# Sandbox main configuration file # Note that configuration parser is fairly basic, so try to keep things simple. # # BASIC Section # # Basic sandbox configuration. Sandbox will use values here if not already set # in the environment. Assignment works like bash variable assignment (ie, last # value assigned to the variable is used). # SANDBOX_VERBOSE # # Determine if sandbox print access violations, or if debugging is enabled, # it will also print allowed operations. Default is "yes" #SANDBOX_VERBOSE="yes" # SANDBOX_DEBUG # # In addition to the normal log, a debug log is also written containing all # operations caught by sandbox. Default is "no" #SANDBOX_DEBUG="no" # NOCOLOR # # Determine the use of color in the output. Default is "false" (ie, use color) #NOCOLOR="false" # SANDBOX_METHOD # # Control how processes are monitored. See the README for system requirements # for each setting, as well as particular limitations. Changing this setting # is not recommended. # # Possible values: # any: (default) Use any method of tracing available on the system. # preload: Only use in-process LD_PRELOAD symbol interposing. #SANDBOX_METHOD="any" # # Namespace Section (Linux-only) # # Global knob to control all namespaces. #NAMESPACES_ENABLE="no" # Knobs for different types of namespaces. If the runtime doesn't support a # particular type, it will be automatically skipped. Default to off as these # are currently experimental. # For more details on each type, see the namespaces(7) manpage. #NAMESPACE_CGROUP_ENABLE="no" #NAMESPACE_IPC_ENABLE="no" #NAMESPACE_MNT_ENABLE="no" #NAMESPACE_NET_ENABLE="no" #NAMESPACE_PID_ENABLE="no" #NAMESPACE_SYSV_ENABLE="no" #NAMESPACE_TIME_ENABLE="no" #NAMESPACE_USER_ENABLE="no" #NAMESPACE_UTS_ENABLE="no" # # ACCESS Section # # The next section contain rules for access. It works a bit different from the # previous section in that values assigned to variables stack. Also since these # do NOT get overridded by values already set in the environment, but rather # those get added. # # If you want values that only get set if one of the variables are not already # present in the environment, place a file in /etc/sandbox.d/ (replace /etc # with what sysconfdir was configured to). # # Another difference from above, is that these support simple variable name # substitution. Variable names must be in the form of '${variable}' (without # the ''). It is very basic, so no command substitution, etc is supported. # # The values consists of the respective paths seperated by a colon (:) # # SANDBOX_DENY - all access to respective paths are denied # # SANDBOX_READ - can read respective paths # # SANDBOX_WRITE - can write to respective paths # # SANDBOX_PREDICT - respective paths are not writable, but no access violation # will be issued in the case of a write # # Needed for stdout, stdin and stderr SANDBOX_WRITE="/dev/fd:/proc/self/fd" # Common device nodes SANDBOX_WRITE="/dev/zero:/dev/null:/dev/full" # Console device nodes SANDBOX_WRITE="/dev/console:/dev/tty:/dev/vc/:/dev/pty:/dev/tts" # Device filesystems SANDBOX_WRITE="/dev/ptmx:/dev/pts/:/dev/shm" # Tempory storage SANDBOX_WRITE="/tmp/:/var/tmp/:/usr/tmp/" # Needed for shells SANDBOX_WRITE="${HOME}/.bash_history"