diff options
Diffstat (limited to 'etc/sandbox.conf')
-rw-r--r-- | etc/sandbox.conf | 80 |
1 files changed, 80 insertions, 0 deletions
diff --git a/etc/sandbox.conf b/etc/sandbox.conf new file mode 100644 index 0000000..d6ae4bf --- /dev/null +++ b/etc/sandbox.conf @@ -0,0 +1,80 @@ +# Sandbox main configuration file + +# Note that configuration parser is fairly basic, so try to keep things simple. + +# +# BASIC Section +# + +# Basic sandbox configuration. Sandbox will use values here if not already set +# in the environment. Assignment works like bash variable assignment (ie, last +# value assigned to the variable is used). + +# SANDBOX_VERBOSE +# +# Determine if sandbox print access violations, or if debugging is enabled, +# it will also print allowed operations. Default is "yes" +#SANDBOX_VERBOSE="yes" + +# SANDBOX_DEBUG +# +# In addition to the normal log, a debug log is also written containing all +# operations caught by sandbox. Default is "no" +#SANDBOX_DEBUG="no" + +# SANDBOX_BEEP +# +# The amount of beeps sandbox will issue when it exits with access violations +# after printing the normal log. Default is "3" +#SANDBOX_BEEP=3 + +# NOCOLOR +# +# Determine the use of color in the output. Default is "false" (ie, use color) +#NOCOLOR="false" + + +# +# ACCESS Section +# + +# The next section contain rules for access. It works a bit different from the +# previous section in that values assigned to variables stack. Also since these +# do NOT get overridded by values already set in the environment, but rather +# those get added. +# +# If you want values that only get set if one of the variables are not already +# present in the environment, place a file in /etc/sandbox.d/ (replace /etc +# with what sysconfdir was configured to). +# +# Another difference from above, is that these support simple variable name +# substitution. Variable names must be in the form of '${variable}' (without +# the ''). It is very basic, so no command substitution, etc is supported. +# +# The values consists of the respective paths seperated by a colon (:) +# +# SANDBOX_DENY - all access to respective paths are denied +# +# SANDBOX_READ - can read respective paths +# +# SANDBOX_WRITE - can write to respective paths +# +# SANDBOX_PREDICT - respective paths are not writable, but no access violation +# will be issued in the case of a write +# + +# Needed for stdout, stdin and stderr +SANDBOX_WRITE="/dev/fd:/proc/self/fd" +# Common device nodes +SANDBOX_WRITE="/dev/zero:/dev/null:/dev/full" +# Console device nodes +SANDBOX_WRITE="/dev/console:/dev/tty:/dev/vc/:/dev/pty:/dev/tts" +# Device filesystems +SANDBOX_WRITE="/dev/pts/:/dev/shm" +# Tempory storage +SANDBOX_WRITE="/tmp/:/var/tmp/" +# Needed for shells +SANDBOX_WRITE="${HOME}/.bash_history" + +# Usually writes in /home should not cause violations +SANDBOX_PREDICT="${HOME}" |