73 lines
2.2 KiB
Plaintext
73 lines
2.2 KiB
Plaintext
|
# Sandbox main configuration file
|
||
|
|
||
|
# Note that configuration parser is fairly basic, so try to keep things simple.
|
||
|
|
||
|
#
|
||
|
# BASIC Section
|
||
|
#
|
||
|
|
||
|
# Basic sandbox configuration. Sandbox will use values here if not already set
|
||
|
# in the environment. Assignment works like bash variable assignment (ie, last
|
||
|
# value assigned to the variable is used).
|
||
|
|
||
|
# SANDBOX_VERBOSE
|
||
|
#
|
||
|
# Determine if sandbox print access violations, or if debugging is enabled,
|
||
|
# it will also print allowed operations. Default is "yes"
|
||
|
#SANDBOX_VERBOSE="yes"
|
||
|
|
||
|
# SANDBOX_DEBUG
|
||
|
#
|
||
|
# In addition to the normal log, a debug log is also written containing all
|
||
|
# operations caught by sandbox. Default is "no"
|
||
|
#SANDBOX_DEBUG="no"
|
||
|
|
||
|
# NOCOLOR
|
||
|
#
|
||
|
# Determine the use of color in the output. Default is "false" (ie, use color)
|
||
|
#NOCOLOR="false"
|
||
|
|
||
|
|
||
|
#
|
||
|
# ACCESS Section
|
||
|
#
|
||
|
|
||
|
# The next section contain rules for access. It works a bit different from the
|
||
|
# previous section in that values assigned to variables stack. Also since these
|
||
|
# do NOT get overridded by values already set in the environment, but rather
|
||
|
# those get added.
|
||
|
#
|
||
|
# If you want values that only get set if one of the variables are not already
|
||
|
# present in the environment, place a file in /etc/sandbox.d/ (replace /etc
|
||
|
# with what sysconfdir was configured to).
|
||
|
#
|
||
|
# Another difference from above, is that these support simple variable name
|
||
|
# substitution. Variable names must be in the form of '${variable}' (without
|
||
|
# the ''). It is very basic, so no command substitution, etc is supported.
|
||
|
#
|
||
|
# The values consists of the respective paths seperated by a colon (:)
|
||
|
#
|
||
|
# SANDBOX_DENY - all access to respective paths are denied
|
||
|
#
|
||
|
# SANDBOX_READ - can read respective paths
|
||
|
#
|
||
|
# SANDBOX_WRITE - can write to respective paths
|
||
|
#
|
||
|
# SANDBOX_PREDICT - respective paths are not writable, but no access violation
|
||
|
# will be issued in the case of a write
|
||
|
#
|
||
|
|
||
|
# Needed for stdout, stdin and stderr
|
||
|
SANDBOX_WRITE="/dev/fd:/proc/self/fd"
|
||
|
# Common device nodes
|
||
|
SANDBOX_WRITE="/dev/zero:/dev/null:/dev/full"
|
||
|
# Console device nodes
|
||
|
SANDBOX_WRITE="/dev/console:/dev/tty:/dev/vc/:/dev/pty:/dev/tts"
|
||
|
# Device filesystems
|
||
|
SANDBOX_WRITE="/dev/pts/:/dev/shm"
|
||
|
# Tempory storage
|
||
|
SANDBOX_WRITE="/tmp/:/var/tmp/"
|
||
|
# Needed for shells
|
||
|
SANDBOX_WRITE="${HOME}/.bash_history"
|
||
|
|