new config + readme
authorRobert Swiecki <robert@swiecki.net>
Sat, 27 May 2017 18:47:42 +0000 (20:47 +0200)
committerRobert Swiecki <robert@swiecki.net>
Sat, 27 May 2017 18:47:42 +0000 (20:47 +0200)
README.md
configs/home-documents-with-xorg-no-net.cfg [new file with mode: 0644]

index 93ea9727243c753c6c38b9bbfdf83fd4e7aa0c4f..02d3e5e99c458e4f061068903ad1ec47203cf2a3 100644 (file)
--- a/README.md
+++ b/README.md
@@ -267,6 +267,12 @@ uid=999999 gid=999998 euid=4294965959 groups=999998,65534
 [2017-05-27T18:45:40+0200] PID: 16579 exited with status: 0, (PIDs left: 0)
 </pre>
 
+You might also want to try using _https://github.com/google/nsjail/blob/master/configs/home-documents-with-xorg-no-net.cfg_. You'll have to modify referreces to _/home/jagger_ to whatever your home directory is, though. After that, you can use it as follows:
+
+<pre>
+./nsjail --config configs/home-documents-with-xorg-no-net.cfg -- /usr/bin/geeqie /home/jagger/Documents/doc.pdf
+</pre>
+
 ***
 ### More info
 
diff --git a/configs/home-documents-with-xorg-no-net.cfg b/configs/home-documents-with-xorg-no-net.cfg
new file mode 100644 (file)
index 0000000..27d30e4
--- /dev/null
@@ -0,0 +1,111 @@
+name: "documents-with-xorg"
+description: "
+This policy allows to run many Xorg based tool, which are allowed
+to access $HOME/Documents directory only. Example of use would be:
+
+./nsjail --config configs/documents-with-xorg.cfg -- \\
+   /usr/bin/geeqie /home/jagger/Documents/
+
+As nsjail configs don't allow to use variables or envvars, you'll have
+to modify paths referring to '/home/jagger' to whatever your home
+directory is. Also, this policy doesn't allow to access networking"
+
+mode: ONCE
+hostname: "NSJAIL"
+cwd: "/"
+
+time_limit: 1000
+
+envar: "DISPLAY=:0"
+envar: "XAUTHORITY=/home/jagger/.Xauthority"
+
+rlimit_as: 512
+rlimit_cpu: 1000
+rlimit_fsize: 0
+rlimit_nofile: 16
+
+mount {
+       src: "/lib"
+       dst: "/lib"
+       is_bind: true
+}
+
+mount {
+       src: "/bin"
+       dst: "/bin"
+       is_bind: true
+}
+
+mount {
+       src: "/sbin"
+       dst: "/sbin"
+       is_bind: true
+}
+
+mount {
+       src: "/usr"
+       dst: "/usr"
+       is_bind: true
+}
+
+mount {
+       src: "/lib64"
+       dst: "/lib64"
+       is_bind: true
+       mandatory: false
+}
+
+mount {
+       src: "/lib32"
+       dst: "/lib32"
+       is_bind: true
+       mandatory: false
+}
+
+mount {
+       dst: "/tmp"
+       fstype: "tmpfs"
+       is_ro: false
+       is_bind: false
+}
+
+mount {
+       src: "/home/jagger/Documents"
+       dst: "/home/jagger/Documents"
+       is_bind: true
+}
+
+mount {
+       src: "/tmp/.X11-unix/X0"
+       dst: "/tmp/.X11-unix/X0"
+       is_ro: false
+       is_bind: true
+}
+
+mount {
+       src: "/home/jagger/.Xauthority"
+       dst: "/home/jagger/.Xauthority"
+       is_bind: true
+}
+
+mount {
+       src: "/etc/passwd"
+       dst: "/etc/passwd"
+       is_bind: true
+}
+
+seccomp_string: "
+       POLICY example {
+               KILL {
+                       ptrace,
+                       process_vm_readv,
+                       process_vm_writev
+               }
+       }
+       USE example DEFAULT ALLOW
+"
+
+exec_bin {
+       path: "/bin/bash"
+       arg: "-i"
+}
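Review bot: Bind-mounting `/tmp/.X11-unix/X0` and `/home/jagger/.Xauthority` (together with the `DISPLAY`/`XAUTHORITY` envars) makes the jailed program a fully authenticated client of display :0, so the description's claim that the tool is "allowed to access $HOME/Documents directory only" overstates the isolation — on a stock X server any authenticated client can read other windows' contents and input events and inject synthetic input. I would add a caveat to the description, e.g. `NOTE: the X11 socket/.Xauthority mounts expose the whole X session (other windows, keystrokes) to the jailed process; run it against a nested server (Xephyr/xpra) if that matters.` The description's example command also refers to `configs/documents-with-xorg.cfg`, which does not match this file's name `home-documents-with-xorg-no-net.cfg`. Separately, the Documents bind mount has no `is_ro` set and is therefore read-write; for a viewer-only use case `is_ro: true` would narrow it, though the intent may be to allow editing, and the "no networking" claim rests on nsjail's default for `clone_newnet` rather than an explicit setting here, so stating `clone_newnet: true` would make the policy self-documenting.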