# Sandbox main configuration file

# Note that the configuration parser is fairly basic, so try to keep things simple.

#
# BASIC Section
#

# Basic sandbox configuration. Sandbox will use values here if not already set
# in the environment.  Assignment works like bash variable assignment (ie, last
# value assigned to the variable is used).

# SANDBOX_VERBOSE
#
#  Determines whether sandbox prints access violations; if debugging is
#  enabled, it also prints allowed operations.  Default is "yes"
#SANDBOX_VERBOSE="yes"

# SANDBOX_DEBUG
#
#  In addition to the normal log, a debug log is also written containing all
#  operations caught by sandbox.  Default is "no"
#SANDBOX_DEBUG="no"

# SANDBOX_BEEP
#
#  The number of beeps sandbox will issue when it exits with access violations,
#  after printing the normal log.  Default is "3"
#SANDBOX_BEEP=3

# NOCOLOR
#
#  Determines whether color is used in the output.  Default is "false" (ie, use color)
#NOCOLOR="false"


#
# ACCESS Section
#

# The next section contains rules for access.  It works a bit differently from
# the previous section in that values assigned to variables stack.  These also
# do NOT get overridden by values already set in the environment; instead,
# those values get added.
#
# If you want values that only get set if one of the variables are not already
# present in the environment, place a file in /etc/sandbox.d/ (replace /etc
# with what sysconfdir was configured to).
#
# Another difference from above is that these support simple variable name
# substitution.  Variable names must be in the form '${variable}' (without the
# quotes).  It is very basic, so no command substitution, etc. is supported.
#
# The values consist of the respective paths separated by a colon (:)
#
# SANDBOX_DENY - all access to the respective paths is denied
#
# SANDBOX_READ - can read respective paths
#
# SANDBOX_WRITE - can write to respective paths
#
# SANDBOX_PREDICT - respective paths are not writable, but no access violation
#                   will be issued in the case of a write
#

# Each SANDBOX_WRITE assignment below ADDS to the list rather than replacing it
# (values in the ACCESS section stack, see the notes above).
#
# Needed for stdout, stdin and stderr
SANDBOX_WRITE="/dev/fd:/proc/self/fd"
# Common device nodes
SANDBOX_WRITE="/dev/zero:/dev/null:/dev/full"
# Console device nodes
SANDBOX_WRITE="/dev/console:/dev/tty:/dev/vc/:/dev/pty:/dev/tts"
# Device filesystems
SANDBOX_WRITE="/dev/pts/:/dev/shm"
# Temporary storage: writes under these paths are permitted and therefore
# never reported as access violations.
SANDBOX_WRITE="/tmp/:/var/tmp/"
# Needed for shells.  '${HOME}' is expanded by the parser's simple variable
# substitution described in the ACCESS section above.
SANDBOX_WRITE="${HOME}/.bash_history"

# Usually writes in /home should not cause violations.
# NOTE: this is PREDICT, not WRITE -- per the SANDBOX_PREDICT description above,
# paths under ${HOME} are not writable; a write there is refused but no access
# violation is reported.  Only ${HOME}/.bash_history (listed above) is writable.
SANDBOX_PREDICT="${HOME}"