# Example config for nsjail

name: "znc-with-net"

description: "This policy allows to run znc a jail. "
description: "Networking is permitted with this setup (clone_newnet: false). "
description: ""
description: "The only permitted home directory is $HOME/.znc."
description: ""
description: "Run as: nsjail --config configs/znc-with-net.cfg"

mode: ONCE
hostname: "ZNC"
cwd: "/home/znc"
daemon: true

time_limit: 0

envar: "HOME=/home/znc"
envar: "TMP=/tmp"

log_fd: 2

rlimit_as: 4096
rlimit_cpu_type: INF
rlimit_fsize: 4096
rlimit_nofile: 128

clone_newnet: false

mount {
	dst: "/proc"
	fstype: "proc"
}

mount {
	src: "/lib"
	dst: "/lib"
	is_bind: true
}

mount {
	src: "/usr/lib"
	dst: "/usr/lib"
	is_bind: true
}

mount {
	src: "/lib64"
	dst: "/lib64"
	is_bind: true
	mandatory: false
}

mount {
	src: "/lib32"
	dst: "/lib32"
	is_bind: true
	mandatory: false
}

mount {
	src: "/usr/share"
	dst: "/usr/share"
	is_bind: true
}

mount {
	src: "/dev/urandom"
	dst: "/dev/urandom"
	is_bind: true
	rw: true
}

mount {
	src: "/dev/null"
	dst: "/dev/null"
	is_bind: true
	rw: true
}

mount {
	src: "/etc/resolv.conf"
	dst: "/etc/resolv.conf"
	is_bind: true
	mandatory: false
}

mount {
	src: "/etc/ssl"
	dst: "/etc/ssl"
	is_bind: true
}

mount {
	dst: "/tmp"
	fstype: "tmpfs"
	rw: true
	is_bind: false
}

mount {
	dst: "/dev/shm"
	fstype: "tmpfs"
	rw: true
	is_bind: false
}

mount {
	dst: "/home/znc"
	fstype: "tmpfs"
	rw: true
	is_bind: false
}

mount {
	prefix_src_env: "HOME"
	src: "/.znc"
	dst: "/home/znc/.znc"
	rw: true
	is_bind: true
	mandatory: true
}

seccomp_string: "KILL_PROCESS {"
seccomp_string: "	ptrace,"
seccomp_string: "	process_vm_readv,"
seccomp_string: "	process_vm_writev"
seccomp_string: "}"
seccomp_string: "DEFAULT ALLOW"

exec_bin {
	path: "/usr/bin/znc"
	arg: "-f"
	exec_fd: true
}