+++ /dev/null
-name: "chrome-with-net"
-description: "
-Don't use for anything serious - this is just a demo policy. See notes
-at the end of this description for more.
-
-This policy allows to run Chrome inside a jail. Access to networking is
-permitted with this setup (clone_newnet: false).
-
-The only permitted home directory is $HOME/.mozilla and $HOME/Documents.
-The rest of available on the FS files/dires are libs and X-related files/dirs.
-
-Run as:
-
-./nsjail --config configs/chrome-with-net.cfg
-
-You can then go to https://uploadfiles.io/ and try to upload a file in order
-to see how your local directory (also, all system directories) look like.
-
-Note: Using this profile for anything serious is *A VERY BAD* idea. Chrome
-provides excellent FS&syscall sandbox for Linux, as this profile disables
-this sandboxing with --no-sandbox and substitutes Chrome's syscall/ns policy
-with more relaxed namespacing.
-"
-
-mode: ONCE
-hostname: "CHROME"
-cwd: "/user"
-
-time_limit: 0
-
-envar: "HOME=/user"
-envar: "DISPLAY=:0"
-envar: "TMP=/tmp"
-
-rlimit_as: 4096
-rlimit_cpu: 1000
-rlimit_fsize: 1024
-rlimit_nofile: 1024
-
-clone_newnet: false
-
-mount {
- dst: "/proc"
- fstype: "proc"
-}
-
-mount {
- src: "/lib"
- dst: "/lib"
- is_bind: true
-}
-
-mount {
- src: "/usr/lib"
- dst: "/usr/lib"
- is_bind: true
-}
-
-mount {
- src: "/lib64"
- dst: "/lib64"
- is_bind: true
- mandatory: false
-}
-
-mount {
- src: "/lib32"
- dst: "/lib32"
- is_bind: true
- mandatory: false
-}
-
-mount {
- src: "/bin"
- dst: "/bin"
- is_bind: true
-}
-
-mount {
- src: "/usr/bin"
- dst: "/usr/bin"
- is_bind: true
-}
-
-mount {
- src: "/opt/google/chrome"
- dst: "/opt/google/chrome"
- is_bind: true
-}
-
-mount {
- src: "/usr/share"
- dst: "/usr/share"
- is_bind: true
-}
-
-mount {
- src: "/dev/urandom"
- dst: "/dev/urandom"
- is_bind: true
- rw: true
-}
-
-mount {
- src: "/dev/null"
- dst: "/dev/null"
- is_bind: true
- rw: true
-}
-
-mount {
- src: "/dev/fd/"
- dst: "/dev/fd/"
- is_bind: true
- rw: true
-}
-
-mount {
- src: "/etc/resolv.conf"
- dst: "/etc/resolv.conf"
- is_bind: true
- mandatory: false
-}
-
-mount {
- dst: "/tmp"
- fstype: "tmpfs"
- rw: true
- is_bind: false
-}
-
-mount {
- dst: "/dev/shm"
- fstype: "tmpfs"
- rw: true
- is_bind: false
-}
-
-mount {
- dst: "/user"
- fstype: "tmpfs"
- rw: true
-}
-
-mount {
- prefix_src_env: "HOME"
- src: "/Documents"
- dst: "/user/Documents"
- rw: true
- is_bind: true
- mandatory: false
-}
-
-mount {
- prefix_src_env: "HOME"
- src: "/.config/google-chrome"
- dst: "/user/.config/google-chrome"
- is_bind: true
- rw: true
- mandatory: false
-}
-
-mount {
- src: "/tmp/.X11-unix/X0"
- dst: "/tmp/.X11-unix/X0"
- is_bind: true
-}
-
-seccomp_string: "
- POLICY example {
- KILL {
- ptrace,
- process_vm_readv,
- process_vm_writev
- }
- }
- USE example DEFAULT ALLOW
-"
-
-exec_bin {
- path: "/opt/google/chrome/google-chrome"
- arg: "--no-sandbox"
-}
--- /dev/null
+name: "chrome-with-net"
+description: "
+Don't use for anything serious - this is just a demo policy. See notes
+at the end of this description for more.
