add configs/imagemagick-convert.cfg

diff --git a/configs/imagemagick-convert.cfg b/configs/imagemagick-convert.cfg
new file mode 100644 (file)
index 0000000..0383f57
--- /dev/null
+++ b/configs/imagemagick-convert.cfg
@@ -0,0 +1,89 @@
+name: "imagemagick-convert"
+description: "
+This policy allows to run ImageMagick's convert inside a jail.
+Your $HOME's Documents will be mapped as /user/Documents
+
+Run as:
+
+./nsjail --config imagemagick-convert.cfg -- /usr/bin/convert \\
+       jpg:/user/Documents/input.jpg png:/user/Documents/output.png
+"
+
+mode: ONCE
+hostname: "IM-CONVERT"
+cwd: "/user"
+
+time_limit: 120
+
+envar: "HOME=/user"
+envar: "TMP=/tmp"
+
+rlimit_as: 1024
+rlimit_cpu: 1000
+rlimit_fsize: 1024
+rlimit_nofile: 16
+
+mount {
+       src: "/lib"
+       dst: "/lib"
+       is_bind: true
+}
+
+mount {
+       src: "/usr/lib"
+       dst: "/usr/lib"
+       is_bind: true
+}
+
+mount {
+       src: "/lib64"
+       dst: "/lib64"
+       is_bind: true
+       mandatory: false
+}
+
+mount {
+       src: "/lib32"
+       dst: "/lib32"
+       is_bind: true
+       mandatory: false
+}
+
+mount {
+       src: "/usr/bin/convert"
+       dst: "/usr/bin/convert"
+       is_bind: true
+}
+
+mount {
+       dst: "/tmp"
+       fstype: "tmpfs"
+       rw: true
+       is_bind: false
+}
+
+mount {
+       dst: "/user"
+       fstype: "tmpfs"
+       rw: true
+}
+
+mount {
+       prefix_src_env: "HOME"
+       src: "/Documents"
+       dst: "/user/Documents"
+       rw: true
+       is_bind: true
+       mandatory: false
+}
+
+seccomp_string: "
+       POLICY example {
+               KILL {
+                       ptrace,
+                       process_vm_readv,
+                       process_vm_writev
+               }
+       }
+       USE example DEFAULT ALLOW
+"