       src: "/bin"
+       dst: "/bin"
+       is_bind: true
+}
+
+mount {
+       src: "/sbin"
+       dst: "/sbin"
+       is_bind: true
+}
+
+mount {
+       src: "/usr"
+       dst: "/usr"
+       is_bind: true
+}
+
+mount {
+       src: "/lib64"
+       dst: "/lib64"
+       is_bind: true
+       mandatory: false
+}
+
+mount {
+       src: "/lib32"
+       dst: "/lib32"
+       is_bind: true
+       mandatory: false
+}
+
+mount {
+       src: "/usr/lib/firefox"
+       dst: "/usr/lib/firefox"
+       is_bind: true
+}
+
+mount {
+       src: "/dev/urandom"
+       dst: "/dev/urandom"
+       is_bind: true
+       is_ro: false
+}
+
+mount {
+       src: "/run/resolvconf/resolv.conf"
+       dst: "/etc/resolv.conf"
+       is_bind: true
+       mandatory: false
+}
+
+mount {
+       src: "/run/resolv.conf"
+       dst: "/etc/resolv.conf"
+       is_bind: true
+       mandatory: false
+}
+
+mount {
+       dst: "/tmp"
+       fstype: "tmpfs"
+       is_ro: false
+       is_bind: false
+}
+
+mount {
+       src: "/home/jagger/Documents"
+       dst: "/home/jagger/Documents"
+       fstype: "tmpfs"
+       is_ro: false
+}
+
+mount {
+       src: "/home/jagger/.mozilla"
+       dst: "/home/jagger/.mozilla"
+       is_bind: true
+       is_ro: false
+}
+
+mount {
+       src: "/home/jagger/.Xauthority"
+       dst: "/home/jagger/.Xauthority"
+       is_bind: true
+}
+
+mount {
+       dst: "/home/jagger/.cache"
+       fstype: "tmpfs"
+       is_ro: false
+}
+
+mount {
+       src: "/tmp/.X11-unix/X0"
+       dst: "/tmp/.X11-unix/X0"
+       is_ro: false
+       is_bind: true
+}
+
+seccomp_string: "
+       POLICY example {
+               KILL {
+                       ptrace,
+                       process_vm_readv,
+                       process_vm_writev
+               }
+       }
+       USE example DEFAULT ALLOW
+"
+
+exec_bin {
+        path: "/usr/bin/firefox"
+}
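Review bot: The `/home/jagger/Documents` mount sets both `src` and `fstype: "tmpfs"` without `is_bind: true`, so it most likely gives the jail an empty tmpfs rather than the real directory, which contradicts the description's statement that `$HOME/Documents` is one of the permitted home directories. If the real directory is meant to be exposed, replace `fstype: "tmpfs"` with `is_bind: true`; if an empty scratch directory is intended, drop `src` and correct the description so users know that nothing saved there persists. Separately, the description should say what this jail does not isolate: with `clone_newnet: false`, the bind-mounted `/tmp/.X11-unix/X0` socket and `.Xauthority`, and a seccomp policy that is `DEFAULT ALLOW`, the browser shares the host network namespace and has ordinary client access to the X server. I would add a line to the description such as `Note: the jailed process shares the host network and the X server; this config limits filesystem exposure only.`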