New config for xchat2
authorRobert Swiecki <robert@swiecki.net>
Thu, 7 Dec 2017 13:39:19 +0000 (14:39 +0100)
committerRobert Swiecki <robert@swiecki.net>
Thu, 7 Dec 2017 13:39:19 +0000 (14:39 +0100)
configs/xchat-with-net.cfg [new file with mode: 0644]

diff --git a/configs/xchat-with-net.cfg b/configs/xchat-with-net.cfg
new file mode 100644 (file)
index 0000000..3ab35cd
--- /dev/null
@@ -0,0 +1,143 @@
+name: "xchat-with-net"
+
+description: "This policy allows to run xchat inside a jail. Access to networking is"
+description: "permitted with this setup (clone_newnet: false)."
+description: ""
+description: "The only permitted home directory is $HOME/.xchat2 and $HOME/Documents."
+description: "The rest of available on the FS files/dires are libs and X-related files/dirs."
+description: ""
+description: "Run as:"
+description: "./nsjail --config configs/xchat-with-net.cfg --daemon -l /tmp/xchat.log"
+
+mode: ONCE
+hostname: "XCHAT"
+cwd: "/user"
+
+time_limit: 0
+
+envar: "HOME=/user"
+envar: "DISPLAY=:0"
+envar: "TMP=/tmp"
+envar: "FONTCONFIG_FILE=/etc/fonts/fonts.conf"
+envar: "FC_CONFIG_FILE=/etc/fonts/fonts.conf"
+
+rlimit_as: 4096
+rlimit_cpu: 1000000000
+rlimit_fsize: 4096
+rlimit_nofile: 128
+
+clone_newnet: false
+
+mount {
+       dst: "/proc"
+       fstype: "proc"
+}
+
+mount {
+       src: "/lib"
+       dst: "/lib"
+       is_bind: true
+}
+
+mount {
+       src: "/usr/lib"
+       dst: "/usr/lib"
+       is_bind: true
+}
+
+mount {
+       src: "/lib64"
+       dst: "/lib64"
+       is_bind: true
+       mandatory: false
+}
+
+mount {
+       src: "/lib32"
+       dst: "/lib32"
+       is_bind: true
+       mandatory: false
+}
+
+mount {
+    src_content: "<?xml version=\"1.0\"?>\n<!DOCTYPE fontconfig SYSTEM \"fonts.dtd\">\n<fontconfig><dir>/usr/share/fonts</dir><cachedir>/tmp/fontconfig</cachedir></fontconfig>"
+    dst: "/etc/fonts/fonts.conf"
+}
+
+mount {
+       src: "/usr/share"
+       dst: "/usr/share"
+       is_bind: true
+}
+
+mount {
+       src: "/dev/urandom"
+       dst: "/dev/urandom"
+       is_bind: true
+       rw: true
+}
+
+mount {
+       src: "/etc/resolv.conf"
+       dst: "/etc/resolv.conf"
+       is_bind: true
+       mandatory: false
+}
+
+mount {
+       dst: "/tmp"
+       fstype: "tmpfs"
+       rw: true
+       is_bind: false
+}
+
+mount {
+       dst: "/dev/shm"
+       fstype: "tmpfs"
+       rw: true
+       is_bind: false
+}
+
+mount {
+       dst: "/user"
+       fstype: "tmpfs"
+       rw: true
+}
+
+mount {
+       prefix_src_env: "HOME"
+       src: "/Documents"
+       dst: "/user/Documents"
+       rw: true
+       is_bind: true
+       mandatory: false
+}
+
+mount {
+       prefix_src_env: "HOME"
+       src: "/.xchat2"
+       dst: "/user/.xchat2"
+       is_bind: true
+       rw: true
+       mandatory: false
+}
+
+mount {
+       src: "/tmp/.X11-unix/X0"
+       dst: "/tmp/.X11-unix/X0"
+       is_bind: true
+}
+
+seccomp_string: "POLICY example {"
+seccomp_string: "      KILL {"
+seccomp_string: "              ptrace,"
+seccomp_string: "              process_vm_readv,"
+seccomp_string: "              process_vm_writev"
+seccomp_string: "      }"
+seccomp_string: "}"
+seccomp_string: "USE example DEFAULT ALLOW"
+
+exec_bin {
+        path: "/usr/bin/xchat"
+               exec_fd: true
+}
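Review bot: The `/tmp/.X11-unix/X0` bind mount (L137-L141) is the one entry that hands the jailed process full access to the host X session, since the X protocol offers no per-client isolation, yet the `description:` block never mentions it; a line such as `description: "Note: the X11 socket is shared with the host, so the jailed process has the same X access as any other client."` would make the trust boundary explicit. The `seccomp_string` policy (L143-L150) is likewise a denylist of three syscalls under `DEFAULT ALLOW`, which the description could state so readers do not take it for an allowlist. On style, the `exec_bin` block mixes indentation widths between `path:` and `exec_fd:` (L153-L154), and the `fonts.conf` mount (L75-L76) uses four spaces where every other mount uses a tab; aligning them to the file's tab convention would help.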