From e736d554385f7ffe31694b8ace5b0c1c9358f640 Mon Sep 17 00:00:00 2001
From: Robert Swiecki <robert@swiecki.net>
Date: Sat, 24 Jun 2023 21:04:29 +0200
Subject: [PATCH] configs/telegram: a new config for the telegram-desktop

---
 configs/telegram.cfg | 150 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 150 insertions(+)
 create mode 100644 configs/telegram.cfg

diff --git a/configs/telegram.cfg b/configs/telegram.cfg
new file mode 100644
index 0000000..365f45b
--- /dev/null
+++ b/configs/telegram.cfg
@@ -0,0 +1,150 @@
+# Example config for nsjail
+
+name: "telegram-with-net"
+
+description: "This policy allows to run telegram inside a jail. Access to networking is"
+description: "permitted with this setup (clone_newnet: false)."
+description: ""
+description: "The only permitted home directory is $HOME/.local/share/TelegramDesktop/"
+description: "The rest of available on the FS files/dires are libs and wayland-related files/dirs."
+description: ""
+description: "Run as:"
+description: "./nsjail --config configs/telegram.cfg"
+
+mode: ONCE
+hostname: "TELEGRAM"
+cwd: "/user"
+daemon: true
+
+time_limit: 0
+max_cpus: 2
+
+envar: "HOME=/user"
+envar: "WAYLAND_DISPLAY"
+envar: "TMP=/tmp"
+envar: "LANG"
+envar: "XDG_RUNTIME_DIR=/run/user/1000"
+envar: "QT_QPA_PLATFORM=wayland"
+
+rlimit_as: 4096
+rlimit_cpu_type: INF
+rlimit_fsize: 4096
+rlimit_nofile: 128
+
+clone_newnet: false
+
+mount {
+	dst: "/proc"
+	fstype: "proc"
+}
+
+mount {
+	src: "/lib"
+	dst: "/lib"
+	is_bind: true
+}
+
+mount {
+	src: "/usr/lib"
+	dst: "/usr/lib"
+	is_bind: true
+}
+
+mount {
+	src: "/lib64"
+	dst: "/lib64"
+	is_bind: true
+	mandatory: false
+}
+
+mount {
+	src: "/lib32"
+	dst: "/lib32"
+	is_bind: true
+	mandatory: false
+}
+
+mount {
+	src: "/usr/share"
+	dst: "/usr/share"
+	is_bind: true
+}
+
+mount {
+	src: "/dev/urandom"
+	dst: "/dev/urandom"
+	is_bind: true
+	rw: true
+}
+
+mount {
+	src_content: "nameserver 8.8.8.8"
+	dst: "/etc/resolv.conf"
+}
+
+mount {
+	dst: "/tmp"
+	fstype: "tmpfs"
+	rw: true
+	is_bind: false
+}
+
+mount {
+	dst: "/dev/shm"
+	fstype: "tmpfs"
+	rw: true
+	is_bind: false
+}
+
+mount {
+	dst: "/user"
+	fstype: "tmpfs"
+	rw: true
+}
+
+mount {
+	prefix_src_env: "HOME"
+	src: "/.local/share/TelegramDesktop/"
+	dst: "/user/.local/share/TelegramDesktop/"
+	is_bind: true
+	rw: true
+	mandatory: false
+}
+
+mount {
+	dst: "/run/user/1000"
+	fstype: "tmpfs"
+	rw: true
+	is_bind: false
+}
+
+mount {
+	src: "/run/user/1000/wayland-0"
+	dst: "/run/user/1000/wayland-0"
+	is_bind: true
+	rw: false
+	mandatory: true
+}
+
+mount {
+	src: "/run/user/1000/pulse/native"
+	dst: "/run/user/1000/pulse/native"
+	is_bind: true
+	rw: false
+	mandatory: false
+}
+
+seccomp_string: "KILL_PROCESS {			"
+seccomp_string: "	ptrace,				"
+seccomp_string: "	process_vm_readv,	"
+seccomp_string: "	process_vm_writev	"
+seccomp_string: "},						"
+seccomp_string: "ERRNO(1) {				"
+seccomp_string: "	sched_setaffinity	"
+seccomp_string: "}						"
+seccomp_string: "DEFAULT ALLOW			"
+
+exec_bin {
+        path: "/usr/bin/telegram-desktop"
+        exec_fd: true
+}