aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat (limited to 'etc/sandbox.conf')
-rw-r--r--etc/sandbox.conf80
1 files changed, 80 insertions, 0 deletions
diff --git a/etc/sandbox.conf b/etc/sandbox.conf
new file mode 100644
index 0000000..d6ae4bf
--- /dev/null
+++ b/etc/sandbox.conf
@@ -0,0 +1,80 @@
+# Sandbox main configuration file
+
+# Note that configuration parser is fairly basic, so try to keep things simple.
+
+#
+# BASIC Section
+#
+
+# Basic sandbox configuration. Sandbox will use values here if not already set
+# in the environment. Assignment works like bash variable assignment (ie, last
+# value assigned to the variable is used).
+
+# SANDBOX_VERBOSE
+#
+# Determine if sandbox print access violations, or if debugging is enabled,
+# it will also print allowed operations. Default is "yes"
+#SANDBOX_VERBOSE="yes"
+
+# SANDBOX_DEBUG
+#
+# In addition to the normal log, a debug log is also written containing all
+# operations caught by sandbox. Default is "no"
+#SANDBOX_DEBUG="no"
+
+# SANDBOX_BEEP
+#
+# The amount of beeps sandbox will issue when it exits with access violations
+# after printing the normal log. Default is "3"
+#SANDBOX_BEEP=3
+
+# NOCOLOR
+#
+# Determine the use of color in the output. Default is "false" (ie, use color)
+#NOCOLOR="false"
+
+
+#
+# ACCESS Section
+#
+
+# The next section contain rules for access. It works a bit different from the
+# previous section in that values assigned to variables stack. Also since these
+# do NOT get overridded by values already set in the environment, but rather
+# those get added.
+#
+# If you want values that only get set if one of the variables are not already
+# present in the environment, place a file in /etc/sandbox.d/ (replace /etc
+# with what sysconfdir was configured to).
+#
+# Another difference from above, is that these support simple variable name
+# substitution. Variable names must be in the form of '${variable}' (without
+# the ''). It is very basic, so no command substitution, etc is supported.
+#
+# The values consists of the respective paths seperated by a colon (:)
+#
+# SANDBOX_DENY - all access to respective paths are denied
+#
+# SANDBOX_READ - can read respective paths
+#
+# SANDBOX_WRITE - can write to respective paths
+#
+# SANDBOX_PREDICT - respective paths are not writable, but no access violation
+# will be issued in the case of a write
+#
+
+# Needed for stdout, stdin and stderr
+SANDBOX_WRITE="/dev/fd:/proc/self/fd"
+# Common device nodes
+SANDBOX_WRITE="/dev/zero:/dev/null:/dev/full"
+# Console device nodes
+SANDBOX_WRITE="/dev/console:/dev/tty:/dev/vc/:/dev/pty:/dev/tts"
+# Device filesystems
+SANDBOX_WRITE="/dev/pts/:/dev/shm"
+# Tempory storage
+SANDBOX_WRITE="/tmp/:/var/tmp/"
+# Needed for shells
+SANDBOX_WRITE="${HOME}/.bash_history"
+
+# Usually writes in /home should not cause violations
+SANDBOX_PREDICT="${HOME}"