From af9d4294d9f13402fd1d1765f46e70d1c21f84a4 Mon Sep 17 00:00:00 2001
From: Robert Swiecki
Date: Tue, 1 Oct 2019 08:27:17 +0200
Subject: [PATCH] configs: new config for znc
---
 configs/znc-with-net.cfg | 133 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 133 insertions(+)
 create mode 100644 configs/znc-with-net.cfg

diff --git a/configs/znc-with-net.cfg b/configs/znc-with-net.cfg
new file mode 100644
index 0000000..9c5e164
--- /dev/null
+++ b/configs/znc-with-net.cfg
@@ -0,0 +1,133 @@
+name: "znc-with-net"
+
+description: "This policy allows to run znc a jail. "
+description: "Networking is "permitted with this setup (clone_newnet: false). "
+description: ""
+description: "The only permitted home directory is $HOME/.znc."
+description: ""
+description: "Run as: nsjail --config configs/znc-with-net.cfg"
+
+mode: ONCE
+hostname: "ZNC"
+cwd: "/home/znc"
+daemon: true
+log_fd: 2
+
+time_limit: 0
+
+envar: "HOME=/home/znc"
+envar: "TMP=/tmp"
+
+rlimit_as: 4096
+rlimit_cpu_type: INF
+rlimit_fsize: 4096
+rlimit_nofile: 128
+
+clone_newnet: false
+
+mount {
+ dst: "/proc"
+ fstype: "proc"
+}
+
+mount {
+ src: "/lib"
+ dst: "/lib"
+ is_bind: true
+}
+
+mount {
+ src: "/usr/lib"
+ dst: "/usr/lib"
+ is_bind: true
+}
+
+mount {
+ src: "/lib64"
+ dst: "/lib64"
+ is_bind: true
+ mandatory: false
+}
+
+mount {
+ src: "/lib32"
+ dst: "/lib32"
+ is_bind: true
+ mandatory: false
+}
+
+mount {
+ src: "/usr/share"
+ dst: "/usr/share"
+ is_bind: true
+}
+
+mount {
+ src: "/dev/urandom"
+ dst: "/dev/urandom"
+ is_bind: true
+ rw: true
+}
+
+mount {
+ src: "/dev/null"
+ dst: "/dev/null"
+ is_bind: true
+ rw: true
+}
+
+mount {
+ src: "/etc/resolv.conf"
+ dst: "/etc/resolv.conf"
+ is_bind: true
+ mandatory: false
+}
+
+mount {
+ src: "/etc/ssl"
+ dst: "/etc/ssl"
+ is_bind: true
+}
+
+mount {
+ dst: "/tmp"
+ fstype: "tmpfs"
+ rw: true
+ is_bind: false
+}
+
+mount {
+ dst: "/dev/shm"
+ fstype: "tmpfs"
+ rw: true
+ is_bind: false
+}
+
+mount {
+ dst: "/home/znc"
+ fstype: "tmpfs"
+ rw: true
+ is_bind: false
+}
+
+mount {
+ prefix_src_env: "HOME"
+ src: "/.znc"
+ dst: "/home/znc/.znc"
+ rw: true
+ is_bind: true
+ mandatory: true
+}
+
+seccomp_string: "KILL {"
+seccomp_string: " ptrace,"
+seccomp_string: " process_vm_readv,"
+seccomp_string: " process_vm_writev"
+seccomp_string: "}"
+seccomp_string: "DEFAULT ALLOW"
+
+exec_bin {
+ path: "/usr/bin/znc"
+ arg: "-f"
+ exec_fd: true
+}
--
2.34.1
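Review bot: The second `description` entry has a stray double quote inside the literal — `"Networking is "permitted with this setup (clone_newnet: false). "` — which terminates the string after `is ` and leaves `permitted ... ` as bare tokens; in protobuf text format that most likely makes nsjail reject the whole file when it loads the config, so the policy below it would never be applied. It should read `description: "Networking is permitted with this setup (clone_newnet: false). "`. The first description also reads `run znc a jail`, presumably `run znc in a jail`. Worth a quick `nsjail --config configs/znc-with-net.cfg` dry run before merging, since a parse error here is the difference between a sandboxed and an unsandboxed bouncer for anyone copying the example.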