From de28b4d709a7e0ca59441fa18d346df3197fda91 Mon Sep 17 00:00:00 2001 From: Robert Swiecki Date: Thu, 22 Jun 2017 01:37:18 +0200 Subject: [PATCH] configs: demo policy for chrome --- configs/chrome-with-net.cfg | 183 ++++++++++++++++++++++++++++++++++++ 1 file changed, 183 insertions(+) create mode 100644 configs/chrome-with-net.cfg diff --git a/configs/chrome-with-net.cfg b/configs/chrome-with-net.cfg new file mode 100644 index 0000000..1414cb4 --- /dev/null +++ b/configs/chrome-with-net.cfg @@ -0,0 +1,183 @@ +name: "chrome-with-net" +description: " +Don't use for anything serious - this is just a demo policy. See notes +at the end of this description for more. + +This policy allows to run Chrome inside a jail. Access to networking is +permitted with this setup (clone_newnet: false). + +The only permitted home directory is $HOME/.mozilla and $HOME/Documents. +The rest of available on the FS files/dires are libs and X-related files/dirs. + +Run as: + +./nsjail --config configs/chrome-with-net.cfg + +You can then go to https://uploadfiles.io/ and try to upload a file in order +to see how your local directory (also, all system directories) look like. + +Note: Using this profile for anything serious is *A VERY BAD* idea. Chrome +provides excellent FS&syscall sandbox for Linux, as this profile disables +this sandboxing with --no-sandbox and substitutes Chrome's syscall/ns policy +with more relaxed namespacing. +" + +mode: ONCE +hostname: "CHROME" +cwd: "/user" + +time_limit: 0 + +envar: "HOME=/user" +envar: "DISPLAY=:0" +envar: "TMP=/tmp" + +rlimit_as: 4096 +rlimit_cpu: 1000 +rlimit_fsize: 1024 +rlimit_nofile: 1024 + +clone_newnet: false + +mount { + dst: "/proc" + fstype: "proc" +} + +mount { + src: "/lib" + dst: "/lib" + is_bind: true +} + +mount { + src: "/usr/lib" + dst: "/usr/lib" + is_bind: true +} + +mount { + src: "/lib64" + dst: "/lib64" + is_bind: true + mandatory: false +} + +mount { + src: "/lib32" + dst: "/lib32" + is_bind: true + mandatory: false +} + +mount { + src: "/bin" + dst: "/bin" + is_bind: true +} + +mount { + src: "/usr/bin" + dst: "/usr/bin" + is_bind: true +} + +mount { + src: "/opt/google/chrome" + dst: "/opt/google/chrome" + is_bind: true +} + +mount { + src: "/usr/share" + dst: "/usr/share" + is_bind: true +} + +mount { + src: "/dev/urandom" + dst: "/dev/urandom" + is_bind: true + rw: true +} + +mount { + src: "/dev/null" + dst: "/dev/null" + is_bind: true + rw: true +} + +mount { + src: "/dev/fd/" + dst: "/dev/fd/" + is_bind: true + rw: true +} + +mount { + src: "/etc/resolv.conf" + dst: "/etc/resolv.conf" + is_bind: true + mandatory: false +} + +mount { + dst: "/tmp" + fstype: "tmpfs" + rw: true + is_bind: false +} + +mount { + dst: "/dev/shm" + fstype: "tmpfs" + rw: true + is_bind: false +} + +mount { + dst: "/user" + fstype: "tmpfs" + rw: true +} + +mount { + prefix_src_env: "HOME" + src: "/Documents" + dst: "/user/Documents" + rw: true + is_bind: true + mandatory: false +} + +mount { + prefix_src_env: "HOME" + src: "/.config/google-chrome" + dst: "/user/.config/google-chrome" + is_bind: true + rw: true + mandatory: false +} + +mount { + src: "/tmp/.X11-unix/X0" + dst: "/tmp/.X11-unix/X0" + is_bind: true +} + +seccomp_string: " + POLICY example { + KILL { + ptrace, + process_vm_readv, + process_vm_writev + } + } + USE example DEFAULT ALLOW +" + +exec_bin { + path: "/opt/google/chrome/google-chrome" + arg: "--no-sandbox" +}