# Example config for nsjail
#
# Purpose: run an X11 GUI tool (the description's example is geeqie) in a jail
# whose only view of the user's data is a bind mount of $HOME/Documents at
# /user/Documents.
#
# Review notes on what this policy does and does not contain:
#  - No network option is set in this file. The "no networking" statement in
#    the description presumably relies on nsjail's default of creating a new,
#    empty network namespace (clone_newnet) - confirm for the version in use.
#  - The host X11 socket directory is bind-mounted read-write. Core X11 does
#    not isolate clients from one another, so a jailed program that can talk
#    to the X server is not separated from the rest of the desktop session
#    (input, screen contents, clipboard). Treat this policy as a
#    filesystem/network sandbox, not as isolation from the display.
#  - The seccomp policy is a three-syscall denylist with DEFAULT ALLOW, so
#    containment comes mainly from the namespaces, the mount table and the
#    rlimits below.

name: "documents-with-xorg"

# "description" is a repeated field; each entry is one line of help text.
description: "This policy allows to run many X-org based tool, which are allowed"
description: "to access $HOME/Documents directory only. An example of use is:"
description: ""
description: "./nsjail --config configs/documents-with-xorg.cfg -- \\"
description: " /usr/bin/geeqie /user/Documents/"
description: ""
description: "What is more, this policy doesn't allow to access networking."

# Run the target command a single time and exit (no listening mode).
mode: ONCE
# Hostname seen inside the jail.
hostname: "NSJAIL"
# Working directory inside the jail; /user is the tmpfs mounted below.
cwd: "/user"

# Wall-clock limit for the jailed process, in seconds.
time_limit: 1000

# Environment inside the jail. An entry without "=" ("DISPLAY") is passed
# through with its current value from the environment nsjail is started in;
# the other two are set to fixed in-jail paths.
envar: "DISPLAY"
envar: "HOME=/user"
envar: "TMP=/tmp"

# Resource limits: rlimit_as and rlimit_fsize are in MiB, rlimit_cpu is in
# seconds, rlimit_nofile is a file-descriptor count.
rlimit_as: 2048
rlimit_cpu: 1000
rlimit_fsize: 1024
# NOTE(review): 16 descriptors is a tight cap for a GUI client - verify it is
# enough for the tool being run before relying on this policy.
rlimit_nofile: 16

# Host system directories. None of these sets "rw", so they are read-only
# inside the jail (rw defaults to false). Entries with "mandatory: false" are
# optional: a missing source on the host is not treated as a fatal error.
# Every binary under /bin and /usr/bin is visible and executable in the jail.
mount {
  src: "/lib"
  dst: "/lib"
  is_bind: true
}

mount {
  src: "/lib64"
  dst: "/lib64"
  is_bind: true
  mandatory: false
}

mount {
  src: "/lib32"
  dst: "/lib32"
  is_bind: true
  mandatory: false
}

mount {
  src: "/bin"
  dst: "/bin"
  is_bind: true
}

mount {
  src: "/usr/bin"
  dst: "/usr/bin"
  is_bind: true
}

mount {
  src: "/usr/share"
  dst: "/usr/share"
  is_bind: true
}

mount {
  src: "/usr/lib"
  dst: "/usr/lib"
  is_bind: true
}

mount {
  src: "/usr/lib64"
  dst: "/usr/lib64"
  is_bind: true
  mandatory: false
}

mount {
  src: "/usr/lib32"
  dst: "/usr/lib32"
  is_bind: true
  mandatory: false
}

# Fresh writable tmpfs mounts; nothing here is backed by a host directory.
# /tmp and /user are declared before the bind mounts that land inside them
# (/tmp/.X11-unix and /user/Documents). Presumably mounts are applied in file
# order, so keep this ordering when editing.
mount {
  dst: "/tmp"
  fstype: "tmpfs"
  rw: true
}

mount {
  dst: "/dev/shm"
  fstype: "tmpfs"
  rw: true
}

mount {
  dst: "/user"
  fstype: "tmpfs"
  rw: true
}

# The only user data exposed to the jail. prefix_src_env prepends the value of
# the named host environment variable, so the source is $HOME/Documents.
# "rw" is not set, so as written the directory is read-only inside the jail.
# HOME is read from the environment nsjail is launched from, so that
# environment decides which directory is exposed.
mount {
  prefix_src_env: "HOME"
  src: "/Documents"
  dst: "/user/Documents"
  is_bind: true
}

# Host X11 socket directory, read-write. This is the jail's channel to the
# display server and the main gap in the isolation (see the header notes).
# NOTE(review): no Xauthority file is mounted or passed via envar, so whether
# the connection is accepted depends on the host X server's access control -
# confirm.
mount {
  src: "/tmp/.X11-unix"
  dst: "/tmp/.X11-unix"
  is_bind: true
  rw: true
}

# Individual device nodes are bound instead of exposing the host /dev.
mount {
  src: "/dev/null"
  dst: "/dev/null"
  is_bind: true
  rw: true
}

mount {
  src: "/dev/random"
  dst: "/dev/random"
  is_bind: true
  rw: true
}

mount {
  src: "/dev/urandom"
  dst: "/dev/urandom"
  is_bind: true
  rw: true
}

# Read-only view of the host account database; presumably present so uid/name
# lookups work. It also reveals the host's account names to the jailed program.
mount {
  src: "/etc/passwd"
  dst: "/etc/passwd"
  is_bind: true
}

# Kafel seccomp policy, assembled from the repeated strings in order:
# kill the process on ptrace, process_vm_readv or process_vm_writev, and
# allow every other syscall. This is a denylist; a policy that is meant to
# confine untrusted code would normally enumerate the allowed syscalls instead.
seccomp_string: "KILL_PROCESS {"
seccomp_string: " ptrace,"
seccomp_string: " process_vm_readv,"
seccomp_string: " process_vm_writev"
seccomp_string: "}"
seccomp_string: "DEFAULT ALLOW"