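# nsjail configuration (protobuf text format): demo jail for Google Chrome.
#
# Security summary of what this file configures:
#   - Chrome is started with --no-sandbox, so the jail is the only
#     containment layer around the browser.
#   - clone_newnet is false, so the browser shares the host's network
#     namespace.
#   - The seccomp policy is DEFAULT ALLOW with three syscalls killed.
# The repeated `description` strings below are the policy's own
# human-readable notes.
name: "chrome-with-net"

description: "Don't use for anything serious - this is just a demo policy. See notes"
description: "at the end of this description for more."
description: ""
description: "This policy allows to run Chrome inside a jail. Access to networking is"
description: "permitted with this setup (clone_newnet: false)."
description: ""
# The home directories named here match the bind mounts in this file:
# $HOME/.config/google-chrome and $HOME/Documents, both mounted rw.
# Nothing in this file mounts $HOME/.mozilla.
description: "The only permitted home directories are $HOME/.config/google-chrome and"
description: "$HOME/Documents."
description: "The rest of available on the FS files/dires are libs and X-related files/dirs."
description: ""
description: "Run as:"
description: ""
description: "./nsjail --config configs/chrome-with-net.cfg"
description: ""
description: "You can then go to https://uploadfiles.io/ and try to upload a file in order"
description: "to see how your local directory (also, all system directories) look like."
description: ""
description: "Note: Using this profile for anything serious is *A VERY BAD* idea. Chrome"
description: "provides excellent FS&syscall sandbox for Linux, as this profile disables"
description: "this sandboxing with --no-sandbox and substitutes Chrome's syscall/ns policy"
description: "with more relaxed namespacing."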
# Jail settings for the Chrome demo: execution mode, environment, resource
# limits, namespaces, the mount table, the seccomp policy and the command.

# ONCE: launch a single jailed process.
mode: ONCE
hostname: "CHROME"
# Working directory inside the jail; /user is the tmpfs mounted below.
cwd: "/user"

# 0 disables the wall-clock time limit, so the browser runs until it exits.
time_limit: 0

# Environment seen inside the jail. HOME is the in-jail tmpfs, not the
# host home directory. DISPLAY=:0 corresponds to the X0 socket bound below.
envar: "HOME=/user"
envar: "DISPLAY=:0"
envar: "TMP=/tmp"

# Resource limits. Per the nsjail config schema, rlimit_as and rlimit_fsize
# are in MiB and rlimit_cpu is in seconds; rlimit_nofile is a descriptor
# count.
rlimit_as: 4096
rlimit_cpu: 1000
rlimit_fsize: 1024
rlimit_nofile: 1024

# No new network namespace: the jailed browser uses the host's network
# stack. That includes services bound to the host's loopback interface
# and whatever local networks the host can reach.
clone_newnet: false

# Mount table. Entries are listed in the order given here; later entries
# (the $HOME binds, the X11 socket) land on top of the tmpfs mounts that
# precede them. Bind mounts without `rw: true` are read-only. With
# `mandatory: false`, a mount that fails (e.g. missing source) is not
# fatal.
mount {
  dst: "/proc"
  fstype: "proc"
}

# Host libraries, binaries and shared data, read-only.
mount {
  src: "/lib"
  dst: "/lib"
  is_bind: true
}

mount {
  src: "/usr/lib"
  dst: "/usr/lib"
  is_bind: true
}

mount {
  src: "/lib64"
  dst: "/lib64"
  is_bind: true
  mandatory: false
}

mount {
  src: "/lib32"
  dst: "/lib32"
  is_bind: true
  mandatory: false
}

mount {
  src: "/bin"
  dst: "/bin"
  is_bind: true
}

mount {
  src: "/usr/bin"
  dst: "/usr/bin"
  is_bind: true
}

mount {
  src: "/opt/google/chrome"
  dst: "/opt/google/chrome"
  is_bind: true
}

mount {
  src: "/usr/share"
  dst: "/usr/share"
  is_bind: true
}

# Device nodes, bound writable.
mount {
  src: "/dev/urandom"
  dst: "/dev/urandom"
  is_bind: true
  rw: true
}

mount {
  src: "/dev/null"
  dst: "/dev/null"
  is_bind: true
  rw: true
}

mount {
  src: "/dev/fd/"
  dst: "/dev/fd/"
  is_bind: true
  rw: true
}

# Host resolver configuration, read-only. Name resolution is needed
# because networking is left enabled above.
mount {
  src: "/etc/resolv.conf"
  dst: "/etc/resolv.conf"
  is_bind: true
  mandatory: false
}

# Fresh tmpfs instances: nothing from the host's /tmp, /dev/shm or home
# directory is visible except what is explicitly bound on top below.
mount {
  dst: "/tmp"
  fstype: "tmpfs"
  rw: true
  is_bind: false
}

mount {
  dst: "/dev/shm"
  fstype: "tmpfs"
  rw: true
  is_bind: false
}

mount {
  dst: "/user"
  fstype: "tmpfs"
  rw: true
}

# prefix_src_env prepends the value of $HOME to `src`, so these two
# entries expose $HOME/Documents and $HOME/.config/google-chrome.
# Both are writable: the jailed browser can read and modify every file
# in them. These are the only host home directories in the mount table.
mount {
  prefix_src_env: "HOME"
  src: "/Documents"
  dst: "/user/Documents"
  rw: true
  is_bind: true
  mandatory: false
}

# Chrome's per-user profile directory on Linux. It is shared with any
# unjailed Chrome run by the same user.
mount {
  prefix_src_env: "HOME"
  src: "/.config/google-chrome"
  dst: "/user/.config/google-chrome"
  is_bind: true
  rw: true
  mandatory: false
}

# Socket of the host X server for display :0. NOTE(review): X11 does not
# isolate clients on the same display from one another, so this bind is a
# channel out of the jail. Consider a nested or separate X server when
# the browser's content is not trusted.
mount {
  src: "/tmp/.X11-unix/X0"
  dst: "/tmp/.X11-unix/X0"
  is_bind: true
}

# Seccomp policy (kafel syntax), written as a denylist: ptrace,
# process_vm_readv and process_vm_writev kill the process, and every other
# syscall is allowed by the DEFAULT ALLOW clause. This is far broader than
# an allowlist and is part of why the description calls this a demo
# profile.
seccomp_string: " POLICY example {"
seccomp_string: " KILL {"
seccomp_string: " ptrace,"
seccomp_string: " process_vm_readv,"
seccomp_string: " process_vm_writev"
seccomp_string: " }"
seccomp_string: " }"
seccomp_string: " USE example DEFAULT ALLOW"

# Command run inside the jail. --no-sandbox turns off Chrome's own
# sandbox, so a compromised renderer is held back only by the namespaces,
# mounts and seccomp policy configured in this file.
exec_bin {
  path: "/opt/google/chrome/google-chrome"
  arg: "--no-sandbox"
}