├── .gitignore
├── COPYING
├── README.md
├── aa-profiles
│   ├── home.sandboxing.bash
│   ├── home.sandboxing.bash-dev
│   ├── home.sandboxing.bash-hide-net
│   ├── home.sandboxing.chromium
│   ├── home.sandboxing.chromium-tmp
│   ├── home.sandboxing.deluge
│   ├── home.sandboxing.discord
│   ├── home.sandboxing.eom-ro
│   ├── home.sandboxing.firefox
│   ├── home.sandboxing.firefox-private
│   ├── home.sandboxing.firefox-tmp
│   ├── home.sandboxing.okular-ro
│   ├── home.sandboxing.okular-rw
│   └── home.sandboxing.thunderbird
├── add_aa_profiles.sh
├── add_links.sh
├── firefox-hardening
│   ├── local-settings.js
│   └── systemwide_user.js
├── gen
│   ├── .gitignore
│   ├── .ocamlformat
│   ├── Makefile
│   ├── dune-project
│   ├── sandboxing_gen.opam
│   └── src
│       ├── aa.ml
│       ├── bwrap.ml
│       ├── commands.ml
│       ├── config.ml
│       ├── dune
│       ├── gen.ml
│       ├── profile.ml
│       ├── profile_components.ml
│       ├── profiles.ml
│       ├── runner.ml
│       └── seccomp_bpf.ml
├── runners
│   ├── archive-handling.c
│   ├── bash-dev.c
│   ├── bash-hide-home-hide-net.c
│   ├── bash-hide-home.c
│   ├── bash-hide-net.c
│   ├── bash-loose-hide-home.c
│   ├── bash.c
│   ├── chromium-tmp.c
│   ├── chromium.c
│   ├── deluge.c
│   ├── discord.c
│   ├── eom-ro.c
│   ├── firefox-private-arch.c
│   ├── firefox-private.c
│   ├── firefox-tmp.c
│   ├── firefox.c
│   ├── make-workspace.c
│   ├── okular-ro.c
│   ├── okular-rw.c
│   └── thunderbird.c
├── scripts
│   ├── bash-dev.sh
│   ├── bash-hide-net.sh
│   ├── bash.sh
│   ├── chromium-tmp.sh
│   ├── chromium.sh
│   ├── deluge.sh
│   ├── discord.sh
│   ├── eom-ro.sh
│   ├── firefox-private.sh
│   ├── firefox-tmp.sh
│   ├── firefox.sh
│   ├── okular-ro.sh
│   ├── okular-rw.sh
│   └── thunderbird.sh
└── seccomp-bpfs
    ├── bash-dev.c
    ├── bash-hide-net.c
    ├── bash.c
    ├── chromium-tmp.c
    ├── chromium.c
    ├── deluge.c
    ├── discord.c
    ├── eom-ro.c
    ├── firefox-private.c
    ├── firefox-tmp.c
    ├── firefox.c
    ├── okular-ro.c
    ├── okular-rw.c
    └── thunderbird.c

/.gitignore:
--------------------------------------------------------------------------------
runners/*.runner
seccomp-bpfs/*.exe
seccomp-bpfs/*.bpf
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Sandboxing

Scripts, files and tools related to sandboxing

## Description

This sandboxing suite primarily targets desktop use, but may include assets for server use

The scripts and files in this repo are designed to be readily usable on most systems

- You only have to install the OCaml toolchain if you want to develop upon the generator

Basics

- Private home for programs
- Shell interpreter access is removed in the sandbox
- Access to a number of binaries is minimized (via bubblewrap and AppArmor)
- Fairly strict seccomp filters are supplied to bubblewrap
- Fairly strict AppArmor profiles are generated

Note that some profiles assume usage of Wayland

## Install

Simply `git clone https://github.com/darrenldl/sandboxing.git` in home

Your system needs to have `bubblewrap`, `gcc` and `apparmor` to run the scripts

## Installation

__Important__: Please make sure the following directories are not already in use in your `$HOME`

- `sandboxing/`
- `sandboxes/`
- `sandbox-logs/`

All bash scripts in the `scripts/` directory should work out of the box on most Linux distros

The scripts assume they stay in their original positions in the local copy of the repository, however

One can invoke them via the full path

```
./sandboxing/scripts/firefox.sh &
```

or use `add_links.sh DEST` to create symlinks to the scripts

```
./sandboxing/add_links.sh ~/.bin # say ~/.bin is in our PATH variable
sandbox-firefox-private &        # all symlinks are prefixed with "sandbox-" to allow easy removal
                                 # and avoid shadowing
```

## General usage

Invoke the script directly (or via symlink);
stdout is stored as `~/sandboxing-sandbox-logs/profile/*.stdout`,
stderr is stored as `~/sandboxing-sandbox-logs/profile/*.stderr`

See the following section for profile-specific usage

## Profiles

Only the listed profiles are considered stable

The following serves as a rough description only; check the scripts directly to see if they fit your needs

#### Internet

- `firefox`
  - Persistent home as `~/sandboxing-sandboxes/firefox` on host
- `firefox-tmp`
  - No persistent home
  - Temporary persistent `Downloads` folder in sandbox home, created as a temporary directory under `/tmp` on host
    - This is the only directory that host and sandbox share
  - Is __NOT__ hardened against tracking/fingerprinting
- `firefox-private`
  - Same as `firefox-tmp`, but uses the hardened `user.js` transparently (should work on most Linux distros)
  - __Important__: Please check that the `user.js` is indeed loaded correctly, see https://github.com/pyllyukko/user.js/#verifying for how to verify
- `thunderbird`
  - Persistent home as `~/sandboxing-sandboxes/thunderbird` on host
- `discord`
  - Persistent home as `~/sandboxing-sandboxes/discord` on host
  - AppArmor profile not usable yet

#### PDF reading

- `okular-ro`
  - No persistent home
  - Accepts exactly one argument for the file to be read, e.g. `sandbox-okular-ro file.pdf`
  - RO mounts only the specified PDF file in sandbox home
  - No network access

- `okular-rw`
  - No persistent home
  - Accepts exactly one argument for the file to be read, e.g. `sandbox-okular-rw file.pdf`
  - RW mounts only the specified PDF file in sandbox home
  - No network access

#### Image viewing

- `eom-ro`
  - No persistent home
  - Accepts exactly one argument for the file to be read, e.g. `sandbox-eom-ro file.png`
  - RO mounts only the specified file in sandbox home
  - No network access

## Development

#### TODO

- Make each sandbox use a separate user (not sure yet)

- Transition to syscall whitelist instead of blacklist

- Network namespace set up with routing and DNS

#### WIP

- Discord AppArmor profile

#### Index

- `aa-profiles/` contains the generated AppArmor profiles
- `firefox-hardening/` contains files specific to Firefox
- `gen/` contains the OCaml code responsible for generating the bubblewrap scripts and generating the seccomp BPF generator C code
- `runners/` contains the generated runner C code
- `scripts/` contains the generated bubblewrap scripts
- `seccomp-bpfs/` contains the generated seccomp BPF generator C code

See `gen/src/profiles.ml` for existing profiles

Run `make run` in `bw-script-gen/` to generate scripts after making updates to the profiles

## Acknowledgements

Some components (e.g. bubblewrap scripts, seccomp filter blacklist) are based on the following repo

- https://github.com/valoq/bwscripts

AppArmor profile generation, seccomp filter whitelist, and other design choices are based on the following repo

- https://github.com/Whonix/sandbox-app-launcher

Files in `firefox-hardening/` are from the following repo

- https://github.com/pyllyukko/user.js/
--------------------------------------------------------------------------------

/aa-profiles/home.sandboxing.bash:
--------------------------------------------------------------------------------
abi ,

include

profile /home/sandbox/bash.runner {
  capability sys_chroot,

  # Runner self access
  /home/sandbox/bash.runner r,

  # Sandbox access
  /home/sandbox/ r,
  /home/sandbox/** rwlk,
  deny /home/sandbox/** xm,
  deny /{,var/}/tmp/** xm,
  deny /dev/shm/** m,
  deny /sys/fs/cgroup/** m,

  /usr/bin/env ix,

  / r,

  unix,

  network,

  dbus bus=session,

  # Programs and libraries
  /usr/ r,
  /{,usr/,usr/local/}{,s}bin/ r,
  /{,usr/,usr/local/}{,s}bin/** rpix,
  /{,usr/,usr/local/}lib{,32,64}/ r,
  /{,usr/,usr/local/}lib{,32,64}/** rmpix,
  /usr/{,local/}{share,include}/ r,
  /usr/{,local/}{share,include}/** rpix,

  # Sysfs
  /sys/ r,
  /sys/devices/ r,
  /sys/devices/**/{uevent,config} r,
  /sys/devices/pci[0-9]*/**/ r,
  /sys/devices/pci[0-9]*/**/{resource,boot_vga,class,vendor,device,irq,revision,subsystem_vendor,port_no} r,
  /sys/devices/pci[0-9]*/**/drm/**/{,enabled,status} r,
  /sys/devices/pci[0-9]*/**/sound/**/pcm_class r,
  /sys/devices/pci[0-9]*/**/backlight/**/* r,
  /sys/devices/virtual/tty/tty[0-9]*/active r,
  /sys/devices/virtual/tty/console/active r,
  /sys/devices/virtual/dmi/id/{sys,board,bios}_vendor r,
  /sys/devices/virtual/dmi/id/product_name r,
  /sys/devices/system/node/ r,
  /sys/devices/system/node/node[0-9]*/meminfo r,
  /sys/devices/system/cpu/ r,
  /sys/devices/system/cpu/{present,online} r,
  /sys/devices/system/cpu/cpu[0-9]*/cache/index2/size r,
  /sys/class/ r,
  /sys/class/{tty,input,drm,sound}/ r,
  /sys/bus/ r,
  /sys/bus/pci/devices/ r,
  /sys/fs/cgroup/** rw,

  # Procfs
  @{PROC}/ r,
  owner @{PROC}/[0-9]*/{cgroup,cmdline,comm,sessionid,mounts,stat,status,sched,maps,auxv,attr/current,fd/,environ,limits,mountinfo,task/,task/*/stat,task/*/status,fdinfo/*,mem} r,
  owner @{PROC}/@{pid}/{cgroup,cmdline,comm,sessionid,mounts,stat,status,sched,maps,auxv,attr/current,fd/,environ,limits,mountinfo,task/,task/*/stat,task/*/status,fdinfo/*,mem} r,
  owner @{PROC}/@{pid}/{setgroups,gid_map,uid_map,attr/exec,oom_score_adj} rw,
  @{PROC}/{stat,cpuinfo,filesystems,meminfo,swaps,uptime} r,
  @{PROC}/sys/** r,
  deny /proc/*/{statm,smaps} r,
  deny /proc/*/net/ r,
  deny /proc/*/net/** r,

  # Tmpfs
  /{,var/}tmp/ r,
  /{,var/}tmp/** r,
  owner /{,var/}tmp/ rw,
  owner /{,var/}tmp/** rw,

  # /etc
  /etc/ r,
  /etc/** r,

  # Device access
  /dev/ r,
  /dev/console r,
  /dev/random rw,
  /dev/urandom rw,
  /dev/null rw,
  /dev/zero rw,
  /dev/full rw,
  owner /dev/stdin rw,
  owner /dev/stdout r,
  owner /dev/stderr rw,
  /dev/tty rw,
  owner /dev/ptmx rw,
  /dev/pts/ r,
  owner /dev/pts/* rw,
  owner /dev/shm/ r,
  owner /dev/shm/** rw,
  /dev/video* rw,
  /dev/snd/ r,
  /dev/snd/** rw,

  # /var and /run
  /var/ r,
  /var/{lib,cache}/ r,
  /var/lib/** r,
  /var/lib/command-not-found/commands.db rwk,
  /var/cache/** rwl,
  owner /var/lib/ rw,
  owner /var/lib/** rw,
  /{,var/}run/ r,
  /{,var/}run/** rw,
  /{,var/}run/shm/** rwl,
  owner /{,var/}run/** rwk,

  # Prevent leak of some important kernel info
  deny /{,usr/}lib/modules/ rw,
  deny /{,usr/}lib/modules/** rw,
  deny /**vmlinu{,z,x}* rw,
  deny /**System.map* rw,

}
--------------------------------------------------------------------------------

/aa-profiles/home.sandboxing.bash-dev:
--------------------------------------------------------------------------------
abi ,

include

profile /home/sandbox/bash-dev.runner {
  capability sys_chroot,

  # Runner self access
  /home/sandbox/bash-dev.runner r,

  # Sandbox access
  /home/sandbox/ r,
  /home/sandbox/** rwlk,
  deny /home/sandbox/** xm,
  deny /{,var/}/tmp/** xm,
  deny /dev/shm/** m,
  deny /sys/fs/cgroup/** m,

  /usr/bin/env ix,

  / r,

  unix,

  network,

  dbus bus=session,

  # Programs and libraries
  /usr/ r,
  /{,usr/,usr/local/}{,s}bin/ r,
  /{,usr/,usr/local/}{,s}bin/** rpix,
  /{,usr/,usr/local/}lib{,32,64}/ r,
  /{,usr/,usr/local/}lib{,32,64}/** rmpix,
  /usr/{,local/}{share,include}/ r,
  /usr/{,local/}{share,include}/** rpix,

  # Sysfs
  /sys/ r,
  /sys/devices/ r,
  /sys/devices/**/{uevent,config} r,
  /sys/devices/pci[0-9]*/**/ r,
  /sys/devices/pci[0-9]*/**/{resource,boot_vga,class,vendor,device,irq,revision,subsystem_vendor,port_no} r,
  /sys/devices/pci[0-9]*/**/drm/**/{,enabled,status} r,
  /sys/devices/pci[0-9]*/**/sound/**/pcm_class r,
  /sys/devices/pci[0-9]*/**/backlight/**/* r,
  /sys/devices/virtual/tty/tty[0-9]*/active r,
  /sys/devices/virtual/tty/console/active r,
  /sys/devices/virtual/dmi/id/{sys,board,bios}_vendor r,
  /sys/devices/virtual/dmi/id/product_name r,
  /sys/devices/system/node/ r,
  /sys/devices/system/node/node[0-9]*/meminfo r,
  /sys/devices/system/cpu/ r,
  /sys/devices/system/cpu/{present,online} r,
  /sys/devices/system/cpu/cpu[0-9]*/cache/index2/size r,
  /sys/class/ r,
  /sys/class/{tty,input,drm,sound}/ r,
  /sys/bus/ r,
  /sys/bus/pci/devices/ r,
  /sys/fs/cgroup/** rw,

  # Procfs
  @{PROC}/ r,
  owner @{PROC}/[0-9]*/{cgroup,cmdline,comm,sessionid,mounts,stat,status,sched,maps,auxv,attr/current,fd/,environ,limits,mountinfo,task/,task/*/stat,task/*/status,fdinfo/*,mem} r,
  owner @{PROC}/@{pid}/{cgroup,cmdline,comm,sessionid,mounts,stat,status,sched,maps,auxv,attr/current,fd/,environ,limits,mountinfo,task/,task/*/stat,task/*/status,fdinfo/*,mem} r,
  owner @{PROC}/@{pid}/{setgroups,gid_map,uid_map,attr/exec,oom_score_adj} rw,
  @{PROC}/{stat,cpuinfo,filesystems,meminfo,swaps,uptime} r,
  @{PROC}/sys/** r,
  deny /proc/*/{statm,smaps} r,
  deny /proc/*/net/ r,
  deny /proc/*/net/** r,

  # Tmpfs
  /{,var/}tmp/ r,
  /{,var/}tmp/** r,
  owner /{,var/}tmp/ rw,
  owner /{,var/}tmp/** rw,

  # /etc
  /etc/ r,
  /etc/** r,

  # Device access
  /dev/ r,
  /dev/console r,
  /dev/random rw,
  /dev/urandom rw,
  /dev/null rw,
  /dev/zero rw,
  /dev/full rw,
  owner /dev/stdin rw,
  owner /dev/stdout r,
  owner /dev/stderr rw,
  /dev/tty rw,
  owner /dev/ptmx rw,
  /dev/pts/ r,
  owner /dev/pts/* rw,
  owner /dev/shm/ r,
  owner /dev/shm/** rw,
  /dev/video* rw,
  /dev/snd/ r,
  /dev/snd/** rw,

  # /var and /run
  /var/ r,
  /var/{lib,cache}/ r,
  /var/lib/** r,
  /var/lib/command-not-found/commands.db rwk,
  /var/cache/** rwl,
  owner /var/lib/ rw,
  owner /var/lib/** rw,
  /{,var/}run/ r,
  /{,var/}run/** rw,
  /{,var/}run/shm/** rwl,
  owner /{,var/}run/** rwk,

  # Prevent leak of some important kernel info
  deny /{,usr/}lib/modules/ rw,
  deny /{,usr/}lib/modules/** rw,
  deny /**vmlinu{,z,x}* rw,
  deny /**System.map* rw,

}
--------------------------------------------------------------------------------

/aa-profiles/home.sandboxing.bash-hide-net:
--------------------------------------------------------------------------------
abi ,

include

profile /home/sandbox/bash-hide-net.runner {
  # Runner self access
  /home/sandbox/bash-hide-net.runner r,

  # Sandbox access
  /home/sandbox/ r,
  /home/sandbox/** rwlk,
  deny /home/sandbox/** xm,
  deny /{,var/}/tmp/** xm,
  deny /dev/shm/** m,
  deny /sys/fs/cgroup/** m,

  /usr/bin/env ix,

  / r,

  unix,

  dbus bus=session,

  # Programs and libraries
  /usr/ r,
  /{,usr/,usr/local/}{,s}bin/ r,
  /{,usr/,usr/local/}{,s}bin/** rpix,
  /{,usr/,usr/local/}lib{,32,64}/ r,
  /{,usr/,usr/local/}lib{,32,64}/** rmpix,
  /usr/{,local/}{share,include}/ r,
  /usr/{,local/}{share,include}/** rpix,

  # Sysfs
  /sys/ r,
  /sys/devices/ r,
  /sys/devices/**/{uevent,config} r,
  /sys/devices/pci[0-9]*/**/ r,
  /sys/devices/pci[0-9]*/**/{resource,boot_vga,class,vendor,device,irq,revision,subsystem_vendor,port_no} r,
  /sys/devices/pci[0-9]*/**/drm/**/{,enabled,status} r,
  /sys/devices/pci[0-9]*/**/sound/**/pcm_class r,
  /sys/devices/pci[0-9]*/**/backlight/**/* r,
  /sys/devices/virtual/tty/tty[0-9]*/active r,
  /sys/devices/virtual/tty/console/active r,
  /sys/devices/virtual/dmi/id/{sys,board,bios}_vendor r,
  /sys/devices/virtual/dmi/id/product_name r,
  /sys/devices/system/node/ r,
  /sys/devices/system/node/node[0-9]*/meminfo r,
  /sys/devices/system/cpu/ r,
  /sys/devices/system/cpu/{present,online} r,
  /sys/devices/system/cpu/cpu[0-9]*/cache/index2/size r,
  /sys/class/ r,
  /sys/class/{tty,input,drm,sound}/ r,
  /sys/bus/ r,
  /sys/bus/pci/devices/ r,
  /sys/fs/cgroup/** rw,

  # Procfs
  @{PROC}/ r,
  owner @{PROC}/[0-9]*/{cgroup,cmdline,comm,sessionid,mounts,stat,status,sched,maps,auxv,attr/current,fd/,environ,limits,mountinfo,task/,task/*/stat,task/*/status,fdinfo/*,mem} r,
  owner @{PROC}/@{pid}/{cgroup,cmdline,comm,sessionid,mounts,stat,status,sched,maps,auxv,attr/current,fd/,environ,limits,mountinfo,task/,task/*/stat,task/*/status,fdinfo/*,mem} r,
  owner @{PROC}/@{pid}/{setgroups,gid_map,uid_map,attr/exec,oom_score_adj} rw,
  @{PROC}/{stat,cpuinfo,filesystems,meminfo,swaps,uptime} r,
  @{PROC}/sys/** r,
  deny /proc/*/{statm,smaps} r,
  deny /proc/*/net/ r,
  deny /proc/*/net/** r,

  # Tmpfs
  /{,var/}tmp/ r,
  /{,var/}tmp/** r,
  owner /{,var/}tmp/ rw,
  owner /{,var/}tmp/** rw,

  # /etc
  /etc/ r,
  /etc/** r,

  # Device access
  /dev/ r,
  /dev/console r,
  /dev/random rw,
  /dev/urandom rw,
  /dev/null rw,
  /dev/zero rw,
  /dev/full rw,
  owner /dev/stdin rw,
  owner /dev/stdout r,
  owner /dev/stderr rw,
  /dev/tty rw,
  owner /dev/ptmx rw,
  /dev/pts/ r,
  owner /dev/pts/* rw,
  owner /dev/shm/ r,
  owner /dev/shm/** rw,
  /dev/video* rw,
  /dev/snd/ r,
  /dev/snd/** rw,

  # /var and /run
  /var/ r,
  /var/{lib,cache}/ r,
  /var/lib/** r,
  /var/lib/command-not-found/commands.db rwk,
  /var/cache/** rwl,
  owner /var/lib/ rw,
  owner /var/lib/** rw,
  /{,var/}run/ r,
  /{,var/}run/** rw,
  /{,var/}run/shm/** rwl,
  owner /{,var/}run/** rwk,

  # Prevent leak of some important kernel info
  deny /{,usr/}lib/modules/ rw,
  deny /{,usr/}lib/modules/** rw,
  deny /**vmlinu{,z,x}* rw,
  deny /**System.map* rw,

}
--------------------------------------------------------------------------------

/aa-profiles/home.sandboxing.chromium:
--------------------------------------------------------------------------------
abi ,

include

profile /home/sandbox/chromium.runner {
  capability sys_admin,
  capability sys_chroot,
  capability sys_ptrace,

  # Runner self access
  /home/sandbox/chromium.runner r,

  # Sandbox access
  /home/sandbox/ r,
  /home/sandbox/** rwlk,
  deny /home/sandbox/** xm,
  deny /{,var/}/tmp/** xm,
  deny /dev/shm/** m,
  deny /sys/fs/cgroup/** m,

  /usr/bin/env ix,

  / r,

  unix,

  network,

  dbus bus=session,

  # Programs and libraries
  /usr/ r,
  /{,usr/,usr/local/}{,s}bin/ r,
  /{,usr/,usr/local/}{,s}bin/** rpix,
  /{,usr/,usr/local/}lib{,32,64}/ r,
  /{,usr/,usr/local/}lib{,32,64}/** rmpix,
  /usr/{,local/}{share,include}/ r,
  /usr/{,local/}{share,include}/** rpix,

  # Sysfs
  /sys/ r,
  /sys/devices/ r,
  /sys/devices/**/{uevent,config} r,
  /sys/devices/pci[0-9]*/**/ r,
  /sys/devices/pci[0-9]*/**/{resource,boot_vga,class,vendor,device,irq,revision,subsystem_vendor,port_no} r,
  /sys/devices/pci[0-9]*/**/drm/**/{,enabled,status} r,
  /sys/devices/pci[0-9]*/**/sound/**/pcm_class r,
  /sys/devices/pci[0-9]*/**/backlight/**/* r,
  /sys/devices/virtual/tty/tty[0-9]*/active r,
  /sys/devices/virtual/tty/console/active r,
  /sys/devices/virtual/dmi/id/{sys,board,bios}_vendor r,
  /sys/devices/virtual/dmi/id/product_name r,
  /sys/devices/system/node/ r,
  /sys/devices/system/node/node[0-9]*/meminfo r,
  /sys/devices/system/cpu/ r,
  /sys/devices/system/cpu/{present,online} r,
  /sys/devices/system/cpu/cpu[0-9]*/cache/index2/size r,
  /sys/class/ r,
  /sys/class/{tty,input,drm,sound}/ r,
  /sys/bus/ r,
  /sys/bus/pci/devices/ r,
  /sys/fs/cgroup/** rw,

  # Procfs
  @{PROC}/ r,
  owner @{PROC}/[0-9]*/{cgroup,cmdline,comm,sessionid,mounts,stat,status,sched,maps,auxv,attr/current,fd/,environ,limits,mountinfo,task/,task/*/stat,task/*/status,fdinfo/*,mem} r,
  owner @{PROC}/@{pid}/{cgroup,cmdline,comm,sessionid,mounts,stat,status,sched,maps,auxv,attr/current,fd/,environ,limits,mountinfo,task/,task/*/stat,task/*/status,fdinfo/*,mem} r,
  owner @{PROC}/@{pid}/{setgroups,gid_map,uid_map,attr/exec,oom_score_adj} rw,
  @{PROC}/{stat,cpuinfo,filesystems,meminfo,swaps,uptime} r,
  @{PROC}/sys/** r,
  deny /proc/*/{statm,smaps} r,
  deny /proc/*/net/ r,
  deny /proc/*/net/** r,

  # Tmpfs
  /{,var/}tmp/ r,
  /{,var/}tmp/** r,
  owner /{,var/}tmp/ rw,
  owner /{,var/}tmp/** rw,

  # /etc
  /etc/ r,
  /etc/** r,

  # Device access
  /dev/ r,
  /dev/console r,
  /dev/random rw,
  /dev/urandom rw,
  /dev/null rw,
  /dev/zero rw,
  /dev/full rw,
  owner /dev/stdin rw,
  owner /dev/stdout r,
  owner /dev/stderr rw,
  /dev/tty rw,
  owner /dev/ptmx rw,
  /dev/pts/ r,
  owner /dev/pts/* rw,
  owner /dev/shm/ r,
  owner /dev/shm/** rw,
  /dev/video* rw,
  /dev/snd/ r,
  /dev/snd/** rw,

  # /var and /run
  /var/ r,
  /var/{lib,cache}/ r,
  /var/lib/** r,
  /var/lib/command-not-found/commands.db rwk,
  /var/cache/** rwl,
  owner /var/lib/ rw,
  owner /var/lib/** rw,
  /{,var/}run/ r,
  /{,var/}run/** rw,
  /{,var/}run/shm/** rwl,
  owner /{,var/}run/** rwk,

  # Prevent leak of some important kernel info
  deny /{,usr/}lib/modules/ rw,
  deny /{,usr/}lib/modules/** rw,
  deny /**vmlinu{,z,x}* rw,
  deny /**System.map* rw,

}
--------------------------------------------------------------------------------

/aa-profiles/home.sandboxing.chromium-tmp:
--------------------------------------------------------------------------------
abi ,

include

profile /home/sandbox/chromium-tmp.runner {
  capability sys_admin,
  capability sys_chroot,
  capability sys_ptrace,

  # Runner self access
  /home/sandbox/chromium-tmp.runner r,

  # Sandbox access
  /home/sandbox/ r,
  /home/sandbox/** rwlk,
  deny /home/sandbox/** xm,
  deny /{,var/}/tmp/** xm,
  deny /dev/shm/** m,
  deny /sys/fs/cgroup/** m,

  /usr/bin/env ix,

  / r,

  unix,

  network,

  dbus bus=session,

  # Programs and libraries
  /usr/ r,
  /{,usr/,usr/local/}{,s}bin/ r,
  /{,usr/,usr/local/}{,s}bin/** rpix,
  /{,usr/,usr/local/}lib{,32,64}/ r,
  /{,usr/,usr/local/}lib{,32,64}/** rmpix,
  /usr/{,local/}{share,include}/ r,
  /usr/{,local/}{share,include}/** rpix,

  # Sysfs
  /sys/ r,
  /sys/devices/ r,
  /sys/devices/**/{uevent,config} r,
  /sys/devices/pci[0-9]*/**/ r,
  /sys/devices/pci[0-9]*/**/{resource,boot_vga,class,vendor,device,irq,revision,subsystem_vendor,port_no} r,
  /sys/devices/pci[0-9]*/**/drm/**/{,enabled,status} r,
  /sys/devices/pci[0-9]*/**/sound/**/pcm_class r,
  /sys/devices/pci[0-9]*/**/backlight/**/* r,
  /sys/devices/virtual/tty/tty[0-9]*/active r,
  /sys/devices/virtual/tty/console/active r,
  /sys/devices/virtual/dmi/id/{sys,board,bios}_vendor r,
  /sys/devices/virtual/dmi/id/product_name r,
  /sys/devices/system/node/ r,
  /sys/devices/system/node/node[0-9]*/meminfo r,
  /sys/devices/system/cpu/ r,
  /sys/devices/system/cpu/{present,online} r,
  /sys/devices/system/cpu/cpu[0-9]*/cache/index2/size r,
  /sys/class/ r,
  /sys/class/{tty,input,drm,sound}/ r,
  /sys/bus/ r,
  /sys/bus/pci/devices/ r,
  /sys/fs/cgroup/** rw,

  # Procfs
  @{PROC}/ r,
  owner @{PROC}/[0-9]*/{cgroup,cmdline,comm,sessionid,mounts,stat,status,sched,maps,auxv,attr/current,fd/,environ,limits,mountinfo,task/,task/*/stat,task/*/status,fdinfo/*,mem} r,
  owner @{PROC}/@{pid}/{cgroup,cmdline,comm,sessionid,mounts,stat,status,sched,maps,auxv,attr/current,fd/,environ,limits,mountinfo,task/,task/*/stat,task/*/status,fdinfo/*,mem} r,
  owner @{PROC}/@{pid}/{setgroups,gid_map,uid_map,attr/exec,oom_score_adj} rw,
  @{PROC}/{stat,cpuinfo,filesystems,meminfo,swaps,uptime} r,
  @{PROC}/sys/** r,
  deny /proc/*/{statm,smaps} r,
  deny /proc/*/net/ r,
  deny /proc/*/net/** r,

  # Tmpfs
  /{,var/}tmp/ r,
  /{,var/}tmp/** r,
  owner /{,var/}tmp/ rw,
  owner /{,var/}tmp/** rw,

  # /etc
  /etc/ r,
  /etc/** r,

  # Device access
  /dev/ r,
  /dev/console r,
  /dev/random rw,
  /dev/urandom rw,
  /dev/null rw,
  /dev/zero rw,
  /dev/full rw,
  owner /dev/stdin rw,
  owner /dev/stdout r,
  owner /dev/stderr rw,
  /dev/tty rw,
  owner /dev/ptmx rw,
  /dev/pts/ r,
  owner /dev/pts/* rw,
  owner /dev/shm/ r,
  owner /dev/shm/** rw,
  /dev/video* rw,
  /dev/snd/ r,
  /dev/snd/** rw,

  # /var and /run
  /var/ r,
  /var/{lib,cache}/ r,
  /var/lib/** r,
  /var/lib/command-not-found/commands.db rwk,
  /var/cache/** rwl,
  owner /var/lib/ rw,
  owner /var/lib/** rw,
  /{,var/}run/ r,
  /{,var/}run/** rw,
  /{,var/}run/shm/** rwl,
  owner /{,var/}run/** rwk,

  # Prevent leak of some important kernel info
  deny /{,usr/}lib/modules/ rw,
  deny /{,usr/}lib/modules/** rw,
  deny /**vmlinu{,z,x}* rw,
  deny /**System.map* rw,

}
--------------------------------------------------------------------------------

/aa-profiles/home.sandboxing.deluge:
--------------------------------------------------------------------------------
abi ,

include

profile /home/sandbox/deluge.runner {
  # Runner self access
  /home/sandbox/deluge.runner r,

  # Sandbox access
  /home/sandbox/ r,
  /home/sandbox/** rwlk,
  deny /home/sandbox/** xm,
  deny /{,var/}/tmp/** xm,
  deny /dev/shm/** m,
  deny /sys/fs/cgroup/** m,

  /usr/bin/env ix,

  / r,

  unix,

  network,

  dbus bus=session,

  # Programs and libraries
  /usr/ r,
  /{,usr/,usr/local/}{,s}bin/ r,
  /{,usr/,usr/local/}{,s}bin/** rpix,
  /{,usr/,usr/local/}lib{,32,64}/ r,
  /{,usr/,usr/local/}lib{,32,64}/** rmpix,
  /usr/{,local/}{share,include}/ r,
  /usr/{,local/}{share,include}/** rpix,

  # Sysfs
  /sys/ r,
  /sys/devices/ r,
  /sys/devices/**/{uevent,config} r,
  /sys/devices/pci[0-9]*/**/ r,
  /sys/devices/pci[0-9]*/**/{resource,boot_vga,class,vendor,device,irq,revision,subsystem_vendor,port_no} r,
  /sys/devices/pci[0-9]*/**/drm/**/{,enabled,status} r,
  /sys/devices/pci[0-9]*/**/sound/**/pcm_class r,
  /sys/devices/pci[0-9]*/**/backlight/**/* r,
  /sys/devices/virtual/tty/tty[0-9]*/active r,
  /sys/devices/virtual/tty/console/active r,
  /sys/devices/virtual/dmi/id/{sys,board,bios}_vendor r,
  /sys/devices/virtual/dmi/id/product_name r,
  /sys/devices/system/node/ r,
  /sys/devices/system/node/node[0-9]*/meminfo r,
  /sys/devices/system/cpu/ r,
  /sys/devices/system/cpu/{present,online} r,
  /sys/devices/system/cpu/cpu[0-9]*/cache/index2/size r,
  /sys/class/ r,
  /sys/class/{tty,input,drm,sound}/ r,
  /sys/bus/ r,
  /sys/bus/pci/devices/ r,
  /sys/fs/cgroup/** rw,

  # Procfs
  @{PROC}/ r,
  owner @{PROC}/[0-9]*/{cgroup,cmdline,comm,sessionid,mounts,stat,status,sched,maps,auxv,attr/current,fd/,environ,limits,mountinfo,task/,task/*/stat,task/*/status,fdinfo/*,mem} r,
  owner @{PROC}/@{pid}/{cgroup,cmdline,comm,sessionid,mounts,stat,status,sched,maps,auxv,attr/current,fd/,environ,limits,mountinfo,task/,task/*/stat,task/*/status,fdinfo/*,mem} r,
  owner @{PROC}/@{pid}/{setgroups,gid_map,uid_map,attr/exec,oom_score_adj} rw,
  @{PROC}/{stat,cpuinfo,filesystems,meminfo,swaps,uptime} r,
  @{PROC}/sys/** r,
  deny /proc/*/{statm,smaps} r,
  deny /proc/*/net/ r,
  deny /proc/*/net/** r,

  # Tmpfs
  /{,var/}tmp/ r,
  /{,var/}tmp/** r,
  owner /{,var/}tmp/ rw,
  owner /{,var/}tmp/** rw,

  # /etc
  /etc/ r,
  /etc/** r,

  # Device access
  /dev/ r,
  /dev/console r,
  /dev/random rw,
  /dev/urandom rw,
  /dev/null rw,
  /dev/zero rw,
  /dev/full rw,
  owner /dev/stdin rw,
  owner /dev/stdout r,
  owner /dev/stderr rw,
  /dev/tty rw,
  owner /dev/ptmx rw,
  /dev/pts/ r,
  owner /dev/pts/* rw,
  owner /dev/shm/ r,
  owner /dev/shm/** rw,
  /dev/video* rw,
  /dev/snd/ r,
  /dev/snd/** rw,

  # /var and /run
  /var/ r,
  /var/{lib,cache}/ r,
  /var/lib/** r,
  /var/lib/command-not-found/commands.db rwk,
  /var/cache/** rwl,
  owner /var/lib/ rw,
  owner /var/lib/** rw,
  /{,var/}run/ r,
  /{,var/}run/** rw,
  /{,var/}run/shm/** rwl,
  owner /{,var/}run/** rwk,

  # Prevent leak of some important kernel info
  deny /{,usr/}lib/modules/ rw,
  deny /{,usr/}lib/modules/** rw,
  deny /**vmlinu{,z,x}* rw,
  deny /**System.map* rw,

  deny /usr/lib/firefox/** rx,

}
--------------------------------------------------------------------------------

/aa-profiles/home.sandboxing.discord:
--------------------------------------------------------------------------------
abi ,

include

profile /home/sandbox/discord.runner {
  capability sys_admin,
  capability sys_chroot,
  capability sys_ptrace,

  # Runner self access
  /home/sandbox/discord.runner r,

  # Sandbox access
  /home/sandbox/ r,
  /home/sandbox/** rwlk,
  owner /home/sandbox/** rwmlkix,
  owner /{,var/}/tmp/** rwmlkix,
  owner /dev/shm/** rwm,
  /sys/fs/cgroup/** rwm,

/usr/bin/env ix, 22 | 23 | / r, 24 | 25 | unix, 26 | 27 | network, 28 | 29 | dbus bus=session, 30 | 31 | # Programs and libraries 32 | /usr/ r, 33 | /{,usr/,usr/local/}{,s}bin/ r, 34 | /{,usr/,usr/local/}{,s}bin/** rpix, 35 | /{,usr/,usr/local/}lib{,32,64}/ r, 36 | /{,usr/,usr/local/}lib{,32,64}/** rmpix, 37 | /usr/{,local/}{share,include}/ r, 38 | /usr/{,local/}{share,include}/** rpix, 39 | 40 | # Sysfs 41 | /sys/ r, 42 | /sys/devices/ r, 43 | /sys/devices/**/{uevent,config} r, 44 | /sys/devices/pci[0-9]*/**/ r, 45 | /sys/devices/pci[0-9]*/**/{resource,boot_vga,class,vendor,device,irq,revision,subsystem_vendor,port_no} r, 46 | /sys/devices/pci[0-9]*/**/drm/**/{,enabled,status} r, 47 | /sys/devices/pci[0-9]*/**/sound/**/pcm_class r, 48 | /sys/devices/pci[0-9]*/**/backlight/**/* r, 49 | /sys/devices/virtual/tty/tty[0-9]*/active r, 50 | /sys/devices/virtual/tty/console/active r, 51 | /sys/devices/virtual/dmi/id/{sys,board,bios}_vendor r, 52 | /sys/devices/virtual/dmi/id/product_name r, 53 | /sys/devices/system/node/ r, 54 | /sys/devices/system/node/node[0-9]*/meminfo r, 55 | /sys/devices/system/cpu/ r, 56 | /sys/devices/system/cpu/{present,online} r, 57 | /sys/devices/system/cpu/cpu[0-9]*/cache/index2/size r, 58 | /sys/class/ r, 59 | /sys/class/{tty,input,drm,sound}/ r, 60 | /sys/bus/ r, 61 | /sys/bus/pci/devices/ r, 62 | /sys/fs/cgroup/** rw, 63 | 64 | # Procfs 65 | @{PROC}/ r, 66 | owner @{PROC}/[0-9]*/{cgroup,cmdline,comm,sessionid,mounts,stat,status,sched,maps,auxv,attr/current,fd/,environ,limits,mountinfo,task/,task/*/stat,task/*/status,fdinfo/*,mem} r, 67 | owner @{PROC}/@{pid}/{cgroup,cmdline,comm,sessionid,mounts,stat,status,sched,maps,auxv,attr/current,fd/,environ,limits,mountinfo,task/,task/*/stat,task/*/status,fdinfo/*,mem} r, 68 | owner @{PROC}/@{pid}/{setgroups,gid_map,uid_map,attr/exec,oom_score_adj} rw, 69 | @{PROC}/{stat,cpuinfo,filesystems,meminfo,swaps,uptime} r, 70 | @{PROC}/sys/** r, 71 | deny /proc/*/{statm,smaps} r, 72 | deny /proc/*/net/ r, 73 
  deny /proc/*/net/** r,

  # Tmpfs
  /{,var/}tmp/ r,
  /{,var/}tmp/** r,
  owner /{,var/}tmp/ rw,
  owner /{,var/}tmp/** rw,

  # /etc
  /etc/ r,
  /etc/** r,

  # Device access
  /dev/ r,
  /dev/console r,
  /dev/random rw,
  /dev/urandom rw,
  /dev/null rw,
  /dev/zero rw,
  /dev/full rw,
  owner /dev/stdin rw,
  owner /dev/stdout r,
  owner /dev/stderr rw,
  /dev/tty rw,
  owner /dev/ptmx rw,
  /dev/pts/ r,
  owner /dev/pts/* rw,
  owner /dev/shm/ r,
  owner /dev/shm/** rw,
  /dev/video* rw,
  /dev/snd/ r,
  /dev/snd/** rw,

  # /var and /run
  /var/ r,
  /var/{lib,cache}/ r,
  /var/lib/** r,
  /var/lib/command-not-found/commands.db rwk,
  /var/cache/** rwl,
  owner /var/lib/ rw,
  owner /var/lib/** rw,
  /{,var/}run/ r,
  /{,var/}run/** rw,
  /{,var/}run/shm/** rwl,
  owner /{,var/}run/** rwk,

  # Prevent leak of some important kernel info
  deny /{,usr/}lib/modules/ rw,
  deny /{,usr/}lib/modules/** rw,
  deny /**vmlinu{,z,x}* rw,
  deny /**System.map* rw,

  /opt/discord/ r,
  /opt/discord/** rix,

}
--------------------------------------------------------------------------------
/aa-profiles/home.sandboxing.eom-ro:
--------------------------------------------------------------------------------
abi ,

include

profile /home/sandbox/eom-ro.runner {
  # Runner self access
  /home/sandbox/eom-ro.runner r,

  # Sandbox access
  /home/sandbox/ r,
  /home/sandbox/** rwlk,
  deny /home/sandbox/** xm,
  deny /{,var/}/tmp/** xm,
  deny /dev/shm/** m,
  deny /sys/fs/cgroup/** m,

  /usr/bin/env ix,

  / r,

  unix,

  dbus bus=session,

  # Programs and libraries
  /usr/ r,
  /{,usr/,usr/local/}{,s}bin/ r,
  /{,usr/,usr/local/}{,s}bin/** rpix,
  /{,usr/,usr/local/}lib{,32,64}/ r,
  /{,usr/,usr/local/}lib{,32,64}/** rmpix,
  /usr/{,local/}{share,include}/ r,
  /usr/{,local/}{share,include}/** rpix,

  # Sysfs
  /sys/ r,
  /sys/devices/ r,
  /sys/devices/**/{uevent,config} r,
  /sys/devices/pci[0-9]*/**/ r,
  /sys/devices/pci[0-9]*/**/{resource,boot_vga,class,vendor,device,irq,revision,subsystem_vendor,port_no} r,
  /sys/devices/pci[0-9]*/**/drm/**/{,enabled,status} r,
  /sys/devices/pci[0-9]*/**/sound/**/pcm_class r,
  /sys/devices/pci[0-9]*/**/backlight/**/* r,
  /sys/devices/virtual/tty/tty[0-9]*/active r,
  /sys/devices/virtual/tty/console/active r,
  /sys/devices/virtual/dmi/id/{sys,board,bios}_vendor r,
  /sys/devices/virtual/dmi/id/product_name r,
  /sys/devices/system/node/ r,
  /sys/devices/system/node/node[0-9]*/meminfo r,
  /sys/devices/system/cpu/ r,
  /sys/devices/system/cpu/{present,online} r,
  /sys/devices/system/cpu/cpu[0-9]*/cache/index2/size r,
  /sys/class/ r,
  /sys/class/{tty,input,drm,sound}/ r,
  /sys/bus/ r,
  /sys/bus/pci/devices/ r,
  /sys/fs/cgroup/** rw,

  # Procfs
  @{PROC}/ r,
  owner @{PROC}/[0-9]*/{cgroup,cmdline,comm,sessionid,mounts,stat,status,sched,maps,auxv,attr/current,fd/,environ,limits,mountinfo,task/,task/*/stat,task/*/status,fdinfo/*,mem} r,
  owner @{PROC}/@{pid}/{cgroup,cmdline,comm,sessionid,mounts,stat,status,sched,maps,auxv,attr/current,fd/,environ,limits,mountinfo,task/,task/*/stat,task/*/status,fdinfo/*,mem} r,
  owner @{PROC}/@{pid}/{setgroups,gid_map,uid_map,attr/exec,oom_score_adj} rw,
  @{PROC}/{stat,cpuinfo,filesystems,meminfo,swaps,uptime} r,
  @{PROC}/sys/** r,
  deny /proc/*/{statm,smaps} r,
  deny /proc/*/net/ r,
  deny /proc/*/net/** r,

  # Tmpfs
  /{,var/}tmp/ r,
  /{,var/}tmp/** r,
  owner /{,var/}tmp/ rw,
  owner /{,var/}tmp/** rw,

  # /etc
  /etc/ r,
  /etc/** r,

  # Device access
  /dev/ r,
  /dev/console r,
  /dev/random rw,
  /dev/urandom rw,
  /dev/null rw,
  /dev/zero rw,
  /dev/full rw,
  owner /dev/stdin rw,
  owner /dev/stdout r,
  owner /dev/stderr rw,
  /dev/tty rw,
  owner /dev/ptmx rw,
  /dev/pts/ r,
  owner /dev/pts/* rw,
  owner /dev/shm/ r,
  owner /dev/shm/** rw,
  /dev/video* rw,
  /dev/snd/ r,
  /dev/snd/** rw,

  # /var and /run
  /var/ r,
  /var/{lib,cache}/ r,
  /var/lib/** r,
  /var/lib/command-not-found/commands.db rwk,
  /var/cache/** rwl,
  owner /var/lib/ rw,
  owner /var/lib/** rw,
  /{,var/}run/ r,
  /{,var/}run/** rw,
  /{,var/}run/shm/** rwl,
  owner /{,var/}run/** rwk,

  # Prevent leak of some important kernel info
  deny /{,usr/}lib/modules/ rw,
  deny /{,usr/}lib/modules/** rw,
  deny /**vmlinu{,z,x}* rw,
  deny /**System.map* rw,

}
--------------------------------------------------------------------------------
/aa-profiles/home.sandboxing.firefox:
--------------------------------------------------------------------------------
abi ,

include

profile /home/sandbox/firefox.runner {
  capability sys_admin,
  capability sys_chroot,
  capability sys_ptrace,

  # Runner self access
  /home/sandbox/firefox.runner r,

  # Sandbox access
  /home/sandbox/ r,
  /home/sandbox/** rwlk,
  deny /home/sandbox/** xm,
  deny /{,var/}/tmp/** xm,
  deny /dev/shm/** m,
  deny /sys/fs/cgroup/** m,

  /usr/bin/env ix,

  / r,

  unix,

  network,

  dbus bus=session,

  # Programs and libraries
  /usr/ r,
  /{,usr/,usr/local/}{,s}bin/ r,
  /{,usr/,usr/local/}{,s}bin/** rpix,
  /{,usr/,usr/local/}lib{,32,64}/ r,
  /{,usr/,usr/local/}lib{,32,64}/** rmpix,
  /usr/{,local/}{share,include}/ r,
  /usr/{,local/}{share,include}/** rpix,

  # Sysfs
  /sys/ r,
  /sys/devices/ r,
  /sys/devices/**/{uevent,config} r,
  /sys/devices/pci[0-9]*/**/ r,
  /sys/devices/pci[0-9]*/**/{resource,boot_vga,class,vendor,device,irq,revision,subsystem_vendor,port_no} r,
  /sys/devices/pci[0-9]*/**/drm/**/{,enabled,status} r,
  /sys/devices/pci[0-9]*/**/sound/**/pcm_class r,
  /sys/devices/pci[0-9]*/**/backlight/**/* r,
  /sys/devices/virtual/tty/tty[0-9]*/active r,
  /sys/devices/virtual/tty/console/active r,
  /sys/devices/virtual/dmi/id/{sys,board,bios}_vendor r,
  /sys/devices/virtual/dmi/id/product_name r,
  /sys/devices/system/node/ r,
  /sys/devices/system/node/node[0-9]*/meminfo r,
  /sys/devices/system/cpu/ r,
  /sys/devices/system/cpu/{present,online} r,
  /sys/devices/system/cpu/cpu[0-9]*/cache/index2/size r,
  /sys/class/ r,
  /sys/class/{tty,input,drm,sound}/ r,
  /sys/bus/ r,
  /sys/bus/pci/devices/ r,
  /sys/fs/cgroup/** rw,

  # Procfs
  @{PROC}/ r,
  owner @{PROC}/[0-9]*/{cgroup,cmdline,comm,sessionid,mounts,stat,status,sched,maps,auxv,attr/current,fd/,environ,limits,mountinfo,task/,task/*/stat,task/*/status,fdinfo/*,mem} r,
  owner @{PROC}/@{pid}/{cgroup,cmdline,comm,sessionid,mounts,stat,status,sched,maps,auxv,attr/current,fd/,environ,limits,mountinfo,task/,task/*/stat,task/*/status,fdinfo/*,mem} r,
  owner @{PROC}/@{pid}/{setgroups,gid_map,uid_map,attr/exec,oom_score_adj} rw,
  @{PROC}/{stat,cpuinfo,filesystems,meminfo,swaps,uptime} r,
  @{PROC}/sys/** r,
  deny /proc/*/{statm,smaps} r,
  deny /proc/*/net/ r,
  deny /proc/*/net/** r,

  # Tmpfs
  /{,var/}tmp/ r,
  /{,var/}tmp/** r,
  owner /{,var/}tmp/ rw,
  owner /{,var/}tmp/** rw,

  # /etc
  /etc/ r,
  /etc/** r,

  # Device access
  /dev/ r,
  /dev/console r,
  /dev/random rw,
  /dev/urandom rw,
  /dev/null rw,
  /dev/zero rw,
  /dev/full rw,
  owner /dev/stdin rw,
  owner /dev/stdout r,
  owner /dev/stderr
  rw,
  /dev/tty rw,
  owner /dev/ptmx rw,
  /dev/pts/ r,
  owner /dev/pts/* rw,
  owner /dev/shm/ r,
  owner /dev/shm/** rw,
  /dev/video* rw,
  /dev/snd/ r,
  /dev/snd/** rw,

  # /var and /run
  /var/ r,
  /var/{lib,cache}/ r,
  /var/lib/** r,
  /var/lib/command-not-found/commands.db rwk,
  /var/cache/** rwl,
  owner /var/lib/ rw,
  owner /var/lib/** rw,
  /{,var/}run/ r,
  /{,var/}run/** rw,
  /{,var/}run/shm/** rwl,
  owner /{,var/}run/** rwk,

  # Prevent leak of some important kernel info
  deny /{,usr/}lib/modules/ rw,
  deny /{,usr/}lib/modules/** rw,
  deny /**vmlinu{,z,x}* rw,
  deny /**System.map* rw,

}
--------------------------------------------------------------------------------
/aa-profiles/home.sandboxing.firefox-private:
--------------------------------------------------------------------------------
abi ,

include

profile /home/sandbox/firefox-private.runner {
  capability sys_admin,
  capability sys_chroot,
  capability sys_ptrace,

  # Runner self access
  /home/sandbox/firefox-private.runner r,

  # Sandbox access
  /home/sandbox/ r,
  /home/sandbox/** rwlk,
  deny /home/sandbox/** xm,
  deny /{,var/}/tmp/** xm,
  deny /dev/shm/** m,
  deny /sys/fs/cgroup/** m,

  /usr/bin/env ix,

  / r,

  unix,

  network,

  dbus bus=session,

  # Programs and libraries
  /usr/ r,
  /{,usr/,usr/local/}{,s}bin/ r,
  /{,usr/,usr/local/}{,s}bin/** rpix,
  /{,usr/,usr/local/}lib{,32,64}/ r,
  /{,usr/,usr/local/}lib{,32,64}/** rmpix,
  /usr/{,local/}{share,include}/ r,
  /usr/{,local/}{share,include}/** rpix,

  # Sysfs
  /sys/ r,
  /sys/devices/ r,
  /sys/devices/**/{uevent,config} r,
  /sys/devices/pci[0-9]*/**/ r,
  /sys/devices/pci[0-9]*/**/{resource,boot_vga,class,vendor,device,irq,revision,subsystem_vendor,port_no} r,
  /sys/devices/pci[0-9]*/**/drm/**/{,enabled,status} r,
  /sys/devices/pci[0-9]*/**/sound/**/pcm_class r,
  /sys/devices/pci[0-9]*/**/backlight/**/* r,
  /sys/devices/virtual/tty/tty[0-9]*/active r,
  /sys/devices/virtual/tty/console/active r,
  /sys/devices/virtual/dmi/id/{sys,board,bios}_vendor r,
  /sys/devices/virtual/dmi/id/product_name r,
  /sys/devices/system/node/ r,
  /sys/devices/system/node/node[0-9]*/meminfo r,
  /sys/devices/system/cpu/ r,
  /sys/devices/system/cpu/{present,online} r,
  /sys/devices/system/cpu/cpu[0-9]*/cache/index2/size r,
  /sys/class/ r,
  /sys/class/{tty,input,drm,sound}/ r,
  /sys/bus/ r,
  /sys/bus/pci/devices/ r,
  /sys/fs/cgroup/** rw,

  # Procfs
  @{PROC}/ r,
  owner @{PROC}/[0-9]*/{cgroup,cmdline,comm,sessionid,mounts,stat,status,sched,maps,auxv,attr/current,fd/,environ,limits,mountinfo,task/,task/*/stat,task/*/status,fdinfo/*,mem} r,
  owner @{PROC}/@{pid}/{cgroup,cmdline,comm,sessionid,mounts,stat,status,sched,maps,auxv,attr/current,fd/,environ,limits,mountinfo,task/,task/*/stat,task/*/status,fdinfo/*,mem} r,
  owner @{PROC}/@{pid}/{setgroups,gid_map,uid_map,attr/exec,oom_score_adj} rw,
  @{PROC}/{stat,cpuinfo,filesystems,meminfo,swaps,uptime} r,
  @{PROC}/sys/** r,
  deny /proc/*/{statm,smaps} r,
  deny /proc/*/net/ r,
  deny /proc/*/net/** r,

  # Tmpfs
  /{,var/}tmp/ r,
  /{,var/}tmp/** r,
  owner /{,var/}tmp/ rw,
  owner /{,var/}tmp/** rw,

  # /etc
  /etc/ r,
  /etc/** r,

  # Device access
  /dev/ r,
  /dev/console r,
  /dev/random rw,
  /dev/urandom rw,
  /dev/null rw,
  /dev/zero rw,
  /dev/full rw,
  owner /dev/stdin rw,
  owner /dev/stdout r,
  owner /dev/stderr rw,
  /dev/tty rw,
  owner /dev/ptmx rw,
  /dev/pts/ r,
  owner /dev/pts/* rw,
  owner /dev/shm/ r,
  owner /dev/shm/** rw,
  /dev/video* rw,
  /dev/snd/ r,
  /dev/snd/** rw,

  # /var and /run
  /var/ r,
  /var/{lib,cache}/ r,
  /var/lib/** r,
  /var/lib/command-not-found/commands.db rwk,
  /var/cache/** rwl,
  owner /var/lib/ rw,
  owner /var/lib/** rw,
  /{,var/}run/ r,
  /{,var/}run/** rw,
  /{,var/}run/shm/** rwl,
  owner /{,var/}run/** rwk,

  # Prevent leak of some important kernel info
  deny /{,usr/}lib/modules/ rw,
  deny /{,usr/}lib/modules/** rw,
  deny /**vmlinu{,z,x}* rw,
  deny /**System.map* rw,

}
--------------------------------------------------------------------------------
/aa-profiles/home.sandboxing.firefox-tmp:
--------------------------------------------------------------------------------
abi ,

include

profile /home/sandbox/firefox-tmp.runner {
  capability sys_admin,
  capability sys_chroot,
  capability sys_ptrace,

  # Runner self access
  /home/sandbox/firefox-tmp.runner r,

  # Sandbox access
  /home/sandbox/ r,
  /home/sandbox/** rwlk,
  deny /home/sandbox/** xm,
  deny /{,var/}/tmp/** xm,
  deny /dev/shm/** m,
  deny /sys/fs/cgroup/** m,

  /usr/bin/env ix,

  / r,

  unix,

  network,

  dbus bus=session,

  # Programs and libraries
  /usr/ r,
  /{,usr/,usr/local/}{,s}bin/ r,
  /{,usr/,usr/local/}{,s}bin/** rpix,
  /{,usr/,usr/local/}lib{,32,64}/ r,
  /{,usr/,usr/local/}lib{,32,64}/** rmpix,
  /usr/{,local/}{share,include}/ r,
  /usr/{,local/}{share,include}/** rpix,

  # Sysfs
  /sys/ r,
  /sys/devices/ r,
  /sys/devices/**/{uevent,config} r,
  /sys/devices/pci[0-9]*/**/ r,
  /sys/devices/pci[0-9]*/**/{resource,boot_vga,class,vendor,device,irq,revision,subsystem_vendor,port_no} r,
  /sys/devices/pci[0-9]*/**/drm/**/{,enabled,status} r,
  /sys/devices/pci[0-9]*/**/sound/**/pcm_class r,
  /sys/devices/pci[0-9]*/**/backlight/**/* r,
  /sys/devices/virtual/tty/tty[0-9]*/active r,
  /sys/devices/virtual/tty/console/active r,
  /sys/devices/virtual/dmi/id/{sys,board,bios}_vendor r,
  /sys/devices/virtual/dmi/id/product_name r,
  /sys/devices/system/node/ r,
  /sys/devices/system/node/node[0-9]*/meminfo r,
  /sys/devices/system/cpu/ r,
  /sys/devices/system/cpu/{present,online} r,
  /sys/devices/system/cpu/cpu[0-9]*/cache/index2/size r,
  /sys/class/ r,
  /sys/class/{tty,input,drm,sound}/ r,
  /sys/bus/ r,
  /sys/bus/pci/devices/ r,
  /sys/fs/cgroup/** rw,

  # Procfs
  @{PROC}/ r,
  owner @{PROC}/[0-9]*/{cgroup,cmdline,comm,sessionid,mounts,stat,status,sched,maps,auxv,attr/current,fd/,environ,limits,mountinfo,task/,task/*/stat,task/*/status,fdinfo/*,mem} r,
  owner @{PROC}/@{pid}/{cgroup,cmdline,comm,sessionid,mounts,stat,status,sched,maps,auxv,attr/current,fd/,environ,limits,mountinfo,task/,task/*/stat,task/*/status,fdinfo/*,mem} r,
  owner @{PROC}/@{pid}/{setgroups,gid_map,uid_map,attr/exec,oom_score_adj} rw,
  @{PROC}/{stat,cpuinfo,filesystems,meminfo,swaps,uptime} r,
  @{PROC}/sys/** r,
  deny /proc/*/{statm,smaps} r,
  deny /proc/*/net/ r,
  deny /proc/*/net/** r,

  # Tmpfs
  /{,var/}tmp/ r,
  /{,var/}tmp/** r,
  owner /{,var/}tmp/ rw,
  owner /{,var/}tmp/** rw,

  # /etc
  /etc/ r,
  /etc/** r,

  # Device access
  /dev/ r,
  /dev/console r,
  /dev/random rw,
  /dev/urandom rw,
  /dev/null rw,
  /dev/zero rw,
  /dev/full rw,
  owner /dev/stdin rw,
  owner /dev/stdout r,
  owner /dev/stderr rw,
  /dev/tty rw,
  owner /dev/ptmx rw,
  /dev/pts/ r,
  owner /dev/pts/* rw,
  owner /dev/shm/ r,
  owner /dev/shm/** rw,
  /dev/video* rw,
  /dev/snd/ r,
  /dev/snd/** rw,

  # /var and /run
  /var/ r,
  /var/{lib,cache}/ r,
  /var/lib/** r,
  /var/lib/command-not-found/commands.db rwk,
  /var/cache/** rwl,
  owner /var/lib/ rw,
  owner /var/lib/** rw,
  /{,var/}run/ r,
  /{,var/}run/** rw,
  /{,var/}run/shm/** rwl,
  owner /{,var/}run/** rwk,

  # Prevent leak of some important kernel info
  deny /{,usr/}lib/modules/ rw,
  deny /{,usr/}lib/modules/** rw,
  deny /**vmlinu{,z,x}* rw,
  deny /**System.map* rw,

}
--------------------------------------------------------------------------------
/aa-profiles/home.sandboxing.okular-ro:
--------------------------------------------------------------------------------
abi ,

include

profile /home/sandbox/okular-ro.runner {
  # Runner self access
  /home/sandbox/okular-ro.runner r,

  # Sandbox access
  /home/sandbox/ r,
  /home/sandbox/** rwlk,
  deny /home/sandbox/** xm,
  deny /{,var/}/tmp/** xm,
  deny /dev/shm/** m,
  deny /sys/fs/cgroup/** m,

  /usr/bin/env ix,

  / r,

  unix,

  dbus bus=session,

  # Programs and libraries
  /usr/ r,
  /{,usr/,usr/local/}{,s}bin/ r,
  /{,usr/,usr/local/}{,s}bin/** rpix,
  /{,usr/,usr/local/}lib{,32,64}/ r,
  /{,usr/,usr/local/}lib{,32,64}/** rmpix,
  /usr/{,local/}{share,include}/ r,
  /usr/{,local/}{share,include}/** rpix,

  # Sysfs
  /sys/ r,
  /sys/devices/ r,
  /sys/devices/**/{uevent,config} r,
  /sys/devices/pci[0-9]*/**/ r,
  /sys/devices/pci[0-9]*/**/{resource,boot_vga,class,vendor,device,irq,revision,subsystem_vendor,port_no} r,
  /sys/devices/pci[0-9]*/**/drm/**/{,enabled,status} r,
  /sys/devices/pci[0-9]*/**/sound/**/pcm_class r,
  /sys/devices/pci[0-9]*/**/backlight/**/* r,
  /sys/devices/virtual/tty/tty[0-9]*/active r,
  /sys/devices/virtual/tty/console/active r,
  /sys/devices/virtual/dmi/id/{sys,board,bios}_vendor r,
  /sys/devices/virtual/dmi/id/product_name r,
  /sys/devices/system/node/ r,
  /sys/devices/system/node/node[0-9]*/meminfo r,
  /sys/devices/system/cpu/ r,
  /sys/devices/system/cpu/{present,online} r,
  /sys/devices/system/cpu/cpu[0-9]*/cache/index2/size r,
  /sys/class/ r,
  /sys/class/{tty,input,drm,sound}/ r,
  /sys/bus/ r,
  /sys/bus/pci/devices/ r,
  /sys/fs/cgroup/** rw,

  # Procfs
  @{PROC}/ r,
  owner @{PROC}/[0-9]*/{cgroup,cmdline,comm,sessionid,mounts,stat,status,sched,maps,auxv,attr/current,fd/,environ,limits,mountinfo,task/,task/*/stat,task/*/status,fdinfo/*,mem} r,
  owner @{PROC}/@{pid}/{cgroup,cmdline,comm,sessionid,mounts,stat,status,sched,maps,auxv,attr/current,fd/,environ,limits,mountinfo,task/,task/*/stat,task/*/status,fdinfo/*,mem} r,
  owner @{PROC}/@{pid}/{setgroups,gid_map,uid_map,attr/exec,oom_score_adj} rw,
  @{PROC}/{stat,cpuinfo,filesystems,meminfo,swaps,uptime} r,
  @{PROC}/sys/** r,
  deny /proc/*/{statm,smaps} r,
  deny /proc/*/net/ r,
  deny /proc/*/net/** r,

  # Tmpfs
  /{,var/}tmp/ r,
  /{,var/}tmp/** r,
  owner /{,var/}tmp/ rw,
  owner /{,var/}tmp/** rw,

  # /etc
  /etc/ r,
  /etc/** r,

  # Device access
  /dev/ r,
  /dev/console r,
  /dev/random rw,
  /dev/urandom rw,
  /dev/null rw,
  /dev/zero rw,
  /dev/full rw,
  owner /dev/stdin rw,
  owner /dev/stdout r,
  owner /dev/stderr rw,
  /dev/tty rw,
  owner /dev/ptmx rw,
  /dev/pts/ r,
  owner /dev/pts/* rw,
  owner /dev/shm/ r,
  owner /dev/shm/** rw,
  /dev/video* rw,
  /dev/snd/ r,
  /dev/snd/** rw,

  # /var and /run
  /var/ r,
  /var/{lib,cache}/ r,
  /var/lib/** r,
  /var/lib/command-not-found/commands.db rwk,
  /var/cache/** rwl,
  owner /var/lib/ rw,
  owner /var/lib/** rw,
  /{,var/}run/ r,
  /{,var/}run/** rw,
  /{,var/}run/shm/** rwl,
  owner /{,var/}run/**
  rwk,

  # Prevent leak of some important kernel info
  deny /{,usr/}lib/modules/ rw,
  deny /{,usr/}lib/modules/** rw,
  deny /**vmlinu{,z,x}* rw,
  deny /**System.map* rw,

}
--------------------------------------------------------------------------------
/aa-profiles/home.sandboxing.okular-rw:
--------------------------------------------------------------------------------
abi ,

include

profile /home/sandbox/okular-rw.runner {
  # Runner self access
  /home/sandbox/okular-rw.runner r,

  # Sandbox access
  /home/sandbox/ r,
  /home/sandbox/** rwlk,
  deny /home/sandbox/** xm,
  deny /{,var/}/tmp/** xm,
  deny /dev/shm/** m,
  deny /sys/fs/cgroup/** m,

  /usr/bin/env ix,

  / r,

  unix,

  dbus bus=session,

  # Programs and libraries
  /usr/ r,
  /{,usr/,usr/local/}{,s}bin/ r,
  /{,usr/,usr/local/}{,s}bin/** rpix,
  /{,usr/,usr/local/}lib{,32,64}/ r,
  /{,usr/,usr/local/}lib{,32,64}/** rmpix,
  /usr/{,local/}{share,include}/ r,
  /usr/{,local/}{share,include}/** rpix,

  # Sysfs
  /sys/ r,
  /sys/devices/ r,
  /sys/devices/**/{uevent,config} r,
  /sys/devices/pci[0-9]*/**/ r,
  /sys/devices/pci[0-9]*/**/{resource,boot_vga,class,vendor,device,irq,revision,subsystem_vendor,port_no} r,
  /sys/devices/pci[0-9]*/**/drm/**/{,enabled,status} r,
  /sys/devices/pci[0-9]*/**/sound/**/pcm_class r,
  /sys/devices/pci[0-9]*/**/backlight/**/* r,
  /sys/devices/virtual/tty/tty[0-9]*/active r,
  /sys/devices/virtual/tty/console/active r,
  /sys/devices/virtual/dmi/id/{sys,board,bios}_vendor r,
  /sys/devices/virtual/dmi/id/product_name r,
  /sys/devices/system/node/ r,
  /sys/devices/system/node/node[0-9]*/meminfo r,
  /sys/devices/system/cpu/ r,
  /sys/devices/system/cpu/{present,online} r,
  /sys/devices/system/cpu/cpu[0-9]*/cache/index2/size r,
  /sys/class/ r,
  /sys/class/{tty,input,drm,sound}/ r,
  /sys/bus/ r,
  /sys/bus/pci/devices/ r,
  /sys/fs/cgroup/** rw,

  # Procfs
  @{PROC}/ r,
  owner @{PROC}/[0-9]*/{cgroup,cmdline,comm,sessionid,mounts,stat,status,sched,maps,auxv,attr/current,fd/,environ,limits,mountinfo,task/,task/*/stat,task/*/status,fdinfo/*,mem} r,
  owner @{PROC}/@{pid}/{cgroup,cmdline,comm,sessionid,mounts,stat,status,sched,maps,auxv,attr/current,fd/,environ,limits,mountinfo,task/,task/*/stat,task/*/status,fdinfo/*,mem} r,
  owner @{PROC}/@{pid}/{setgroups,gid_map,uid_map,attr/exec,oom_score_adj} rw,
  @{PROC}/{stat,cpuinfo,filesystems,meminfo,swaps,uptime} r,
  @{PROC}/sys/** r,
  deny /proc/*/{statm,smaps} r,
  deny /proc/*/net/ r,
  deny /proc/*/net/** r,

  # Tmpfs
  /{,var/}tmp/ r,
  /{,var/}tmp/** r,
  owner /{,var/}tmp/ rw,
  owner /{,var/}tmp/** rw,

  # /etc
  /etc/ r,
  /etc/** r,

  # Device access
  /dev/ r,
  /dev/console r,
  /dev/random rw,
  /dev/urandom rw,
  /dev/null rw,
  /dev/zero rw,
  /dev/full rw,
  owner /dev/stdin rw,
  owner /dev/stdout r,
  owner /dev/stderr rw,
  /dev/tty rw,
  owner /dev/ptmx rw,
  /dev/pts/ r,
  owner /dev/pts/* rw,
  owner /dev/shm/ r,
  owner /dev/shm/** rw,
  /dev/video* rw,
  /dev/snd/ r,
  /dev/snd/** rw,

  # /var and /run
  /var/ r,
  /var/{lib,cache}/ r,
  /var/lib/** r,
  /var/lib/command-not-found/commands.db rwk,
  /var/cache/** rwl,
  owner /var/lib/ rw,
  owner /var/lib/** rw,
  /{,var/}run/ r,
  /{,var/}run/** rw,
  /{,var/}run/shm/** rwl,
  owner /{,var/}run/** rwk,

  # Prevent leak of some important kernel info
  deny /{,usr/}lib/modules/ rw,
  deny /{,usr/}lib/modules/** rw,
  deny /**vmlinu{,z,x}* rw,
  deny /**System.map* rw,

}
--------------------------------------------------------------------------------
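The profiles above differ mainly in which capabilities, `network` and `dbus` rules they carry and which paths are writable without the `owner` qualifier. The following parser and audit helper is an added example, not a file from this repository; it reads profiles in the shape of the ones above and reports those differences. The sample profile it parses is constructed here.

```python
"""Parser and audit helper for AppArmor profiles shaped like the ones in
aa-profiles/. Added example; it is not part of the sandboxing repository."""
import re
from dataclasses import dataclass, field


@dataclass
class Rule:
    deny: bool    # rule is a `deny` rule
    owner: bool   # rule carries the `owner` qualifier
    path: str     # path glob, e.g. "/{,var/}tmp/**" or "@{PROC}/@{pid}/mem"
    perms: str    # permission letters, e.g. "rwlk", "rpix", "xm"


@dataclass
class ProfileSummary:
    name: str
    capabilities: list = field(default_factory=list)
    network: bool = False                     # a `network` rule is present
    dbus: list = field(default_factory=list)  # raw `dbus ...` rules
    rules: list = field(default_factory=list)


# deny? owner? <path or @{VAR}-prefixed path> <perms>,
RULE_RE = re.compile(r"^(deny\s+)?(owner\s+)?(/\S*|@\{\w+\}\S*)\s+([a-zA-Z]+),$")


def parse_profiles(text):
    """Return one ProfileSummary per `profile NAME { ... }` block in `text`."""
    profiles, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                       # blank, comment, or `#include`
        if current is None:
            m = re.match(r"^profile\s+(\S+)\s*\{$", line)
            if m:
                current = ProfileSummary(name=m.group(1))
            continue                       # `abi`, `include`, etc. outside a block
        if line == "}":
            profiles.append(current)
            current = None
        elif line.startswith("capability "):
            current.capabilities.append(line[len("capability "):].rstrip(",").strip())
        elif line == "network," or line.startswith("network "):
            current.network = True
        elif line.startswith("dbus "):
            current.dbus.append(line.rstrip(","))
        else:
            m = RULE_RE.match(line)
            if m:                          # `unix,` and other rule kinds are skipped
                current.rules.append(
                    Rule(bool(m.group(1)), bool(m.group(2)), m.group(3), m.group(4)))
    return profiles


def writable_by_any_uid(summary):
    """Paths writable without the `owner` qualifier, i.e. regardless of file owner."""
    return sorted({r.path for r in summary.rules
                   if not r.deny and not r.owner and "w" in r.perms})


def exec_targets(summary):
    """Paths the profile allows to be executed (perms containing an x mode)."""
    return sorted({r.path for r in summary.rules if not r.deny and "x" in r.perms})


# Constructed sample in the shape of the profiles above (not a repository file).
SAMPLE = """\
profile /home/sandbox/example.runner {
  capability sys_admin,
  capability sys_chroot,

  # Runner self access
  /home/sandbox/example.runner r,

  # Sandbox access
  /home/sandbox/** rwlk,
  deny /home/sandbox/** xm,

  /usr/bin/env ix,
  / r,
  unix,
  network,
  dbus bus=session,
  /{,usr/,usr/local/}{,s}bin/** rpix,
  owner @{PROC}/@{pid}/mem r,
  /sys/fs/cgroup/** rw,
  owner /{,var/}tmp/** rw,
  deny /**System.map* rw,
}
"""

if __name__ == "__main__":
    for p in parse_profiles(SAMPLE):
        print(p.name, "capabilities:", p.capabilities, "network:", p.network)
        print("  writable regardless of owner:", writable_by_any_uid(p))
        print("  executable:", exec_targets(p))
```

Running it over a concatenation of the real `aa-profiles/` files shows at a glance which runners hold `sys_admin`/`sys_ptrace` and `network`, and that `/sys/fs/cgroup/**` and `/var/cache/**` are writable in every profile regardless of ownership.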
/aa-profiles/home.sandboxing.thunderbird:
--------------------------------------------------------------------------------
abi ,

include

profile /home/sandbox/thunderbird.runner {
  # Runner self access
  /home/sandbox/thunderbird.runner r,

  # Sandbox access
  /home/sandbox/ r,
  /home/sandbox/** rwlk,
  deny /home/sandbox/** xm,
  deny /{,var/}/tmp/** xm,
  deny /dev/shm/** m,
  deny /sys/fs/cgroup/** m,

  /usr/bin/env ix,

  / r,

  unix,

  network,

  dbus bus=session,

  # Programs and libraries
  /usr/ r,
  /{,usr/,usr/local/}{,s}bin/ r,
  /{,usr/,usr/local/}{,s}bin/** rpix,
  /{,usr/,usr/local/}lib{,32,64}/ r,
  /{,usr/,usr/local/}lib{,32,64}/** rmpix,
  /usr/{,local/}{share,include}/ r,
  /usr/{,local/}{share,include}/** rpix,

  # Sysfs
  /sys/ r,
  /sys/devices/ r,
  /sys/devices/**/{uevent,config} r,
  /sys/devices/pci[0-9]*/**/ r,
  /sys/devices/pci[0-9]*/**/{resource,boot_vga,class,vendor,device,irq,revision,subsystem_vendor,port_no} r,
  /sys/devices/pci[0-9]*/**/drm/**/{,enabled,status} r,
  /sys/devices/pci[0-9]*/**/sound/**/pcm_class r,
  /sys/devices/pci[0-9]*/**/backlight/**/* r,
  /sys/devices/virtual/tty/tty[0-9]*/active r,
  /sys/devices/virtual/tty/console/active r,
  /sys/devices/virtual/dmi/id/{sys,board,bios}_vendor r,
  /sys/devices/virtual/dmi/id/product_name r,
  /sys/devices/system/node/ r,
  /sys/devices/system/node/node[0-9]*/meminfo r,
  /sys/devices/system/cpu/ r,
  /sys/devices/system/cpu/{present,online} r,
  /sys/devices/system/cpu/cpu[0-9]*/cache/index2/size r,
  /sys/class/ r,
  /sys/class/{tty,input,drm,sound}/ r,
  /sys/bus/ r,
  /sys/bus/pci/devices/ r,
  /sys/fs/cgroup/** rw,

  # Procfs
  @{PROC}/ r,
  owner
  @{PROC}/[0-9]*/{cgroup,cmdline,comm,sessionid,mounts,stat,status,sched,maps,auxv,attr/current,fd/,environ,limits,mountinfo,task/,task/*/stat,task/*/status,fdinfo/*,mem} r,
  owner @{PROC}/@{pid}/{cgroup,cmdline,comm,sessionid,mounts,stat,status,sched,maps,auxv,attr/current,fd/,environ,limits,mountinfo,task/,task/*/stat,task/*/status,fdinfo/*,mem} r,
  owner @{PROC}/@{pid}/{setgroups,gid_map,uid_map,attr/exec,oom_score_adj} rw,
  @{PROC}/{stat,cpuinfo,filesystems,meminfo,swaps,uptime} r,
  @{PROC}/sys/** r,
  deny /proc/*/{statm,smaps} r,
  deny /proc/*/net/ r,
  deny /proc/*/net/** r,

  # Tmpfs
  /{,var/}tmp/ r,
  /{,var/}tmp/** r,
  owner /{,var/}tmp/ rw,
  owner /{,var/}tmp/** rw,

  # /etc
  /etc/ r,
  /etc/** r,

  # Device access
  /dev/ r,
  /dev/console r,
  /dev/random rw,
  /dev/urandom rw,
  /dev/null rw,
  /dev/zero rw,
  /dev/full rw,
  owner /dev/stdin rw,
  owner /dev/stdout r,
  owner /dev/stderr rw,
  /dev/tty rw,
  owner /dev/ptmx rw,
  /dev/pts/ r,
  owner /dev/pts/* rw,
  owner /dev/shm/ r,
  owner /dev/shm/** rw,
  /dev/video* rw,
  /dev/snd/ r,
  /dev/snd/** rw,

  # /var and /run
  /var/ r,
  /var/{lib,cache}/ r,
  /var/lib/** r,
  /var/lib/command-not-found/commands.db rwk,
  /var/cache/** rwl,
  owner /var/lib/ rw,
  owner /var/lib/** rw,
  /{,var/}run/ r,
  /{,var/}run/** rw,
  /{,var/}run/shm/** rwl,
  owner /{,var/}run/** rwk,

  # Prevent leak of some important kernel info
  deny /{,usr/}lib/modules/ rw,
  deny /{,usr/}lib/modules/** rw,
  deny /**vmlinu{,z,x}* rw,
  deny /**System.map* rw,

  deny /usr/lib/firefox/** x,

}
--------------------------------------------------------------------------------
/add_aa_profiles.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# Directory of this script, resolved through any symlink
script_dir=$(dirname "$(readlink -f "$0")")

dst=$1

if [[ "$dst" == "" ]]; then
  echo "Please specify destination"
  exit 1
fi

# Copy every generated AppArmor profile into the destination directory
# (typically the system's AppArmor profile directory)
for file in "$script_dir"/aa-profiles/*; do
  dst_file="$dst"/$(basename "$file")
  cp "$(realpath "$file")" "$dst_file"
done
--------------------------------------------------------------------------------
/add_links.sh:
--------------------------------------------------------------------------------
#!/bin/bash

prefix="sandbox"

dst=$1

# Directory of this script, resolved through any symlink
script_dir=$(dirname "$(readlink -f "$0")")

if [[ "$dst" == "" ]]; then
  echo "Please specify destination"
  exit 1
fi

# Symlink each scripts/NAME.sh as DEST/sandbox-NAME; the prefix keeps the
# links easy to remove and avoids shadowing the real program names
for file in "$script_dir"/scripts/*.sh; do
  name=$(basename "$file" | sed 's/\.sh$//')

  echo "Creating symbolic link for" "$name"

  dst_file="$dst"/"$prefix"-"$name"

  rm -f "$dst_file"
  ln -s "$(realpath "$file")" "$dst_file"
done
--------------------------------------------------------------------------------
/firefox-hardening/local-settings.js:
--------------------------------------------------------------------------------
pref("general.config.obscure_value", 0);
pref("general.config.filename", "mozilla.cfg");

--------------------------------------------------------------------------------
/gen/.gitignore:
--------------------------------------------------------------------------------
_build/
_coverage/
.merlin
*.rst~
*.install
bisect*.out
bisect*.coverage
--------------------------------------------------------------------------------
/gen/.ocamlformat:
--------------------------------------------------------------------------------
version = 0.19.0
break-infix = fit-or-vertical
break-infix-before-func
field-space = loose
let-and = sparse
sequence-style = terminator
type-decl = sparse
--------------------------------------------------------------------------------
/gen/Makefile:
--------------------------------------------------------------------------------
SRCFILES = src/*.ml

OCAMLFORMAT = ocamlformat \
	--inplace \
	$(SRCFILES)

.PHONY: all
all :
	dune build @all

.PHONY: run
run: all
	rm -f ../scripts/*.sh
	rm -f ../scripts/*.runner
	rm -f ../runners/*.runner
	rm -f ../seccomp-bpfs/*.c
	rm -f ../seccomp-bpfs/*.exe
	rm -f ../seccomp-bpfs/*.bpf
	rm -r ../aa-profiles/home.sandboxing.*
	dune exec gen

.PHONY: format
format :
	$(OCAMLFORMAT)

.PHONY: cinaps
cinaps :
	cinaps -i $(SRCFILES)
	$(OCAMLFORMAT)

.PHONY : clean
clean:
	dune clean
--------------------------------------------------------------------------------
/gen/dune-project:
--------------------------------------------------------------------------------
(lang dune 1.11)
--------------------------------------------------------------------------------
/gen/sandboxing_gen.opam:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/darrenldl/sandboxing/b3f73512b9afd3dd249829c71b01bb2f1f417b59/gen/sandboxing_gen.opam
--------------------------------------------------------------------------------
/gen/src/aa.ml:
--------------------------------------------------------------------------------
type capability =
  | Sys_admin
  | Sys_chroot
  | Sys_ptrace

let string_of_capability c =
  match c with
  | Sys_admin -> "sys_admin"
  | Sys_chroot -> "sys_chroot"
  | Sys_ptrace -> "sys_ptrace"
--------------------------------------------------------------------------------
/gen/src/bwrap.ml:
--------------------------------------------------------------------------------
type arg =
  | Unshare_user
  | Unshare_user_try
  | Unshare_ipc
  |
    Unshare_pid
  | Unshare_net
  | Unshare_uts
  | Unshare_cgroup
  | Unshare_cgroup_try
  | Unshare_all
  | Uid of int option
  | Gid of int option
  | Hostname of string
  | Chdir of string
  | Setenv of string * string
  | Unsetenv of string
  | Lock_file of string
  | Bind of string * string option
  | Bind_try of string * string option
  | Dev_bind of string * string option
  | Dev_bind_try of string * string option
  | Ro_bind of string * string option
  | Ro_bind_try of string * string option
  | Remount_ro of string
  | Proc of string
  | Dev of string
  | Tmpfs of string
  | Dir of string
  | File of int * string
  | Bind_data of int * string
  | Ro_bind_data of int * string
  | Symlink of string * string option
  | Seccomp of string
  | New_session
  | Ro_bind_as_is_glob of string
  | Tmpfs_glob of string

type res =
  | String of string
  | Glob of {
      arg_constr : string -> string;
      glob : string;
    }

let get_jail_dir s = Filename.concat Config.jails_dir s

(* Render one [arg] as the bwrap command-line fragment the generated shell
   script will emit; [Glob] results are expanded by the script at run time. *)
let compile_arg (x : arg) : res =
  match x with
  | Unshare_user -> String "--unshare-user"
  | Unshare_user_try -> String "--unshare-user-try"
  | Unshare_ipc -> String "--unshare-ipc"
  | Unshare_pid -> String "--unshare-pid"
  | Unshare_net -> String "--unshare-net"
  | Unshare_uts -> String "--unshare-uts"
  | Unshare_cgroup -> String "--unshare-cgroup"
  | Unshare_cgroup_try -> String "--unshare-cgroup-try"
  | Unshare_all -> String "--unshare-all"
  | Uid id -> (
      match id with
      | None -> String (Printf.sprintf "--uid $(%s)" Commands.get_unused_uid)
      | Some x -> String (Printf.sprintf "--uid %d" x))
  | Gid id -> (
      match id with
      | None -> String (Printf.sprintf "--gid $(%s)" Commands.get_unused_gid)
      | Some x -> String (Printf.sprintf "--gid \"%d\"" x))
  | Hostname s -> String (Printf.sprintf "--hostname \"%s\"" s)
  | Chdir s -> String (Printf.sprintf "--chdir \"%s\"" s)
  | Setenv (key, value) ->
      String (Printf.sprintf "--setenv \"%s\" \"%s\"" key value)
  | Unsetenv key -> String (Printf.sprintf "--unsetenv \"%s\"" key)
  | Lock_file s -> String (Printf.sprintf "--lock-file \"%s\"" s)
  | Bind (src, dst) ->
      let dst = Option.value dst ~default:src in
      String (Printf.sprintf "--bind \"%s\" \"%s\"" src dst)
  | Bind_try (src, dst) ->
      let dst = Option.value dst ~default:src in
      String (Printf.sprintf "--bind-try \"%s\" \"%s\"" src dst)
  | Dev_bind (src, dst) ->
      let dst = Option.value dst ~default:src in
      String (Printf.sprintf "--dev-bind \"%s\" \"%s\"" src dst)
  | Dev_bind_try (src, dst) ->
      let dst = Option.value dst ~default:src in
      String (Printf.sprintf "--dev-bind-try \"%s\" \"%s\"" src dst)
  | Ro_bind (src, dst) ->
      let dst = Option.value dst ~default:src in
      String (Printf.sprintf "--ro-bind \"%s\" \"%s\"" src dst)
  | Ro_bind_try (src, dst) ->
      let dst = Option.value dst ~default:src in
      String (Printf.sprintf "--ro-bind-try \"%s\" \"%s\"" src dst)
  | Remount_ro s -> String (Printf.sprintf "--remount-ro \"%s\"" s)
  | Proc s -> String (Printf.sprintf "--proc \"%s\"" s)
  | Dev s -> String (Printf.sprintf "--dev \"%s\"" s)
  | Tmpfs s -> String (Printf.sprintf "--tmpfs \"%s\"" s)
  | Dir s -> String (Printf.sprintf "--dir \"%s\"" s)
  | File (fd, dst) -> String (Printf.sprintf "--file %d \"%s\"" fd dst)
  (* bwrap has distinct --bind-data / --ro-bind-data options for these;
     emitting --file for all three would silently lose the bind semantics *)
  | Bind_data (fd, dst) -> String (Printf.sprintf "--bind-data %d \"%s\"" fd dst)
  | Ro_bind_data (fd, dst) ->
      String (Printf.sprintf "--ro-bind-data %d \"%s\"" fd dst)
  | Symlink (src, dst) ->
      let dst = Option.value dst ~default:src in
      String (Printf.sprintf "--symlink \"%s\" \"%s\"" src dst)
  (* The filter is passed on fd 10, which the script opens from the .bpf file *)
  | Seccomp s -> String (Printf.sprintf "--seccomp 10 10<%s" s)
  | New_session -> String "--new-session"
  | Ro_bind_as_is_glob
glob -> 104 | Glob 105 | { 106 | arg_constr = (fun x -> Printf.sprintf "--ro-bind \"%s\" \"%s\"" x x); 107 | glob; 108 | } 109 | | Tmpfs_glob glob -> 110 | Glob { arg_constr = (fun x -> Printf.sprintf "--tmpfs \"%s\"" x); glob } 111 | -------------------------------------------------------------------------------- /gen/src/commands.ml: -------------------------------------------------------------------------------- 1 | let get_unused_uid = 2 | {|getent passwd | awk -F: '($3>600) && ($3<10000) && ($3>maxuid) { maxuid=$3; } END { print maxuid+1; }'|} 3 | 4 | let get_unused_gid = 5 | {|getent passwd | awk -F: '($4>600) && ($4<10000) && ($4>maxgid) { maxgid=$4; } END { print maxgid+1; }'|} 6 | -------------------------------------------------------------------------------- /gen/src/config.ml: -------------------------------------------------------------------------------- 1 | let jails_dir = "$HOME/sandboxes" 2 | 3 | let jail_logs_dir = "$HOME/sandbox-logs" 4 | 5 | let stdout_log_suffix = "stdout" 6 | 7 | let stderr_log_suffix = "stderr" 8 | 9 | let log_date_format_str = "+%Y-%m-%d_%H%M%S" 10 | 11 | let home_inside_jail = "/home/sandbox" 12 | 13 | let aa_profile_output_dir = "../aa-profiles" 14 | 15 | let script_output_dir = "../scripts" 16 | 17 | let seccomp_bpf_output_dir = "../seccomp-bpfs" 18 | 19 | let seccomp_bpf_suffix = "_seccomp_filter.bpf" 20 | 21 | let runner_output_dir = "../runners" 22 | 23 | let runner_suffix = ".runner" 24 | 25 | let firefox_hardened_pref_path = 26 | "$script_dir/../firefox-hardening/local-settings.js" 27 | 28 | let firefox_hardened_user_js_path = 29 | "$script_dir/../firefox-hardening/systemwide_user.js" 30 | -------------------------------------------------------------------------------- /gen/src/dune: -------------------------------------------------------------------------------- 1 | (executable 2 | (name gen) 3 | (public_name gen) 4 | (flags (-w "+a-4-9-29-37-40-42-44-48-50-32-30")) 5 | (libraries containers 6 | fileutils 7 | ) 8 | 
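The seccomp path runs through three pieces of this generator: `Bwrap.Seccomp` emits `--seccomp 10 10<file`, so bwrap reads a raw classic-BPF program from fd 10; `write_main_script` in gen.ml compiles and runs the libseccomp C file that produces that `.bpf`; and `profile_components.ml` supplies the blacklist and whitelist, some entries of which match a syscall argument (ioctl with TIOCSTI, socket by address family). The following is an added example and not code from this repository: it hand-assembles a filter of that shape without libseccomp (assumed x86_64 only, with the ABI constants defined inline), exports it in the format `--seccomp` consumes, and includes a tiny cBPF interpreter so the decisions can be checked without loading the filter into the running process.

```c
/* Added example, not code from the sandboxing repo: a hand-assembled seccomp-BPF
 * program shaped like what the generated seccomp-bpfs/<name>.c files produce
 * via libseccomp (default action + per-syscall rules, some matching an
 * argument), plus a minimal classic-BPF interpreter for checking decisions.
 * Assumption: x86_64 only. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Classic BPF opcodes, defined locally instead of via <linux/filter.h>. */
#define OP_LD_W_ABS 0x20u /* BPF_LD  | BPF_W   | BPF_ABS */
#define OP_JEQ_K    0x15u /* BPF_JMP | BPF_JEQ | BPF_K   */
#define OP_RET_K    0x06u /* BPF_RET | BPF_K             */

/* seccomp return values (same encoding as <linux/seccomp.h>). */
#define RET_KILL_PROCESS 0x80000000u
#define RET_ERRNO(e)     (0x00050000u | ((uint32_t)(e) & 0xffffu))
#define RET_ALLOW        0x7fff0000u
#define EPERM_CODE       1

/* x86_64 ABI constants used below (assumption: x86_64 syscall numbers). */
#define AUDIT_ARCH_X86_64 0xc000003eu
#define NR_READ   0
#define NR_IOCTL  16
#define NR_PTRACE 101
#define TIOCSTI   0x5412u /* blacklisted: injects input into the controlling tty */
#define FIOCLEX   0x5451u
#define FIONREAD  0x541bu

/* Same layouts as struct sock_filter and struct seccomp_data. */
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
struct sc_data { int32_t nr; uint32_t arch; uint64_t ip; uint64_t args[6]; };

#define STMT(c, k)         { (c), 0, 0, (k) }
#define JUMP(c, k, jt, jf) { (c), (jt), (jf), (k) }
#define OFF_NR      ((uint32_t)offsetof(struct sc_data, nr))
#define OFF_ARCH    ((uint32_t)offsetof(struct sc_data, arch))
#define OFF_ARG1_LO ((uint32_t)offsetof(struct sc_data, args) + 8u) /* low word, little-endian */

/* Jumps are relative: next pc = pc + 1 + jt (or jf). Indices noted for reference. */
static const struct insn filter[] = {
    /* 0 */  STMT(OP_LD_W_ABS, OFF_ARCH),
    /* 1 */  JUMP(OP_JEQ_K, AUDIT_ARCH_X86_64, 1, 0),
    /* 2 */  STMT(OP_RET_K, RET_KILL_PROCESS),       /* foreign ABI: kill      */
    /* 3 */  STMT(OP_LD_W_ABS, OFF_NR),
    /* 4 */  JUMP(OP_JEQ_K, NR_READ, 6, 0),          /* whitelisted  -> 11     */
    /* 5 */  JUMP(OP_JEQ_K, NR_PTRACE, 6, 0),        /* blacklisted  -> 12     */
    /* 6 */  JUMP(OP_JEQ_K, NR_IOCTL, 0, 3),         /* not ioctl    -> 10     */
    /* 7 */  STMT(OP_LD_W_ABS, OFF_ARG1_LO),         /* ioctl request number   */
    /* 8 */  JUMP(OP_JEQ_K, FIONREAD, 2, 0),         /* -> 11                  */
    /* 9 */  JUMP(OP_JEQ_K, FIOCLEX, 1, 0),          /* -> 11; TIOCSTI etc. fall through */
    /* 10 */ STMT(OP_RET_K, RET_ERRNO(EPERM_CODE)),  /* default action         */
    /* 11 */ STMT(OP_RET_K, RET_ALLOW),
    /* 12 */ STMT(OP_RET_K, RET_KILL_PROCESS),
};
#define FILTER_LEN (sizeof filter / sizeof filter[0])

/* Minimal cBPF interpreter covering only the three opcodes used above;
 * any other opcode, an out-of-range load, or running off the end fails closed. */
uint32_t run_filter(const struct insn *prog, size_t n, const struct sc_data *d)
{
    const uint8_t *raw = (const uint8_t *)d;
    uint32_t acc = 0;
    for (size_t pc = 0; pc < n; pc++) {
        const struct insn *in = &prog[pc];
        switch (in->code) {
        case OP_LD_W_ABS:
            if (in->k + sizeof acc > sizeof *d) return RET_KILL_PROCESS;
            memcpy(&acc, raw + in->k, sizeof acc);
            break;
        case OP_JEQ_K: pc += (acc == in->k) ? in->jt : in->jf; break;
        case OP_RET_K:  return in->k;
        default:        return RET_KILL_PROCESS;
        }
    }
    return RET_KILL_PROCESS;
}

/* Decision for one syscall; only args[1] matters to this filter. */
uint32_t decide(int32_t nr, uint32_t arch, uint64_t arg1)
{
    struct sc_data d;
    memset(&d, 0, sizeof d);
    d.nr = nr; d.arch = arch; d.args[1] = arg1;
    return run_filter(filter, FILTER_LEN, &d);
}

/* Write the raw instruction array: this is what bwrap's --seccomp FD reads. */
int export_filter(const char *path)
{
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    size_t written = fwrite(filter, sizeof filter[0], FILTER_LEN, f);
    return (fclose(f) == 0 && written == FILTER_LEN) ? 0 : -1;
}

int main(int argc, char **argv)
{
    const char *out = argc > 1 ? argv[1] : "example_seccomp_filter.bpf";
    if (export_filter(out) != 0) { perror(out); return 1; }
    printf("ioctl(TIOCSTI) -> 0x%08x, ioctl(FIONREAD) -> 0x%08x\n",
           decide(NR_IOCTL, AUDIT_ARCH_X86_64, TIOCSTI),
           decide(NR_IOCTL, AUDIT_ARCH_X86_64, FIONREAD));
    return 0;
}
```

The written file is consumed exactly as the generated scripts do it: `bwrap ... --seccomp 10 10<example_seccomp_filter.bpf ...`. The interpreter understands only the three opcodes this filter uses; a filter built by libseccomp also compares both halves of 64-bit arguments, which this example skips by checking only the low word of `args[1]`.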
--------------------------------------------------------------------------------
/gen/src/gen.ml:
--------------------------------------------------------------------------------
let write_main_script (p : Profile.t) : unit =
  FileUtil.mkdir ~parent:true Config.script_output_dir;
  let file_name = FilePath.concat Config.script_output_dir (p.name ^ ".sh") in
  CCIO.with_out file_name (fun oc ->
      let write_line = CCIO.write_line oc in
      write_line "#!/usr/bin/bash";
      write_line "";
      write_line "set -euxo pipefail";
      write_line "";
      write_line (Printf.sprintf "script_dir=$(dirname $(readlink -f \"$0\"))");
      write_line "";
      let bpf_dir =
        Printf.sprintf "\"$script_dir\"/%s" Config.seccomp_bpf_output_dir
      in
      let bin_file_path =
        Printf.sprintf "\"$script_dir\"/%s/%s" Config.seccomp_bpf_output_dir
          p.name
      in
      (* Compile and run the libseccomp program that writes
         <name>_seccomp_filter.bpf into the current directory, then move the
         filter next to its source. *)
      write_line
        (Printf.sprintf "gcc %s.c -lseccomp -o %s.exe" bin_file_path
           bin_file_path);
      (* Under set -e a failing command aborts the script before a following
         "$?" test could run, so the status is tested in the if itself. *)
      write_line (Printf.sprintf "if ! %s.exe; then" bin_file_path);
      write_line "  echo \"Failed to generate seccomp filter\"";
      write_line "  exit 1";
      write_line "fi";
      write_line "";
      write_line
        (Printf.sprintf "mv %s%s %s" p.name Config.seccomp_bpf_suffix bpf_dir);
      write_line "";
      let runner_src_path =
        Printf.sprintf "\"$script_dir\"/%s/%s.c" Config.runner_output_dir p.name
      in
      let runner_bin_path =
        Printf.sprintf "\"$script_dir\"/%s/%s.runner" Config.runner_output_dir
          p.name
      in
      write_line (Printf.sprintf "gcc %s -o %s" runner_src_path runner_bin_path);
      write_line "";
      (match p.home_jail_dir with
       | None -> ()
       | Some s ->
         let jail_dir = Filename.concat Config.jails_dir s in
         let downloads_dir = Filename.concat jail_dir "Downloads" in
         write_line (Printf.sprintf "mkdir -p \"%s\"" jail_dir);
         write_line (Printf.sprintf "mkdir -p \"%s\"" downloads_dir);
         write_line "");
      let log_dir = Filename.concat Config.jail_logs_dir p.name in
      write_line
        (Printf.sprintf "cur_time=$(date \"%s\")" Config.log_date_format_str);
      if p.log_stdout then (
        write_line (Printf.sprintf "mkdir -p \"%s\"" log_dir);
        write_line
          (Printf.sprintf "stdout_log_name=\"%s\"/\"$cur_time\".\"%s\"" log_dir
             Config.stdout_log_suffix);
        write_line "");
      if p.log_stderr then (
        write_line (Printf.sprintf "mkdir -p \"%s\"" log_dir);
        write_line
          (Printf.sprintf "stderr_log_name=\"%s\"/\"$cur_time\".\"%s\"" log_dir
             Config.stderr_log_suffix);
        write_line "");
      (* Per-run temporary home directories that are bound into the jail and
         removed again (if empty) after the program exits. *)
      (match p.preserved_temp_home_dirs with
       | [] -> ()
       | _ ->
         write_line
           (Printf.sprintf "tmp_dir=$(mktemp -d -t %s-$cur_time-XXXX)" p.name);
         List.iter
           (fun (_perm, dir) ->
              write_line
                (Printf.sprintf "mkdir -p \"%s\""
                   (Filename.concat "$tmp_dir" dir)))
           p.preserved_temp_home_dirs;
         write_line "");
      (* write_line "export script_dir";
       * write_line "export tmp_dir";
       * write_line "export stdout_log_name";
       * write_line "export stderr_log_name"; *)
      let bwrap_args =
        let open Bwrap in
        p.bwrap_args
        @ List.map
          (fun (perm, dir) ->
             let src = Filename.concat "$tmp_dir" dir in
             let dst = Some (Filename.concat Config.home_inside_jail dir) in
             match perm with `R -> Ro_bind (src, dst) | `RW -> Bind (src, dst))
          p.preserved_temp_home_dirs
        @ (match (p.syscall_blacklist, p.syscall_whitelist) with
            | [], [] -> []
            | _, _ ->
              [
                Seccomp
                  (Filename.concat bpf_dir (p.name ^ Config.seccomp_bpf_suffix));
              ])
        @ [
          Ro_bind
            ( runner_bin_path,
              Some
                (Filename.concat Config.home_inside_jail
                   (Printf.sprintf "%s.runner" p.name)) );
        ]
      in
      List.iteri
        (fun i x ->
           match Bwrap.compile_arg x with
           | String _ -> ()
           | Glob { arg_constr; glob } ->
             (* Expand the glob at run time (nullglob, so no match yields an
                empty list) and build one bwrap argument per match. The result
                is spliced into the bwrap command line unquoted, so matched
                paths must not contain whitespace. *)
             write_line "shopt -s nullglob";
             write_line (Printf.sprintf "glob_list_%d=(%s)" i glob);
             write_line "shopt -u nullglob";
             write_line (Printf.sprintf "expanding_arg_%d=\"\"" i);
             write_line (Printf.sprintf "for x in ${glob_list_%d[@]}; do" i);
             write_line "  if [[ $x != \"\" ]]; then";
             write_line
               (Printf.sprintf "    expanding_arg_%d+=\" %s \"" i
                  (arg_constr "$x"));
             write_line "  fi";
             write_line "done")
        bwrap_args;
      write_line "";
      write_line "( exec bwrap \\";
      List.iteri
        (fun i x ->
           match Bwrap.compile_arg x with
           | String s -> write_line (Printf.sprintf "  %s \\" s)
           | Glob _ -> write_line (Printf.sprintf "  $expanding_arg_%d \\" i))
        bwrap_args;
      write_line
        (Printf.sprintf "  %s/%s.runner %s\\" Config.home_inside_jail p.name
           (match p.args with [] -> "" | _ -> String.concat " " p.args ^ " "));
      if p.log_stdout then write_line "  >$stdout_log_name \\";
      if p.log_stderr then write_line "  2>$stderr_log_name \\";
      write_line "  )";
      match p.preserved_temp_home_dirs with
      | [] -> ()
      | _ ->
        write_line "";
        List.iter
          (fun (_perm, dir) ->
             write_line
               (Printf.sprintf "rmdir --ignore-fail-on-non-empty \"%s\""
                  (Filename.concat "$tmp_dir" dir)))
          p.preserved_temp_home_dirs;
        write_line
          (Printf.sprintf "rmdir --ignore-fail-on-non-empty \"$tmp_dir\""));
  FileUtil.chmod (`Octal 0o774) [ file_name ]

(* let write_runner_script (p : Profile.t) : unit =
 *   FileUtil.mkdir ~parent:true Config.script_output_dir;
 *   let file_name =
 *     FilePath.concat Config.script_output_dir (p.name ^ ".runner")
 *   in
 *   CCIO.with_out file_name (fun oc ->
 *       let write_line = CCIO.write_line oc in
 *       write_line "#!/usr/bin/bash";
 *       write_line "";
 *       write_line "set -euxo pipefail";
 *       write_line "";
 *       write_line (Printf.sprintf "%s \"$@\"" p.prog));
 *   FileUtil.chmod (`Octal 0o774) [ file_name ] *)

let write_runner (p : Profile.t) : unit =
  Runner.write_c_file ~name:p.name ~prog:p.prog ~proc_limit:p.proc_limit
    ~heap_limit_MiB:p.heap_limit_MiB

let write_seccomp_bpf (p : Profile.t) : unit =
  Seccomp_bpf.write_c_file ~name:p.name ~default_action:p.syscall_default_action
    ~blacklist:p.syscall_blacklist ~whitelist:p.syscall_whitelist

let write_aa_profile (p : Profile.t) : unit =
  FileUtil.mkdir ~parent:true Config.aa_profile_output_dir;
  let file_name =
    FilePath.concat Config.aa_profile_output_dir
      (Printf.sprintf "home.sandboxing.%s" p.name)
  in
  CCIO.with_out file_name (fun oc ->
      let write_line = CCIO.write_line oc in
      (* The angle-bracket targets of these two lines were lost in extraction;
         the standard AppArmor 3 ABI declaration and tunables include are
         assumed here. *)
      write_line "abi <abi/3.0>,";
      write_line "";
      write_line "include <tunables/global>";
      write_line "";
      write_line (Printf.sprintf "profile /home/sandbox/%s.runner {" p.name);
      (match p.aa_caps with
       | [] -> ()
       | l ->
         List.iter
           (fun x ->
              write_line
                (Printf.sprintf "  capability %s," (Aa.string_of_capability x)))
           l;
         write_line "");
      write_line "  # Runner self access";
      write_line (Printf.sprintf "  /home/sandbox/%s.runner r," p.name);
      write_line "";
      write_line "  # Sandbox access";
      write_line (Printf.sprintf "  /home/sandbox/ r,");
      write_line (Printf.sprintf "  /home/sandbox/** rwlk,");
      (* allow_wx decides whether writable locations (private home, tmp, shm)
         may also be executed or mapped executable. The deny branch is what
         keeps a payload dropped into those locations from running.
         The tmp paths were written as "/{,var/}/tmp/**" originally, which
         expands to "//tmp/**" and "/var//tmp/**" and matches nothing. *)
      if p.allow_wx then (
        write_line "  owner /home/sandbox/** rwmlkix,";
        write_line "  owner /{,var/}tmp/** rwmlkix,";
        write_line "  owner /dev/shm/** rwm,";
        write_line "  /sys/fs/cgroup/** rwm,")
      else (
        write_line "  deny /home/sandbox/** xm,";
        write_line "  deny /{,var/}tmp/** xm,";
        write_line "  deny /dev/shm/** m,";
        write_line "  deny /sys/fs/cgroup/** m,");
      write_line "";
      write_line "  /usr/bin/env ix,";
      write_line "";
      write_line "  / r,";
      write_line "";
      write_line "  unix,";
      write_line "";
      if p.allow_network then (
        write_line "  network,";
        write_line "");
      write_line "  dbus bus=session,";
      write_line "";
      (* write_line "  set rlimit nproc <= 200,";
       * write_line ""; *)
      write_line "  # Programs and libraries";
      write_line "  /usr/ r,";
      write_line "  /{,usr/,usr/local/}{,s}bin/ r,";
      write_line "  /{,usr/,usr/local/}{,s}bin/** rpix,";
      write_line "  /{,usr/,usr/local/}lib{,32,64}/ r,";
      write_line "  /{,usr/,usr/local/}lib{,32,64}/** rmpix,";
      write_line "  /usr/{,local/}{share,include}/ r,";
      write_line "  /usr/{,local/}{share,include}/** rpix,";
      write_line "";
      write_line "  # Sysfs";
      write_line "  /sys/ r,";
      write_line "  /sys/devices/ r,";
      write_line "  /sys/devices/**/{uevent,config} r,";
      write_line "  /sys/devices/pci[0-9]*/**/ r,";
      write_line
        "  \
         /sys/devices/pci[0-9]*/**/{resource,boot_vga,class,vendor,device,irq,revision,subsystem_vendor,port_no} \
         r,";
      write_line "  /sys/devices/pci[0-9]*/**/drm/**/{,enabled,status} r,";
      write_line "  /sys/devices/pci[0-9]*/**/sound/**/pcm_class r,";
      write_line "  /sys/devices/pci[0-9]*/**/backlight/**/* r,";
      write_line "  /sys/devices/virtual/tty/tty[0-9]*/active r,";
      write_line "  /sys/devices/virtual/tty/console/active r,";
      write_line "  /sys/devices/virtual/dmi/id/{sys,board,bios}_vendor r,";
      write_line "  /sys/devices/virtual/dmi/id/product_name r,";
      write_line "  /sys/devices/system/node/ r,";
      write_line "  /sys/devices/system/node/node[0-9]*/meminfo r,";
      write_line "  /sys/devices/system/cpu/ r,";
      write_line "  /sys/devices/system/cpu/{present,online} r,";
      write_line "  /sys/devices/system/cpu/cpu[0-9]*/cache/index2/size r,";
      write_line "  /sys/class/ r,";
      write_line "  /sys/class/{tty,input,drm,sound}/ r,";
      write_line "  /sys/bus/ r,";
      write_line "  /sys/bus/pci/devices/ r,";
      write_line "  /sys/fs/cgroup/** rw,";
      write_line "";
      write_line "  # Procfs";
      write_line "  @{PROC}/ r,";
      write_line
        "  owner \
         @{PROC}/[0-9]*/{cgroup,cmdline,comm,sessionid,mounts,stat,status,sched,maps,auxv,attr/current,fd/,environ,limits,mountinfo,task/,task/*/stat,task/*/status,fdinfo/*,mem} \
         r,";
      write_line
        "  owner \
         @{PROC}/@{pid}/{cgroup,cmdline,comm,sessionid,mounts,stat,status,sched,maps,auxv,attr/current,fd/,environ,limits,mountinfo,task/,task/*/stat,task/*/status,fdinfo/*,mem} \
         r,";
      write_line
        "  owner \
         @{PROC}/@{pid}/{setgroups,gid_map,uid_map,attr/exec,oom_score_adj} \
         rw,";
      write_line "  @{PROC}/{stat,cpuinfo,filesystems,meminfo,swaps,uptime} r,";
      write_line "  @{PROC}/sys/** r,";
      write_line "  deny /proc/*/{statm,smaps} r,";
      write_line "  deny /proc/*/net/ r,";
      write_line "  deny /proc/*/net/** r,";
      write_line "";
      write_line "  # Tmpfs";
      write_line "  /{,var/}tmp/ r,";
      write_line "  /{,var/}tmp/** r,";
      write_line "  owner /{,var/}tmp/ rw,";
      write_line "  owner /{,var/}tmp/** rw,";
      write_line "";
      write_line "  # /etc";
      write_line "  /etc/ r,";
      write_line "  /etc/** r,";
      write_line "";
      write_line "  # Device access";
      write_line "  /dev/ r,";
      write_line "  /dev/console r,";
      write_line "  /dev/random rw,";
      write_line "  /dev/urandom rw,";
      write_line "  /dev/null rw,";
      write_line "  /dev/zero rw,";
      write_line "  /dev/full rw,";
      write_line "  owner /dev/stdin rw,";
      write_line "  owner /dev/stdout r,";
      write_line "  owner /dev/stderr rw,";
      write_line "  /dev/tty rw,";
      write_line "  owner /dev/ptmx rw,";
      write_line "  /dev/pts/ r,";
      write_line "  owner /dev/pts/* rw,";
      write_line "  owner /dev/shm/ r,";
      write_line "  owner /dev/shm/** rw,";
      write_line "  /dev/video* rw,";
      write_line "  /dev/snd/ r,";
      write_line "  /dev/snd/** rw,";
      write_line "";
      write_line "  # /var and /run";
      write_line "  /var/ r,";
      write_line "  /var/{lib,cache}/ r,";
      write_line "  /var/lib/** r,";
      write_line "  /var/lib/command-not-found/commands.db rwk,";
      write_line "  /var/cache/** rwl,";
      write_line "  owner /var/lib/ rw,";
      write_line "  owner /var/lib/** rw,";
      write_line "  /{,var/}run/ r,";
      write_line "  /{,var/}run/** rw,";
      write_line "  /{,var/}run/shm/** rwl,";
      write_line "  owner /{,var/}run/** rwk,";
      write_line "";
      write_line "  # Prevent leak of some important kernel info";
      write_line "  deny /{,usr/}lib/modules/ rw,";
      write_line "  deny /{,usr/}lib/modules/** rw,";
      write_line "  deny /**vmlinu{,z,x}* rw,";
      write_line "  deny /**System.map* rw,";
      write_line "";
      (match p.extra_aa_lines with
       | [] -> ()
       | l ->
         List.iter (fun x -> write_line (Printf.sprintf "  %s," x)) l;
         write_line "");
      write_line "}");
  FileUtil.chmod (`Octal 0o774) [ file_name ];
  ()

let () =
  List.iter
    (fun p ->
       write_main_script p;
       write_runner p;
       write_seccomp_bpf p;
       write_aa_profile p)
    Profiles.suite

--------------------------------------------------------------------------------
/gen/src/profile.ml:
--------------------------------------------------------------------------------
type rw =
  [ `R
  | `RW
  ]

type t = {
  name : string;
  prog : string;
  args : string list;
  home_jail_dir : string option;
  preserved_temp_home_dirs : (rw * string) list;
  log_stdout : bool;
  log_stderr : bool;
  syscall_default_action : string;
  syscall_blacklist : Seccomp_bpf.syscall list;
  syscall_whitelist : Seccomp_bpf.syscall list;
  bwrap_args : Bwrap.arg list;
  allow_network : bool;
  aa_caps : Aa.capability list;
  allow_wx : bool;
  extra_aa_lines : string list;
  proc_limit : int option;
  heap_limit_MiB : int option;
}

--------------------------------------------------------------------------------
/gen/src/profile_components.ml:
--------------------------------------------------------------------------------
open Bwrap
open Seccomp_bpf

(* Each entry names a syscall; a non-empty args list restricts the rule to
   calls whose argument at the given index equals the named constant. *)

(* Based on https://github.com/valoq/bwscripts *)
let default_syscall_blacklist : syscall list =
  [
    { name = "_sysctl"; args = [] };
    { name = "acct"; args = [] };
    { name = "add_key"; args = [] };
    { name = "adjtimex"; args = [] };
    { name = "afs_syscall"; args = [] };
    { name = "bdflush"; args = [] };
    { name = "bpf"; args = [] };
    { name = "break"; args = [] };
    { name = "clock_adjtime"; args = [] };
    { name = "clock_settime"; args = [] };
    { name = "create_module"; args = [] };
    { name = "delete_module"; args = [] };
    { name = "fanotify_init"; args = [] };
    { name = "finit_module"; args = [] };
    { name = "ftime"; args = [] };
    { name = "get_kernel_syms"; args = [] };
    { name = "getpmsg"; args = [] };
    { name = "gtty"; args = [] };
    { name = "get_mempolicy"; args = [] };
    { name = "init_module"; args = [] };
    { name = "io_cancel"; args = [] };
    { name = "io_destroy"; args = [] };
    { name = "io_getevents"; args = [] };
    { name = "io_setup"; args = [] };
    { name = "io_submit"; args = [] };
    { name = "ioperm"; args = [] };
    { name = "iopl"; args = [] };
    { name = "ioprio_set"; args = [] };
    { name = "kcmp"; args = [] };
    { name = "kexec_file_load"; args = [] };
    { name = "kexec_load"; args = [] };
    { name = "keyctl"; args = [] };
    { name = "lock"; args = [] };
    { name = "lookup_dcookie"; args = [] };
    { name = "mbind"; args = [] };
    { name = "migrate_pages"; args = [] };
    { name = "modify_ldt"; args = [] };
    { name = "mount"; args = [] };
    { name = "move_pages"; args = [] };
    { name = "mpx"; args = [] };
    { name = "name_to_handle_at"; args = [] };
    { name = "nfsservctl"; args = [] };
    { name = "open_by_handle_at"; args = [] };
    { name = "pciconfig_iobase"; args = [] };
    { name = "pciconfig_read"; args = [] };
    { name = "pciconfig_write"; args = [] };
    { name = "perf_event_open"; args = [] };
    { name = "personality"; args = [] };
    { name = "pivot_root"; args = [] };
    { name = "process_vm_readv"; args = [] };
    { name = "process_vm_writev"; args = [] };
    { name = "prof"; args = [] };
    { name = "profil"; args = [] };
    { name = "ptrace"; args = [] };
    { name = "putpmsg"; args = [] };
    { name = "query_module"; args = [] };
    { name = "reboot"; args = [] };
    { name = "remap_file_pages"; args = [] };
    { name = "request_key"; args = [] };
    { name = "rtas"; args = [] };
    { name = "s390_pci_mmio_read"; args = [] };
    { name = "s390_runtime_instr"; args = [] };
    { name = "security"; args = [] };
    { name = "set_mempolicy"; args = [] };
    { name = "setdomainname"; args = [] };
    { name = "sethostname"; args = [] };
    { name = "settimeofday"; args = [] };
    { name = "sgetmask"; args = [] };
    { name = "ssetmask"; args = [] };
    { name = "stime"; args = [] };
    { name = "stty"; args = [] };
    { name = "subpage_prot"; args = [] };
    { name = "swapoff"; args = [] };
    { name = "swapon"; args = [] };
    { name = "switch_endian"; args = [] };
    { name = "sysfs"; args = [] };
    { name = "syslog"; args = [] };
    { name = "tuxcall"; args = [] };
    { name = "ulimit"; args = [] };
    { name = "umount"; args = [] };
    { name = "umount2"; args = [] };
    { name = "uselib"; args = [] };
    { name = "userfaultfd"; args = [] };
    { name = "ustat"; args = [] };
    { name = "vhangup"; args = [] };
    { name = "vm86"; args = [] };
    { name = "vm86old"; args = [] };
    { name = "vmsplice"; args = [] };
    { name = "vserver"; args = [] };
    (* TIOCSTI lets a process inject keystrokes into its controlling
       terminal, a classic sandbox escape when a tty is shared with the host *)
    { name = "ioctl"; args = [ (1, "TIOCSTI") ] };
  ]

(* Based on https://github.com/Whonix/sandbox-app-launcher *)
let default_syscall_whitelist : syscall list =
  [
    { name = "_llseek"; args = [] };
    { name = "_newselect"; args = [] };
    { name = "accept"; args = [] };
    { name = "accept4"; args = [] };
    { name = "access"; args = [] };
    { name = "alarm"; args = [] };
    { name = "arch_prctl"; args = [] };
    { name = "bind"; args = [] };
    { name = "brk"; args = [] };
    { name = "cacheflush"; args = [] };
    { name = "capget"; args = [] };
    { name = "capset"; args = [] };
    { name = "chdir"; args = [] };
    { name = "chmod"; args = [] };
    { name = "chown"; args = [] };
    { name = "chown32"; args = [] };
    { name = "chroot"; args = [] };
    { name = "clock_getres"; args = [] };
    { name = "clock_gettime"; args = [] };
    { name = "clock_nanosleep"; args = [] };
    { name = "clone"; args = [] };
    { name = "close"; args = [] };
    { name = "connect"; args = [] };
    { name = "copy_file_range"; args = [] };
    { name = "creat"; args = [] };
    { name = "dup"; args = [] };
    { name = "dup2"; args = [] };
    { name = "dup3"; args = [] };
    { name = "epoll_create"; args = [] };
    { name = "epoll_create1"; args = [] };
    { name = "epoll_ctl"; args = [] };
    { name = "epoll_pwait"; args = [] };
    { name = "epoll_wait"; args = [] };
    { name = "eventfd"; args = [] };
    { name = "eventfd2"; args = [] };
    { name = "execve"; args = [] };
    { name = "execveat"; args = [] };
    { name = "exit"; args = [] };
    { name = "exit_group"; args = [] };
    { name = "faccessat"; args = [] };
    { name = "fadvise64"; args = [] };
    { name = "fadvise64_64"; args = [] };
    { name = "fallocate"; args = [] };
    { name = "fanotify_mark"; args = [] };
    { name = "fchdir"; args = [] };
    { name = "fchmod"; args = [] };
    { name = "fchmodat"; args = [] };
    { name = "fchown"; args = [] };
    { name = "fchown32"; args = [] };
    { name = "fchownat"; args = [] };
    { name = "fcntl"; args = [] };
    { name = "fcntl64"; args = [] };
    { name = "fdatasync"; args = [] };
    { name = "fgetxattr"; args = [] };
    { name = "flistxattr"; args = [] };
    { name = "flock"; args = [] };
    { name = "fork"; args = [] };
    { name = "fremovexattr"; args = [] };
    { name = "fstat"; args = [] };
    { name = "fstat64"; args = [] };
    { name = "fstatat64"; args = [] };
    { name = "fstatfs"; args = [] };
    { name = "fstatfs64"; args = [] };
    { name = "fsync"; args = [] };
    { name = "ftruncate"; args = [] };
    { name = "ftruncate64"; args = [] };
    { name = "futex"; args = [] };
    { name = "futimesat"; args = [] };
    { name = "get_robust_list"; args = [] };
    { name = "get_thread_area"; args = [] };
    { name = "getcpu"; args = [] };
    { name = "getcwd"; args = [] };
    { name = "getdents"; args = [] };
    { name = "getdents64"; args = [] };
    { name = "getegid"; args = [] };
    { name = "getegid32"; args = [] };
    { name = "geteuid"; args = [] };
    { name = "geteuid32"; args = [] };
    { name = "getgid"; args = [] };
    { name = "getgid32"; args = [] };
    { name = "getgroups"; args = [] };
    { name = "getgroups32"; args = [] };
    { name = "getitimer"; args = [] };
    { name = "getpeername"; args = [] };
    { name = "getpgid"; args = [] };
    { name = "getpgrp"; args = [] };
    { name = "getpid"; args = [] };
    { name = "getppid"; args = [] };
    { name = "getpriority"; args = [] };
    { name = "getrandom"; args = [] };
    { name = "getresgid"; args = [] };
    { name = "getresgid32"; args = [] };
    { name = "getresuid"; args = [] };
    { name = "getresuid32"; args = [] };
    { name = "getrlimit"; args = [] };
    { name = "getrusage"; args = [] };
    { name = "getsid"; args = [] };
    { name = "getsockname"; args = [] };
    { name = "getsockopt"; args = [] };
    { name = "gettid"; args = [] };
    { name = "gettimeofday"; args = [] };
    { name = "getuid"; args = [] };
    { name = "getuid32"; args = [] };
    { name = "getxattr"; args = [] };
    { name = "inotify_add_watch"; args = [] };
    { name = "inotify_init"; args = [] };
    { name = "inotify_init1"; args = [] };
    { name = "inotify_rm_watch"; args = [] };
    (* ioctl is only allowed for this fixed set of requests *)
    { name = "ioctl"; args = [ (1, "FIOCLEX") ] };
    { name = "ioctl"; args = [ (1, "FIONBIO") ] };
    { name = "ioctl"; args = [ (1, "FIONREAD") ] };
    { name = "ioctl"; args = [ (1, "RNDGETENTCNT") ] };
    { name = "ioctl"; args = [ (1, "TCGETS") ] };
    { name = "ioctl"; args = [ (1, "TCSETS") ] };
    { name = "ioctl"; args = [ (1, "TCSETSW") ] };
    { name = "ioctl"; args = [ (1, "TIOCGPGRP") ] };
    { name = "ioctl"; args = [ (1, "TIOCGWINSZ") ] };
    { name = "ioctl"; args = [ (1, "TIOCSPGRP") ] };
    { name = "ioctl"; args = [ (1, "TIOCSWINSZ") ] };
    { name = "ioctl"; args = [ (1, "VT_GETSTATE") ] };
    { name = "ioprio_get"; args = [] };
    { name = "ipc"; args = [] };
    { name = "kill"; args = [] };
    { name = "lchown"; args = [] };
    { name = "lchown32"; args = [] };
    { name = "lgetxattr"; args = [] };
    { name = "link"; args = [] };
    { name = "linkat"; args = [] };
    { name = "listen"; args = [] };
    { name = "listxattr"; args = [] };
    { name = "llistxattr"; args = [] };
    { name = "lremovexattr"; args = [] };
    { name = "lseek"; args = [] };
    { name = "lsetxattr"; args = [] };
    { name = "lstat"; args = [] };
    { name = "lstat64"; args = [] };
    { name = "madvise"; args = [] };
    { name = "membarrier"; args = [] };
    { name = "memfd_create"; args = [] };
    { name = "mincore"; args = [] };
    { name = "mkdir"; args = [] };
    { name = "mkdirat"; args = [] };
    (* We don't need to allow creation of char/block devices *)
    { name = "mknod"; args = [ (1, "S_IFREG") ] };
    { name = "mknod"; args = [ (1, "S_IFIFO") ] };
    { name = "mknod"; args = [ (1, "S_IFSOCK") ] };
    { name = "mknodat"; args = [ (1, "S_IFREG") ] };
    { name = "mknodat"; args = [ (1, "S_IFIFO") ] };
    { name = "mknodat"; args = [ (1, "S_IFSOCK") ] };
    (* --- *)
    { name = "mlock"; args = [] };
    { name = "mlock2"; args = [] };
    { name = "mlockall"; args = [] };
    { name = "mq_getsetattr"; args = [] };
    { name = "mq_notify"; args = [] };
    { name = "mq_open"; args = [] };
    { name = "mq_timedreceive"; args = [] };
    { name = "mq_timedsend"; args = [] };
    { name = "mq_unlink"; args = [] };
    { name = "mremap"; args = [] };
    { name = "msgctl"; args = [] };
    { name = "msgget"; args = [] };
    { name = "msgrcv"; args = [] };
    { name = "msgsnd"; args = [] };
    { name = "msync"; args = [] };
    { name = "munlock"; args = [] };
    { name = "munlockall"; args = [] };
    { name = "munmap"; args = [] };
    { name = "nanosleep"; args = [] };
    { name = "newfstatat"; args = [] };
    { name = "nice"; args = [] };
    { name = "oldfstat"; args = [] };
    { name = "oldlstat"; args = [] };
    { name = "oldolduname"; args = [] };
    { name = "oldstat"; args = [] };
    { name = "olduname"; args = [] };
    { name = "open"; args = [] };
    { name = "openat"; args = [] };
    { name = "pause"; args = [] };
    { name = "pipe"; args = [] };
    { name = "pipe2"; args = [] };
    { name = "pkey_alloc"; args = [] };
    { name = "pkey_free"; args = [] };
    { name = "poll"; args = [] };
    { name = "ppoll"; args = [] };
    { name = "prctl"; args = [] };
    { name = "pread64"; args = [] };
    { name = "preadv"; args = [] };
    { name = "preadv2"; args = [] };
    { name = "prlimit64"; args = [] };
    { name = "pselect6"; args = [] };
    { name = "pwrite64"; args = [] };
    { name = "pwritev"; args = [] };
    { name = "pwritev2"; args = [] };
    { name = "quotactl"; args = [] };
    { name = "read"; args = [] };
    { name = "readahead"; args = [] };
    { name = "readdir"; args = [] };
    { name = "readlink"; args = [] };
    { name = "readlinkat"; args = [] };
    { name = "readv"; args = [] };
    { name = "recv"; args = [] };
    { name = "recvfrom"; args = [] };
    { name = "recvmsg"; args = [] };
    { name = "recvmmsg"; args = [] };
    { name = "removexattr"; args = [] };
    { name = "rename"; args = [] };
    { name = "renameat"; args = [] };
    { name = "renameat2"; args = [] };
    { name = "restart_syscall"; args = [] };
    { name = "rmdir"; args = [] };
    { name = "rt_sigaction"; args = [] };
    { name = "rt_sigpending"; args = [] };
    { name = "rt_sigprocmask"; args = [] };
    { name = "rt_sigqueueinfo"; args = [] };
    { name = "rt_sigreturn"; args = [] };
    { name = "rt_sigsuspend"; args = [] };
    { name = "rt_sigtimedwait"; args = [] };
    { name = "rt_tgsigqueueinfo"; args = [] };
    (* s390_pci_mmio_read also appears in default_syscall_blacklist above;
       which rule wins depends on how Seccomp_bpf combines the two lists *)
    { name = "s390_pci_mmio_read"; args = [] };
    { name = "s390_pci_mmio_write"; args = [] };
    { name = "s390_sthyi"; args = [] };
    { name = "sched_get_priority_max"; args = [] };
    { name = "sched_get_priority_min"; args = [] };
    { name = "sched_getaffinity"; args = [] };
    { name = "sched_getattr"; args = [] };
    { name = "sched_getparam"; args = [] };
    { name = "sched_getscheduler"; args = [] };
    { name = "sched_rr_get_interval"; args = [] };
    { name = "sched_setaffinity"; args = [] };
    { name = "sched_setattr"; args = [] };
    { name = "sched_setparam"; args = [] };
    { name = "sched_setscheduler"; args = [] };
    { name = "sched_yield"; args = [] };
    { name = "seccomp"; args = [] };
    { name = "select"; args = [] };
    { name = "semctl"; args = [] };
    { name = "semget"; args = [] };
    { name = "semop"; args = [] };
    { name = "semtimedop"; args = [] };
    { name = "send"; args = [] };
    { name = "sendfile"; args = [] };
    { name = "sendfile64"; args = [] };
    { name = "sendmmsg"; args = [] };
    { name = "sendmsg"; args = [] };
    { name = "sendto"; args = [] };
    { name = "set_robust_list"; args = [] };
    { name = "set_thread_area"; args = [] };
    { name = "set_tid_address"; args = [] };
    { name = "setfsgid"; args = [] };
    { name = "setfsgid32"; args = [] };
    { name = "setfsuid"; args = [] };
    { name = "setfsuid32"; args = [] };
    { name = "setgid"; args = [] };
    { name = "setgid32"; args = [] };
    { name = "setgroups"; args = [] };
    { name = "setgroups32"; args = [] };
    { name = "setitimer"; args = [] };
    { name = "setns"; args = [] };
    { name = "setpgid"; args = [] };
    { name = "setpriority"; args = [] };
    { name = "setregid"; args = [] };
    { name = "setregid32"; args = [] };
    { name = "setresgid"; args = [] };
    { name = "setresgid32"; args = [] };
    { name = "setresuid"; args = [] };
    { name = "setresuid32"; args = [] };
    { name = "setrlimit"; args = [] };
    { name = "setsid"; args = [] };
    { name = "setsockopt"; args = [] };
    { name = "setuid"; args = [] };
    { name = "setuid32"; args = [] };
    { name = "setxattr"; args = [] };
    { name = "shmctl"; args = [] };
    { name = "shmdt"; args = [] };
    { name = "shmget"; args = [] };
    { name = "shutdown"; args = [] };
    { name = "sigaction"; args = [] };
    { name = "sigaltstack"; args = [] };
    { name = "signal"; args = [] };
    { name = "signalfd"; args = [] };
    { name = "signalfd4"; args = [] };
    { name = "sigpending"; args = [] };
    { name = "sigprocmask"; args = [] };
    { name = "sigreturn"; args = [] };
    { name = "sigsuspend"; args = [] };
    (* socket is only allowed for these address families (argument 0) *)
    { name = "socket"; args = [ (0, "AF_INET") ] };
    { name = "socket"; args = [ (0, "AF_INET6") ] };
    { name = "socket"; args = [ (0, "AF_LOCAL") ] };
    { name = "socket"; args = [ (0, "AF_NETLINK") ] };
    { name = "socket"; args = [ (0, "AF_UNIX") ] };
    { name = "socket"; args = [ (0, "AF_UNSPEC") ] };
    { name = "socketcall"; args = [] };
    { name = "socketpair"; args = [] };
    { name = "splice"; args = [] };
    { name = "spu_create"; args = [] };
    { name = "spu_run"; args = [] };
    { name = "stat"; args = [] };
    { name = "stat64"; args = [] };
    { name = "statfs"; args = [] };
    { name = "statfs64"; args = [] };
    { name = "statx"; args = [] };
    { name = "symlink"; args = [] };
    { name = "symlinkat"; args = [] };
    { name = "sync"; args = [] };
    { name = "sync_file_range"; args = [] };
    { name =
"sync_file_range2"; args = [] }; 409 | { name = "syncfs"; args = [] }; 410 | { name = "sysinfo"; args = [] }; 411 | { name = "tee"; args = [] }; 412 | { name = "tgkill"; args = [] }; 413 | { name = "time"; args = [] }; 414 | { name = "timer_create"; args = [] }; 415 | { name = "timer_delete"; args = [] }; 416 | { name = "timer_getoverrun"; args = [] }; 417 | { name = "timer_gettime"; args = [] }; 418 | { name = "timer_settime"; args = [] }; 419 | { name = "timerfd_create"; args = [] }; 420 | { name = "timerfd_gettime"; args = [] }; 421 | { name = "timerfd_settime"; args = [] }; 422 | { name = "times"; args = [] }; 423 | { name = "tkill"; args = [] }; 424 | { name = "truncate"; args = [] }; 425 | { name = "truncate64"; args = [] }; 426 | { name = "ugetrlimit"; args = [] }; 427 | { name = "umask"; args = [] }; 428 | { name = "uname"; args = [] }; 429 | { name = "unlink"; args = [] }; 430 | { name = "unlinkat"; args = [] }; 431 | { name = "unshare"; args = [] }; 432 | { name = "utime"; args = [] }; 433 | { name = "utimensat"; args = [] }; 434 | { name = "utimes"; args = [] }; 435 | { name = "vfork"; args = [] }; 436 | { name = "wait4"; args = [] }; 437 | { name = "waitid"; args = [] }; 438 | { name = "waitpid"; args = [] }; 439 | { name = "write"; args = [] }; 440 | { name = "writev"; args = [] }; 441 | (* W^X *) 442 | (* Disallow creating writable and executable mappings *) 443 | { name = "mmap"; args = [ (2, "PROT_NONE") ] }; 444 | { name = "mmap"; args = [ (2, "PROT_READ") ] }; 445 | { name = "mmap"; args = [ (2, "PROT_WRITE") ] }; 446 | { name = "mmap"; args = [ (2, "PROT_EXEC") ] }; 447 | { name = "mmap"; args = [ (2, "PROT_READ|PROT_EXEC") ] }; 448 | { name = "mmap"; args = [ (2, "PROT_READ|PROT_WRITE") ] }; 449 | { name = "mmap2"; args = [ (2, "PROT_NONE") ] }; 450 | { name = "mmap2"; args = [ (2, "PROT_READ") ] }; 451 | { name = "mmap2"; args = [ (2, "PROT_WRITE") ] }; 452 | { name = "mmap2"; args = [ (2, "PROT_EXEC") ] }; 453 | { name = "mmap2"; args = [ (2, 
"PROT_READ|PROT_EXEC") ] }; 454 | { name = "mmap2"; args = [ (2, "PROT_READ|PROT_WRITE") ] }; 455 | (* Disallow transitioning mappings to executable *) 456 | { name = "mprotect"; args = [ (2, "PROT_NONE") ] }; 457 | { name = "mprotect"; args = [ (2, "PROT_READ") ] }; 458 | { name = "mprotect"; args = [ (2, "PROT_WRITE") ] }; 459 | { name = "mprotect"; args = [ (2, "PROT_READ|PROT_WRITE") ] }; 460 | { name = "pkey_mprotect"; args = [ (2, "PROT_NONE") ] }; 461 | { name = "pkey_mprotect"; args = [ (2, "PROT_READ") ] }; 462 | { name = "pkey_mprotect"; args = [ (2, "PROT_WRITE") ] }; 463 | { name = "pkey_mprotect"; args = [ (2, "PROT_READ|PROT_WRITE") ] }; 464 | (* Disallow mapping shared memory segments as executable *) 465 | { name = "shmat"; args = [ (2, "0") ] }; 466 | { name = "shmat"; args = [ (2, "SHM_RND") ] }; 467 | { name = "shmat"; args = [ (2, "SHM_RDONLY") ] }; 468 | { name = "shmat"; args = [ (2, "SHM_REMAP") ] }; 469 | ] 470 | 471 | let default_syscall_whitelist_wx : syscall list = 472 | default_syscall_whitelist 473 | @ [ 474 | { name = "mmap"; args = [] }; 475 | { name = "mmap2"; args = [] }; 476 | { name = "mprotect"; args = [] }; 477 | { name = "pkey_mprotect"; args = [] }; 478 | { name = "shmat"; args = [] }; 479 | ] 480 | 481 | let usr_share_common = [ Ro_bind ("/usr/share", None) ] 482 | 483 | (* [ 484 | Ro_bind ("/usr/share/X11", None); 485 | Ro_bind ("/usr/share/icons", None); 486 | Ro_bind_try ("/usr/share/fontconfig", None); 487 | Ro_bind ("/usr/share/fonts", None); 488 | Ro_bind ("/usr/share/mime", None); 489 | Ro_bind ("/usr/share/ca-certificates", None); 490 | Ro_bind ("/usr/share/glib-2.0", None); 491 | ] *) 492 | 493 | let usr_lib_lib64_common = 494 | [ 495 | Ro_bind ("/usr/lib", None); 496 | Ro_bind ("/usr/lib64", None); 497 | Tmpfs "/usr/lib/modules"; 498 | Tmpfs "/usr/lib/systemd"; 499 | Symlink ("/usr/lib", Some "/lib"); 500 | Symlink ("/usr/lib64", Some "/lib64"); 501 | ] 502 | 503 | let disallow_browsers = [ Tmpfs "/usr/lib/firefox" 
] 504 | 505 | let usr_lib_lib64_bin_common = 506 | usr_lib_lib64_common 507 | @ [ 508 | Ro_bind ("/usr/bin", None); 509 | Symlink ("/usr/bin", Some "/bin"); 510 | Symlink ("/usr/bin", Some "/sbin"); 511 | Setenv ("PATH", "/usr/bin"); 512 | ] 513 | 514 | let etc_common = 515 | [ Ro_bind ("/etc/fonts", None); Ro_bind ("/etc/resolv.conf", None) ] 516 | 517 | let etc_ssl = 518 | [ Ro_bind ("/etc/ssl", None); Ro_bind ("/etc/ca-certificates", None) ] 519 | 520 | let etc_localtime = [ Ro_bind ("/etc/localtime", None) ] 521 | 522 | let proc_dev_common = [ Proc "/proc"; Dev "/dev" ] 523 | 524 | let render_common = 525 | [ 526 | Dev_bind ("/dev/dri", None); 527 | Ro_bind ("/sys/dev/char", None); 528 | Ro_bind ("/sys/devices/pci0000:00", None); 529 | ] 530 | 531 | let tmp_run_common = [ Tmpfs "/tmp"; Tmpfs "/run" ] 532 | 533 | let sound_common = 534 | [ 535 | (* Dev_bind ("/dev/snd", None); *) 536 | Ro_bind_try ("/usr/share/gst-plugins-bad", None); 537 | Ro_bind_try ("/usr/share/gst-plugins-base", None); 538 | Ro_bind_try ("/usr/share/gstreamer-1.0", None); 539 | Ro_bind ("/run/user/$UID/pulse", None); 540 | ] 541 | 542 | let dbus_common = [ Ro_bind ("/run/user/$UID/bus", None) ] 543 | 544 | let wayland_common = 545 | [ 546 | Ro_bind_try ("/run/user/$UID/wayland-0", None); 547 | Ro_bind_try ("/run/user/$UID/wayland-1", None); 548 | Ro_bind_try ("/run/user/$UID/wayland-2", None); 549 | Ro_bind_try ("/run/user/$UID/wayland-3", None); 550 | Setenv ("QT_QPA_PLATFORM", "wayland"); 551 | ] 552 | 553 | let x11_common = [ Ro_bind ("/tmp/.X11-unix", None) ] 554 | 555 | let dconf_common = [ Bind ("/run/user/$UID/dconf", None) ] 556 | 557 | let lsb_release_common = 558 | [ Ro_bind ("/etc/lsb-release", None); Ro_bind ("/etc/arch-release", None) ] 559 | 560 | let set_up_jail_home ~tmp ~name = 561 | [ 562 | (if tmp then Tmpfs Config.home_inside_jail 563 | else Bind (get_jail_dir name, Some Config.home_inside_jail)); 564 | Setenv ("HOME", Config.home_inside_jail); 565 | ] 566 | 567 | let 
paths_of_binary (binary : string) = 568 | [ 569 | Ro_bind ("/usr/bin/" ^ binary, None); 570 | Ro_bind ("/usr/bin/" ^ binary, Some ("/bin/" ^ binary)); 571 | Ro_bind ("/usr/bin/" ^ binary, Some ("/sbin/" ^ binary)); 572 | ] 573 | -------------------------------------------------------------------------------- /gen/src/profiles.ml: -------------------------------------------------------------------------------- 1 | open Bwrap 2 | open Profile_components 3 | 4 | let bash : Profile.t = 5 | { 6 | name = "bash"; 7 | prog = "/usr/bin/bash"; 8 | args = []; 9 | home_jail_dir = None; 10 | preserved_temp_home_dirs = []; 11 | log_stdout = false; 12 | log_stderr = false; 13 | syscall_default_action = "SCMP_ACT_KILL"; 14 | syscall_blacklist = []; 15 | syscall_whitelist = default_syscall_whitelist; 16 | bwrap_args = 17 | [ Ro_bind ("/usr/share", None) ] 18 | @ usr_lib_lib64_bin_common 19 | @ etc_common 20 | @ etc_ssl 21 | @ etc_localtime 22 | @ proc_dev_common 23 | @ tmp_run_common 24 | @ [ 25 | Unsetenv "DBUS_SESSION_BUS_ADDRESS"; 26 | Setenv ("HOME", "/home/sandbox"); 27 | Setenv ("USER", "sandbox"); 28 | Setenv ("LOGNAME", "sandbox"); 29 | Bind (".", Some (Filename.concat Config.home_inside_jail "workspace")); 30 | Hostname "jail"; 31 | Unshare_user; 32 | Unshare_pid; 33 | Unshare_uts; 34 | Unshare_ipc; 35 | Unshare_cgroup; 36 | ]; 37 | allow_network = true; 38 | aa_caps = Aa.[ Sys_chroot ]; 39 | allow_wx = false; 40 | extra_aa_lines = []; 41 | proc_limit = Some 2000; 42 | heap_limit_MiB = Some 2048; 43 | } 44 | 45 | let bash_hide_net : Profile.t = 46 | let name = "bash-hide-net" in 47 | { 48 | name; 49 | prog = "/usr/bin/bash"; 50 | args = []; 51 | home_jail_dir = None; 52 | preserved_temp_home_dirs = []; 53 | log_stdout = false; 54 | log_stderr = false; 55 | syscall_default_action = "SCMP_ACT_KILL"; 56 | syscall_blacklist = []; 57 | syscall_whitelist = default_syscall_whitelist; 58 | bwrap_args = 59 | [ Ro_bind ("/usr/share", None) ] 60 | @ usr_lib_lib64_bin_common 61 | @ 
etc_common 62 | @ etc_ssl 63 | @ etc_localtime 64 | @ proc_dev_common 65 | @ tmp_run_common 66 | @ [ 67 | Unsetenv "DBUS_SESSION_BUS_ADDRESS"; 68 | Setenv ("HOME", "/home/sandbox"); 69 | Setenv ("USER", "sandbox"); 70 | Setenv ("LOGNAME", "sandbox"); 71 | Bind (".", Some (Filename.concat Config.home_inside_jail "workspace")); 72 | Unshare_user; 73 | Unshare_pid; 74 | Unshare_uts; 75 | Unshare_ipc; 76 | Unshare_cgroup; 77 | Unshare_net; 78 | ]; 79 | allow_network = false; 80 | aa_caps = []; 81 | allow_wx = false; 82 | extra_aa_lines = []; 83 | proc_limit = Some 2000; 84 | heap_limit_MiB = Some 2048; 85 | } 86 | 87 | let bash_dev : Profile.t = 88 | { 89 | name = "bash-dev"; 90 | prog = "/usr/bin/bash"; 91 | args = []; 92 | home_jail_dir = None; 93 | preserved_temp_home_dirs = []; 94 | log_stdout = false; 95 | log_stderr = false; 96 | syscall_default_action = "SCMP_ACT_ALLOW"; 97 | syscall_blacklist = []; 98 | syscall_whitelist = []; 99 | bwrap_args = 100 | [ Ro_bind ("/usr/share", None) ] 101 | @ usr_lib_lib64_bin_common 102 | @ etc_common 103 | @ etc_ssl 104 | @ etc_localtime 105 | @ proc_dev_common 106 | @ tmp_run_common 107 | @ [ 108 | Unsetenv "DBUS_SESSION_BUS_ADDRESS"; 109 | Setenv ("HOME", "/home/sandbox"); 110 | Setenv ("USER", "sandbox"); 111 | Setenv ("LOGNAME", "sandbox"); 112 | Bind (".", Some (Filename.concat Config.home_inside_jail "workspace")); 113 | Hostname "jail"; 114 | Unshare_user; 115 | Unshare_pid; 116 | Unshare_uts; 117 | Unshare_ipc; 118 | Unshare_cgroup; 119 | ]; 120 | allow_network = true; 121 | aa_caps = Aa.[ Sys_chroot ]; 122 | allow_wx = false; 123 | extra_aa_lines = []; 124 | proc_limit = Some 2000; 125 | heap_limit_MiB = Some 2048; 126 | } 127 | 128 | let alacritty : Profile.t = 129 | { 130 | name = "alacritty"; 131 | prog = "/usr/bin/alacritty"; 132 | args = []; 133 | home_jail_dir = None; 134 | preserved_temp_home_dirs = []; 135 | log_stdout = false; 136 | log_stderr = false; 137 | syscall_default_action = "SCMP_ACT_KILL"; 138 | 
syscall_blacklist = []; 139 | syscall_whitelist = default_syscall_whitelist; 140 | bwrap_args = 141 | [ Bind ("/", None) ] 142 | @ [ 143 | Unsetenv "DBUS_SESSION_BUS_ADDRESS"; 144 | Unshare_user; 145 | Unshare_pid; 146 | Unshare_uts; 147 | Unshare_ipc; 148 | Unshare_cgroup; 149 | ]; 150 | allow_network = false; 151 | aa_caps = Aa.[ Sys_chroot ]; 152 | allow_wx = true; 153 | extra_aa_lines = []; 154 | proc_limit = Some 2000; 155 | heap_limit_MiB = Some 2048; 156 | } 157 | 158 | let make_firefox_profile ~(suffix : string option) : Profile.t = 159 | let name = match suffix with None -> "firefox" | Some s -> "firefox-" ^ s in 160 | { 161 | name; 162 | prog = "/usr/lib/firefox/firefox"; 163 | args = [ "--no-remote" ]; 164 | home_jail_dir = Some name; 165 | preserved_temp_home_dirs = []; 166 | log_stdout = false; 167 | log_stderr = false; 168 | syscall_default_action = "SCMP_ACT_KILL"; 169 | syscall_blacklist = []; 170 | syscall_whitelist = default_syscall_whitelist_wx; 171 | bwrap_args = 172 | usr_share_common 173 | @ usr_lib_lib64_common 174 | @ paths_of_binary "firefox" 175 | @ etc_common 176 | @ etc_ssl 177 | @ etc_localtime 178 | @ proc_dev_common 179 | @ render_common 180 | @ tmp_run_common 181 | @ sound_common 182 | @ wayland_common 183 | @ dconf_common 184 | @ dbus_common 185 | @ set_up_jail_home ~tmp:false ~name 186 | @ [ 187 | Unsetenv "DBUS_SESSION_BUS_ADDRESS"; 188 | Setenv ("SHELL", "/bin/false"); 189 | Setenv ("USER", "nobody"); 190 | Setenv ("LOGNAME", "nobody"); 191 | Setenv ("MOZ_ENABLE_WAYLAND", "1"); 192 | Hostname "jail"; 193 | Unshare_user; 194 | Unshare_pid; 195 | Unshare_uts; 196 | Unshare_ipc; 197 | Unshare_cgroup; 198 | New_session; 199 | ]; 200 | allow_network = true; 201 | aa_caps = Aa.[ Sys_admin; Sys_chroot; Sys_ptrace ]; 202 | allow_wx = false; 203 | extra_aa_lines = []; 204 | proc_limit = Some 2000; 205 | heap_limit_MiB = Some 4096; 206 | } 207 | 208 | let firefox_tmp : Profile.t = 209 | let name = "firefox-tmp" in 210 | { 211 | name; 212 | 
prog = "/usr/lib/firefox/firefox"; 213 | args = [ "--no-remote" ]; 214 | home_jail_dir = None; 215 | preserved_temp_home_dirs = [ (`RW, "Downloads"); (`R, "Uploads") ]; 216 | log_stdout = true; 217 | log_stderr = true; 218 | syscall_default_action = "SCMP_ACT_KILL"; 219 | syscall_blacklist = []; 220 | syscall_whitelist = default_syscall_whitelist_wx; 221 | bwrap_args = 222 | usr_share_common 223 | @ usr_lib_lib64_common 224 | @ paths_of_binary "firefox" 225 | @ etc_common 226 | @ etc_ssl 227 | @ etc_localtime 228 | @ proc_dev_common 229 | @ render_common 230 | @ tmp_run_common 231 | @ sound_common 232 | @ wayland_common 233 | @ dconf_common 234 | @ dbus_common 235 | @ set_up_jail_home ~tmp:true ~name 236 | @ [ 237 | Unsetenv "DBUS_SESSION_BUS_ADDRESS"; 238 | Setenv ("SHELL", "/bin/false"); 239 | Setenv ("USER", "nobody"); 240 | Setenv ("LOGNAME", "nobody"); 241 | Setenv ("MOZ_ENABLE_WAYLAND", "1"); 242 | Hostname "jail"; 243 | Unshare_user; 244 | Unshare_pid; 245 | Unshare_uts; 246 | Unshare_ipc; 247 | Unshare_cgroup; 248 | New_session; 249 | ]; 250 | allow_network = true; 251 | aa_caps = Aa.[ Sys_admin; Sys_chroot; Sys_ptrace ]; 252 | allow_wx = false; 253 | extra_aa_lines = []; 254 | proc_limit = Some 2000; 255 | heap_limit_MiB = Some 4096; 256 | } 257 | 258 | let firefox_private : Profile.t = 259 | let install_user_js_to_dir ~dir ~as_name = 260 | [ 261 | Tmpfs dir; 262 | Ro_bind_as_is_glob (Filename.concat dir "*"); 263 | Ro_bind 264 | ( Config.firefox_hardened_user_js_path, 265 | Some (Filename.concat dir as_name) ); 266 | ] 267 | in 268 | let install_user_js_to_usr_lib_dir usr_lib_dir = 269 | [ 270 | Tmpfs (Filename.concat usr_lib_dir "firefox/"); 271 | Ro_bind_as_is_glob (Filename.concat usr_lib_dir "firefox/*"); 272 | Ro_bind 273 | ( Config.firefox_hardened_user_js_path, 274 | Some (Filename.concat usr_lib_dir "firefox/mozilla.cfg") ); 275 | Tmpfs (Filename.concat usr_lib_dir "firefox/defaults/pref/"); 276 | Ro_bind 277 | ( Config.firefox_hardened_pref_path, 
278 | Some 279 | (Filename.concat usr_lib_dir 280 | "firefox/defaults/pref/local-settings.js") ); 281 | ] 282 | in 283 | let name = "firefox-private" in 284 | { 285 | name; 286 | prog = "/usr/lib/firefox/firefox"; 287 | args = [ "--no-remote" ]; 288 | home_jail_dir = None; 289 | preserved_temp_home_dirs = [ (`RW, "Downloads"); (`R, "Uploads") ]; 290 | log_stdout = true; 291 | log_stderr = true; 292 | syscall_default_action = "SCMP_ACT_KILL"; 293 | syscall_blacklist = []; 294 | syscall_whitelist = default_syscall_whitelist_wx; 295 | bwrap_args = 296 | usr_share_common 297 | @ usr_lib_lib64_common 298 | @ paths_of_binary "firefox" 299 | @ etc_common 300 | @ etc_ssl 301 | @ etc_localtime 302 | @ proc_dev_common 303 | @ render_common 304 | @ tmp_run_common 305 | @ sound_common 306 | @ wayland_common 307 | @ dconf_common 308 | @ dbus_common 309 | @ set_up_jail_home ~tmp:true ~name 310 | @ install_user_js_to_dir ~dir:"/etc/firefox" ~as_name:"syspref.js" 311 | @ install_user_js_to_dir ~dir:"/etc/firefox" ~as_name:"firefox.js" 312 | @ install_user_js_to_dir ~dir:"/etc/firefox-esr" ~as_name:"firefox-esr.js" 313 | @ install_user_js_to_usr_lib_dir "/usr/lib" 314 | @ install_user_js_to_usr_lib_dir "/usr/lib32" 315 | @ install_user_js_to_usr_lib_dir "/usr/lib64" 316 | @ [ 317 | Unsetenv "DBUS_SESSION_BUS_ADDRESS"; 318 | Setenv ("SHELL", "/bin/false"); 319 | Setenv ("USER", "nobody"); 320 | Setenv ("LOGNAME", "nobody"); 321 | Setenv ("MOZ_ENABLE_WAYLAND", "1"); 322 | Hostname "jail"; 323 | Unshare_user; 324 | Unshare_pid; 325 | Unshare_uts; 326 | Unshare_ipc; 327 | Unshare_cgroup; 328 | New_session; 329 | ]; 330 | allow_network = true; 331 | aa_caps = Aa.[ Sys_admin; Sys_chroot; Sys_ptrace ]; 332 | allow_wx = false; 333 | extra_aa_lines = []; 334 | proc_limit = Some 2000; 335 | heap_limit_MiB = Some 4096; 336 | } 337 | 338 | let discord : Profile.t = 339 | let name = "discord" in 340 | { 341 | name; 342 | prog = "/usr/bin/discord"; 343 | args = []; 344 | home_jail_dir = Some 
name; 345 | preserved_temp_home_dirs = []; 346 | log_stdout = false; 347 | log_stderr = false; 348 | syscall_default_action = "SCMP_ACT_ALLOW"; 349 | syscall_blacklist = default_syscall_blacklist; 350 | syscall_whitelist = []; 351 | bwrap_args = 352 | usr_share_common 353 | @ usr_lib_lib64_bin_common 354 | @ disallow_browsers 355 | (* @ usr_lib_lib64_common 356 | @ paths_of_binary "discord" 357 | @ paths_of_binary "firefox" 358 | @ paths_of_binary "electron" *) 359 | @ etc_common 360 | @ etc_ssl 361 | @ etc_localtime 362 | @ proc_dev_common 363 | @ tmp_run_common 364 | @ sound_common 365 | @ x11_common 366 | @ dconf_common 367 | @ dbus_common 368 | @ [ Ro_bind ("/opt/discord", None) ] 369 | @ set_up_jail_home ~tmp:false ~name 370 | @ [ 371 | Unsetenv "DBUS_SESSION_BUS_ADDRESS"; 372 | Setenv ("QT_X11_NO_MITSHM", "1"); 373 | Setenv ("_X11_NO_MITSHM", "1"); 374 | Setenv ("_MITSHM", "0"); 375 | Setenv ("SHELL", "/bin/false"); 376 | Setenv ("USER", "nobody"); 377 | Setenv ("LOGNAME", "nobody"); 378 | Hostname "jail"; 379 | Unshare_user; 380 | Unshare_pid; 381 | Unshare_uts; 382 | (* Unshare_ipc; *) 383 | Unshare_cgroup; 384 | New_session; 385 | ]; 386 | allow_network = true; 387 | aa_caps = Aa.[ Sys_admin; Sys_chroot; Sys_ptrace ]; 388 | allow_wx = true; 389 | extra_aa_lines = [ "/opt/discord/ r"; "/opt/discord/** rix" ]; 390 | proc_limit = Some 2000; 391 | heap_limit_MiB = Some 2048; 392 | } 393 | 394 | let thunderbird : Profile.t = 395 | let name = "thunderbird" in 396 | { 397 | name; 398 | prog = "/usr/lib/thunderbird/thunderbird"; 399 | args = []; 400 | home_jail_dir = Some name; 401 | preserved_temp_home_dirs = []; 402 | log_stdout = false; 403 | log_stderr = false; 404 | syscall_default_action = "SCMP_ACT_KILL"; 405 | syscall_blacklist = []; 406 | syscall_whitelist = default_syscall_whitelist_wx; 407 | bwrap_args = 408 | usr_share_common 409 | @ usr_lib_lib64_bin_common 410 | @ etc_common 411 | @ etc_ssl 412 | @ etc_localtime 413 | @ proc_dev_common 414 | @ 
tmp_run_common 415 | @ wayland_common 416 | @ dconf_common 417 | @ dbus_common 418 | @ set_up_jail_home ~tmp:false ~name 419 | @ [ 420 | Unsetenv "DBUS_SESSION_BUS_ADDRESS"; 421 | Setenv ("SHELL", "/bin/false"); 422 | Setenv ("USER", "nobody"); 423 | Setenv ("LOGNAME", "nobody"); 424 | Setenv ("MOZ_ENABLE_WAYLAND", "1"); 425 | Hostname "jail"; 426 | Unshare_user; 427 | Unshare_pid; 428 | Unshare_uts; 429 | Unshare_ipc; 430 | Unshare_cgroup; 431 | New_session; 432 | ]; 433 | allow_network = true; 434 | aa_caps = []; 435 | allow_wx = false; 436 | extra_aa_lines = [ "deny /usr/lib/firefox/** x" ]; 437 | proc_limit = Some 2000; 438 | heap_limit_MiB = Some 1024; 439 | } 440 | 441 | let chromium : Profile.t = 442 | let name = "chromium" in 443 | { 444 | name; 445 | prog = "/usr/lib/chromium/chromium"; 446 | args = []; 447 | home_jail_dir = Some name; 448 | preserved_temp_home_dirs = []; 449 | log_stdout = false; 450 | log_stderr = false; 451 | syscall_default_action = "SCMP_ACT_ALLOW"; 452 | syscall_blacklist = default_syscall_blacklist; 453 | syscall_whitelist = []; 454 | bwrap_args = 455 | usr_share_common 456 | @ usr_lib_lib64_bin_common 457 | @ etc_common 458 | @ etc_ssl 459 | @ etc_localtime 460 | @ proc_dev_common 461 | @ tmp_run_common 462 | @ sound_common 463 | @ wayland_common 464 | @ dconf_common 465 | @ dbus_common 466 | @ [ Dev_bind ("/dev/dri/card0", None) ] 467 | @ set_up_jail_home ~tmp:false ~name 468 | @ [ 469 | Unsetenv "DBUS_SESSION_BUS_ADDRESS"; 470 | Setenv ("SHELL", "/bin/false"); 471 | Setenv ("USER", "nobody"); 472 | Setenv ("LOGNAME", "nobody"); 473 | Hostname "jail"; 474 | Unshare_user; 475 | Unshare_pid; 476 | Unshare_uts; 477 | Unshare_ipc; 478 | Unshare_cgroup; 479 | New_session; 480 | ]; 481 | allow_network = true; 482 | aa_caps = [ Sys_admin; Sys_chroot; Sys_ptrace ]; 483 | allow_wx = false; 484 | extra_aa_lines = []; 485 | proc_limit = Some 2000; 486 | heap_limit_MiB = Some 2048; 487 | } 488 | 489 | let chromium_tmp : Profile.t = 490 | let 
name = "chromium-tmp" in 491 | { 492 | name; 493 | prog = "/usr/lib/chromium/chromium"; 494 | args = []; 495 | home_jail_dir = None; 496 | preserved_temp_home_dirs = [ (`RW, "Downloads"); (`R, "Uploads") ]; 497 | log_stdout = false; 498 | log_stderr = false; 499 | syscall_default_action = "SCMP_ACT_ALLOW"; 500 | syscall_blacklist = default_syscall_blacklist; 501 | syscall_whitelist = []; 502 | bwrap_args = 503 | usr_share_common 504 | @ usr_lib_lib64_bin_common 505 | @ etc_common 506 | @ etc_ssl 507 | @ etc_localtime 508 | @ proc_dev_common 509 | @ tmp_run_common 510 | @ sound_common 511 | @ wayland_common 512 | @ dconf_common 513 | @ dbus_common 514 | @ [ Dev_bind ("/dev/dri/card0", None) ] 515 | @ set_up_jail_home ~tmp:true ~name 516 | @ [ 517 | Unsetenv "DBUS_SESSION_BUS_ADDRESS"; 518 | Setenv ("SHELL", "/bin/false"); 519 | Setenv ("USER", "nobody"); 520 | Setenv ("LOGNAME", "nobody"); 521 | Hostname "jail"; 522 | Unshare_user; 523 | Unshare_pid; 524 | Unshare_uts; 525 | Unshare_ipc; 526 | Unshare_cgroup; 527 | New_session; 528 | ]; 529 | allow_network = true; 530 | aa_caps = [ Sys_admin; Sys_chroot; Sys_ptrace ]; 531 | allow_wx = false; 532 | extra_aa_lines = []; 533 | proc_limit = Some 2000; 534 | heap_limit_MiB = Some 2048; 535 | } 536 | 537 | let deluge : Profile.t = 538 | let name = "deluge" in 539 | { 540 | name; 541 | prog = "/usr/bin/deluge"; 542 | args = []; 543 | home_jail_dir = Some name; 544 | preserved_temp_home_dirs = []; 545 | log_stdout = false; 546 | log_stderr = false; 547 | syscall_default_action = "SCMP_ACT_KILL"; 548 | syscall_blacklist = []; 549 | syscall_whitelist = default_syscall_whitelist; 550 | bwrap_args = 551 | usr_share_common 552 | @ usr_lib_lib64_bin_common 553 | @ etc_common 554 | @ etc_ssl 555 | @ etc_localtime 556 | @ proc_dev_common 557 | @ tmp_run_common 558 | @ wayland_common 559 | @ dconf_common 560 | @ dbus_common 561 | @ lsb_release_common 562 | @ set_up_jail_home ~tmp:false ~name 563 | @ [ 564 | Unsetenv 
"DBUS_SESSION_BUS_ADDRESS"; 565 | Setenv ("SHELL", "/bin/false"); 566 | Setenv ("USER", "nobody"); 567 | Setenv ("LOGNAME", "nobody"); 568 | Setenv ("MOZ_ENABLE_WAYLAND", "1"); 569 | Hostname "jail"; 570 | Unshare_user; 571 | Unshare_pid; 572 | Unshare_uts; 573 | Unshare_ipc; 574 | Unshare_cgroup; 575 | New_session; 576 | ]; 577 | allow_network = true; 578 | aa_caps = []; 579 | allow_wx = false; 580 | extra_aa_lines = [ "deny /usr/lib/firefox/** rx" ]; 581 | proc_limit = Some 2000; 582 | heap_limit_MiB = Some 200; 583 | } 584 | 585 | (* let zoom : profile = 586 | * let name = "zoom" in 587 | * { 588 | * name; 589 | * cmd = "/usr/bin/zoom"; 590 | * home_jail_dir = Some name; 591 | * preserved_temp_home_dirs = []; 592 | * syscall_blacklist = default_syscall_blacklist; 593 | * args = 594 | * [ Ro_bind ("/usr/share", None) ] 595 | * @ usr_lib_lib64_bin_common 596 | * @ etc_common 597 | * @ proc_dev_common 598 | * @ tmp_run_common 599 | * @ sound_common 600 | * @ x11_common 601 | * @ wayland_common 602 | * @ dconf_common 603 | * @ dbus_common 604 | * @ set_up_jail_home ~tmp:false ~name 605 | * @ [ 606 | * Ro_bind 607 | * (Filename.concat (get_jail_dir name) "opt/zoom", Some "/opt/zoom"); 608 | * Symlink ("/opt/zoom/ZoomLauncher", Some "/usr/bin/zoom"); 609 | * (\* Ro_bind ((Filename.concat (get_jail_dir name) "usr/share/mime/packages/zoom.xml"), 610 | * Some "/usr/share/mime/packages/zoom.xml"); 611 | * Ro_bind ((Filename.concat (get_jail_dir name) "usr/share/pixmaps/application-x-zoom.png"), 612 | * Some "/usr/share/pixmaps/application-x-zoom.png"); 613 | * Ro_bind ((Filename.concat (get_jail_dir name) "usr/share/pixmaps/Zoom.png"), 614 | * Some "/usr/share/pixmaps/Zoom.png"); *\) 615 | * Remount_ro "/usr/share"; 616 | * Unsetenv "DBUS_SESSION_BUS_ADDRESS"; 617 | * Setenv ("SHELL", "/usr/bin/bash"); 618 | * Setenv ("USER", "nobody"); 619 | * Setenv ("LOGNAME", "nobody"); 620 | * Hostname "jail"; 621 | * Unshare_user; 622 | * Unshare_pid; 623 | * Unshare_uts; 624 | * 
Unshare_ipc; 625 | * Unshare_cgroup; 626 | * New_session; 627 | * ]; 628 | * } *) 629 | 630 | let okular_ro : Profile.t = 631 | let name = "okular-ro" in 632 | let pdf_file_in_home = 633 | Filename.concat Config.home_inside_jail "$(basename \"$1\")" 634 | in 635 | { 636 | name; 637 | prog = "/usr/bin/okular"; 638 | args = [ Printf.sprintf "\"%s\"" pdf_file_in_home ]; 639 | home_jail_dir = None; 640 | preserved_temp_home_dirs = []; 641 | log_stdout = true; 642 | log_stderr = true; 643 | syscall_default_action = "SCMP_ACT_KILL"; 644 | syscall_blacklist = []; 645 | syscall_whitelist = default_syscall_whitelist_wx; 646 | bwrap_args = 647 | usr_share_common 648 | @ usr_lib_lib64_common 649 | @ paths_of_binary "okular" 650 | @ etc_common 651 | @ etc_ssl 652 | @ etc_localtime 653 | @ proc_dev_common 654 | @ tmp_run_common 655 | @ wayland_common 656 | @ set_up_jail_home ~tmp:true ~name 657 | @ [ 658 | Unsetenv "DBUS_SESSION_BUS_ADDRESS"; 659 | Setenv ("SHELL", "/bin/false"); 660 | Setenv ("USER", "nobody"); 661 | Setenv ("LOGNAME", "nobody"); 662 | Ro_bind ("$1", Some pdf_file_in_home); 663 | Hostname "jail"; 664 | Unshare_user; 665 | Unshare_pid; 666 | Unshare_uts; 667 | Unshare_ipc; 668 | Unshare_cgroup; 669 | Unshare_net; 670 | New_session; 671 | ]; 672 | allow_network = false; 673 | aa_caps = []; 674 | allow_wx = false; 675 | extra_aa_lines = []; 676 | proc_limit = Some 2000; 677 | heap_limit_MiB = Some 512; 678 | } 679 | 680 | let okular_rw : Profile.t = 681 | let name = "okular-rw" in 682 | let pdf_file_in_home = 683 | Filename.concat Config.home_inside_jail "$(basename \"$1\")" 684 | in 685 | { 686 | name; 687 | prog = "/usr/bin/okular"; 688 | args = [ Printf.sprintf "\"%s\"" pdf_file_in_home ]; 689 | home_jail_dir = None; 690 | preserved_temp_home_dirs = []; 691 | log_stdout = true; 692 | log_stderr = true; 693 | syscall_default_action = "SCMP_ACT_KILL"; 694 | syscall_blacklist = []; 695 | syscall_whitelist = default_syscall_whitelist_wx; 696 | bwrap_args = 697 | 
usr_share_common 698 | @ usr_lib_lib64_common 699 | @ paths_of_binary "okular" 700 | @ etc_common 701 | @ etc_ssl 702 | @ etc_localtime 703 | @ proc_dev_common 704 | @ tmp_run_common 705 | @ wayland_common 706 | @ set_up_jail_home ~tmp:true ~name 707 | @ [ 708 | Unsetenv "DBUS_SESSION_BUS_ADDRESS"; 709 | Setenv ("SHELL", "/bin/false"); 710 | Setenv ("USER", "nobody"); 711 | Setenv ("LOGNAME", "nobody"); 712 | Bind ("$1", Some pdf_file_in_home); 713 | Hostname "jail"; 714 | Unshare_user; 715 | Unshare_pid; 716 | Unshare_uts; 717 | Unshare_ipc; 718 | Unshare_cgroup; 719 | Unshare_net; 720 | New_session; 721 | ]; 722 | allow_network = false; 723 | aa_caps = []; 724 | allow_wx = false; 725 | extra_aa_lines = []; 726 | proc_limit = Some 2000; 727 | heap_limit_MiB = Some 512; 728 | } 729 | 730 | let eom_ro : Profile.t = 731 | let name = "eom-ro" in 732 | let image_file_in_home = 733 | Filename.concat Config.home_inside_jail "$(basename \"$1\")" 734 | in 735 | { 736 | name; 737 | prog = "/usr/bin/eom"; 738 | args = [ Printf.sprintf "\"%s\"" image_file_in_home ]; 739 | home_jail_dir = None; 740 | preserved_temp_home_dirs = []; 741 | log_stdout = true; 742 | log_stderr = true; 743 | syscall_default_action = "SCMP_ACT_KILL"; 744 | syscall_blacklist = []; 745 | syscall_whitelist = default_syscall_whitelist; 746 | bwrap_args = 747 | usr_share_common 748 | @ usr_lib_lib64_common 749 | @ paths_of_binary "eom" 750 | @ etc_common 751 | @ etc_ssl 752 | @ etc_localtime 753 | @ proc_dev_common 754 | @ tmp_run_common 755 | @ wayland_common 756 | @ set_up_jail_home ~tmp:true ~name 757 | @ [ 758 | Unsetenv "DBUS_SESSION_BUS_ADDRESS"; 759 | Setenv ("SHELL", "/bin/false"); 760 | Setenv ("USER", "nobody"); 761 | Setenv ("LOGNAME", "nobody"); 762 | Ro_bind ("$1", Some image_file_in_home); 763 | Hostname "jail"; 764 | Unshare_user; 765 | Unshare_pid; 766 | Unshare_uts; 767 | Unshare_ipc; 768 | Unshare_cgroup; 769 | Unshare_net; 770 | New_session; 771 | ]; 772 | allow_network = false; 773 | 
    aa_caps = [];
    allow_wx = false;
    extra_aa_lines = [];
    proc_limit = Some 2000;
    heap_limit_MiB = Some 512;
  }

let suite =
  [
    bash;
    bash_hide_net;
    bash_dev;
    (* alacritty; *)
    make_firefox_profile ~suffix:None;
    (* make_firefox_profile ~suffix:(Some "school");
     * make_firefox_profile ~suffix:(Some "bank");
     * make_firefox_profile ~suffix:(Some "google-play-book"); *)
    firefox_tmp;
    firefox_private;
    discord;
    thunderbird;
    chromium;
    chromium_tmp;
    deluge;
    (* zoom; *)
    okular_ro;
    okular_rw;
    eom_ro;
  ]
--------------------------------------------------------------------------------
/gen/src/runner.ml:
--------------------------------------------------------------------------------
let write_c_file ~name ~prog ~proc_limit ~heap_limit_MiB =
  FileUtil.mkdir ~parent:true Config.runner_output_dir;
  let file_name = FilePath.concat Config.runner_output_dir (name ^ ".c") in
  CCIO.with_out file_name (fun oc ->
      let write_line = CCIO.write_line oc in
      (* The header names were lost when this page was extracted (angle
         brackets stripped). The four restored here are an assumption: the
         headers setrlimit(2) and execv(3) require, plus stdio.h. *)
      write_line "#include <stdio.h>";
      write_line "#include <sys/time.h>";
      write_line "#include <sys/resource.h>";
      write_line "#include <unistd.h>";
      write_line "";
      write_line "int main(int _argc, char * argv[]) {";
      Option.iter
        (fun n ->
           write_line
             (Printf.sprintf
                "  struct rlimit lim_nproc = { .rlim_cur = %d, .rlim_max = %d};"
                n n);
           write_line
             "  if (setrlimit(RLIMIT_NPROC, &lim_nproc) != 0) { return 1; }")
        proc_limit;
      Option.iter
        (fun heap_limit_MiB ->
           let n = heap_limit_MiB * 1024 * 1024 in
           write_line
             (Printf.sprintf
                "  struct rlimit lim_data = { .rlim_cur = %d, .rlim_max = %d};" n
                n);
           write_line
             "  if (setrlimit(RLIMIT_DATA, &lim_data) != 0) { return 1; }")
        heap_limit_MiB;
      write_line (Printf.sprintf "  return execv(\"%s\", argv);" prog);
      write_line "}";
      write_line "");
  FileUtil.chmod (`Octal 0o664) [ file_name ]
--------------------------------------------------------------------------------
/gen/src/seccomp_bpf.ml:
--------------------------------------------------------------------------------
type syscall = {
  name : string;
  args : (int * string) list;
}

let string_of_rule ~action (x : syscall) =
  Printf.sprintf
    "  if (seccomp_rule_add(ctx, %s, SCMP_SYS(%s), %d%s) < 0) { goto out; }"
    action x.name (List.length x.args)
    (match x.args with
     | [] -> ""
     | _ ->
       ", "
       ^
       if x.name = "ioctl" then
         String.concat ", "
           (List.map
              (fun (n, arg) ->
                 Printf.sprintf
                   "SCMP_A%d(SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int) %s)" n arg)
              x.args)
       else
         String.concat ", "
           (List.map
              (fun (n, arg) -> Printf.sprintf "SCMP_A%d(SCMP_CMP_EQ, %s)" n arg)
              x.args))

let write_c_file ~name ~default_action ~(blacklist : syscall list)
    ~(whitelist : syscall list) =
  FileUtil.mkdir ~parent:true Config.seccomp_bpf_output_dir;
  let file_name = FilePath.concat Config.seccomp_bpf_output_dir (name ^ ".c") in
  CCIO.with_out file_name (fun oc ->
      let write_line = CCIO.write_line oc in
      write_line
        {|
/*
 * File is generated by code generator in https://github.com/darrenldl/sandboxing
 *
 * File is based on example provided by libseccomp
 * and exportFilter.c from https://github.com/valoq/bwscripts
 * and https://github.com/Whonix/sandbox-app-launcher
 */

/*
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of version 2.1 of the GNU Lesser General Public License as
 * published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public License
 * for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program; if not, see <http://www.gnu.org/licenses/>.
 */
|};
      (* The eleven header names were lost when this page was extracted (angle
         brackets stripped). The set below is an assumption: it is the usual
         libseccomp example set and covers everything the generated program
         uses (errno, open/O_*, close, seccomp_*). *)
      write_line "#include <errno.h>";
      write_line "#include <fcntl.h>";
      write_line "#include <stdio.h>";
      write_line "#include <stdlib.h>";
      write_line "#include <string.h>";
      write_line "#include <unistd.h>";
      write_line "#include <sys/prctl.h>";
      write_line "#include <sys/stat.h>";
      write_line "#include <sys/types.h>";
      write_line "#include <linux/seccomp.h>";
      write_line "#include <seccomp.h>";
      write_line "";
      write_line "int main (void) {";
      write_line "  int rc = -1;";
      write_line "  scmp_filter_ctx ctx;";
      write_line "  int filter_fd;";
      write_line "";
      write_line (Printf.sprintf "  ctx = seccomp_init(%s);" default_action);
      write_line "  if (ctx == NULL) { goto out; }";
      write_line "";
      List.iter
        (fun x -> write_line (string_of_rule ~action:"SCMP_ACT_KILL" x))
        blacklist;
      List.iter
        (fun x -> write_line (string_of_rule ~action:"SCMP_ACT_ALLOW" x))
        whitelist;
      write_line "";
      write_line
        (Printf.sprintf
           "  filter_fd = open(\"%s%s\", O_CREAT | O_WRONLY | O_TRUNC, 0644);"
           name Config.seccomp_bpf_suffix);
      write_line "  if (filter_fd == -1) {";
      write_line "    rc = -errno;";
      write_line "    goto out;";
      write_line "  }";
      write_line "  rc = seccomp_export_bpf(ctx, filter_fd);";
      write_line "  if (rc < 0) {";
      write_line "    close(filter_fd);";
      write_line "    goto out;";
      write_line "  }";
      write_line "  close(filter_fd);";
      write_line "";
      write_line "out:";
      write_line "  seccomp_release(ctx);";
      write_line "  return -rc;";
      write_line "}");
  FileUtil.chmod (`Octal 0o664) [ file_name ]
--------------------------------------------------------------------------------
/runners/archive-handling.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <unistd.h>

int main(int _argc, char * argv[]) {
  struct rlimit lim_nproc = { .rlim_cur = 500, .rlim_max = 500};
  if (setrlimit(RLIMIT_NPROC, &lim_nproc) != 0) { return 1; }
  return execv("/usr/bin/bash", argv);
}

--------------------------------------------------------------------------------
/runners/bash-dev.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <unistd.h>

int main(int _argc, char * argv[]) {
  struct rlimit lim_nproc = { .rlim_cur = 2000, .rlim_max = 2000};
  if (setrlimit(RLIMIT_NPROC, &lim_nproc) != 0) { return 1; }
  struct rlimit lim_data = { .rlim_cur = 2147483648, .rlim_max = 2147483648};
  if (setrlimit(RLIMIT_DATA, &lim_data) != 0) { return 1; }
  return execv("/usr/bin/bash", argv);
}

--------------------------------------------------------------------------------
/runners/bash-hide-home-hide-net.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <unistd.h>

int main(int _argc, char * argv[]) {
  return execv("/usr/bin/bash", argv);
}

--------------------------------------------------------------------------------
/runners/bash-hide-home.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <unistd.h>

int main(int _argc, char * argv[]) {
  return execv("/usr/bin/bash", argv);
}

--------------------------------------------------------------------------------
/runners/bash-hide-net.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <unistd.h>

int main(int _argc, char * argv[]) {
  struct rlimit lim_nproc = { .rlim_cur = 2000, .rlim_max = 2000};
  if (setrlimit(RLIMIT_NPROC, &lim_nproc) != 0) { return 1; }
  struct rlimit lim_data = { .rlim_cur = 2147483648, .rlim_max = 2147483648};
  if (setrlimit(RLIMIT_DATA, &lim_data) != 0) { return 1; }
  return execv("/usr/bin/bash", argv);
}

--------------------------------------------------------------------------------
/runners/bash-loose-hide-home.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <unistd.h>

int main(int _argc, char * argv[]) {
  return execv("/usr/bin/bash", argv);
}

--------------------------------------------------------------------------------
/runners/bash.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <unistd.h>

int main(int _argc, char * argv[]) {
  struct rlimit lim_nproc = { .rlim_cur = 2000, .rlim_max = 2000};
  if (setrlimit(RLIMIT_NPROC, &lim_nproc) != 0) { return 1; }
  struct rlimit lim_data = { .rlim_cur = 2147483648, .rlim_max = 2147483648};
  if (setrlimit(RLIMIT_DATA, &lim_data) != 0) { return 1; }
  return execv("/usr/bin/bash", argv);
}

--------------------------------------------------------------------------------
/runners/chromium-tmp.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <unistd.h>

int main(int _argc, char * argv[]) {
  struct rlimit lim_nproc = { .rlim_cur = 2000, .rlim_max = 2000};
  if (setrlimit(RLIMIT_NPROC, &lim_nproc) != 0) { return 1; }
  struct rlimit lim_data = { .rlim_cur = 2147483648, .rlim_max = 2147483648};
  if (setrlimit(RLIMIT_DATA, &lim_data) != 0) { return 1; }
  return execv("/usr/lib/chromium/chromium", argv);
}

--------------------------------------------------------------------------------
/runners/chromium.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <unistd.h>

int main(int _argc, char * argv[]) {
  struct rlimit lim_nproc = { .rlim_cur = 2000, .rlim_max = 2000};
  if (setrlimit(RLIMIT_NPROC, &lim_nproc) != 0) { return 1; }
  struct rlimit lim_data = { .rlim_cur = 2147483648, .rlim_max = 2147483648};
  if (setrlimit(RLIMIT_DATA, &lim_data) != 0) { return 1; }
  return execv("/usr/lib/chromium/chromium", argv);
}

--------------------------------------------------------------------------------
/runners/deluge.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <unistd.h>

int main(int _argc, char * argv[]) {
  struct rlimit lim_nproc = { .rlim_cur = 2000, .rlim_max = 2000};
  if (setrlimit(RLIMIT_NPROC, &lim_nproc) != 0) { return 1; }
  struct rlimit lim_data = { .rlim_cur = 209715200, .rlim_max = 209715200};
  if (setrlimit(RLIMIT_DATA, &lim_data) != 0) { return 1; }
  return execv("/usr/bin/deluge", argv);
}

--------------------------------------------------------------------------------
/runners/discord.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <unistd.h>

int main(int _argc, char * argv[]) {
  struct rlimit lim_nproc = { .rlim_cur = 2000, .rlim_max = 2000};
  if (setrlimit(RLIMIT_NPROC, &lim_nproc) != 0) { return 1; }
  struct rlimit lim_data = { .rlim_cur = 2147483648, .rlim_max = 2147483648};
  if (setrlimit(RLIMIT_DATA, &lim_data) != 0) { return 1; }
  return execv("/usr/bin/discord", argv);
}

--------------------------------------------------------------------------------
/runners/eom-ro.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <unistd.h>

int main(int _argc, char * argv[]) {
  struct rlimit lim_nproc = { .rlim_cur = 2000, .rlim_max = 2000};
  if (setrlimit(RLIMIT_NPROC, &lim_nproc) != 0) { return 1; }
  struct rlimit lim_data = { .rlim_cur = 536870912, .rlim_max = 536870912};
  if (setrlimit(RLIMIT_DATA, &lim_data) != 0) { return 1; }
  return execv("/usr/bin/eom", argv);
}

--------------------------------------------------------------------------------
/runners/firefox-private-arch.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <unistd.h>

int main(int _argc, char * argv[]) {
  struct rlimit lim_nproc = { .rlim_cur = 2000, .rlim_max = 2000};
  if (setrlimit(RLIMIT_NPROC, &lim_nproc) != 0) { return 1; }
  struct rlimit lim_data = { .rlim_cur = 2147483648, .rlim_max = 2147483648};
  if (setrlimit(RLIMIT_DATA, &lim_data) != 0) { return 1; }
  return execv("/usr/lib/firefox/firefox", argv);
}

--------------------------------------------------------------------------------
/runners/firefox-private.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <unistd.h>

int main(int _argc, char * argv[]) {
  struct rlimit lim_nproc = { .rlim_cur = 2000, .rlim_max = 2000};
  if (setrlimit(RLIMIT_NPROC, &lim_nproc) != 0) { return 1; }
  struct rlimit lim_data = { .rlim_cur = 4294967296, .rlim_max = 4294967296};
  if (setrlimit(RLIMIT_DATA, &lim_data) != 0) { return 1; }
  return execv("/usr/lib/firefox/firefox", argv);
}

--------------------------------------------------------------------------------
/runners/firefox-tmp.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <unistd.h>

int main(int _argc, char * argv[]) {
  struct rlimit lim_nproc = { .rlim_cur = 2000, .rlim_max = 2000};
  if (setrlimit(RLIMIT_NPROC, &lim_nproc) != 0) { return 1; }
  struct rlimit lim_data = { .rlim_cur = 4294967296, .rlim_max = 4294967296};
  if (setrlimit(RLIMIT_DATA, &lim_data) != 0) { return 1; }
  return execv("/usr/lib/firefox/firefox", argv);
}

--------------------------------------------------------------------------------
/runners/firefox.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <unistd.h>

int main(int _argc, char * argv[]) {
  struct rlimit lim_nproc = { .rlim_cur = 2000, .rlim_max = 2000};
  if (setrlimit(RLIMIT_NPROC, &lim_nproc) != 0) { return 1; }
  struct rlimit lim_data = { .rlim_cur = 4294967296, .rlim_max = 4294967296};
  if (setrlimit(RLIMIT_DATA, &lim_data) != 0) { return 1; }
  return execv("/usr/lib/firefox/firefox", argv);
}

--------------------------------------------------------------------------------
/runners/make-workspace.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <unistd.h>

int main(int _argc, char * argv[]) {
  struct rlimit lim_nproc = { .rlim_cur = 500, .rlim_max = 500};
  if (setrlimit(RLIMIT_NPROC, &lim_nproc) != 0) { return 1; }
  return execv("/usr/bin/bash", argv);
}

--------------------------------------------------------------------------------
/runners/okular-ro.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <unistd.h>

int main(int _argc, char * argv[]) {
  struct rlimit lim_nproc = { .rlim_cur = 2000, .rlim_max = 2000};
  if (setrlimit(RLIMIT_NPROC, &lim_nproc) != 0) { return 1; }
  struct rlimit lim_data = { .rlim_cur = 536870912, .rlim_max = 536870912};
  if (setrlimit(RLIMIT_DATA, &lim_data) != 0) { return 1; }
  return execv("/usr/bin/okular", argv);
}

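Every generated runner follows the same pattern: lower RLIMIT_NPROC and RLIMIT_DATA to identical soft and hard values, then execv the real program. The program below is an added example, not code from the sandboxing repository: it rewrites that pattern as functions whose results can be read back with getrlimit, clamps a request that exceeds the hard limit already in force instead of aborting the launch, and shows that once soft equals hard the sandboxed program cannot raise the limit again. It assumes a 64-bit rlim_t and an unprivileged caller; treating a limit of 0 as "not configured" (the generator's None) is this example's own convention.

```c
/* Added example; not code from the sandboxing repository.  Reimplements the
 * RLIMIT_NPROC / RLIMIT_DATA lowering done by the generated runners before
 * execv(), as functions whose results can be checked.  Assumes a 64-bit
 * rlim_t (the 4 GiB firefox limit does not fit in 32 bits) and an
 * unprivileged caller. */
#include <errno.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/time.h>
#include <unistd.h>

/* heap_limit_MiB * 1024 * 1024, as in gen/src/runner.ml, computed in rlim_t. */
rlim_t mib_to_bytes(unsigned long mib) {
    return (rlim_t)mib * 1024 * 1024;
}

/* Lower both soft and hard limit of `resource` to `want`.  An unprivileged
 * process may lower a hard limit but never raise it, so a request above the
 * hard limit already in force is clamped to that value rather than failing
 * the whole launch (the generated runners return 1 on any setrlimit error).
 * On success stores the value applied in *applied and returns 0; on failure
 * returns -1 with errno set by getrlimit/setrlimit. */
int lower_limit(int resource, rlim_t want, rlim_t *applied) {
    struct rlimit cur;
    if (getrlimit(resource, &cur) != 0) return -1;
    /* RLIM_INFINITY is the largest rlim_t, so "unlimited" never clamps. */
    rlim_t target = (cur.rlim_max < want) ? cur.rlim_max : want;
    struct rlimit lim = { .rlim_cur = target, .rlim_max = target };
    if (setrlimit(resource, &lim) != 0) return -1;
    *applied = target;
    return 0;
}

/* Mirror of a generated runner's main().  A proc_limit or heap_limit_mib of
 * 0 stands for the generator's None (limit not configured) and is skipped;
 * that convention is this example's, not the repository's. */
int apply_runner_limits(unsigned long proc_limit, unsigned long heap_limit_mib,
                        rlim_t *nproc_applied, rlim_t *data_applied) {
    if (proc_limit != 0 &&
        lower_limit(RLIMIT_NPROC, (rlim_t)proc_limit, nproc_applied) != 0)
        return -1;
    if (heap_limit_mib != 0 &&
        lower_limit(RLIMIT_DATA, mib_to_bytes(heap_limit_mib), data_applied) != 0)
        return -1;
    return 0;
}

/* 1 if both soft and hard limit of `resource` currently equal `expected`. */
int limit_is(int resource, rlim_t expected) {
    struct rlimit cur;
    if (getrlimit(resource, &cur) != 0) return 0;
    return cur.rlim_cur == expected && cur.rlim_max == expected;
}

/* 1 if the kernel refuses (EPERM) to raise the hard limit of `resource` to
 * `higher`: once soft == hard has been set, the sandboxed program cannot undo
 * it.  A caller holding CAP_SYS_RESOURCE (e.g. root) is allowed to raise the
 * limit, so this returns 0 there; the runners are meant to run as a normal
 * user. */
int hard_limit_is_locked(int resource, rlim_t higher) {
    struct rlimit cur;
    if (getrlimit(resource, &cur) != 0) return 0;
    if (cur.rlim_max >= higher) return 0; /* nothing to raise */
    struct rlimit lim = { .rlim_cur = cur.rlim_cur, .rlim_max = higher };
    return setrlimit(resource, &lim) != 0 && errno == EPERM;
}

/* Apply the limits most profiles in the suite use (2000 processes, 512 MiB)
 * and read them back; 1 when both limits are now soft == hard == the clamped
 * request.  Note: this really lowers the calling process's own limits. */
int runner_limits_selftest(void) {
    rlim_t nproc = 0, data = 0;
    if (apply_runner_limits(2000, 512, &nproc, &data) != 0) return 0;
    return nproc <= 2000 && data <= mib_to_bytes(512) &&
           limit_is(RLIMIT_NPROC, nproc) && limit_is(RLIMIT_DATA, data);
}

int main(void) {
    rlim_t nproc = 0, data = 0;
    if (apply_runner_limits(2000, 512, &nproc, &data) != 0) {
        perror("apply_runner_limits");
        return 1;
    }
    printf("RLIMIT_NPROC soft=hard=%llu\n", (unsigned long long)nproc);
    printf("RLIMIT_DATA  soft=hard=%llu bytes\n", (unsigned long long)data);
    printf("hard RLIMIT_DATA locked for this process: %s\n",
           hard_limit_is_locked(RLIMIT_DATA, mib_to_bytes(4096)) ? "yes" : "no");
    /* A runner would now call execv(prog, argv).  The generated runners pass
     * their own argv through unchanged, so the target sees the runner's path
     * as argv[0]; harmless for bash, worth knowing for programs that inspect
     * argv[0]. */
    return 0;
}
```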
--------------------------------------------------------------------------------
/runners/okular-rw.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <unistd.h>

int main(int _argc, char * argv[]) {
  struct rlimit lim_nproc = { .rlim_cur = 2000, .rlim_max = 2000};
  if (setrlimit(RLIMIT_NPROC, &lim_nproc) != 0) { return 1; }
  struct rlimit lim_data = { .rlim_cur = 536870912, .rlim_max = 536870912};
  if (setrlimit(RLIMIT_DATA, &lim_data) != 0) { return 1; }
  return execv("/usr/bin/okular", argv);
}

--------------------------------------------------------------------------------
/runners/thunderbird.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <unistd.h>

int main(int _argc, char * argv[]) {
  struct rlimit lim_nproc = { .rlim_cur = 2000, .rlim_max = 2000};
  if (setrlimit(RLIMIT_NPROC, &lim_nproc) != 0) { return 1; }
  struct rlimit lim_data = { .rlim_cur = 1073741824, .rlim_max = 1073741824};
  if (setrlimit(RLIMIT_DATA, &lim_data) != 0) { return 1; }
  return execv("/usr/lib/thunderbird/thunderbird", argv);
}

--------------------------------------------------------------------------------
/scripts/bash-dev.sh:
--------------------------------------------------------------------------------
#!/usr/bin/bash

set -euxo pipefail

script_dir=$(dirname $(readlink -f "$0"))

gcc "$script_dir"/../seccomp-bpfs/bash-dev.c -lseccomp -o "$script_dir"/../seccomp-bpfs/bash-dev.exe
"$script_dir"/../seccomp-bpfs/bash-dev.exe
if [[ $? != 0 ]]; then
  echo "Failed to generate seccomp filter"
  exit 1
fi

mv bash-dev_seccomp_filter.bpf "$script_dir"/../seccomp-bpfs

gcc "$script_dir"/../runners/bash-dev.c -o "$script_dir"/../runners/bash-dev.runner

cur_time=$(date "+%Y-%m-%d_%H%M%S")

( exec bwrap \
  --ro-bind "/usr/share" "/usr/share" \
  --ro-bind "/usr/lib" "/usr/lib" \
  --ro-bind "/usr/lib64" "/usr/lib64" \
  --tmpfs "/usr/lib/modules" \
  --tmpfs "/usr/lib/systemd" \
  --symlink "/usr/lib" "/lib" \
  --symlink "/usr/lib64" "/lib64" \
  --ro-bind "/usr/bin" "/usr/bin" \
  --symlink "/usr/bin" "/bin" \
  --symlink "/usr/bin" "/sbin" \
  --setenv "PATH" "/usr/bin" \
  --ro-bind "/etc/fonts" "/etc/fonts" \
  --ro-bind "/etc/resolv.conf" "/etc/resolv.conf" \
  --ro-bind "/etc/ssl" "/etc/ssl" \
  --ro-bind "/etc/ca-certificates" "/etc/ca-certificates" \
  --ro-bind "/etc/localtime" "/etc/localtime" \
  --proc "/proc" \
  --dev "/dev" \
  --tmpfs "/tmp" \
  --tmpfs "/run" \
  --unsetenv "DBUS_SESSION_BUS_ADDRESS" \
  --setenv "HOME" "/home/sandbox" \
  --setenv "USER" "sandbox" \
  --setenv "LOGNAME" "sandbox" \
  --bind "." "/home/sandbox/workspace" \
  --hostname "jail" \
  --unshare-user \
  --unshare-pid \
  --unshare-uts \
  --unshare-ipc \
  --unshare-cgroup \
  --ro-bind "$script_dir/../runners/bash-dev.runner" "/home/sandbox/bash-dev.runner" \
  /home/sandbox/bash-dev.runner \
)
--------------------------------------------------------------------------------
/scripts/bash-hide-net.sh:
--------------------------------------------------------------------------------
#!/usr/bin/bash

set -euxo pipefail

script_dir=$(dirname $(readlink -f "$0"))

gcc "$script_dir"/../seccomp-bpfs/bash-hide-net.c -lseccomp -o "$script_dir"/../seccomp-bpfs/bash-hide-net.exe
"$script_dir"/../seccomp-bpfs/bash-hide-net.exe
if [[ $? != 0 ]]; then
  echo "Failed to generate seccomp filter"
  exit 1
fi

mv bash-hide-net_seccomp_filter.bpf "$script_dir"/../seccomp-bpfs

gcc "$script_dir"/../runners/bash-hide-net.c -o "$script_dir"/../runners/bash-hide-net.runner

cur_time=$(date "+%Y-%m-%d_%H%M%S")

( exec bwrap \
  --ro-bind "/usr/share" "/usr/share" \
  --ro-bind "/usr/lib" "/usr/lib" \
  --ro-bind "/usr/lib64" "/usr/lib64" \
  --tmpfs "/usr/lib/modules" \
  --tmpfs "/usr/lib/systemd" \
  --symlink "/usr/lib" "/lib" \
  --symlink "/usr/lib64" "/lib64" \
  --ro-bind "/usr/bin" "/usr/bin" \
  --symlink "/usr/bin" "/bin" \
  --symlink "/usr/bin" "/sbin" \
  --setenv "PATH" "/usr/bin" \
  --ro-bind "/etc/fonts" "/etc/fonts" \
  --ro-bind "/etc/resolv.conf" "/etc/resolv.conf" \
  --ro-bind "/etc/ssl" "/etc/ssl" \
  --ro-bind "/etc/ca-certificates" "/etc/ca-certificates" \
  --ro-bind "/etc/localtime" "/etc/localtime" \
  --proc "/proc" \
  --dev "/dev" \
  --tmpfs "/tmp" \
  --tmpfs "/run" \
  --unsetenv "DBUS_SESSION_BUS_ADDRESS" \
  --setenv "HOME" "/home/sandbox" \
  --setenv "USER" "sandbox" \
  --setenv "LOGNAME" "sandbox" \
  --bind "." "/home/sandbox/workspace" \
  --unshare-user \
  --unshare-pid \
  --unshare-uts \
  --unshare-ipc \
  --unshare-cgroup \
  --unshare-net \
  --seccomp 10 10<"$script_dir"/../seccomp-bpfs/bash-hide-net_seccomp_filter.bpf \
  --ro-bind "$script_dir/../runners/bash-hide-net.runner" "/home/sandbox/bash-hide-net.runner" \
  /home/sandbox/bash-hide-net.runner \
)
--------------------------------------------------------------------------------
/scripts/bash.sh:
--------------------------------------------------------------------------------
#!/usr/bin/bash

set -euxo pipefail

script_dir=$(dirname $(readlink -f "$0"))

gcc "$script_dir"/../seccomp-bpfs/bash.c -lseccomp -o "$script_dir"/../seccomp-bpfs/bash.exe
"$script_dir"/../seccomp-bpfs/bash.exe
if [[ $? != 0 ]]; then
  echo "Failed to generate seccomp filter"
  exit 1
fi

mv bash_seccomp_filter.bpf "$script_dir"/../seccomp-bpfs

gcc "$script_dir"/../runners/bash.c -o "$script_dir"/../runners/bash.runner

cur_time=$(date "+%Y-%m-%d_%H%M%S")

( exec bwrap \
  --ro-bind "/usr/share" "/usr/share" \
  --ro-bind "/usr/lib" "/usr/lib" \
  --ro-bind "/usr/lib64" "/usr/lib64" \
  --tmpfs "/usr/lib/modules" \
  --tmpfs "/usr/lib/systemd" \
  --symlink "/usr/lib" "/lib" \
  --symlink "/usr/lib64" "/lib64" \
  --ro-bind "/usr/bin" "/usr/bin" \
  --symlink "/usr/bin" "/bin" \
  --symlink "/usr/bin" "/sbin" \
  --setenv "PATH" "/usr/bin" \
  --ro-bind "/etc/fonts" "/etc/fonts" \
  --ro-bind "/etc/resolv.conf" "/etc/resolv.conf" \
  --ro-bind "/etc/ssl" "/etc/ssl" \
  --ro-bind "/etc/ca-certificates" "/etc/ca-certificates" \
  --ro-bind "/etc/localtime" "/etc/localtime" \
  --proc "/proc" \
  --dev "/dev" \
  --tmpfs "/tmp" \
  --tmpfs "/run" \
  --unsetenv "DBUS_SESSION_BUS_ADDRESS" \
  --setenv "HOME" "/home/sandbox" \
  --setenv "USER" "sandbox" \
  --setenv "LOGNAME" "sandbox" \
  --bind "." "/home/sandbox/workspace" \
  --hostname "jail" \
  --unshare-user \
  --unshare-pid \
  --unshare-uts \
  --unshare-ipc \
  --unshare-cgroup \
  --seccomp 10 10<"$script_dir"/../seccomp-bpfs/bash_seccomp_filter.bpf \
  --ro-bind "$script_dir/../runners/bash.runner" "/home/sandbox/bash.runner" \
  /home/sandbox/bash.runner \
)
--------------------------------------------------------------------------------
/scripts/chromium-tmp.sh:
--------------------------------------------------------------------------------
#!/usr/bin/bash

set -euxo pipefail

script_dir=$(dirname $(readlink -f "$0"))

gcc "$script_dir"/../seccomp-bpfs/chromium-tmp.c -lseccomp -o "$script_dir"/../seccomp-bpfs/chromium-tmp.exe
"$script_dir"/../seccomp-bpfs/chromium-tmp.exe
if [[ $? != 0 ]]; then
  echo "Failed to generate seccomp filter"
  exit 1
fi

mv chromium-tmp_seccomp_filter.bpf "$script_dir"/../seccomp-bpfs

gcc "$script_dir"/../runners/chromium-tmp.c -o "$script_dir"/../runners/chromium-tmp.runner

cur_time=$(date "+%Y-%m-%d_%H%M%S")
tmp_dir=$(mktemp -d -t chromium-tmp-$cur_time-XXXX)
mkdir -p "$tmp_dir/Downloads"
mkdir -p "$tmp_dir/Uploads"


( exec bwrap \
  --ro-bind "/usr/share" "/usr/share" \
  --ro-bind "/usr/lib" "/usr/lib" \
  --ro-bind "/usr/lib64" "/usr/lib64" \
  --tmpfs "/usr/lib/modules" \
  --tmpfs "/usr/lib/systemd" \
  --symlink "/usr/lib" "/lib" \
  --symlink "/usr/lib64" "/lib64" \
  --ro-bind "/usr/bin" "/usr/bin" \
  --symlink "/usr/bin" "/bin" \
  --symlink "/usr/bin" "/sbin" \
  --setenv "PATH" "/usr/bin" \
  --ro-bind "/etc/fonts" "/etc/fonts" \
  --ro-bind "/etc/resolv.conf" "/etc/resolv.conf" \
  --ro-bind "/etc/ssl" "/etc/ssl" \
  --ro-bind "/etc/ca-certificates" "/etc/ca-certificates" \
  --ro-bind "/etc/localtime" "/etc/localtime" \
  --proc "/proc" \
  --dev "/dev" \
  --tmpfs "/tmp" \
  --tmpfs "/run" \
  --ro-bind-try "/usr/share/gst-plugins-bad" "/usr/share/gst-plugins-bad" \
  --ro-bind-try "/usr/share/gst-plugins-base" "/usr/share/gst-plugins-base" \
  --ro-bind-try "/usr/share/gstreamer-1.0" "/usr/share/gstreamer-1.0" \
  --ro-bind "/run/user/$UID/pulse" "/run/user/$UID/pulse" \
  --ro-bind-try "/run/user/$UID/wayland-0" "/run/user/$UID/wayland-0" \
  --ro-bind-try "/run/user/$UID/wayland-1" "/run/user/$UID/wayland-1" \
  --ro-bind-try "/run/user/$UID/wayland-2" "/run/user/$UID/wayland-2" \
  --ro-bind-try "/run/user/$UID/wayland-3" "/run/user/$UID/wayland-3" \
  --setenv "QT_QPA_PLATFORM" "wayland" \
  --bind "/run/user/$UID/dconf" "/run/user/$UID/dconf" \
  --ro-bind "/run/user/$UID/bus" "/run/user/$UID/bus" \
  --dev-bind "/dev/dri/card0" "/dev/dri/card0" \
  --tmpfs "/home/sandbox" \
  --setenv "HOME" "/home/sandbox" \
  --unsetenv "DBUS_SESSION_BUS_ADDRESS" \
  --setenv "SHELL" "/bin/false" \
  --setenv "USER" "nobody" \
  --setenv "LOGNAME" "nobody" \
  --hostname "jail" \
  --unshare-user \
  --unshare-pid \
  --unshare-uts \
  --unshare-ipc \
  --unshare-cgroup \
  --new-session \
  --bind "$tmp_dir/Downloads" "/home/sandbox/Downloads" \
  --ro-bind "$tmp_dir/Uploads" "/home/sandbox/Uploads" \
  --seccomp 10 10<"$script_dir"/../seccomp-bpfs/chromium-tmp_seccomp_filter.bpf \
  --ro-bind "$script_dir/../runners/chromium-tmp.runner" "/home/sandbox/chromium-tmp.runner" \
  /home/sandbox/chromium-tmp.runner \
)

rmdir --ignore-fail-on-non-empty "$tmp_dir/Downloads"
rmdir --ignore-fail-on-non-empty "$tmp_dir/Uploads"
rmdir --ignore-fail-on-non-empty "$tmp_dir"
--------------------------------------------------------------------------------
/scripts/chromium.sh:
--------------------------------------------------------------------------------
#!/usr/bin/bash

set -euxo pipefail

script_dir=$(dirname $(readlink -f "$0"))

gcc "$script_dir"/../seccomp-bpfs/chromium.c -lseccomp -o "$script_dir"/../seccomp-bpfs/chromium.exe
"$script_dir"/../seccomp-bpfs/chromium.exe
if [[ $? != 0 ]]; then
  echo "Failed to generate seccomp filter"
  exit 1
fi

mv chromium_seccomp_filter.bpf "$script_dir"/../seccomp-bpfs

gcc "$script_dir"/../runners/chromium.c -o "$script_dir"/../runners/chromium.runner

mkdir -p "$HOME/sandboxes/chromium"
mkdir -p "$HOME/sandboxes/chromium/Downloads"

cur_time=$(date "+%Y-%m-%d_%H%M%S")

( exec bwrap \
  --ro-bind "/usr/share" "/usr/share" \
  --ro-bind "/usr/lib" "/usr/lib" \
  --ro-bind "/usr/lib64" "/usr/lib64" \
  --tmpfs "/usr/lib/modules" \
  --tmpfs "/usr/lib/systemd" \
  --symlink "/usr/lib" "/lib" \
  --symlink "/usr/lib64" "/lib64" \
  --ro-bind "/usr/bin" "/usr/bin" \
  --symlink "/usr/bin" "/bin" \
  --symlink "/usr/bin" "/sbin" \
  --setenv "PATH" "/usr/bin" \
  --ro-bind "/etc/fonts" "/etc/fonts" \
  --ro-bind "/etc/resolv.conf" "/etc/resolv.conf" \
  --ro-bind "/etc/ssl" "/etc/ssl" \
  --ro-bind "/etc/ca-certificates" "/etc/ca-certificates" \
  --ro-bind "/etc/localtime" "/etc/localtime" \
  --proc "/proc" \
  --dev "/dev" \
  --tmpfs "/tmp" \
  --tmpfs "/run" \
  --ro-bind-try "/usr/share/gst-plugins-bad" "/usr/share/gst-plugins-bad" \
  --ro-bind-try "/usr/share/gst-plugins-base" "/usr/share/gst-plugins-base" \
  --ro-bind-try "/usr/share/gstreamer-1.0" "/usr/share/gstreamer-1.0" \
  --ro-bind "/run/user/$UID/pulse" "/run/user/$UID/pulse" \
  --ro-bind-try "/run/user/$UID/wayland-0" "/run/user/$UID/wayland-0" \
  --ro-bind-try "/run/user/$UID/wayland-1" "/run/user/$UID/wayland-1" \
  --ro-bind-try "/run/user/$UID/wayland-2" "/run/user/$UID/wayland-2" \
  --ro-bind-try "/run/user/$UID/wayland-3" "/run/user/$UID/wayland-3" \
  --setenv "QT_QPA_PLATFORM" "wayland" \
  --bind "/run/user/$UID/dconf" "/run/user/$UID/dconf" \
  --ro-bind "/run/user/$UID/bus" "/run/user/$UID/bus" \
  --dev-bind "/dev/dri/card0" "/dev/dri/card0" \
  --bind "$HOME/sandboxes/chromium" "/home/sandbox" \
  --setenv "HOME" "/home/sandbox" \
  --unsetenv "DBUS_SESSION_BUS_ADDRESS" \
  --setenv "SHELL" "/bin/false" \
  --setenv "USER" "nobody" \
  --setenv "LOGNAME" "nobody" \
  --hostname "jail" \
  --unshare-user \
  --unshare-pid \
  --unshare-uts \
  --unshare-ipc \
  --unshare-cgroup \
  --new-session \
  --seccomp 10 10<"$script_dir"/../seccomp-bpfs/chromium_seccomp_filter.bpf \
  --ro-bind "$script_dir/../runners/chromium.runner" "/home/sandbox/chromium.runner" \
  /home/sandbox/chromium.runner \
)
--------------------------------------------------------------------------------
/scripts/deluge.sh:
--------------------------------------------------------------------------------
#!/usr/bin/bash

set -euxo pipefail

script_dir=$(dirname $(readlink -f "$0"))

gcc "$script_dir"/../seccomp-bpfs/deluge.c -lseccomp -o "$script_dir"/../seccomp-bpfs/deluge.exe
"$script_dir"/../seccomp-bpfs/deluge.exe
if [[ $? != 0 ]]; then
  echo "Failed to generate seccomp filter"
  exit 1
fi

mv deluge_seccomp_filter.bpf "$script_dir"/../seccomp-bpfs

gcc "$script_dir"/../runners/deluge.c -o "$script_dir"/../runners/deluge.runner

mkdir -p "$HOME/sandboxes/deluge"
mkdir -p "$HOME/sandboxes/deluge/Downloads"

cur_time=$(date "+%Y-%m-%d_%H%M%S")

( exec bwrap \
  --ro-bind "/usr/share" "/usr/share" \
  --ro-bind "/usr/lib" "/usr/lib" \
  --ro-bind "/usr/lib64" "/usr/lib64" \
  --tmpfs "/usr/lib/modules" \
  --tmpfs "/usr/lib/systemd" \
  --symlink "/usr/lib" "/lib" \
  --symlink "/usr/lib64" "/lib64" \
  --ro-bind "/usr/bin" "/usr/bin" \
  --symlink "/usr/bin" "/bin" \
  --symlink "/usr/bin" "/sbin" \
  --setenv "PATH" "/usr/bin" \
  --ro-bind "/etc/fonts" "/etc/fonts" \
  --ro-bind "/etc/resolv.conf" "/etc/resolv.conf" \
  --ro-bind "/etc/ssl" "/etc/ssl" \
  --ro-bind "/etc/ca-certificates" "/etc/ca-certificates" \
  --ro-bind "/etc/localtime" "/etc/localtime" \
  --proc "/proc" \
  --dev "/dev" \
  --tmpfs "/tmp" \
  --tmpfs "/run" \
  --ro-bind-try "/run/user/$UID/wayland-0" "/run/user/$UID/wayland-0" \
  --ro-bind-try "/run/user/$UID/wayland-1" "/run/user/$UID/wayland-1" \
  --ro-bind-try "/run/user/$UID/wayland-2" "/run/user/$UID/wayland-2" \
  --ro-bind-try "/run/user/$UID/wayland-3" "/run/user/$UID/wayland-3" \
  --setenv "QT_QPA_PLATFORM" "wayland" \
  --bind "/run/user/$UID/dconf" "/run/user/$UID/dconf" \
  --ro-bind "/run/user/$UID/bus" "/run/user/$UID/bus" \
  --ro-bind "/etc/lsb-release" "/etc/lsb-release" \
  --ro-bind "/etc/arch-release" "/etc/arch-release" \
  --bind "$HOME/sandboxes/deluge" "/home/sandbox" \
  --setenv "HOME" "/home/sandbox" \
  --unsetenv "DBUS_SESSION_BUS_ADDRESS" \
  --setenv "SHELL" "/bin/false" \
  --setenv "USER" "nobody" \
  --setenv "LOGNAME" "nobody" \
  --setenv "MOZ_ENABLE_WAYLAND" "1" \
  --hostname "jail" \
  --unshare-user \
  --unshare-pid \
  --unshare-uts \
  --unshare-ipc \
  --unshare-cgroup \
  --new-session \
  --seccomp 10 10<"$script_dir"/../seccomp-bpfs/deluge_seccomp_filter.bpf \
  --ro-bind "$script_dir/../runners/deluge.runner" "/home/sandbox/deluge.runner" \
  /home/sandbox/deluge.runner \
)
--------------------------------------------------------------------------------
/scripts/discord.sh:
--------------------------------------------------------------------------------
#!/usr/bin/bash

set -euxo pipefail

script_dir=$(dirname $(readlink -f "$0"))

gcc "$script_dir"/../seccomp-bpfs/discord.c -lseccomp -o "$script_dir"/../seccomp-bpfs/discord.exe
"$script_dir"/../seccomp-bpfs/discord.exe
if [[ $? != 0 ]]; then
  echo "Failed to generate seccomp filter"
  exit 1
fi

mv discord_seccomp_filter.bpf "$script_dir"/../seccomp-bpfs

gcc "$script_dir"/../runners/discord.c -o "$script_dir"/../runners/discord.runner

mkdir -p "$HOME/sandboxes/discord"
mkdir -p "$HOME/sandboxes/discord/Downloads"

cur_time=$(date "+%Y-%m-%d_%H%M%S")

( exec bwrap \
  --ro-bind "/usr/share" "/usr/share" \
  --ro-bind "/usr/lib" "/usr/lib" \
  --ro-bind "/usr/lib64" "/usr/lib64" \
  --tmpfs "/usr/lib/modules" \
  --tmpfs "/usr/lib/systemd" \
  --symlink "/usr/lib" "/lib" \
  --symlink "/usr/lib64" "/lib64" \
  --ro-bind "/usr/bin" "/usr/bin" \
  --symlink "/usr/bin" "/bin" \
  --symlink "/usr/bin" "/sbin" \
  --setenv "PATH" "/usr/bin" \
  --tmpfs "/usr/lib/firefox" \
  --ro-bind "/etc/fonts" "/etc/fonts" \
  --ro-bind "/etc/resolv.conf" "/etc/resolv.conf" \
  --ro-bind "/etc/ssl" "/etc/ssl" \
  --ro-bind "/etc/ca-certificates" "/etc/ca-certificates" \
  --ro-bind "/etc/localtime" "/etc/localtime" \
  --proc "/proc" \
  --dev "/dev" \
  --tmpfs "/tmp" \
  --tmpfs "/run" \
  --ro-bind-try "/usr/share/gst-plugins-bad" "/usr/share/gst-plugins-bad" \
  --ro-bind-try "/usr/share/gst-plugins-base" "/usr/share/gst-plugins-base" \
  --ro-bind-try "/usr/share/gstreamer-1.0" "/usr/share/gstreamer-1.0" \
  --ro-bind "/run/user/$UID/pulse" "/run/user/$UID/pulse" \
  --ro-bind "/tmp/.X11-unix" "/tmp/.X11-unix" \
  --bind "/run/user/$UID/dconf" "/run/user/$UID/dconf" \
  --ro-bind "/run/user/$UID/bus" "/run/user/$UID/bus" \
  --ro-bind "/opt/discord" "/opt/discord" \
  --bind "$HOME/sandboxes/discord" "/home/sandbox" \
  --setenv "HOME" "/home/sandbox" \
  --unsetenv "DBUS_SESSION_BUS_ADDRESS" \
  --setenv "QT_X11_NO_MITSHM" "1" \
  --setenv "_X11_NO_MITSHM" "1" \
  --setenv "_MITSHM" "0" \
  --setenv "SHELL" "/bin/false" \
  --setenv "USER" "nobody" \
  --setenv "LOGNAME" "nobody" \
  --hostname "jail" \
  --unshare-user \
  --unshare-pid \
  --unshare-uts \
  --unshare-cgroup \
  --new-session \
  --seccomp 10 10<"$script_dir"/../seccomp-bpfs/discord_seccomp_filter.bpf \
  --ro-bind "$script_dir/../runners/discord.runner" "/home/sandbox/discord.runner" \
  /home/sandbox/discord.runner \
)
--------------------------------------------------------------------------------
/scripts/eom-ro.sh:
--------------------------------------------------------------------------------
#!/usr/bin/bash

set -euxo pipefail

script_dir=$(dirname $(readlink -f "$0"))

gcc "$script_dir"/../seccomp-bpfs/eom-ro.c -lseccomp -o "$script_dir"/../seccomp-bpfs/eom-ro.exe
"$script_dir"/../seccomp-bpfs/eom-ro.exe
if [[ $? != 0 ]]; then
  echo "Failed to generate seccomp filter"
  exit 1
fi

mv eom-ro_seccomp_filter.bpf "$script_dir"/../seccomp-bpfs

gcc "$script_dir"/../runners/eom-ro.c -o "$script_dir"/../runners/eom-ro.runner

cur_time=$(date "+%Y-%m-%d_%H%M%S")
mkdir -p "$HOME/sandbox-logs/eom-ro"
stdout_log_name="$HOME/sandbox-logs/eom-ro"/"$cur_time"."stdout"

mkdir -p "$HOME/sandbox-logs/eom-ro"
stderr_log_name="$HOME/sandbox-logs/eom-ro"/"$cur_time"."stderr"


( exec bwrap \
  --ro-bind "/usr/share" "/usr/share" \
  --ro-bind "/usr/lib" "/usr/lib" \
  --ro-bind "/usr/lib64" "/usr/lib64" \
  --tmpfs "/usr/lib/modules" \
  --tmpfs "/usr/lib/systemd" \
  --symlink "/usr/lib" "/lib" \
  --symlink "/usr/lib64" "/lib64" \
  --ro-bind "/usr/bin/eom" "/usr/bin/eom" \
  --ro-bind "/usr/bin/eom" "/bin/eom" \
  --ro-bind "/usr/bin/eom" "/sbin/eom" \
  --ro-bind "/etc/fonts" "/etc/fonts" \
  --ro-bind "/etc/resolv.conf" "/etc/resolv.conf" \
  --ro-bind "/etc/ssl" "/etc/ssl" \
  --ro-bind "/etc/ca-certificates" "/etc/ca-certificates" \
  --ro-bind "/etc/localtime" "/etc/localtime" \
  --proc "/proc" \
  --dev "/dev" \
  --tmpfs "/tmp" \
  --tmpfs "/run" \
  --ro-bind-try "/run/user/$UID/wayland-0" "/run/user/$UID/wayland-0" \
  --ro-bind-try "/run/user/$UID/wayland-1" "/run/user/$UID/wayland-1" \
  --ro-bind-try "/run/user/$UID/wayland-2" "/run/user/$UID/wayland-2" \
  --ro-bind-try "/run/user/$UID/wayland-3" "/run/user/$UID/wayland-3" \
  --setenv "QT_QPA_PLATFORM" "wayland" \
  --tmpfs "/home/sandbox" \
  --setenv "HOME" "/home/sandbox" \
  --unsetenv "DBUS_SESSION_BUS_ADDRESS" \
  --setenv "SHELL" "/bin/false" \
  --setenv "USER" "nobody" \
  --setenv "LOGNAME" "nobody" \
  --ro-bind "$1" "/home/sandbox/$(basename "$1")" \
  --hostname "jail" \
  --unshare-user \
  --unshare-pid \
  --unshare-uts \
  --unshare-ipc \
  --unshare-cgroup \
  --unshare-net \
  --new-session \
  --seccomp 10 10<"$script_dir"/../seccomp-bpfs/eom-ro_seccomp_filter.bpf \
  --ro-bind "$script_dir/../runners/eom-ro.runner" "/home/sandbox/eom-ro.runner" \
  /home/sandbox/eom-ro.runner "/home/sandbox/$(basename "$1")" \
  >$stdout_log_name \
  2>$stderr_log_name \
)
--------------------------------------------------------------------------------
/scripts/firefox-private.sh:
--------------------------------------------------------------------------------
#!/usr/bin/bash

set -euxo pipefail

script_dir=$(dirname $(readlink -f "$0"))

gcc "$script_dir"/../seccomp-bpfs/firefox-private.c -lseccomp -o "$script_dir"/../seccomp-bpfs/firefox-private.exe
"$script_dir"/../seccomp-bpfs/firefox-private.exe
if [[ $? != 0 ]]; then
  echo "Failed to generate seccomp filter"
  exit 1
fi

mv firefox-private_seccomp_filter.bpf "$script_dir"/../seccomp-bpfs

gcc "$script_dir"/../runners/firefox-private.c -o "$script_dir"/../runners/firefox-private.runner

cur_time=$(date "+%Y-%m-%d_%H%M%S")
mkdir -p "$HOME/sandbox-logs/firefox-private"
stdout_log_name="$HOME/sandbox-logs/firefox-private"/"$cur_time"."stdout"

mkdir -p "$HOME/sandbox-logs/firefox-private"
stderr_log_name="$HOME/sandbox-logs/firefox-private"/"$cur_time"."stderr"

tmp_dir=$(mktemp -d -t firefox-private-$cur_time-XXXX)
mkdir -p "$tmp_dir/Downloads"
mkdir -p "$tmp_dir/Uploads"

shopt -s nullglob
glob_list_36=(/etc/firefox/*)
shopt -u nullglob
expanding_arg_36=""
for x in ${glob_list_36[@]}; do
  if [[ $x != "" ]]; then
    expanding_arg_36+=" --ro-bind "$x" "$x" "
  fi
done
shopt -s nullglob
glob_list_39=(/etc/firefox/*)
shopt -u nullglob
expanding_arg_39=""
for x in ${glob_list_39[@]}; do
  if [[ $x != "" ]]; then
    expanding_arg_39+=" --ro-bind "$x" "$x" "
  fi
done
shopt -s nullglob
glob_list_42=(/etc/firefox-esr/*)
shopt -u nullglob
expanding_arg_42=""
for x in ${glob_list_42[@]}; do
  if [[ $x != "" ]]; then
    expanding_arg_42+=" --ro-bind "$x" "$x" "
  fi
done
shopt -s nullglob
glob_list_45=(/usr/lib/firefox/*)
shopt -u nullglob
expanding_arg_45=""
for x in ${glob_list_45[@]}; do
  if [[ $x != "" ]]; then
    expanding_arg_45+=" --ro-bind "$x" "$x" "
  fi
done
shopt -s nullglob
glob_list_50=(/usr/lib32/firefox/*)
shopt -u nullglob
expanding_arg_50=""
for x in ${glob_list_50[@]}; do
  if [[ $x != "" ]]; then
    expanding_arg_50+=" --ro-bind "$x" "$x" "
  fi
done
shopt -s nullglob
glob_list_55=(/usr/lib64/firefox/*)
shopt -u nullglob
expanding_arg_55=""
for x in ${glob_list_55[@]}; do
  if [[ $x != "" ]]; then
    expanding_arg_55+=" --ro-bind "$x" "$x" "
  fi
done

( exec bwrap \
  --ro-bind "/usr/share" "/usr/share" \
  --ro-bind "/usr/lib" "/usr/lib" \
  --ro-bind "/usr/lib64" "/usr/lib64" \
  --tmpfs "/usr/lib/modules" \
  --tmpfs "/usr/lib/systemd" \
  --symlink "/usr/lib" "/lib" \
  --symlink "/usr/lib64" "/lib64" \
  --ro-bind "/usr/bin/firefox" "/usr/bin/firefox" \
  --ro-bind "/usr/bin/firefox" "/bin/firefox" \
  --ro-bind "/usr/bin/firefox" "/sbin/firefox" \
  --ro-bind "/etc/fonts" "/etc/fonts" \
  --ro-bind "/etc/resolv.conf" "/etc/resolv.conf" \
  --ro-bind "/etc/ssl" "/etc/ssl" \
  --ro-bind "/etc/ca-certificates" "/etc/ca-certificates" \
  --ro-bind "/etc/localtime" "/etc/localtime" \
  --proc "/proc" \
  --dev "/dev" \
  --dev-bind "/dev/dri" "/dev/dri" \
  --ro-bind "/sys/dev/char" "/sys/dev/char" \
  --ro-bind "/sys/devices/pci0000:00" "/sys/devices/pci0000:00" \
  --tmpfs "/tmp" \
  --tmpfs "/run" \
  --ro-bind-try
"/usr/share/gst-plugins-bad" "/usr/share/gst-plugins-bad" \ 108 | --ro-bind-try "/usr/share/gst-plugins-base" "/usr/share/gst-plugins-base" \ 109 | --ro-bind-try "/usr/share/gstreamer-1.0" "/usr/share/gstreamer-1.0" \ 110 | --ro-bind "/run/user/$UID/pulse" "/run/user/$UID/pulse" \ 111 | --ro-bind-try "/run/user/$UID/wayland-0" "/run/user/$UID/wayland-0" \ 112 | --ro-bind-try "/run/user/$UID/wayland-1" "/run/user/$UID/wayland-1" \ 113 | --ro-bind-try "/run/user/$UID/wayland-2" "/run/user/$UID/wayland-2" \ 114 | --ro-bind-try "/run/user/$UID/wayland-3" "/run/user/$UID/wayland-3" \ 115 | --setenv "QT_QPA_PLATFORM" "wayland" \ 116 | --bind "/run/user/$UID/dconf" "/run/user/$UID/dconf" \ 117 | --ro-bind "/run/user/$UID/bus" "/run/user/$UID/bus" \ 118 | --tmpfs "/home/sandbox" \ 119 | --setenv "HOME" "/home/sandbox" \ 120 | --tmpfs "/etc/firefox" \ 121 | $expanding_arg_36 \ 122 | --ro-bind "$script_dir/../firefox-hardening/systemwide_user.js" "/etc/firefox/syspref.js" \ 123 | --tmpfs "/etc/firefox" \ 124 | $expanding_arg_39 \ 125 | --ro-bind "$script_dir/../firefox-hardening/systemwide_user.js" "/etc/firefox/firefox.js" \ 126 | --tmpfs "/etc/firefox-esr" \ 127 | $expanding_arg_42 \ 128 | --ro-bind "$script_dir/../firefox-hardening/systemwide_user.js" "/etc/firefox-esr/firefox-esr.js" \ 129 | --tmpfs "/usr/lib/firefox/" \ 130 | $expanding_arg_45 \ 131 | --ro-bind "$script_dir/../firefox-hardening/systemwide_user.js" "/usr/lib/firefox/mozilla.cfg" \ 132 | --tmpfs "/usr/lib/firefox/defaults/pref/" \ 133 | --ro-bind "$script_dir/../firefox-hardening/local-settings.js" "/usr/lib/firefox/defaults/pref/local-settings.js" \ 134 | --tmpfs "/usr/lib32/firefox/" \ 135 | $expanding_arg_50 \ 136 | --ro-bind "$script_dir/../firefox-hardening/systemwide_user.js" "/usr/lib32/firefox/mozilla.cfg" \ 137 | --tmpfs "/usr/lib32/firefox/defaults/pref/" \ 138 | --ro-bind "$script_dir/../firefox-hardening/local-settings.js" "/usr/lib32/firefox/defaults/pref/local-settings.js" \ 139 | --tmpfs 
"/usr/lib64/firefox/" \ 140 | $expanding_arg_55 \ 141 | --ro-bind "$script_dir/../firefox-hardening/systemwide_user.js" "/usr/lib64/firefox/mozilla.cfg" \ 142 | --tmpfs "/usr/lib64/firefox/defaults/pref/" \ 143 | --ro-bind "$script_dir/../firefox-hardening/local-settings.js" "/usr/lib64/firefox/defaults/pref/local-settings.js" \ 144 | --unsetenv "DBUS_SESSION_BUS_ADDRESS" \ 145 | --setenv "SHELL" "/bin/false" \ 146 | --setenv "USER" "nobody" \ 147 | --setenv "LOGNAME" "nobody" \ 148 | --setenv "MOZ_ENABLE_WAYLAND" "1" \ 149 | --hostname "jail" \ 150 | --unshare-user \ 151 | --unshare-pid \ 152 | --unshare-uts \ 153 | --unshare-ipc \ 154 | --unshare-cgroup \ 155 | --new-session \ 156 | --bind "$tmp_dir/Downloads" "/home/sandbox/Downloads" \ 157 | --ro-bind "$tmp_dir/Uploads" "/home/sandbox/Uploads" \ 158 | --seccomp 10 10<"$script_dir"/../seccomp-bpfs/firefox-private_seccomp_filter.bpf \ 159 | --ro-bind ""$script_dir"/../runners/firefox-private.runner" "/home/sandbox/firefox-private.runner" \ 160 | /home/sandbox/firefox-private.runner --no-remote \ 161 | >$stdout_log_name \ 162 | 2>$stderr_log_name \ 163 | ) 164 | 165 | rmdir --ignore-fail-on-non-empty "$tmp_dir/Downloads" 166 | rmdir --ignore-fail-on-non-empty "$tmp_dir/Uploads" 167 | rmdir --ignore-fail-on-non-empty "$tmp_dir" 168 | -------------------------------------------------------------------------------- /scripts/firefox-tmp.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/bash 2 | 3 | set -euxo pipefail 4 | 5 | script_dir=$(dirname $(readlink -f "$0")) 6 | 7 | gcc "$script_dir"/../seccomp-bpfs/firefox-tmp.c -lseccomp -o "$script_dir"/../seccomp-bpfs/firefox-tmp.exe 8 | "$script_dir"/../seccomp-bpfs/firefox-tmp.exe 9 | if [[ $? 
!= 0 ]]; then 10 | echo "Failed to generate seccomp filter" 11 | exit 1 12 | fi 13 | 14 | mv firefox-tmp_seccomp_filter.bpf "$script_dir"/../seccomp-bpfs 15 | 16 | gcc "$script_dir"/../runners/firefox-tmp.c -o "$script_dir"/../runners/firefox-tmp.runner 17 | 18 | cur_time=$(date "+%Y-%m-%d_%H%M%S") 19 | mkdir -p "$HOME/sandbox-logs/firefox-tmp" 20 | stdout_log_name="$HOME/sandbox-logs/firefox-tmp"/"$cur_time"."stdout" 21 | 22 | mkdir -p "$HOME/sandbox-logs/firefox-tmp" 23 | stderr_log_name="$HOME/sandbox-logs/firefox-tmp"/"$cur_time"."stderr" 24 | 25 | tmp_dir=$(mktemp -d -t firefox-tmp-$cur_time-XXXX) 26 | mkdir -p "$tmp_dir/Downloads" 27 | mkdir -p "$tmp_dir/Uploads" 28 | 29 | 30 | ( exec bwrap \ 31 | --ro-bind "/usr/share" "/usr/share" \ 32 | --ro-bind "/usr/lib" "/usr/lib" \ 33 | --ro-bind "/usr/lib64" "/usr/lib64" \ 34 | --tmpfs "/usr/lib/modules" \ 35 | --tmpfs "/usr/lib/systemd" \ 36 | --symlink "/usr/lib" "/lib" \ 37 | --symlink "/usr/lib64" "/lib64" \ 38 | --ro-bind "/usr/bin/firefox" "/usr/bin/firefox" \ 39 | --ro-bind "/usr/bin/firefox" "/bin/firefox" \ 40 | --ro-bind "/usr/bin/firefox" "/sbin/firefox" \ 41 | --ro-bind "/etc/fonts" "/etc/fonts" \ 42 | --ro-bind "/etc/resolv.conf" "/etc/resolv.conf" \ 43 | --ro-bind "/etc/ssl" "/etc/ssl" \ 44 | --ro-bind "/etc/ca-certificates" "/etc/ca-certificates" \ 45 | --ro-bind "/etc/localtime" "/etc/localtime" \ 46 | --proc "/proc" \ 47 | --dev "/dev" \ 48 | --dev-bind "/dev/dri" "/dev/dri" \ 49 | --ro-bind "/sys/dev/char" "/sys/dev/char" \ 50 | --ro-bind "/sys/devices/pci0000:00" "/sys/devices/pci0000:00" \ 51 | --tmpfs "/tmp" \ 52 | --tmpfs "/run" \ 53 | --ro-bind-try "/usr/share/gst-plugins-bad" "/usr/share/gst-plugins-bad" \ 54 | --ro-bind-try "/usr/share/gst-plugins-base" "/usr/share/gst-plugins-base" \ 55 | --ro-bind-try "/usr/share/gstreamer-1.0" "/usr/share/gstreamer-1.0" \ 56 | --ro-bind "/run/user/$UID/pulse" "/run/user/$UID/pulse" \ 57 | --ro-bind-try "/run/user/$UID/wayland-0" "/run/user/$UID/wayland-0" 
\ 58 | --ro-bind-try "/run/user/$UID/wayland-1" "/run/user/$UID/wayland-1" \ 59 | --ro-bind-try "/run/user/$UID/wayland-2" "/run/user/$UID/wayland-2" \ 60 | --ro-bind-try "/run/user/$UID/wayland-3" "/run/user/$UID/wayland-3" \ 61 | --setenv "QT_QPA_PLATFORM" "wayland" \ 62 | --bind "/run/user/$UID/dconf" "/run/user/$UID/dconf" \ 63 | --ro-bind "/run/user/$UID/bus" "/run/user/$UID/bus" \ 64 | --tmpfs "/home/sandbox" \ 65 | --setenv "HOME" "/home/sandbox" \ 66 | --unsetenv "DBUS_SESSION_BUS_ADDRESS" \ 67 | --setenv "SHELL" "/bin/false" \ 68 | --setenv "USER" "nobody" \ 69 | --setenv "LOGNAME" "nobody" \ 70 | --setenv "MOZ_ENABLE_WAYLAND" "1" \ 71 | --hostname "jail" \ 72 | --unshare-user \ 73 | --unshare-pid \ 74 | --unshare-uts \ 75 | --unshare-ipc \ 76 | --unshare-cgroup \ 77 | --new-session \ 78 | --bind "$tmp_dir/Downloads" "/home/sandbox/Downloads" \ 79 | --ro-bind "$tmp_dir/Uploads" "/home/sandbox/Uploads" \ 80 | --seccomp 10 10<"$script_dir"/../seccomp-bpfs/firefox-tmp_seccomp_filter.bpf \ 81 | --ro-bind ""$script_dir"/../runners/firefox-tmp.runner" "/home/sandbox/firefox-tmp.runner" \ 82 | /home/sandbox/firefox-tmp.runner --no-remote \ 83 | >$stdout_log_name \ 84 | 2>$stderr_log_name \ 85 | ) 86 | 87 | rmdir --ignore-fail-on-non-empty "$tmp_dir/Downloads" 88 | rmdir --ignore-fail-on-non-empty "$tmp_dir/Uploads" 89 | rmdir --ignore-fail-on-non-empty "$tmp_dir" 90 | -------------------------------------------------------------------------------- /scripts/firefox.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/bash 2 | 3 | set -euxo pipefail 4 | 5 | script_dir=$(dirname $(readlink -f "$0")) 6 | 7 | gcc "$script_dir"/../seccomp-bpfs/firefox.c -lseccomp -o "$script_dir"/../seccomp-bpfs/firefox.exe 8 | "$script_dir"/../seccomp-bpfs/firefox.exe 9 | if [[ $? 
!= 0 ]]; then 10 | echo "Failed to generate seccomp filter" 11 | exit 1 12 | fi 13 | 14 | mv firefox_seccomp_filter.bpf "$script_dir"/../seccomp-bpfs 15 | 16 | gcc "$script_dir"/../runners/firefox.c -o "$script_dir"/../runners/firefox.runner 17 | 18 | mkdir -p "$HOME/sandboxes/firefox" 19 | mkdir -p "$HOME/sandboxes/firefox/Downloads" 20 | 21 | cur_time=$(date "+%Y-%m-%d_%H%M%S") 22 | 23 | ( exec bwrap \ 24 | --ro-bind "/usr/share" "/usr/share" \ 25 | --ro-bind "/usr/lib" "/usr/lib" \ 26 | --ro-bind "/usr/lib64" "/usr/lib64" \ 27 | --tmpfs "/usr/lib/modules" \ 28 | --tmpfs "/usr/lib/systemd" \ 29 | --symlink "/usr/lib" "/lib" \ 30 | --symlink "/usr/lib64" "/lib64" \ 31 | --ro-bind "/usr/bin/firefox" "/usr/bin/firefox" \ 32 | --ro-bind "/usr/bin/firefox" "/bin/firefox" \ 33 | --ro-bind "/usr/bin/firefox" "/sbin/firefox" \ 34 | --ro-bind "/etc/fonts" "/etc/fonts" \ 35 | --ro-bind "/etc/resolv.conf" "/etc/resolv.conf" \ 36 | --ro-bind "/etc/ssl" "/etc/ssl" \ 37 | --ro-bind "/etc/ca-certificates" "/etc/ca-certificates" \ 38 | --ro-bind "/etc/localtime" "/etc/localtime" \ 39 | --proc "/proc" \ 40 | --dev "/dev" \ 41 | --dev-bind "/dev/dri" "/dev/dri" \ 42 | --ro-bind "/sys/dev/char" "/sys/dev/char" \ 43 | --ro-bind "/sys/devices/pci0000:00" "/sys/devices/pci0000:00" \ 44 | --tmpfs "/tmp" \ 45 | --tmpfs "/run" \ 46 | --ro-bind-try "/usr/share/gst-plugins-bad" "/usr/share/gst-plugins-bad" \ 47 | --ro-bind-try "/usr/share/gst-plugins-base" "/usr/share/gst-plugins-base" \ 48 | --ro-bind-try "/usr/share/gstreamer-1.0" "/usr/share/gstreamer-1.0" \ 49 | --ro-bind "/run/user/$UID/pulse" "/run/user/$UID/pulse" \ 50 | --ro-bind-try "/run/user/$UID/wayland-0" "/run/user/$UID/wayland-0" \ 51 | --ro-bind-try "/run/user/$UID/wayland-1" "/run/user/$UID/wayland-1" \ 52 | --ro-bind-try "/run/user/$UID/wayland-2" "/run/user/$UID/wayland-2" \ 53 | --ro-bind-try "/run/user/$UID/wayland-3" "/run/user/$UID/wayland-3" \ 54 | --setenv "QT_QPA_PLATFORM" "wayland" \ 55 | --bind 
"/run/user/$UID/dconf" "/run/user/$UID/dconf" \ 56 | --ro-bind "/run/user/$UID/bus" "/run/user/$UID/bus" \ 57 | --bind "$HOME/sandboxes/firefox" "/home/sandbox" \ 58 | --setenv "HOME" "/home/sandbox" \ 59 | --unsetenv "DBUS_SESSION_BUS_ADDRESS" \ 60 | --setenv "SHELL" "/bin/false" \ 61 | --setenv "USER" "nobody" \ 62 | --setenv "LOGNAME" "nobody" \ 63 | --setenv "MOZ_ENABLE_WAYLAND" "1" \ 64 | --hostname "jail" \ 65 | --unshare-user \ 66 | --unshare-pid \ 67 | --unshare-uts \ 68 | --unshare-ipc \ 69 | --unshare-cgroup \ 70 | --new-session \ 71 | --seccomp 10 10<"$script_dir"/../seccomp-bpfs/firefox_seccomp_filter.bpf \ 72 | --ro-bind ""$script_dir"/../runners/firefox.runner" "/home/sandbox/firefox.runner" \ 73 | /home/sandbox/firefox.runner --no-remote \ 74 | ) 75 | -------------------------------------------------------------------------------- /scripts/okular-ro.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/bash 2 | 3 | set -euxo pipefail 4 | 5 | script_dir=$(dirname $(readlink -f "$0")) 6 | 7 | gcc "$script_dir"/../seccomp-bpfs/okular-ro.c -lseccomp -o "$script_dir"/../seccomp-bpfs/okular-ro.exe 8 | "$script_dir"/../seccomp-bpfs/okular-ro.exe 9 | if [[ $? 
!= 0 ]]; then 10 | echo "Failed to generate seccomp filter" 11 | exit 1 12 | fi 13 | 14 | mv okular-ro_seccomp_filter.bpf "$script_dir"/../seccomp-bpfs 15 | 16 | gcc "$script_dir"/../runners/okular-ro.c -o "$script_dir"/../runners/okular-ro.runner 17 | 18 | cur_time=$(date "+%Y-%m-%d_%H%M%S") 19 | mkdir -p "$HOME/sandbox-logs/okular-ro" 20 | stdout_log_name="$HOME/sandbox-logs/okular-ro"/"$cur_time"."stdout" 21 | 22 | mkdir -p "$HOME/sandbox-logs/okular-ro" 23 | stderr_log_name="$HOME/sandbox-logs/okular-ro"/"$cur_time"."stderr" 24 | 25 | 26 | ( exec bwrap \ 27 | --ro-bind "/usr/share" "/usr/share" \ 28 | --ro-bind "/usr/lib" "/usr/lib" \ 29 | --ro-bind "/usr/lib64" "/usr/lib64" \ 30 | --tmpfs "/usr/lib/modules" \ 31 | --tmpfs "/usr/lib/systemd" \ 32 | --symlink "/usr/lib" "/lib" \ 33 | --symlink "/usr/lib64" "/lib64" \ 34 | --ro-bind "/usr/bin/okular" "/usr/bin/okular" \ 35 | --ro-bind "/usr/bin/okular" "/bin/okular" \ 36 | --ro-bind "/usr/bin/okular" "/sbin/okular" \ 37 | --ro-bind "/etc/fonts" "/etc/fonts" \ 38 | --ro-bind "/etc/resolv.conf" "/etc/resolv.conf" \ 39 | --ro-bind "/etc/ssl" "/etc/ssl" \ 40 | --ro-bind "/etc/ca-certificates" "/etc/ca-certificates" \ 41 | --ro-bind "/etc/localtime" "/etc/localtime" \ 42 | --proc "/proc" \ 43 | --dev "/dev" \ 44 | --tmpfs "/tmp" \ 45 | --tmpfs "/run" \ 46 | --ro-bind-try "/run/user/$UID/wayland-0" "/run/user/$UID/wayland-0" \ 47 | --ro-bind-try "/run/user/$UID/wayland-1" "/run/user/$UID/wayland-1" \ 48 | --ro-bind-try "/run/user/$UID/wayland-2" "/run/user/$UID/wayland-2" \ 49 | --ro-bind-try "/run/user/$UID/wayland-3" "/run/user/$UID/wayland-3" \ 50 | --setenv "QT_QPA_PLATFORM" "wayland" \ 51 | --tmpfs "/home/sandbox" \ 52 | --setenv "HOME" "/home/sandbox" \ 53 | --unsetenv "DBUS_SESSION_BUS_ADDRESS" \ 54 | --setenv "SHELL" "/bin/false" \ 55 | --setenv "USER" "nobody" \ 56 | --setenv "LOGNAME" "nobody" \ 57 | --ro-bind "$1" "/home/sandbox/$(basename "$1")" \ 58 | --hostname "jail" \ 59 | --unshare-user \ 60 | 
--unshare-pid \ 61 | --unshare-uts \ 62 | --unshare-ipc \ 63 | --unshare-cgroup \ 64 | --unshare-net \ 65 | --new-session \ 66 | --seccomp 10 10<"$script_dir"/../seccomp-bpfs/okular-ro_seccomp_filter.bpf \ 67 | --ro-bind ""$script_dir"/../runners/okular-ro.runner" "/home/sandbox/okular-ro.runner" \ 68 | /home/sandbox/okular-ro.runner "/home/sandbox/$(basename "$1")" \ 69 | >$stdout_log_name \ 70 | 2>$stderr_log_name \ 71 | ) 72 | -------------------------------------------------------------------------------- /scripts/okular-rw.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/bash 2 | 3 | set -euxo pipefail 4 | 5 | script_dir=$(dirname $(readlink -f "$0")) 6 | 7 | gcc "$script_dir"/../seccomp-bpfs/okular-rw.c -lseccomp -o "$script_dir"/../seccomp-bpfs/okular-rw.exe 8 | "$script_dir"/../seccomp-bpfs/okular-rw.exe 9 | if [[ $? != 0 ]]; then 10 | echo "Failed to generate seccomp filter" 11 | exit 1 12 | fi 13 | 14 | mv okular-rw_seccomp_filter.bpf "$script_dir"/../seccomp-bpfs 15 | 16 | gcc "$script_dir"/../runners/okular-rw.c -o "$script_dir"/../runners/okular-rw.runner 17 | 18 | cur_time=$(date "+%Y-%m-%d_%H%M%S") 19 | mkdir -p "$HOME/sandbox-logs/okular-rw" 20 | stdout_log_name="$HOME/sandbox-logs/okular-rw"/"$cur_time"."stdout" 21 | 22 | mkdir -p "$HOME/sandbox-logs/okular-rw" 23 | stderr_log_name="$HOME/sandbox-logs/okular-rw"/"$cur_time"."stderr" 24 | 25 | 26 | ( exec bwrap \ 27 | --ro-bind "/usr/share" "/usr/share" \ 28 | --ro-bind "/usr/lib" "/usr/lib" \ 29 | --ro-bind "/usr/lib64" "/usr/lib64" \ 30 | --tmpfs "/usr/lib/modules" \ 31 | --tmpfs "/usr/lib/systemd" \ 32 | --symlink "/usr/lib" "/lib" \ 33 | --symlink "/usr/lib64" "/lib64" \ 34 | --ro-bind "/usr/bin/okular" "/usr/bin/okular" \ 35 | --ro-bind "/usr/bin/okular" "/bin/okular" \ 36 | --ro-bind "/usr/bin/okular" "/sbin/okular" \ 37 | --ro-bind "/etc/fonts" "/etc/fonts" \ 38 | --ro-bind "/etc/resolv.conf" "/etc/resolv.conf" \ 39 | --ro-bind "/etc/ssl" 
"/etc/ssl" \ 40 | --ro-bind "/etc/ca-certificates" "/etc/ca-certificates" \ 41 | --ro-bind "/etc/localtime" "/etc/localtime" \ 42 | --proc "/proc" \ 43 | --dev "/dev" \ 44 | --tmpfs "/tmp" \ 45 | --tmpfs "/run" \ 46 | --ro-bind-try "/run/user/$UID/wayland-0" "/run/user/$UID/wayland-0" \ 47 | --ro-bind-try "/run/user/$UID/wayland-1" "/run/user/$UID/wayland-1" \ 48 | --ro-bind-try "/run/user/$UID/wayland-2" "/run/user/$UID/wayland-2" \ 49 | --ro-bind-try "/run/user/$UID/wayland-3" "/run/user/$UID/wayland-3" \ 50 | --setenv "QT_QPA_PLATFORM" "wayland" \ 51 | --tmpfs "/home/sandbox" \ 52 | --setenv "HOME" "/home/sandbox" \ 53 | --unsetenv "DBUS_SESSION_BUS_ADDRESS" \ 54 | --setenv "SHELL" "/bin/false" \ 55 | --setenv "USER" "nobody" \ 56 | --setenv "LOGNAME" "nobody" \ 57 | --bind "$1" "/home/sandbox/$(basename "$1")" \ 58 | --hostname "jail" \ 59 | --unshare-user \ 60 | --unshare-pid \ 61 | --unshare-uts \ 62 | --unshare-ipc \ 63 | --unshare-cgroup \ 64 | --unshare-net \ 65 | --new-session \ 66 | --seccomp 10 10<"$script_dir"/../seccomp-bpfs/okular-rw_seccomp_filter.bpf \ 67 | --ro-bind ""$script_dir"/../runners/okular-rw.runner" "/home/sandbox/okular-rw.runner" \ 68 | /home/sandbox/okular-rw.runner "/home/sandbox/$(basename "$1")" \ 69 | >$stdout_log_name \ 70 | 2>$stderr_log_name \ 71 | ) 72 | -------------------------------------------------------------------------------- /scripts/thunderbird.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/bash 2 | 3 | set -euxo pipefail 4 | 5 | script_dir=$(dirname $(readlink -f "$0")) 6 | 7 | gcc "$script_dir"/../seccomp-bpfs/thunderbird.c -lseccomp -o "$script_dir"/../seccomp-bpfs/thunderbird.exe 8 | "$script_dir"/../seccomp-bpfs/thunderbird.exe 9 | if [[ $? 
!= 0 ]]; then 10 | echo "Failed to generate seccomp filter" 11 | exit 1 12 | fi 13 | 14 | mv thunderbird_seccomp_filter.bpf "$script_dir"/../seccomp-bpfs 15 | 16 | gcc "$script_dir"/../runners/thunderbird.c -o "$script_dir"/../runners/thunderbird.runner 17 | 18 | mkdir -p "$HOME/sandboxes/thunderbird" 19 | mkdir -p "$HOME/sandboxes/thunderbird/Downloads" 20 | 21 | cur_time=$(date "+%Y-%m-%d_%H%M%S") 22 | 23 | ( exec bwrap \ 24 | --ro-bind "/usr/share" "/usr/share" \ 25 | --ro-bind "/usr/lib" "/usr/lib" \ 26 | --ro-bind "/usr/lib64" "/usr/lib64" \ 27 | --tmpfs "/usr/lib/modules" \ 28 | --tmpfs "/usr/lib/systemd" \ 29 | --symlink "/usr/lib" "/lib" \ 30 | --symlink "/usr/lib64" "/lib64" \ 31 | --ro-bind "/usr/bin" "/usr/bin" \ 32 | --symlink "/usr/bin" "/bin" \ 33 | --symlink "/usr/bin" "/sbin" \ 34 | --setenv "PATH" "/usr/bin" \ 35 | --ro-bind "/etc/fonts" "/etc/fonts" \ 36 | --ro-bind "/etc/resolv.conf" "/etc/resolv.conf" \ 37 | --ro-bind "/etc/ssl" "/etc/ssl" \ 38 | --ro-bind "/etc/ca-certificates" "/etc/ca-certificates" \ 39 | --ro-bind "/etc/localtime" "/etc/localtime" \ 40 | --proc "/proc" \ 41 | --dev "/dev" \ 42 | --tmpfs "/tmp" \ 43 | --tmpfs "/run" \ 44 | --ro-bind-try "/run/user/$UID/wayland-0" "/run/user/$UID/wayland-0" \ 45 | --ro-bind-try "/run/user/$UID/wayland-1" "/run/user/$UID/wayland-1" \ 46 | --ro-bind-try "/run/user/$UID/wayland-2" "/run/user/$UID/wayland-2" \ 47 | --ro-bind-try "/run/user/$UID/wayland-3" "/run/user/$UID/wayland-3" \ 48 | --setenv "QT_QPA_PLATFORM" "wayland" \ 49 | --bind "/run/user/$UID/dconf" "/run/user/$UID/dconf" \ 50 | --ro-bind "/run/user/$UID/bus" "/run/user/$UID/bus" \ 51 | --bind "$HOME/sandboxes/thunderbird" "/home/sandbox" \ 52 | --setenv "HOME" "/home/sandbox" \ 53 | --unsetenv "DBUS_SESSION_BUS_ADDRESS" \ 54 | --setenv "SHELL" "/bin/false" \ 55 | --setenv "USER" "nobody" \ 56 | --setenv "LOGNAME" "nobody" \ 57 | --setenv "MOZ_ENABLE_WAYLAND" "1" \ 58 | --hostname "jail" \ 59 | --unshare-user \ 60 | --unshare-pid \ 61 
| --unshare-uts \ 62 | --unshare-ipc \ 63 | --unshare-cgroup \ 64 | --new-session \ 65 | --seccomp 10 10<"$script_dir"/../seccomp-bpfs/thunderbird_seccomp_filter.bpf \ 66 | --ro-bind ""$script_dir"/../runners/thunderbird.runner" "/home/sandbox/thunderbird.runner" \ 67 | /home/sandbox/thunderbird.runner \ 68 | ) 69 | --------------------------------------------------------------------------------

/seccomp-bpfs/bash-dev.c:

```
/*
 * File is generated by code generator in https://github.com/darrenldl/sandboxing
 *
 * File is based on example provided by libseccomp
 * and exportFilter.c from https://github.com/valoq/bwscripts
 * and https://github.com/Whonix/sandbox-app-launcher
 */

/*
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of version 2.1 of the GNU Lesser General Public License as
 * published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
 * for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program; if not, see .
 */

/* The original header list was lost in extraction; these are the headers
 * this file actually needs (errno, open() and O_* flags, close(), libseccomp). */
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>
#include <seccomp.h>

int main (void) {
    int rc = -1;
    scmp_filter_ctx ctx;
    int filter_fd;

    /* Default action is ALLOW and the dev profile adds no KILL rules,
     * so the exported filter permits every syscall. */
    ctx = seccomp_init(SCMP_ACT_ALLOW);
    if (ctx == NULL) { goto out; }

    filter_fd = open("bash-dev_seccomp_filter.bpf", O_CREAT | O_WRONLY | O_TRUNC, 0644);
    if (filter_fd == -1) {
        rc = -errno;
        goto out;
    }
    rc = seccomp_export_bpf(ctx, filter_fd);
    if (rc < 0) {
        close(filter_fd);
        goto out;
    }
    close(filter_fd);

out:
    seccomp_release(ctx);
    /* rc is 0 on success or a negative errno; the exit status is its negation */
    return -rc;
}
```

-------------------------------------------------------------------------------- /seccomp-bpfs/chromium-tmp.c: -------------------------------------------------------------------------------- 1 | 2 | /* 3 | * File is generated by code generator in https://github.com/darrenldl/sandboxing 4 | * 5 | * File is based on example provided by libseccomp 6 | * and exportFilter.c from https://github.com/valoq/bwscripts 7 | * and https://github.com/Whonix/sandbox-app-launcher 8 | */ 9 | 10 | /* 11 | * This program is free software; you can redistribute it and/or modify it 12 | * under the terms of version 2.1 of the GNU Lesser General Public License as 13 | * published by the Free Software Foundation. 14 | * 15 | * This program is distributed in the hope that it will be useful, but WITHOUT 16 | * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 17 | * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License 18 | * for more details. 19 | * 20 | * You should have received a copy of the GNU Lesser General Public License 21 | * along with this program; if not, see .
22 | */ 23 | 24 | #include 25 | #include 26 | #include 27 | #include 28 | #include 29 | #include 30 | #include 31 | #include 32 | #include 33 | #include 34 | #include 35 | 36 | int main (void) { 37 | int rc = -1; 38 | scmp_filter_ctx ctx; 39 | int filter_fd; 40 | 41 | ctx = seccomp_init(SCMP_ACT_ALLOW); 42 | if (ctx == NULL) { goto out; } 43 | 44 | if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(_sysctl), 0) < 0) { goto out; } 45 | if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(acct), 0) < 0) { goto out; } 46 | if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(add_key), 0) < 0) { goto out; } 47 | if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(adjtimex), 0) < 0) { goto out; } 48 | if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(afs_syscall), 0) < 0) { goto out; } 49 | if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(bdflush), 0) < 0) { goto out; } 50 | if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(bpf), 0) < 0) { goto out; } 51 | if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(break), 0) < 0) { goto out; } 52 | if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(clock_adjtime), 0) < 0) { goto out; } 53 | if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(clock_settime), 0) < 0) { goto out; } 54 | if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(create_module), 0) < 0) { goto out; } 55 | if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(delete_module), 0) < 0) { goto out; } 56 | if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(fanotify_init), 0) < 0) { goto out; } 57 | if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(finit_module), 0) < 0) { goto out; } 58 | if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(ftime), 0) < 0) { goto out; } 59 | if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(get_kernel_syms), 0) < 0) { goto out; } 60 | if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(getpmsg), 0) < 0) { goto out; } 61 | if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(gtty), 0) < 0) { goto out; } 62 | if (seccomp_rule_add(ctx, SCMP_ACT_KILL, 
SCMP_SYS(get_mempolicy), 0) < 0) { goto out; } 63 | if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(init_module), 0) < 0) { goto out; } 64 | if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(io_cancel), 0) < 0) { goto out; } 65 | if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(io_destroy), 0) < 0) { goto out; } 66 | if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(io_getevents), 0) < 0) { goto out; } 67 | if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(io_setup), 0) < 0) { goto out; } 68 | if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(io_submit), 0) < 0) { goto out; } 69 | if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(ioperm), 0) < 0) { goto out; } 70 | if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(iopl), 0) < 0) { goto out; } 71 | if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(ioprio_set), 0) < 0) { goto out; } 72 | if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(kcmp), 0) < 0) { goto out; } 73 | if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(kexec_file_load), 0) < 0) { goto out; } 74 | if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(kexec_load), 0) < 0) { goto out; } 75 | if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(keyctl), 0) < 0) { goto out; } 76 | if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(lock), 0) < 0) { goto out; } 77 | if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(lookup_dcookie), 0) < 0) { goto out; } 78 | if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(mbind), 0) < 0) { goto out; } 79 | if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(migrate_pages), 0) < 0) { goto out; } 80 | if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(modify_ldt), 0) < 0) { goto out; } 81 | if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(mount), 0) < 0) { goto out; } 82 | if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(move_pages), 0) < 0) { goto out; } 83 | if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(mpx), 0) < 0) { goto out; } 84 | if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(name_to_handle_at), 0) < 0) { goto out; 
} 85 | if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(nfsservctl), 0) < 0) { goto out; } 86 | if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(open_by_handle_at), 0) < 0) { goto out; } 87 | if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(pciconfig_iobase), 0) < 0) { goto out; } 88 | if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(pciconfig_read), 0) < 0) { goto out; } 89 | if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(pciconfig_write), 0) < 0) { goto out; } 90 | if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(perf_event_open), 0) < 0) { goto out; } 91 | if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(personality), 0) < 0) { goto out; } 92 | if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(pivot_root), 0) < 0) { goto out; } 93 | if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(process_vm_readv), 0) < 0) { goto out; } 94 | if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(process_vm_writev), 0) < 0) { goto out; } 95 | if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(prof), 0) < 0) { goto out; } 96 | if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(profil), 0) < 0) { goto out; } 97 | if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(ptrace), 0) < 0) { goto out; } 98 | if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(putpmsg), 0) < 0) { goto out; } 99 | if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(query_module), 0) < 0) { goto out; } 100 | if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(reboot), 0) < 0) { goto out; } 101 | if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(remap_file_pages), 0) < 0) { goto out; } 102 | if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(request_key), 0) < 0) { goto out; } 103 | if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(rtas), 0) < 0) { goto out; } 104 | if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(s390_pci_mmio_read), 0) < 0) { goto out; } 105 | if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(s390_runtime_instr), 0) < 0) { goto out; } 106 | if (seccomp_rule_add(ctx, SCMP_ACT_KILL, 
SCMP_SYS(security), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(set_mempolicy), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(setdomainname), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(sethostname), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(settimeofday), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(sgetmask), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(ssetmask), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(stime), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(stty), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(subpage_prot), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(swapoff), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(swapon), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(switch_endian), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(sysfs), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(syslog), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(tuxcall), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(ulimit), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(umount), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(umount2), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(uselib), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(userfaultfd), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(ustat), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(vhangup), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(vm86), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(vm86old), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(vmsplice), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(vserver), 0) < 0) { goto out; }
  /* ioctl is allowed in general, but TIOCSTI (inject input into the controlling tty) is killed */
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(ioctl), 1, SCMP_A1(SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int) TIOCSTI)) < 0) { goto out; }

  /* export the compiled filter as raw BPF for bubblewrap to load */
  filter_fd = open("chromium-tmp_seccomp_filter.bpf", O_CREAT | O_WRONLY | O_TRUNC, 0644);
  if (filter_fd == -1) {
    rc = -errno;
    goto out;
  }
  rc = seccomp_export_bpf(ctx, filter_fd);
  if (rc < 0) {
    close(filter_fd);
    goto out;
  }
  close(filter_fd);

out:
  seccomp_release(ctx);
  return -rc;
}
--------------------------------------------------------------------------------
/seccomp-bpfs/chromium.c:
--------------------------------------------------------------------------------

/*
 * File is generated by code generator in https://github.com/darrenldl/sandboxing
 *
 * File is based on example provided by libseccomp
 * and exportFilter.c from https://github.com/valoq/bwscripts
 * and https://github.com/Whonix/sandbox-app-launcher
 */

/*
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of version 2.1 of the GNU Lesser General Public License as
 * published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
 * for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program; if not, see <http://www.gnu.org/licenses/>.
 */

/* header names did not survive extraction; these are the ones the code below needs */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/prctl.h>
#include <sys/ioctl.h>
#include <seccomp.h>

int main (void) {
  int rc = -1;
  scmp_filter_ctx ctx;
  int filter_fd;

  /* default-allow filter: everything not listed below passes through */
  ctx = seccomp_init(SCMP_ACT_ALLOW);
  if (ctx == NULL) { goto out; }

  /* kill the thread on any of these syscalls */
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(_sysctl), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(acct), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(add_key), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(adjtimex), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(afs_syscall), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(bdflush), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(bpf), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(break), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(clock_adjtime), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(clock_settime), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(create_module), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(delete_module), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(fanotify_init), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(finit_module), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(ftime), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(get_kernel_syms), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(getpmsg), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(gtty), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(get_mempolicy), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(init_module), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(io_cancel), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(io_destroy), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(io_getevents), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(io_setup), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(io_submit), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(ioperm), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(iopl), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(ioprio_set), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(kcmp), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(kexec_file_load), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(kexec_load), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(keyctl), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(lock), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(lookup_dcookie), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(mbind), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(migrate_pages), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(modify_ldt), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(mount), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(move_pages), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(mpx), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(name_to_handle_at), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(nfsservctl), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(open_by_handle_at), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(pciconfig_iobase), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(pciconfig_read), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(pciconfig_write), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(perf_event_open), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(personality), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(pivot_root), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(process_vm_readv), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(process_vm_writev), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(prof), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(profil), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(ptrace), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(putpmsg), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(query_module), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(reboot), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(remap_file_pages), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(request_key), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(rtas), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(s390_pci_mmio_read), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(s390_runtime_instr), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(security), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(set_mempolicy), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(setdomainname), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(sethostname), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(settimeofday), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(sgetmask), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(ssetmask), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(stime), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(stty), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(subpage_prot), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(swapoff), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(swapon), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(switch_endian), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(sysfs), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(syslog), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(tuxcall), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(ulimit), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(umount), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(umount2), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(uselib), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(userfaultfd), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(ustat), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(vhangup), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(vm86), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(vm86old), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(vmsplice), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(vserver), 0) < 0) { goto out; }
  /* ioctl is allowed in general, but TIOCSTI (inject input into the controlling tty) is killed */
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(ioctl), 1, SCMP_A1(SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int) TIOCSTI)) < 0) { goto out; }

  /* export the compiled filter as raw BPF for bubblewrap to load */
  filter_fd = open("chromium_seccomp_filter.bpf", O_CREAT | O_WRONLY | O_TRUNC, 0644);
  if (filter_fd == -1) {
    rc = -errno;
    goto out;
  }
  rc = seccomp_export_bpf(ctx, filter_fd);
  if (rc < 0) {
    close(filter_fd);
    goto out;
  }
  close(filter_fd);

out:
  seccomp_release(ctx);
  return -rc;
}
--------------------------------------------------------------------------------
/seccomp-bpfs/discord.c:
--------------------------------------------------------------------------------

/*
 * File is generated by code generator in https://github.com/darrenldl/sandboxing
 *
 * File is based on example provided by libseccomp
 * and exportFilter.c from https://github.com/valoq/bwscripts
 * and https://github.com/Whonix/sandbox-app-launcher
 */

/*
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of version 2.1 of the GNU Lesser General Public License as
 * published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
 * for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program; if not, see <http://www.gnu.org/licenses/>.
 */

/* header names did not survive extraction; these are the ones the code below needs */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/prctl.h>
#include <sys/ioctl.h>
#include <seccomp.h>

int main (void) {
  int rc = -1;
  scmp_filter_ctx ctx;
  int filter_fd;

  /* default-allow filter: everything not listed below passes through */
  ctx = seccomp_init(SCMP_ACT_ALLOW);
  if (ctx == NULL) { goto out; }

  /* kill the thread on any of these syscalls */
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(_sysctl), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(acct), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(add_key), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(adjtimex), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(afs_syscall), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(bdflush), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(bpf), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(break), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(clock_adjtime), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(clock_settime), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(create_module), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(delete_module), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(fanotify_init), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(finit_module), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(ftime), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(get_kernel_syms), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(getpmsg), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(gtty), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(get_mempolicy), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(init_module), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(io_cancel), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(io_destroy), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(io_getevents), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(io_setup), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(io_submit), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(ioperm), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(iopl), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(ioprio_set), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(kcmp), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(kexec_file_load), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(kexec_load), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(keyctl), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(lock), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(lookup_dcookie), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(mbind), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(migrate_pages), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(modify_ldt), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(mount), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(move_pages), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(mpx), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(name_to_handle_at), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(nfsservctl), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(open_by_handle_at), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(pciconfig_iobase), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(pciconfig_read), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(pciconfig_write), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(perf_event_open), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(personality), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(pivot_root), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(process_vm_readv), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(process_vm_writev), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(prof), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(profil), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(ptrace), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(putpmsg), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(query_module), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(reboot), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(remap_file_pages), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(request_key), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(rtas), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(s390_pci_mmio_read), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(s390_runtime_instr), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(security), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(set_mempolicy), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(setdomainname), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(sethostname), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(settimeofday), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(sgetmask), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(ssetmask), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(stime), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(stty), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(subpage_prot), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(swapoff), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(swapon), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(switch_endian), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(sysfs), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(syslog), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(tuxcall), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(ulimit), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(umount), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(umount2), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(uselib), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(userfaultfd), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(ustat), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(vhangup), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(vm86), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(vm86old), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(vmsplice), 0) < 0) { goto out; }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(vserver), 0) < 0) { goto out; }
  /* ioctl is allowed in general, but TIOCSTI (inject input into the controlling tty) is killed */
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(ioctl), 1, SCMP_A1(SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int) TIOCSTI)) < 0) { goto out; }

  /* export the compiled filter as raw BPF for bubblewrap to load */
  filter_fd = open("discord_seccomp_filter.bpf", O_CREAT | O_WRONLY | O_TRUNC, 0644);
  if (filter_fd == -1) {
    rc = -errno;
    goto out;
  }
  rc = seccomp_export_bpf(ctx, filter_fd);
  if (rc < 0) {
    close(filter_fd);
    goto out;
  }
  close(filter_fd);

out:
  seccomp_release(ctx);
  return -rc;
}
--------------------------------------------------------------------------------
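The programs above only emit a raw classic-BPF filter; they give no way to ask what verdict a given syscall would get before the filter is handed to bubblewrap. As an added example (not code from the repository), here is a minimal cBPF evaluator that runs a hand-constructed filter of the same shape (arch check, kill-list on the syscall number, ioctl killed only when arg1 is TIOCSTI, default allow) against a syscall number and argument. The filter program, the x86_64 syscall numbers and the TIOCSTI value are constructed for this example and are not the repository's generated output.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Same layout as struct sock_filter / struct seccomp_data, defined here so this runs without kernel headers. */
struct bpf_insn { uint16_t code; uint8_t jt; uint8_t jf; uint32_t k; };
struct sc_data  { int32_t nr; uint32_t arch; uint64_t ip; uint64_t args[6]; };

enum { LD_W_ABS = 0x20, JEQ_K = 0x15, JA = 0x05, AND_K = 0x54, RET_K = 0x06 };
#define RET_KILL_THREAD 0x00000000u /* what SCMP_ACT_KILL compiles to; SCMP_ACT_KILL_PROCESS would be 0x80000000 */
#define RET_ALLOW       0x7fff0000u
#define RET_INVALID     0xffffffffu /* evaluator error: the kernel would have rejected the program */
#define ARCH_X86_64     0xc000003eu /* AUDIT_ARCH_X86_64 */
#define NR_READ 0
#define NR_IOCTL 16
#define NR_REBOOT 169
#define TIOCSTI_X86 0x5412u

/* Constructed filter: kill on wrong arch, kill reboot, kill ioctl(TIOCSTI), allow everything else. */
static const struct bpf_insn sample_filter[] = {
    { LD_W_ABS, 0, 0, 4 },                /* 0: A = arch */
    { JEQ_K,    1, 0, ARCH_X86_64 },      /* 1: arch ok -> 3, else -> 2 */
    { RET_K,    0, 0, RET_KILL_THREAD },  /* 2 */
    { LD_W_ABS, 0, 0, 0 },                /* 3: A = nr */
    { JEQ_K,    5, 0, NR_REBOOT },        /* 4: reboot -> 10 (kill) */
    { JEQ_K,    0, 3, NR_IOCTL },         /* 5: not ioctl -> 9 (allow) */
    { LD_W_ABS, 0, 0, 24 },               /* 6: A = low 32 bits of args[1] (offset 16 + 8) */
    { AND_K,    0, 0, 0xffffffffu },      /* 7: mirrors SCMP_CMP_MASKED_EQ with mask 0xFFFFFFFF */
    { JEQ_K,    1, 0, TIOCSTI_X86 },      /* 8: TIOCSTI -> 10 (kill), else -> 9 */
    { RET_K,    0, 0, RET_ALLOW },        /* 9 */
    { RET_K,    0, 0, RET_KILL_THREAD },  /* 10 */
};

/* Interpret the subset of cBPF that seccomp filters exported by libseccomp use. */
uint32_t run_filter(const struct bpf_insn *prog, size_t len, const struct sc_data *d) {
    unsigned char raw[sizeof *d];
    uint32_t acc = 0;
    size_t pc = 0;
    memcpy(raw, d, sizeof raw);             /* LD_ABS reads the struct as a byte buffer, as the kernel does */
    while (pc < len) {
        const struct bpf_insn *in = &prog[pc];
        switch (in->code) {
        case LD_W_ABS:
            if (in->k % 4 != 0 || in->k + 4 > sizeof raw) return RET_INVALID; /* kernel verifier rejects this */
            memcpy(&acc, raw + in->k, 4); pc++; break;
        case AND_K: acc &= in->k; pc++; break;
        case JA:    pc += 1 + in->k; break;
        case JEQ_K: pc += 1 + (acc == in->k ? in->jt : in->jf); break;
        case RET_K: return in->k;
        default:    return RET_INVALID;     /* opcode outside the supported subset */
        }
    }
    return RET_INVALID;                     /* fell off the end; the kernel rejects programs that can do this */
}

/* Verdict for syscall `nr` with second argument `arg1` on the given arch. */
uint32_t verdict(uint32_t arch, int32_t nr, uint64_t arg1) {
    struct sc_data d = { nr, arch, 0, { 0, arg1, 0, 0, 0, 0 } };
    return run_filter(sample_filter, sizeof sample_filter / sizeof sample_filter[0], &d);
}

int main(void) {
    printf("read            -> 0x%08x\n", verdict(ARCH_X86_64, NR_READ, 0));
    printf("reboot          -> 0x%08x\n", verdict(ARCH_X86_64, NR_REBOOT, 0));
    printf("ioctl(TIOCSTI)  -> 0x%08x\n", verdict(ARCH_X86_64, NR_IOCTL, TIOCSTI_X86));
    printf("ioctl(other)    -> 0x%08x\n", verdict(ARCH_X86_64, NR_IOCTL, 0x5401));
    printf("read, i386 arch -> 0x%08x\n", verdict(0x40000003u, NR_READ, 0));
    return 0;
}
```

Note that SCMP_ACT_KILL, as used in the generated files, terminates only the offending thread; SCMP_ACT_KILL_PROCESS is the stricter choice for a multi-threaded target such as a browser.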