# nsjail policy in protobuf text format (not YAML, despite the file hint).
# Runs an Xorg-based tool (the example is geeqie) so that the only host user
# data it can read is /home/jagger/Documents.
#
# Reviewer notes on what this policy does and does NOT confine:
#  * The X11 socket bind-mount below hands the jailed tool the *host* X
#    server. The X protocol has no per-client isolation: any client on a
#    shared display can observe other windows' keystrokes, grab the screen
#    and inject input. For a tool you do not trust, point DISPLAY at a nested
#    server (Xephyr/Xpra) instead of :0 and bind that socket.
#  * The seccomp policy is a deny-list (DEFAULT ALLOW) that kills only three
#    syscalls; the rest of the kernel syscall surface stays reachable.
#  * "No networking" is not configured anywhere in this file; it relies on
#    nsjail's default of a fresh network namespace (clone_newnet) -- confirm
#    that default for the nsjail version you run.
#  * Declaration order matters for mounts: the /tmp tmpfs is listed before the
#    X socket that lives underneath it.
name: "documents-with-xorg"

# Free-text description only. The '\\' is the shell line continuation of the
# original multi-line example command; whitespace inside this string was
# flattened when the file was captured.
description: " This policy allows to run many Xorg based tool, which are allowed to access $HOME/Documents directory only. Example of use would be: ./nsjail --config configs/documents-with-xorg.cfg -- \\ /usr/bin/geeqie /home/jagger/Documents/ As nsjail configs don't allow to use variables or envvars, you'll have to modify paths referring to '/home/jagger' to whatever your home directory is. Also, this policy doesn't allow to access networking"

# Execution mode ONCE: run the command a single time and exit when it does.
mode: ONCE
hostname: "NSJAIL"
cwd: "/"

# Wall-clock lifetime of the whole jail, in seconds.
time_limit: 1000

# The only environment variable passed into the jail. ":0" must agree with
# the X server socket bind-mounted below (/tmp/.X11-unix/X0).
envar: "DISPLAY=:0"

# Resource limits. nsjail units: rlimit_as and rlimit_fsize are MiB,
# rlimit_cpu is CPU-seconds, rlimit_nofile is a descriptor count.
rlimit_as: 512
rlimit_cpu: 1000
# A 0 MiB file-size cap means any write that grows a file fails (SIGXFSZ),
# even on the writable tmpfs below: the tool is effectively read-only on
# disk. Raise this if the tool legitimately needs to save files.
rlimit_fsize: 0
# 16 open files is tight for GUI toolkits (fonts, icons, shared libraries);
# presumably tuned for geeqie -- revisit if another tool fails at startup.
rlimit_nofile: 16

# Host system binaries and libraries. is_ro is not set on these, so they take
# nsjail's default for bind mounts (read-only, as far as this file shows --
# confirm against the MountPt definition of your version).
mount {
    src: "/lib"
    dst: "/lib"
    is_bind: true
}
mount {
    src: "/bin"
    dst: "/bin"
    is_bind: true
}
mount {
    src: "/sbin"
    dst: "/sbin"
    is_bind: true
}
mount {
    src: "/usr"
    dst: "/usr"
    is_bind: true
}

# Multilib paths. mandatory: false means a missing source directory on the
# host is skipped rather than aborting the jail.
mount {
    src: "/lib64"
    dst: "/lib64"
    is_bind: true
    mandatory: false
}
mount {
    src: "/lib32"
    dst: "/lib32"
    is_bind: true
    mandatory: false
}

# Private writable scratch space (a fresh tmpfs, not the host /tmp). No size
# option is given; rlimit_fsize: 0 stops file bodies from growing, so the
# remaining exposure is inode/metadata churn. If writes are ever enabled,
# cap it (e.g. options: "size=...") -- TODO confirm the field is honoured for
# tmpfs in the nsjail version in use.
mount {
    dst: "/tmp"
    fstype: "tmpfs"
    is_ro: false
    is_bind: false
}

# The only piece of host user data exposed to the tool. Read-only by default
# (no is_ro: false here). Replace /home/jagger in BOTH src and dst with your
# own home directory; this format has no variable expansion.
mount {
    src: "/home/jagger/Documents"
    dst: "/home/jagger/Documents"
    is_bind: true
}

# Host X server socket for DISPLAY=:0. Must be listed after the /tmp tmpfs so
# it is created inside the jail's /tmp. is_ro: false is presumably required
# for connect() on the socket. See the header note: this mount gives the
# jailed tool the same access to display :0 as every other X client on it.
mount {
    src: "/tmp/.X11-unix/X0"
    dst: "/tmp/.X11-unix/X0"
    is_ro: false
    is_bind: true
}

# Read-only host account database, presumably so uid -> name lookups work
# inside the jail. It exposes the host's account names (not password hashes)
# to the tool.
mount {
    src: "/etc/passwd"
    dst: "/etc/passwd"
    is_bind: true
}

# Kafel seccomp-bpf policy. KILL terminates the process on the cross-process
# memory access syscalls (ptrace, process_vm_readv, process_vm_writev); every
# other syscall is allowed. An allow-list (DEFAULT KILL plus the syscalls the
# tool actually needs) would be much stronger but has to be built per tool.
# Whitespace inside this string was flattened when the file was captured.
seccomp_string: " POLICY example { KILL { ptrace, process_vm_readv, process_vm_writev } } USE example DEFAULT ALLOW "