+
+This policy allows to run Chrome inside a jail. Access to networking is
+permitted with this setup (clone_newnet: false).
+
+The only permitted home directory is $HOME/.mozilla and $HOME/Documents.
+The rest of available on the FS files/dires are libs and X-related files/dirs.
+
+Run as:
+
+./nsjail --config configs/chrome-with-net.cfg
+
+You can then go to https://uploadfiles.io/ and try to upload a file in order
+to see how your local directory (also, all system directories) look like.
+
+Note: Using this profile for anything serious is *A VERY BAD* idea. Chrome
+provides excellent FS&syscall sandbox for Linux, as this profile disables
+this sandboxing with --no-sandbox and substitutes Chrome's syscall/ns policy
+with more relaxed namespacing.
+"
+
+mode: ONCE
+hostname: "CHROME"
+cwd: "/user"
+
+time_limit: 0
+
+envar: "HOME=/user"
+envar: "DISPLAY=:0"
+envar: "TMP=/tmp"
+
+rlimit_as: 4096
+rlimit_cpu: 1000
+rlimit_fsize: 1024
+rlimit_nofile: 1024
+
+clone_newnet: false
+
+mount {
+ dst: "/proc"
+ fstype: "proc"
+}
+
+mount {
+ src: "/lib"
+ dst: "/lib"
+ is_bind: true
+}
+
+mount {
+ src: "/usr/lib"
+ dst: "/usr/lib"
+ is_bind: true
+}
+
+mount {
+ src: "/lib64"
+ dst: "/lib64"
+ is_bind: true
+ mandatory: false
+}
+
+mount {
+ src: "/lib32"
+ dst: "/lib32"
+ is_bind: true
+ mandatory: false
+}
+
+mount {
+ src: "/bin"
+ dst: "/bin"
+ is_bind: true
+}
+
+mount {
+ src: "/usr/bin"
+ dst: "/usr/bin"
+ is_bind: true
+}
+
+mount {
+ src: "/opt/google/chrome"
+ dst: "/opt/google/chrome"
+ is_bind: true
+}
+
+mount {
+ src: "/usr/share"
+ dst: "/usr/share"
+ is_bind: true
+}
+
+mount {
+ src: "/dev/urandom"
+ dst: "/dev/urandom"
+ is_bind: true
+ rw: true
+}
+
+mount {
+ src: "/dev/null"
+ dst: "/dev/null"
+ is_bind: true
+ rw: true
+}
+
+mount {
+ src: "/dev/fd/"
+ dst: "/dev/fd/"
+ is_bind: true
+ rw: true
+}
+
+mount {
+ src: "/etc/resolv.conf"
+ dst: "/etc/resolv.conf"
+ is_bind: true
+ mandatory: false
+}
+
+mount {
+ dst: "/tmp"
+ fstype: "tmpfs"
+ rw: true
+ is_bind: false
+}
+
+mount {
+ dst: "/dev/shm"
+ fstype: "tmpfs"
+ rw: true
+ is_bind: false
+}
+
+mount {
+ dst: "/user"
+ fstype: "tmpfs"
+ rw: true
+}
+
+mount {
+ prefix_src_env: "HOME"
+ src: "/Documents"
+ dst: "/user/Documents"
+ rw: true
+ is_bind: true
+ mandatory: false
+}
+
+mount {
+ prefix_src_env: "HOME"
+ src: "/.config/google-chrome"
+ dst: "/user/.config/google-chrome"
+ is_bind: true
+ rw: true
+ mandatory: false
+}
+
+mount {
+ src: "/tmp/.X11-unix/X0"
+ dst: "/tmp/.X11-unix/X0"
+ is_bind: true
+}
+
+seccomp_string: "
+ POLICY example {
+ KILL {
+ ptrace,
+ process_vm_readv,
+ process_vm_writev
+ }
+ }
+ USE example DEFAULT ALLOW
+"
+
+exec_bin {
+ path: "/opt/google/chrome/google-chrome"
+ arg: "--no-sandbox"
+}
projects / platform / upstream / nsjail.git / commitdiff