# Example config for nsjail name: "firefox-with-cloned-net" description: "This policy allows to run firefox inside a jail on a separate eth interface." description: "A separate networking context separates process from the global \"lo\", and" description: "from global abstract socket namespace." description: "" description: "The only permitted home directory is $HOME/.mozilla and $HOME/Documents." description: "The rest of available on the FS files/dires are libs and X-related files/dirs." description: "" description: "As this needs to be run as root, you will have to set-up correct uid&gid" description: "mappings (here: jagger), name of your local interface (here: 'enp0s31f6')," description: "and correct IPv4 addresses." description: "" description: "IPv6 should work out-of-the-box, given that your local IPv6 discovery is set" description: "up correctly." description: "" description: "Run as:" description: "" description: "sudo ./nsjail --config configs/firefox-with-cloned-net.cfg" description: "" description: "You can then go to https://uploadfiles.io/ and try to upload a file in order" description: "to see how your local directory (also, all system directories) look like." mode: ONCE hostname: "FF-MACVTAP" cwd: "/user" time_limit: 0 envar: "HOME=/user" envar: "DISPLAY" envar: "TMP=/tmp" envar: "FONTCONFIG_FILE=/etc/fonts/fonts.conf" envar: "FC_CONFIG_FILE=/etc/fonts/fonts.conf" rlimit_as: 4096 rlimit_cpu: 1000 rlimit_fsize: 1024 rlimit_nofile: 512 uidmap { inside_id: "9999999" outside_id: "jagger" } gidmap { inside_id: "9999999" outside_id: "jagger" } mount { dst: "/proc" fstype: "proc" rw: true } mount { src: "/lib" dst: "/lib" is_bind: true } mount { src: "/usr/lib" dst: "/usr/lib" is_bind: true } mount { src: "/lib64" dst: "/lib64" is_bind: true mandatory: false } mount { src: "/lib32" dst: "/lib32" is_bind: true mandatory: false } mount { src: "/usr/lib/firefox" dst: "/usr/lib/firefox" is_bind: true } mount { src: "/usr/bin/firefox" dst: "/usr/bin/firefox" is_bind: true } mount { src: "/usr/share" dst: "/usr/share" is_bind: true } mount { src_content: "\n\n/usr/share/fonts/tmp/fontconfig" dst: "/etc/fonts/fonts.conf" } mount { src: "/dev/urandom" dst: "/dev/urandom" is_bind: true rw: true } mount { src: "/dev/null" dst: "/dev/null" is_bind: true rw: true } mount { src_content: "nameserver 8.8.8.8" dst: "/etc/resolv.conf" } mount { dst: "/tmp" fstype: "tmpfs" rw: true is_bind: false } mount { dst: "/dev/shm" fstype: "tmpfs" rw: true is_bind: false } mount { dst: "/user" fstype: "tmpfs" rw: true } mount { prefix_src_env: "HOME" src: "/Documents" dst: "/user/Documents" rw: true is_bind: true mandatory: false } mount { prefix_src_env: "HOME" src: "/.mozilla" dst: "/user/.mozilla" is_bind: true rw: true mandatory: false } mount { src: "/tmp/.X11-unix/X0" dst: "/tmp/.X11-unix/X0" is_bind: true } seccomp_string: "KILL_PROCESS {" seccomp_string: " ptrace," seccomp_string: " process_vm_readv," seccomp_string: " process_vm_writev" seccomp_string: "}" seccomp_string: "DEFAULT ALLOW" macvlan_iface: "enp0s31f6" macvlan_vs_ip: "192.168.10.223" macvlan_vs_nm: "255.255.255.0" macvlan_vs_gw: "192.168.10.1" exec_bin { path: "/usr/lib/firefox/firefox" }