name: "firefox-with-net" description: " This policy allows to run firefox inside a jail. Access to networking is permitted with thise setup (disable clone_newnet). The only permitted home directory is $HOME/.mozilla and $HOME/Documents. The rest of available FS-resources are system and X-related files/dirs. Run as: ./nsjail --config configs/firefox-with-net.cfg You can then go to https://uploadfiles.io/ and try to upload a file in order to see how your local directory (also, all system directories) look like. " mode: ONCE hostname: "FIREFOX" cwd: "/user" time_limit: 0 envar: "HOME=/user" envar: "DISPLAY=:0" rlimit_as: 4096 rlimit_cpu: 1000 rlimit_fsize: 1024 rlimit_nofile: 128 clone_newnet: false mount { dst: "/proc" fstype: "proc" } mount { src: "/lib" dst: "/lib" is_bind: true } mount { src: "/bin" dst: "/bin" is_bind: true } mount { src: "/sbin" dst: "/sbin" is_bind: true } mount { src: "/usr" dst: "/usr" is_bind: true } mount { src: "/lib64" dst: "/lib64" is_bind: true mandatory: false } mount { src: "/lib32" dst: "/lib32" is_bind: true mandatory: false } mount { src: "/usr/lib/firefox" dst: "/usr/lib/firefox" is_bind: true } mount { src: "/dev/urandom" dst: "/dev/urandom" is_bind: true rw: true } mount { src: "/run/resolvconf/resolv.conf" dst: "/etc/resolv.conf" is_bind: true mandatory: false } mount { src: "/run/resolv.conf" dst: "/etc/resolv.conf" is_bind: true mandatory: false } mount { dst: "/tmp" fstype: "tmpfs" rw: true is_bind: false } mount { dst: "/user" fstype: "tmpfs" rw: true } mount { prefix_src_env: "HOME" src: "/Documents" dst: "/user/Documents" rw: true is_bind: true mandatory: false } mount { prefix_src_env: "HOME" src: "/.mozilla" dst: "/user/.mozilla" is_bind: true rw: true mandatory: false } mount { dst: "/user/.cache" fstype: "tmpfs" rw: true } mount { src: "/tmp/.X11-unix/X0" dst: "/tmp/.X11-unix/X0" is_bind: true } seccomp_string: " POLICY example { KILL { ptrace, process_vm_readv, process_vm_writev } } USE example DEFAULT ALLOW " exec_bin { path: "/usr/bin/firefox" }