From 4909f45fe07e9aa41902311f58675f2e6b038959 Mon Sep 17 00:00:00 2001 From: Robert Swiecki Date: Wed, 11 Aug 2021 00:31:31 +0200 Subject: [PATCH] configs: firefox+wayland example --- configs/firefox-with-net-wayland.cfg | 175 +++++++++++++++++++++++++++ 1 file changed, 175 insertions(+) create mode 100644 configs/firefox-with-net-wayland.cfg diff --git a/configs/firefox-with-net-wayland.cfg b/configs/firefox-with-net-wayland.cfg new file mode 100644 index 0000000..b132018 --- /dev/null +++ b/configs/firefox-with-net-wayland.cfg @@ -0,0 +1,175 @@ +# Example config for nsjail + +name: "firefox-with-net" + +description: "This policy allows to run firefox inside a jail. Access to networking is" +description: "permitted with this setup (clone_newnet: false)." +description: "" +description: "The only permitted home directory is $HOME/.mozilla and $HOME/Documents." +description: "The rest of available on the FS files/dires are libs and X-related files/dirs." +description: "" +description: "Run as:" +description: "" +description: "./nsjail --config configs/firefox-with-net-wayland.cfg" +description: "" +description: "You can then go to https://uploadfiles.io/ and try to upload a file in order" +description: "to see how your local directory (also, all system directories) look like." + +mode: ONCE +hostname: "FIREFOX" +cwd: "/user" + +time_limit: 0 + +clone_newnet: false + +envar: "HOME=/user" +envar: "TMP=/tmp" +envar: "FONTCONFIG_FILE=/etc/fonts/fonts.conf" +envar: "FC_CONFIG_FILE=/etc/fonts/fonts.conf" +envar: "MOZ_ENABLE_WAYLAND=1" +envar: "XDG_RUNTIME_DIR=/user/run/" +envar: "WAYLAND_DISPLAY=wayland-0" + +rlimit_as: 4096 +rlimit_cpu: 1000 +rlimit_fsize: 1024 +rlimit_nofile: 512 + +uidmap { + inside_id: "9999999" +} + +gidmap { + inside_id: "9999999" +} + +mount { + dst: "/proc" + fstype: "proc" + rw: true +} + +mount { + src: "/lib" + dst: "/lib" + is_bind: true +} + +mount { + src: "/usr/lib" + dst: "/usr/lib" + is_bind: true +} + +mount { + src: "/lib64" + dst: "/lib64" + is_bind: true + mandatory: false +} + +mount { + src: "/lib32" + dst: "/lib32" + is_bind: true + mandatory: false +} + +mount { + src: "/usr/lib/firefox" + dst: "/usr/lib/firefox" + is_bind: true +} + +mount { + src: "/usr/bin/firefox" + dst: "/usr/bin/firefox" + is_bind: true +} + +mount { + src: "/usr/share" + dst: "/usr/share" + is_bind: true +} + +mount { + src_content: "\n\n/usr/share/fonts/tmp/fontconfig" + dst: "/etc/fonts/fonts.conf" +} + +mount { + src: "/dev/urandom" + dst: "/dev/urandom" + is_bind: true + rw: true +} + +mount { + src: "/dev/null" + dst: "/dev/null" + is_bind: true + rw: true +} + +mount { + src_content: "nameserver 8.8.8.8" + dst: "/etc/resolv.conf" +} + +mount { + dst: "/tmp" + fstype: "tmpfs" + rw: true + is_bind: false +} + +mount { + dst: "/dev/shm" + fstype: "tmpfs" + rw: true + is_bind: false +} + +mount { + dst: "/user" + fstype: "tmpfs" + rw: true +} + +mount { + prefix_src_env: "HOME" + src: "/Documents" + dst: "/user/Documents" + rw: true + is_bind: true + mandatory: false +} + +mount { + prefix_src_env: "HOME" + src: "/.mozilla" + dst: "/user/.mozilla" + is_bind: true + rw: true + mandatory: false +} + +mount { + src: "/tmp/.X11-unix/X0" + dst: "/tmp/.X11-unix/X0" + is_bind: true +} + +mount { + # Change it to your user id + src: "/run/user/1000/wayland-0" + dst: "/user/run/wayland-0" + is_bind: true + rw: true +} + +exec_bin { + path: "/usr/lib/firefox/firefox" +}