From 031ec03331f6649aec6c632f9e9b6d40239927c0 Mon Sep 17 00:00:00 2001
From: Robert Swiecki
Date: Sat, 27 May 2017 21:43:56 +0200
Subject: [PATCH] sandboxed firefox + readme
---
 README.md | 8 ++
 configs/firefox-with-net.cfg | 159 +++++++++++++++++++++++++++++++++++
 2 files changed, 167 insertions(+)
 create mode 100644 configs/firefox-with-net.cfg
diff --git a/README.md b/README.md
index 7803284..3cd8e9c 100644
--- a/README.md
+++ b/README.md
@@ -281,6 +281,14 @@ $ ./nsjail --config configs/home-documents-with-xorg-no-net.cfg -- /usr/bin/geeq
 $ ./nsjail --config configs/home-documents-with-xorg-no-net.cfg -- /usr/bin/gv /home/jagger/Documents/doc.pdf
+***
+
+The [configs/firefox-with-net.cfg](https://github.com/google/nsjail/blob/master/configs/firefox-with-net.cfg) config file will allow you to run firefox in a sandboxed environment:
+
+
+$ ./nsjail --config configs/firefox-with-net.cfg
+
+
 ***
 ### More info
diff --git a/configs/firefox-with-net.cfg b/configs/firefox-with-net.cfg
new file mode 100644
index 0000000..e3315ce
--- /dev/null
+++ b/configs/firefox-with-net.cfg
@@ -0,0 +1,159 @@
+name: "firefox-with-net"
+description: "
+This policy allows to run firefox inside a jail. Access to the
+networking is permitted.
+
+The only permitted home directory is $HOME/.mozilla and $HOME/Documents.
+The rest of available FS-resources are are system and X-related files.dires.
+You'll also have to change all references to /home/jagger to make them point
+to your local home directory.
+
+Run it as:
+
+./nsjail --config configs/firefox-with-net.cfg
+
+You can then go to https://uploadfiles.io/ and try to upload a file in order
+to see how your local directory (also, all system directories) look like
+"
+
+mode: ONCE
+hostname: "FIREFOX"
+cwd: "/home/jagger"
+
+time_limit: 0
+
+envar: "HOME=/home/jagger"
+envar: "DISPLAY=:0"
+envar: "XAUTHORITY=/home/jagger/.Xauthority"
+
+rlimit_as: 4096
+rlimit_cpu: 1000
+rlimit_fsize: 1024
+rlimit_nofile: 128
+
+clone_newnet: false
+
+mount {
+ dst: "/proc"
+ fstype: "proc"
+}
+
+mount {
+ src: "/lib"
+ dst: "/lib"
+ is_bind: true
+}
+
+mount {
+ src: "/bin"
+ dst: "/bin"
+ is_bind: true
+}
+
+mount {
+ src: "/sbin"
+ dst: "/sbin"
+ is_bind: true
+}
+
+mount {
+ src: "/usr"
+ dst: "/usr"
+ is_bind: true
+}
+
+mount {
+ src: "/lib64"
+ dst: "/lib64"
+ is_bind: true
+ mandatory: false
+}
+
+mount {
+ src: "/lib32"
+ dst: "/lib32"
+ is_bind: true
+ mandatory: false
+}
+
+mount {
+ src: "/usr/lib/firefox"
+ dst: "/usr/lib/firefox"
+ is_bind: true
+}
+
+mount {
+ src: "/dev/urandom"
+ dst: "/dev/urandom"
+ is_bind: true
+ is_ro: false
+}
+
+mount {
+ src: "/run/resolvconf/resolv.conf"
+ dst: "/etc/resolv.conf"
+ is_bind: true
+ mandatory: false
+}
+
+mount {
+ src: "/run/resolv.conf"
+ dst: "/etc/resolv.conf"
+ is_bind: true
+ mandatory: false
+}
+
+mount {
+ dst: "/tmp"
+ fstype: "tmpfs"
+ is_ro: false
+ is_bind: false
+}
+
+mount {
+ src: "/home/jagger/Documents"
+ dst: "/home/jagger/Documents"
+ fstype: "tmpfs"
+ is_ro: false
+}
+
+mount {
+ src: "/home/jagger/.mozilla"
+ dst: "/home/jagger/.mozilla"
+ is_bind: true
+ is_ro: false
+}
+
+mount {
+ src: "/home/jagger/.Xauthority"
+ dst: "/home/jagger/.Xauthority"
+ is_bind: true
+}
+
+mount {
+ dst: "/home/jagger/.cache"
+ fstype: "tmpfs"
+ is_ro: false
+}
+
+mount {
+ src: "/tmp/.X11-unix/X0"
+ dst: "/tmp/.X11-unix/X0"
+ is_ro: false
+ is_bind: true
+}
+
+seccomp_string: "
+ POLICY example {
+ KILL {
+ ptrace,
+ process_vm_readv,
+ process_vm_writev
+ }
+ }
+ USE example DEFAULT ALLOW
+"
+
+exec_bin {
+ path: "/usr/bin/firefox"
+}
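Review bot: The `/home/jagger/Documents` mount block in configs/firefox-with-net.cfg sets `src` together with `fstype: "tmpfs"` and has no `is_bind: true`, so it presumably mounts an empty tmpfs at that path instead of exposing the real directory, which contradicts the description's statement that $HOME/Documents is one of the permitted home directories. If a bind mount is intended, replace `fstype: "tmpfs"` with `is_bind: true` in that block, matching the `.mozilla` block that follows it. Separately, the binds of `/tmp/.X11-unix/X0` and `/home/jagger/.Xauthority` give the jailed browser an ordinary authenticated connection to the host X server, and X11 does not isolate clients from one another, so the description should state that input to and contents of other windows on display `:0` are outside what this policy protects. The `seccomp_string` is a denylist (`USE example DEFAULT ALLOW` with three syscalls under `KILL`), and with `clone_newnet: false` the process shares the host network namespace; a short comment saying both are deliberate and minimal would keep readers from treating this file as a hardened profile.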