sandboxed firefox + readme
parent
5aae8d2c00
commit
031ec03331
@ -281,6 +281,14 @@ $ ./nsjail --config configs/home-documents-with-xorg-no-net.cfg -- /usr/bin/geeq
|
||||
$ ./nsjail --config configs/home-documents-with-xorg-no-net.cfg -- /usr/bin/gv /home/jagger/Documents/doc.pdf
|
||||
</pre>
|
||||
|
||||
***
|
||||
|
||||
The [configs/firefox-with-net.cfg](https://github.com/google/nsjail/blob/master/configs/firefox-with-net.cfg) config file will allow you to run firefox in a sandboxed environment:
|
||||
|
||||
<pre>
|
||||
$ ./nsjail --config configs/firefox-with-net.cfg
|
||||
</pre>
|
||||
|
||||
***
|
||||
### More info
|
||||
|
||||
|
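--- /dev/null
+++ b/configs/firefox-with-net.cfg
@@ -0,0 +1,159 @@
+name: "firefox-with-net"
+description: "
+This policy allows to run firefox inside a jail. Access to the
+networking is permitted.
+
+The only permitted home directory is $HOME/.mozilla and $HOME/Documents.
+The rest of available FS-resources are are system and X-related files.dires.
+You'll also have to change all references to /home/jagger to make them point
+to your local home directory.
+
+Run it as:
+
+./nsjail --config configs/firefox-with-net.cfg
+
+You can then go to https://uploadfiles.io/ and try to upload a file in order
+to see how your local directory (also, all system directories) look like
+"
+
+mode: ONCE
+hostname: "FIREFOX"
+cwd: "/home/jagger"
+
+time_limit: 0
+
+envar: "HOME=/home/jagger"
+envar: "DISPLAY=:0"
+envar: "XAUTHORITY=/home/jagger/.Xauthority"
+
+rlimit_as: 4096
+rlimit_cpu: 1000
+rlimit_fsize: 1024
+rlimit_nofile: 128
+
+clone_newnet: false
+
+mount {
+dst: "/proc"
+fstype: "proc"
+}
+
+mount {
+src: "/lib"
+dst: "/lib"
+is_bind: true
+}
+
+mount {
+src: "/bin"
+dst: "/bin"
+is_bind: true
+}
+
+mount {
+src: "/sbin"
+dst: "/sbin"
+is_bind: true
+}
+
+mount {
+src: "/usr"
+dst: "/usr"
+is_bind: true
+}
+
+mount {
+src: "/lib64"
+dst: "/lib64"
+is_bind: true
+mandatory: false
+}
+
+mount {
+src: "/lib32"
+dst: "/lib32"
+is_bind: true
+mandatory: false
+}
+
+mount {
+src: "/usr/lib/firefox"
+dst: "/usr/lib/firefox"
+is_bind: true
+}
+
+mount {
+src: "/dev/urandom"
+dst: "/dev/urandom"
+is_bind: true
+is_ro: false
+}
+
+mount {
+src: "/run/resolvconf/resolv.conf"
+dst: "/etc/resolv.conf"
+is_bind: true
+mandatory: false
+}
+
+mount {
+src: "/run/resolv.conf"
+dst: "/etc/resolv.conf"
+is_bind: true
+mandatory: false
+}
+
+mount {
+dst: "/tmp"
+fstype: "tmpfs"
+is_ro: false
+is_bind: false
+}
+
+mount {
+src: "/home/jagger/Documents"
+dst: "/home/jagger/Documents"
+fstype: "tmpfs"
+is_ro: false
+}
+
+mount {
+src: "/home/jagger/.mozilla"
+dst: "/home/jagger/.mozilla"
+is_bind: true
+is_ro: false
+}
+
+mount {
+src: "/home/jagger/.Xauthority"
+dst: "/home/jagger/.Xauthority"
+is_bind: true
+}
+
+mount {
+dst: "/home/jagger/.cache"
+fstype: "tmpfs"
+is_ro: false
+}
+
+mount {
+src: "/tmp/.X11-unix/X0"
+dst: "/tmp/.X11-unix/X0"
+is_ro: false
+is_bind: true
+}
+
+seccomp_string: "
+POLICY example {
+KILL {
+ptrace,
+process_vm_readv,
+process_vm_writev
+}
+}
+USE example DEFAULT ALLOW
+"
+
+exec_bin {
+path: "/usr/bin/firefox"
+}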
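Review bot: The `/home/jagger/Documents` mount sets `fstype: "tmpfs"` together with a `src` and no `is_bind: true`, so the jail most likely gets an empty in-memory directory rather than the real one the description promises ("The only permitted home directory is $HOME/.mozilla and $HOME/Documents"). If an empty scratch directory is intended, drop the `src:` line and say so in the description; if the real directory is intended, replace `fstype: "tmpfs"` with `is_bind: true`. Separately, the description should state what the jail does not contain. The X11 socket and `.Xauthority` are bind-mounted, `.mozilla` is the real profile mounted read-write, and the seccomp policy is a three-syscall denylist under `DEFAULT ALLOW`, so a compromised browser can still reach other X clients on display `:0` and the stored profile data. A dedicated profile directory and a nested X server would narrow that exposure.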