diff --git a/README.md b/README.md
index 93ea972..02d3e5e 100644
--- a/README.md
+++ b/README.md
@@ -267,6 +267,12 @@ uid=999999 gid=999998 euid=4294965959 groups=999998,65534
 [2017-05-27T18:45:40+0200] PID: 16579 exited with status: 0, (PIDs left: 0)
+You might also want to try using _https://github.com/google/nsjail/blob/master/configs/home-documents-with-xorg-no-net.cfg_. You'll have to modify referreces to _/home/jagger_ to whatever your home directory is, though. After that, you can use it as follows:
+
+
+./nsjail --config configs/home-documents-with-xorg-no-net.cfg -- /usr/bin/geeqie /home/jagger/Documents/doc.pdf
+
+
 ***
 ### More info
diff --git a/configs/home-documents-with-xorg-no-net.cfg b/configs/home-documents-with-xorg-no-net.cfg
new file mode 100644
index 0000000..27d30e4
--- /dev/null
+++ b/configs/home-documents-with-xorg-no-net.cfg
@@ -0,0 +1,111 @@
+name: "documents-with-xorg"
+description: "
+This policy allows to run many Xorg based tool, which are allowed
+to access $HOME/Documents directory only. Example of use would be:
+
+./nsjail --config configs/documents-with-xorg.cfg -- \\
+ /usr/bin/geeqie /home/jagger/Documents/
+
+As nsjail configs don't allow to use variables or envvars, you'll have
+to modify paths referring to '/home/jagger' to whatever your home
+directory is. Also, this policy doesn't allow to access networking"
+
+mode: ONCE
+hostname: "NSJAIL"
+cwd: "/"
+
+time_limit: 1000
+
+envar: "DISPLAY=:0"
+envar: "XAUTHORITY=/home/jagger/.Xauthority"
+
+rlimit_as: 512
+rlimit_cpu: 1000
+rlimit_fsize: 0
+rlimit_nofile: 16
+
+mount {
+ src: "/lib"
+ dst: "/lib"
+ is_bind: true
+}
+
+mount {
+ src: "/bin"
+ dst: "/bin"
+ is_bind: true
+}
+
+mount {
+ src: "/sbin"
+ dst: "/sbin"
+ is_bind: true
+}
+
+mount {
+ src: "/usr"
+ dst: "/usr"
+ is_bind: true
+}
+
+mount {
+ src: "/lib64"
+ dst: "/lib64"
+ is_bind: true
+ mandatory: false
+}
+
+mount {
+ src: "/lib32"
+ dst: "/lib32"
+ is_bind: true
+ mandatory: false
+}
+
+mount {
+ dst: "/tmp"
+ fstype: "tmpfs"
+ is_ro: false
+ is_bind: false
+}
+
+mount {
+ src: "/home/jagger/Documents"
+ dst: "/home/jagger/Documents"
+ is_bind: true
+}
+
+mount {
+ src: "/tmp/.X11-unix/X0"
+ dst: "/tmp/.X11-unix/X0"
+ is_ro: false
+ is_bind: true
+}
+
+mount {
+ src: "/home/jagger/.Xauthority"
+ dst: "/home/jagger/.Xauthority"
+ is_bind: true
+}
+
+mount {
+ src: "/etc/passwd"
+ dst: "/etc/passwd"
+ is_bind: true
+}
+
+seccomp_string: "
+ POLICY example {
+ KILL {
+ ptrace,
+ process_vm_readv,
+ process_vm_writev
+ }
+ }
+ USE example DEFAULT ALLOW
+"
+
+exec_bin {
+ path: "/bin/bash"
+ arg: "-i"
+}
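Review bot: The usage example inside `description` points at `configs/documents-with-xorg.cfg`, but the file is added as `configs/home-documents-with-xorg-no-net.cfg` (the path the README hunk in this same commit uses), so copying the example yields a missing-config error; I would change it to `./nsjail --config configs/home-documents-with-xorg-no-net.cfg -- \\` and consider aligning `name:` with the filename too. The description also states the tool may access `$HOME/Documents` only, yet the policy bind-mounts the X11 socket `/tmp/.X11-unix/X0` and `/home/jagger/.Xauthority`, and under the classic X11 model any client with display access shares the server with every other client on that display, so "only" overstates the isolation. A one-line caveat in the description that the X display itself is not isolated (a nested server such as Xephyr would be needed for that) would set expectations correctly. Whether the `Documents` bind is read-only depends on the default of `is_ro`, which this mount leaves unstated while the `/tmp` and X11 mounts set it explicitly; an explicit `is_ro: true` (or `false`, if editing is intended) would make the intended access level visible in the policy.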