configs: firefox+wayland example

diff --git a/configs/firefox-with-net-wayland.cfg b/configs/firefox-with-net-wayland.cfg
new file mode 100644 (file)
index 0000000..b132018
--- /dev/null
+++ b/configs/firefox-with-net-wayland.cfg
@@ -0,0 +1,175 @@
+# Example config for nsjail
+
+name: "firefox-with-net"
+
+description: "This policy allows to run firefox inside a jail. Access to networking is"
+description: "permitted with this setup (clone_newnet: false)."
+description: ""
+description: "The only permitted home directory is $HOME/.mozilla and $HOME/Documents."
+description: "The rest of available on the FS files/dires are libs and X-related files/dirs."
+description: ""
+description: "Run as:"
+description: ""
+description: "./nsjail --config configs/firefox-with-net-wayland.cfg"
+description: ""
+description: "You can then go to https://uploadfiles.io/ and try to upload a file in order"
+description: "to see how your local directory (also, all system directories) look like."
+
+mode: ONCE
+hostname: "FIREFOX"
+cwd: "/user"
+
+time_limit: 0
+
+clone_newnet: false
+
+envar: "HOME=/user"
+envar: "TMP=/tmp"
+envar: "FONTCONFIG_FILE=/etc/fonts/fonts.conf"
+envar: "FC_CONFIG_FILE=/etc/fonts/fonts.conf"
+envar: "MOZ_ENABLE_WAYLAND=1"
+envar: "XDG_RUNTIME_DIR=/user/run/"
+envar: "WAYLAND_DISPLAY=wayland-0"
+
+rlimit_as: 4096
+rlimit_cpu: 1000
+rlimit_fsize: 1024
+rlimit_nofile: 512
+
+uidmap {
+       inside_id: "9999999"
+}
+
+gidmap {
+       inside_id: "9999999"
+}
+
+mount {
+       dst: "/proc"
+       fstype: "proc"
+       rw: true
+}
+
+mount {
+       src: "/lib"
+       dst: "/lib"
+       is_bind: true
+}
+
+mount {
+       src: "/usr/lib"
+       dst: "/usr/lib"
+       is_bind: true
+}
+
+mount {
+       src: "/lib64"
+       dst: "/lib64"
+       is_bind: true
+       mandatory: false
+}
+
+mount {
+       src: "/lib32"
+       dst: "/lib32"
+       is_bind: true
+       mandatory: false
+}
+
+mount {
+       src: "/usr/lib/firefox"
+       dst: "/usr/lib/firefox"
+       is_bind: true
+}
+
+mount {
+       src: "/usr/bin/firefox"
+       dst: "/usr/bin/firefox"
+       is_bind: true
+}
+
+mount {
+       src: "/usr/share"
+       dst: "/usr/share"
+       is_bind: true
+}
+
+mount {
+       src_content: "<?xml version=\"1.0\"?>\n<!DOCTYPE fontconfig SYSTEM \"fonts.dtd\">\n<fontconfig><dir>/usr/share/fonts</dir><cachedir>/tmp/fontconfig</cachedir></fontconfig>"
+       dst: "/etc/fonts/fonts.conf"
+}
+
+mount {
+       src: "/dev/urandom"
+       dst: "/dev/urandom"
+       is_bind: true
+       rw: true
+}
+
+mount {
+       src: "/dev/null"
+       dst: "/dev/null"
+       is_bind: true
+       rw: true
+}
+
+mount {
+       src_content: "nameserver 8.8.8.8"
+       dst: "/etc/resolv.conf"
+}
+
+mount {
+       dst: "/tmp"
+       fstype: "tmpfs"
+       rw: true
+       is_bind: false
+}
+
+mount {
+       dst: "/dev/shm"
+       fstype: "tmpfs"
+       rw: true
+       is_bind: false
+}
+
+mount {
+       dst: "/user"
+       fstype: "tmpfs"
+       rw: true
+}
+
+mount {
+       prefix_src_env: "HOME"
+       src: "/Documents"
+       dst: "/user/Documents"
+       rw: true
+       is_bind: true
+       mandatory: false
+}
+
+mount {
+       prefix_src_env: "HOME"
+       src: "/.mozilla"
+       dst: "/user/.mozilla"
+       is_bind: true
+       rw: true
+       mandatory: false
+}
+
+mount {
+       src: "/tmp/.X11-unix/X0"
+       dst: "/tmp/.X11-unix/X0"
+       is_bind: true
+}
+
+mount {
+       # Change it to your user id
+       src: "/run/user/1000/wayland-0"
+       dst: "/user/run/wayland-0"
+       is_bind: true
+       rw: true
+}
+
+exec_bin {
+       path: "/usr/lib/firefox/firefox"
+}