/etc/sandbox.conf
From Gentoo Wiki
/etc/sandbox.conf is the primary configuration file for Sandbox.
# Sandbox main configuration file
# Note that configuration parser is fairly basic, so try to keep things simple.
#
# BASIC Section
#
# Basic sandbox configuration. Sandbox will use values here if not already set
# in the environment. Assignment works like bash variable assignment (ie, last
# value assigned to the variable is used).
# SANDBOX_VERBOSE
#
# Determines whether sandbox prints access violations; if debugging is enabled,
# it will also print allowed operations. Default is "yes"
#SANDBOX_VERBOSE="yes"
# SANDBOX_DEBUG
#
# In addition to the normal log, a debug log is also written containing all
# operations caught by sandbox. Default is "no"
#SANDBOX_DEBUG="no"
# NOCOLOR
#
# Determine the use of color in the output. Default is "false" (ie, use color)
#NOCOLOR="false"
#
# Namespace Section (Linux-only)
#
# Global knob to control all namespaces.
#NAMESPACES_ENABLE="no"
# Knobs for different types of namespaces. If the runtime doesn't support a
# particular type, it will be automatically skipped. Default to off as these
# are currently experimental.
# For more details on each type, see the namespaces(7) manpage.
#NAMESPACE_IPC_ENABLE="no"
#NAMESPACE_MNT_ENABLE="no"
#NAMESPACE_NET_ENABLE="no"
#NAMESPACE_PID_ENABLE="no"
#NAMESPACE_SYSV_ENABLE="no"
#NAMESPACE_USER_ENABLE="no"
#NAMESPACE_UTS_ENABLE="no"
#
# ACCESS Section
#
# The next section contains rules for access. It works a bit differently from
# the previous section in that values assigned to variables stack. Also, these
# do NOT get overridden by values already set in the environment; rather,
# those get added.
#
# If you want values that only get set if one of the variables is not already
# present in the environment, place a file in /etc/sandbox.d/ (replace /etc
# with what sysconfdir was configured to).
#
# Another difference from above, is that these support simple variable name
# substitution. Variable names must be in the form of '${variable}' (without
# the ''). It is very basic, so no command substitution, etc is supported.
#
# The values consist of the respective paths separated by a colon (:)
#
# SANDBOX_DENY - all access to respective paths is denied
#
# SANDBOX_READ - can read respective paths
#
# SANDBOX_WRITE - can write to respective paths
#
# SANDBOX_PREDICT - respective paths are not writable, but no access violation
# will be issued in the case of a write
#
# Needed for stdout, stdin and stderr
SANDBOX_WRITE="/dev/fd:/proc/self/fd"
# Common device nodes
SANDBOX_WRITE="/dev/zero:/dev/null:/dev/full"
# Console device nodes
SANDBOX_WRITE="/dev/console:/dev/tty:/dev/vc/:/dev/pty:/dev/tts"
# Device filesystems
SANDBOX_WRITE="/dev/ptmx:/dev/pts/:/dev/shm"
# Temporary storage
SANDBOX_WRITE="/tmp/:/var/tmp/"
# Needed for shells
SANDBOX_WRITE="${HOME}/.bash_history"
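
To audit which paths a build can actually write to, the assignment rules described in the file's comments can be replayed offline. The following is an added example, not Sandbox's own parser: `effective_config`, `SAMPLE` and `ENV` are hypothetical names, the sample input is constructed, and placing environment entries before file entries and expanding unset variables to an empty string are assumptions.

```python
import re

# ACCESS variables: assignments stack instead of overwriting.
STACKING = {"SANDBOX_DENY", "SANDBOX_READ", "SANDBOX_WRITE", "SANDBOX_PREDICT"}
ASSIGN = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)=(.*)$')
VAR = re.compile(r'\$\{([A-Za-z_][A-Za-z0-9_]*)\}')

def effective_config(text, env):
    """Return (basic, access) following the rules in the file's comments.

    basic:  name -> value; a value already in env wins, else last assignment.
    access: name -> path list; env entries first (assumed order), then every
            assignment in the file appended, with ${name} expanded from env.
    """
    basic = {}
    access = {k: [p for p in env.get(k, "").split(":") if p] for k in STACKING}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment (including commented-out defaults)
        m = ASSIGN.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip().strip('"')
        if name in STACKING:
            # Simple ${variable} substitution only; unset names expand to ""
            # (assumption, the page does not say what Sandbox does here).
            value = VAR.sub(lambda v: env.get(v.group(1), ""), value)
            access[name] += [p for p in value.split(":") if p]
        elif name not in env:
            basic[name] = value  # last assignment in the file wins
    return basic, access

# Constructed sample shaped like the file above.
SAMPLE = '''\
#SANDBOX_VERBOSE="yes"
SANDBOX_DEBUG="no"
SANDBOX_DEBUG="yes"
NOCOLOR="false"
SANDBOX_WRITE="/dev/fd:/proc/self/fd"
SANDBOX_WRITE="/tmp/:/var/tmp/"
SANDBOX_WRITE="${HOME}/.bash_history"
'''
# Constructed environment: one BASIC value and one ACCESS value preset.
ENV = {"HOME": "/home/builder", "NOCOLOR": "true",
       "SANDBOX_WRITE": "/var/cache/build"}

if __name__ == "__main__":
    basic, access = effective_config(SAMPLE, ENV)
    print(basic)
    print(access["SANDBOX_WRITE"])
```

Comparing the resulting `SANDBOX_WRITE` list against what a build is expected to touch shows when an environment variable or an added assignment has widened the writable set.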