nsjail/configs/firefox-with-net.cfg

name: "firefox-with-net"
description: "
This policy allows to run firefox inside a jail. Access to the 
networking is permitted.

The only permitted home directory is $HOME/.mozilla and $HOME/Documents.
The rest of available FS-resources are are system and X-related files.dires.
You'll also have to change all references to /home/jagger to make them point
to your local home directory.

Run it as:

./nsjail --config configs/firefox-with-net.cfg

You can then go to https://uploadfiles.io/ and try to upload a file in order
to see how your local directory (also, all system directories) look like
"

mode: ONCE
hostname: "FIREFOX"
cwd: "/home/jagger"

time_limit: 0

envar: "HOME=/home/jagger"
envar: "DISPLAY=:0"

rlimit_as: 4096
rlimit_cpu: 1000
rlimit_fsize: 1024
rlimit_nofile: 128

clone_newnet: false

mount {
	dst: "/proc"
	fstype: "proc"
}

mount {
	src: "/lib"
	dst: "/lib"
	is_bind: true
}

mount {
	src: "/bin"
	dst: "/bin"
	is_bind: true
}

mount {
	src: "/sbin"
	dst: "/sbin"
	is_bind: true
}

mount {
	src: "/usr"
	dst: "/usr"
	is_bind: true
}

mount {
	src: "/lib64"
	dst: "/lib64"
	is_bind: true
	mandatory: false
}

mount {
	src: "/lib32"
	dst: "/lib32"
	is_bind: true
	mandatory: false
}

mount {
	src: "/usr/lib/firefox"
	dst: "/usr/lib/firefox"
	is_bind: true
}

mount {
	src: "/dev/urandom"
	dst: "/dev/urandom"
	is_bind: true
	is_ro: false
}

mount {
	src: "/run/resolvconf/resolv.conf"
	dst: "/etc/resolv.conf"
	is_bind: true
	mandatory: false
}

mount {
	src: "/run/resolv.conf"
	dst: "/etc/resolv.conf"
	is_bind: true
	mandatory: false
}

mount {
	dst: "/tmp"
	fstype: "tmpfs"
	is_ro: false
	is_bind: false
}

mount {
	dst: "/home/jagger/"
	fstype: "tmpfs"
	is_ro: false
}

mount {
	src: "/home/jagger/Documents"
	dst: "/home/jagger/Documents"
	is_ro: false
	is_bind: true
	mandatory: false
}

mount {
	src: "/home/jagger/.mozilla"
	dst: "/home/jagger/.mozilla"
	is_bind: true
	is_ro: false
	mandatory: false
}

mount {
	dst: "/home/jagger/.cache"
	fstype: "tmpfs"
	is_ro: false
}

mount {
	src: "/tmp/.X11-unix/X0"
	dst: "/tmp/.X11-unix/X0"
	is_ro: false
	is_bind: true
}

seccomp_string: "
	POLICY example {
		KILL {
			ptrace,
			process_vm_readv,
			process_vm_writev
		}
	}
	USE example DEFAULT ALLOW
"

exec_bin {
        path: "/usr/bin/firefox"
}
sandboxed firefox + readme 2017-05-28 03:43:56 +08:00			`name: "firefox-with-net"`
			`description: "`
			`This policy allows to run firefox inside a jail. Access to the`
			`networking is permitted.`

			`The only permitted home directory is $HOME/.mozilla and $HOME/Documents.`
			`The rest of available FS-resources are are system and X-related files.dires.`
			`You'll also have to change all references to /home/jagger to make them point`
			`to your local home directory.`

			`Run it as:`

			`./nsjail --config configs/firefox-with-net.cfg`

			`You can then go to https://uploadfiles.io/ and try to upload a file in order`
			`to see how your local directory (also, all system directories) look like`
			`"`

			`mode: ONCE`
			`hostname: "FIREFOX"`
			`cwd: "/home/jagger"`

			`time_limit: 0`

			`envar: "HOME=/home/jagger"`
			`envar: "DISPLAY=:0"`

			`rlimit_as: 4096`
			`rlimit_cpu: 1000`
			`rlimit_fsize: 1024`
			`rlimit_nofile: 128`

			`clone_newnet: false`

			`mount {`
			`dst: "/proc"`
			`fstype: "proc"`
			`}`

			`mount {`
			`src: "/lib"`
			`dst: "/lib"`
			`is_bind: true`
			`}`

			`mount {`
			`src: "/bin"`
			`dst: "/bin"`
			`is_bind: true`
			`}`

			`mount {`
			`src: "/sbin"`
			`dst: "/sbin"`
			`is_bind: true`
			`}`

			`mount {`
			`src: "/usr"`
			`dst: "/usr"`
			`is_bind: true`
			`}`

			`mount {`
			`src: "/lib64"`
			`dst: "/lib64"`
			`is_bind: true`
			`mandatory: false`
			`}`

			`mount {`
			`src: "/lib32"`
			`dst: "/lib32"`
			`is_bind: true`
			`mandatory: false`
			`}`

			`mount {`
			`src: "/usr/lib/firefox"`
			`dst: "/usr/lib/firefox"`
			`is_bind: true`
			`}`

			`mount {`
			`src: "/dev/urandom"`
			`dst: "/dev/urandom"`
			`is_bind: true`
			`is_ro: false`
			`}`

			`mount {`
			`src: "/run/resolvconf/resolv.conf"`
			`dst: "/etc/resolv.conf"`
			`is_bind: true`
			`mandatory: false`
			`}`

			`mount {`
			`src: "/run/resolv.conf"`
			`dst: "/etc/resolv.conf"`
			`is_bind: true`
			`mandatory: false`
			`}`

			`mount {`
			`dst: "/tmp"`
			`fstype: "tmpfs"`
			`is_ro: false`
			`is_bind: false`
			`}`

configs: sandboxed firefox + readme - improvements 2017-05-28 04:01:46 +08:00			`mount {`
			`dst: "/home/jagger/"`
			`fstype: "tmpfs"`
			`is_ro: false`
			`}`

sandboxed firefox + readme 2017-05-28 03:43:56 +08:00			`mount {`
			`src: "/home/jagger/Documents"`
			`dst: "/home/jagger/Documents"`
			`is_ro: false`
configs: sandboxed firefox + readme - improvements 2017-05-28 04:01:46 +08:00			`is_bind: true`
			`mandatory: false`
sandboxed firefox + readme 2017-05-28 03:43:56 +08:00			`}`

			`mount {`
			`src: "/home/jagger/.mozilla"`
			`dst: "/home/jagger/.mozilla"`
			`is_bind: true`
			`is_ro: false`
configs: sandboxed firefox + readme - improvements 2017-05-28 04:01:46 +08:00			`mandatory: false`
sandboxed firefox + readme 2017-05-28 03:43:56 +08:00			`}`

			`mount {`
			`dst: "/home/jagger/.cache"`
			`fstype: "tmpfs"`
			`is_ro: false`
			`}`

			`mount {`
			`src: "/tmp/.X11-unix/X0"`
			`dst: "/tmp/.X11-unix/X0"`
			`is_ro: false`
			`is_bind: true`
			`}`

			`seccomp_string: "`
			`POLICY example {`
			`KILL {`
			`ptrace,`
			`process_vm_readv,`
			`process_vm_writev`
			`}`
			`}`
			`USE example DEFAULT ALLOW`
			`"`

			`exec_bin {`
			`path: "/usr/bin/firefox"`
			`}`