new config + readme

2017-05-27 20:47:42 +02:00 · 2017-05-27 20:47:42 +02:00 · e671167b9c
commit e671167b9c
parent f2b0d039aa
2 changed files with 117 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -267,6 +267,12 @@ uid=999999 gid=999998 euid=4294965959 groups=999998,65534
 [2017-05-27T18:45:40+0200] PID: 16579 exited with status: 0, (PIDs left: 0)
 </pre>

+You might also want to try using _https://github.com/google/nsjail/blob/master/configs/home-documents-with-xorg-no-net.cfg_. You'll have to modify referreces to _/home/jagger_ to whatever your home directory is, though. After that, you can use it as follows:
+
+<pre>
+./nsjail --config configs/home-documents-with-xorg-no-net.cfg -- /usr/bin/geeqie /home/jagger/Documents/doc.pdf
+</pre>
+
 ***
 ### More info

--- a/configs/home-documents-with-xorg-no-net.cfg
+++ b/configs/home-documents-with-xorg-no-net.cfg
@ -0,0 +1,111 @@
+name: "documents-with-xorg"
+description: "
+This policy allows to run many Xorg based tool, which are allowed
+to access $HOME/Documents directory only. Example of use would be:
+
+./nsjail --config configs/documents-with-xorg.cfg -- \\
+   /usr/bin/geeqie /home/jagger/Documents/
+
+As nsjail configs don't allow to use variables or envvars, you'll have
+to modify paths referring to '/home/jagger' to whatever your home
+directory is. Also, this policy doesn't allow to access networking"
+
+mode: ONCE
+hostname: "NSJAIL"
+cwd: "/"
+
+time_limit: 1000
+
+envar: "DISPLAY=:0"
+envar: "XAUTHORITY=/home/jagger/.Xauthority"
+
+rlimit_as: 512
+rlimit_cpu: 1000
+rlimit_fsize: 0
+rlimit_nofile: 16
+
+mount {
+	src: "/lib"
+	dst: "/lib"
+	is_bind: true
+}
+
+mount {
+	src: "/bin"
+	dst: "/bin"
+	is_bind: true
+}
+
+mount {
+	src: "/sbin"
+	dst: "/sbin"
+	is_bind: true
+}
+
+mount {
+	src: "/usr"
+	dst: "/usr"
+	is_bind: true
+}
+
+mount {
+	src: "/lib64"
+	dst: "/lib64"
+	is_bind: true
+	mandatory: false
+}
+
+mount {
+	src: "/lib32"
+	dst: "/lib32"
+	is_bind: true
+	mandatory: false
+}
+
+mount {
+	dst: "/tmp"
+	fstype: "tmpfs"
+	is_ro: false
+	is_bind: false
+}
+
+mount {
+	src: "/home/jagger/Documents"
+	dst: "/home/jagger/Documents"
+	is_bind: true
+}
+
+mount {
+	src: "/tmp/.X11-unix/X0"
+	dst: "/tmp/.X11-unix/X0"
+	is_ro: false
+	is_bind: true
+}
+
+mount {
+	src: "/home/jagger/.Xauthority"
+	dst: "/home/jagger/.Xauthority"
+	is_bind: true
+}
+
+mount {
+	src: "/etc/passwd"
+	dst: "/etc/passwd"
+	is_bind: true
+}
+
+seccomp_string: "
+	POLICY example {
+		KILL {
+			ptrace,
+			process_vm_readv,
+			process_vm_writev
+		}
+	}
+	USE example DEFAULT ALLOW
+"
+
+exec_bin {
+	path: "/bin/bash"
+	arg: "-i"
+}