name: "imagemagick-convert"

description: "This policy allows to run ImageMagick's convert inside a jail."
description: "Your $HOME's Documents will be mapped as /user/Documents"
description: ""
description: "Run as:"
description: ""
description: "./nsjail --config imagemagick-convert.cfg -- /usr/bin/convert \\"
description: "	jpg:/user/Documents/input.jpg png:/user/Documents/output.png"

mode: ONCE
hostname: "IM-CONVERT"
cwd: "/user"

time_limit: 120

envar: "HOME=/user"
envar: "TMP=/tmp"

rlimit_as: 2048
rlimit_cpu: 1000
rlimit_fsize: 1024
rlimit_nofile: 64

mount {
	src: "/lib"
	dst: "/lib"
	is_bind: true
}

mount {
	src: "/usr/lib"
	dst: "/usr/lib"
	is_bind: true
}

mount {
	src: "/lib64"
	dst: "/lib64"
	is_bind: true
	mandatory: false
}

mount {
	src: "/lib32"
	dst: "/lib32"
	is_bind: true
	mandatory: false
}

mount {
	dst: "/tmp"
	fstype: "tmpfs"
	rw: true
	is_bind: false
}

mount {
	dst: "/user"
	fstype: "tmpfs"
	rw: true
}

mount {
	prefix_src_env: "HOME"
	src: "/Documents"
	dst: "/user/Documents"
	rw: true
	is_bind: true
	mandatory: false
}

seccomp_string: "POLICY imagemagick_convert {"
seccomp_string: "  ALLOW {"
seccomp_string: "    read, write, open, openat, close, newstat, newfstat,"
seccomp_string: "    newlstat, lseek, mmap, mprotect, munmap, brk,"
seccomp_string: "    rt_sigaction, rt_sigprocmask, pwrite64, access,"
seccomp_string: "    getpid, execveat, getdents, unlink, fchmod,"
seccomp_string: "    getrlimit, getrusage, sysinfo, times, futex,"
seccomp_string: "    arch_prctl, sched_getaffinity, set_tid_address,"
seccomp_string: "    clock_gettime, set_robust_list, exit_group,"
seccomp_string: "    clone, getcwd, pread64, readlink, prlimit64"
seccomp_string: "  }"
seccomp_string: "}"
seccomp_string: "USE imagemagick_convert DEFAULT KILL"

exec_bin {
	path: "/usr/bin/convert"
	exec_fd: true
}