From: Robert Swiecki
Date: Thu, 7 Dec 2017 13:39:19 +0000 (+0100)
Subject: New config for xchat2
X-Git-Tag: 2.4~9
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=86b6789bede190e9d03410dcdb794e72c512358c;p=platform%2Fupstream%2Fnsjail.git

New config for xchat2
---

diff --git a/configs/xchat-with-net.cfg b/configs/xchat-with-net.cfg
new file mode 100644
index 0000000..3ab35cd
--- /dev/null
+++ b/configs/xchat-with-net.cfg
@@ -0,0 +1,143 @@
+name: "xchat-with-net"
+
+description: "This policy allows to run xchat inside a jail. Access to networking is"
+description: "permitted with this setup (clone_newnet: false)."
+description: ""
+description: "The only permitted home directory is $HOME/.xchat2 and $HOME/Documents."
+description: "The rest of available on the FS files/dires are libs and X-related files/dirs."
+description: ""
+description: "Run as:"
+description: "./nsjail --config configs/xchat-with-net.cfg --daemon -l /tmp/xchat.log"
+
+mode: ONCE
+hostname: "XCHAT"
+cwd: "/user"
+
+time_limit: 0
+
+envar: "HOME=/user"
+envar: "DISPLAY=:0"
+envar: "TMP=/tmp"
+envar: "FONTCONFIG_FILE=/etc/fonts/fonts.conf"
+envar: "FC_CONFIG_FILE=/etc/fonts/fonts.conf"
+
+rlimit_as: 4096
+rlimit_cpu: 1000000000
+rlimit_fsize: 4096
+rlimit_nofile: 128
+
+clone_newnet: false
+
+mount {
+ dst: "/proc"
+ fstype: "proc"
+}
+
+mount {
+ src: "/lib"
+ dst: "/lib"
+ is_bind: true
+}
+
+mount {
+ src: "/usr/lib"
+ dst: "/usr/lib"
+ is_bind: true
+}
+
+mount {
+ src: "/lib64"
+ dst: "/lib64"
+ is_bind: true
+ mandatory: false
+}
+
+mount {
+ src: "/lib32"
+ dst: "/lib32"
+ is_bind: true
+ mandatory: false
+}
+
+mount {
+ src_content: "\n\n/usr/share/fonts/tmp/fontconfig"
+ dst: "/etc/fonts/fonts.conf"
+}
+
+mount {
+ src: "/usr/share"
+ dst: "/usr/share"
+ is_bind: true
+}
+
+mount {
+ src: "/dev/urandom"
+ dst: "/dev/urandom"
+ is_bind: true
+ rw: true
+}
+
+mount {
+ src: "/etc/resolv.conf"
+ dst: "/etc/resolv.conf"
+ is_bind: true
+ mandatory: false
+}
+
+mount {
+ dst: "/tmp"
+ fstype: "tmpfs"
+ rw: true
+ is_bind: false
+}
+
+mount {
+ dst: "/dev/shm"
+ fstype: "tmpfs"
+ rw: true
+ is_bind: false
+}
+
+mount {
+ dst: "/user"
+ fstype: "tmpfs"
+ rw: true
+}
+
+mount {
+ prefix_src_env: "HOME"
+ src: "/Documents"
+ dst: "/user/Documents"
+ rw: true
+ is_bind: true
+ mandatory: false
+}
+
+mount {
+ prefix_src_env: "HOME"
+ src: "/.xchat2"
+ dst: "/user/.xchat2"
+ is_bind: true
+ rw: true
+ mandatory: false
+}
+
+mount {
+ src: "/tmp/.X11-unix/X0"
+ dst: "/tmp/.X11-unix/X0"
+ is_bind: true
+}
+
+seccomp_string: "POLICY example {"
+seccomp_string: " KILL {"
+seccomp_string: " ptrace,"
+seccomp_string: " process_vm_readv,"
+seccomp_string: " process_vm_writev"
+seccomp_string: " }"
+seccomp_string: "}"
+seccomp_string: "USE example DEFAULT ALLOW"
+
+exec_bin {
+ path: "/usr/bin/xchat"
+ exec_fd: true
+}
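Review bot: The `description:` lines at the top of the file present the jail as limited to two home directories plus libs and X files, but they do not say that the `/tmp/.X11-unix/X0` bind mount together with `clone_newnet: false` leaves xchat attached to the desktop's X display and to the host network namespace. X11 does not separate the clients of one display from each other, so a compromised process in this jail is not confined to its own window, and the seccomp policy (`DEFAULT ALLOW` with only ptrace and process_vm_readv/writev in `KILL`) is a short denylist that does not narrow that. I would add a line such as `description: "NOTE: shares the host X display (:0) and the host network namespace; other X clients are not isolated from this jail."` so users do not over-trust the setup. If stronger separation is wanted, pointing `DISPLAY` and the socket mount at a nested X server rather than X0 would be the follow-up to consider.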