|
- # Sandbox main configuration file
-
- # Note that configuration parser is fairly basic, so try to keep things simple.
-
- #
- # BASIC Section
- #
-
- # Basic sandbox configuration. Sandbox will use values here if not already set
- # in the environment. Assignment works like bash variable assignment (ie, last
- # value assigned to the variable is used).
-
- # SANDBOX_VERBOSE
- #
- # Determine if sandbox print access violations, or if debugging is enabled,
- # it will also print allowed operations. Default is "yes"
- #SANDBOX_VERBOSE="yes"
-
- # SANDBOX_DEBUG
- #
- # In addition to the normal log, a debug log is also written containing all
- # operations caught by sandbox. Default is "no"
- #SANDBOX_DEBUG="no"
-
- # NOCOLOR
- #
- # Determine the use of color in the output. Default is "false" (ie, use color)
- #NOCOLOR="false"
-
-
- #
- # ACCESS Section
- #
-
- # The next section contain rules for access. It works a bit different from the
- # previous section in that values assigned to variables stack. Also since these
- # do NOT get overridded by values already set in the environment, but rather
- # those get added.
- #
- # If you want values that only get set if one of the variables are not already
- # present in the environment, place a file in /etc/sandbox.d/ (replace /etc
- # with what sysconfdir was configured to).
- #
- # Another difference from above, is that these support simple variable name
- # substitution. Variable names must be in the form of '${variable}' (without
- # the ''). It is very basic, so no command substitution, etc is supported.
- #
- # The values consists of the respective paths seperated by a colon (:)
- #
- # SANDBOX_DENY - all access to respective paths are denied
- #
- # SANDBOX_READ - can read respective paths
- #
- # SANDBOX_WRITE - can write to respective paths
- #
- # SANDBOX_PREDICT - respective paths are not writable, but no access violation
- # will be issued in the case of a write
- #
-
- # Needed for stdout, stdin and stderr
- SANDBOX_WRITE="/dev/fd:/proc/self/fd"
- # Common device nodes
- SANDBOX_WRITE="/dev/zero:/dev/null:/dev/full"
- # Console device nodes
- SANDBOX_WRITE="/dev/console:/dev/tty:/dev/vc/:/dev/pty:/dev/tts"
- # Device filesystems
- SANDBOX_WRITE="/dev/pts/:/dev/shm"
- # Tempory storage
- SANDBOX_WRITE="/tmp/:/var/tmp/"
- # Needed for shells
- SANDBOX_WRITE="${HOME}/.bash_history"
|