--- /dev/null
+name: "chrome-with-net"
+description: "
+Don't use for anything serious - this is just a demo policy. See notes
+at the end of this description for more.
+
+This policy allows to run Chrome inside a jail. Access to networking is
+permitted with this setup (clone_newnet: false).
+
+The only permitted home directory is $HOME/.mozilla and $HOME/Documents.
+The rest of available on the FS files/dires are libs and X-related files/dirs.
+
+Run as:
+
+./nsjail --config configs/chrome-with-net.cfg
+
+You can then go to https://uploadfiles.io/ and try to upload a file in order
+to see how your local directory (also, all system directories) look like.
+
+Note: Using this profile for anything serious is *A VERY BAD* idea. Chrome
+provides excellent FS&syscall sandbox for Linux, as this profile disables
+this sandboxing with --no-sandbox and substitutes Chrome's syscall/ns policy
+with more relaxed namespacing.
+"
+
+mode: ONCE
+hostname: "CHROME"
+cwd: "/user"
+
+time_limit: 0
+
+envar: "HOME=/user"
+envar: "DISPLAY=:0"
+envar: "TMP=/tmp"
+
+rlimit_as: 4096
+rlimit_cpu: 1000
+rlimit_fsize: 1024
+rlimit_nofile: 1024
+
+clone_newnet: false
+
+mount {
+ dst: "/proc"
+ fstype: "proc"
+}
+
+mount {
+ src: "/lib"
+ dst: "/lib"
+ is_bind: true
+}
+
+mount {
+ src: "/usr/lib"
+ dst: "/usr/lib"
+ is_bind: true
+}
+
+mount {
+ src: "/lib64"
+ dst: "/lib64"
+ is_bind: true
+ mandatory: false
+}
+
+mount {
+ src: "/lib32"
+ dst: "/lib32"
+ is_bind: true
+ mandatory: false
+}
+
+mount {
+ src: "/bin"
+ dst: "/bin"
+ is_bind: true
+}
+
+mount {
+ src: "/usr/bin"
+ dst: "/usr/bin"
+ is_bind: true
+}
+
+mount {
+ src: "/opt/google/chrome"
+ dst: "/opt/google/chrome"
+ is_bind: true
+}
+
+mount {
+ src: "/usr/share"
+ dst: "/usr/share"
+ is_bind: true
+}
+
+mount {
+ src: "/dev/urandom"
+ dst: "/dev/urandom"
+ is_bind: true
+ rw: true
+}
+
+mount {
+ src: "/dev/null"
+ dst: "/dev/null"
+ is_bind: true
+ rw: true
+}
+
+mount {
+ src: "/dev/fd/"
+ dst: "/dev/fd/"
+ is_bind: true
+ rw: true
+}
+
+mount {
+ src: "/etc/resolv.conf"
+ dst: "/etc/resolv.conf"
+ is_bind: true
+ mandatory: false
+}
+
+mount {
+ dst: "/tmp"
+ fstype: "tmpfs"
+ rw: true
+ is_bind: false
+}
+
+mount {
+ dst: "/dev/shm"
+ fstype: "tmpfs"
+ rw: true
+ is_bind: false
+}
+
+mount {
+ dst: "/user"
+ fstype: "tmpfs"
+ rw: true
+}
+
+mount {
+ prefix_src_env: "HOME"
+ src: "/Documents"
+ dst: "/user/Documents"
+ rw: true
+ is_bind: true
+ mandatory: false
+}
+
+mount {
+ prefix_src_env: "HOME"
+ src: "/.config/google-chrome"
+ dst: "/user/.config/google-chrome"
+ is_bind: true
+ rw: true
+ mandatory: false
+}
+
+mount {
+ src: "/tmp/.X11-unix/X0"
+ dst: "/tmp/.X11-unix/X0"
+ is_bind: true
+}
+
+seccomp_string: "
+ POLICY example {
+ KILL {
+ ptrace,
+ process_vm_readv,
+ process_vm_writev
+ }
+ }
+ USE example DEFAULT ALLOW
+"
+
+exec_bin {
+ path: "/opt/google/chrome/google-chrome"
+ arg: "--no-sandbox"
+}
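Review bot: The Kafel policy near the end of the file (`seccomp_string` with `USE example DEFAULT ALLOW`) is the only syscall filter the browser runs under, because `--no-sandbox` in `exec_bin` turns off Chrome's own seccomp-bpf layer, yet it kills just three syscalls. Even for a demo it is cheap to also deny the namespace- and kernel-attack-surface syscalls a browser has no business making, e.g. `KILL { ptrace, process_vm_readv, process_vm_writev, unshare, setns, mount, umount2, pivot_root, keyctl, bpf, perf_event_open, userfaultfd }` — with Chrome's sandbox disabled these should not be exercised, but confirm against an actual run before committing to KILL rather than ERRNO. Separately, the description says the permitted home directories are `$HOME/.mozilla` and `$HOME/Documents`, while the mounts actually expose `$HOME/Documents` and `$HOME/.config/google-chrome`, so the text should name the Chrome profile directory instead. Note too that bind-mounting the X11 socket (`/tmp/.X11-unix/X0`) hands the jailed process the whole X server, and since X11 does not isolate clients this is a larger exposure than the filesystem view the notes focus on; a sentence in the description's caveats would be appropriate.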