# Sandbox main configuration file
# Note that the configuration parser is fairly basic, so try to keep things simple.
#
# BASIC Section
#
# Basic sandbox configuration. Sandbox will use values here if not already set
# in the environment. Assignment works like bash variable assignment (ie, last
# value assigned to the variable is used).

# SANDBOX_VERBOSE
#
# Determines whether sandbox prints access violations; if debugging is enabled,
# it will also print allowed operations. Default is "yes"
#SANDBOX_VERBOSE="yes"

# SANDBOX_DEBUG
#
# In addition to the normal log, a debug log is also written containing all
# operations caught by sandbox. Default is "no"
#SANDBOX_DEBUG="no"

# SANDBOX_BEEP
#
# The number of beeps sandbox will issue when it exits with access violations
# after printing the normal log. Default is "3"
#SANDBOX_BEEP=3

# NOCOLOR
#
# Determines the use of color in the output. Default is "false" (ie, use color)
#NOCOLOR="false"

#
# ACCESS Section
#
# The next section contains rules for access. It works a bit differently from
# the previous section in that values assigned to variables stack. Also, these
# do NOT get overridden by values already set in the environment; rather,
# those get added. Because of this, entries already present in the environment
# widen the effective access lists, so check the calling environment as well as
# this file when reviewing what is writable.
#
# If you want values that only get set if one of the variables is not already
# present in the environment, place a file in /etc/sandbox.d/ (replace /etc
# with what sysconfdir was configured to).
#
# Another difference from the above is that these support simple variable name
# substitution. Variable names must be in the form of '${variable}' (without
# the quotes). It is very basic, so command substitution etc. is not supported.
# # The values consists of the respective paths seperated by a colon (:) # # SANDBOX_DENY - all access to respective paths are denied # # SANDBOX_READ - can read respective paths # # SANDBOX_WRITE - can write to respective paths # # SANDBOX_PREDICT - respective paths are not writable, but no access violation # will be issued in the case of a write # # Needed for stdout, stdin and stderr SANDBOX_WRITE="/dev/fd:/proc/self/fd" # Common device nodes SANDBOX_WRITE="/dev/zero:/dev/null:/dev/full" # Console device nodes SANDBOX_WRITE="/dev/console:/dev/tty:/dev/vc/:/dev/pty:/dev/tts" # Device filesystems SANDBOX_WRITE="/dev/pts/:/dev/shm" # Tempory storage SANDBOX_WRITE="/tmp/:/var/tmp/" # Needed for shells SANDBOX_WRITE="${HOME}/.bash_history"