authorMartin Schlemmer <azarah@gentoo.org>2006-07-06 16:37:20 +0000
committerMartin Schlemmer <azarah@gentoo.org>2006-07-06 16:37:20 +0000
commit27feeab6e5eb6e2ff389943899691b18c970b08c (patch)
treeb300e0395e2b6b673900292f7d27dbef9a4c5ad8 /etc
parentOnly print info if we have a controlling terminal. (diff)
Set default values via a config file. Also support a sandbox.d
config directory for package-specific configuration files.

Signed-off-by: Martin Schlemmer <azarah@gentoo.org>
Diffstat (limited to 'etc')
-rw-r--r--etc/00default29
-rw-r--r--etc/Makefile.am6
-rw-r--r--etc/sandbox.conf80
3 files changed, 115 insertions, 0 deletions
diff --git a/etc/00default b/etc/00default
new file mode 100644
index 0000000..6bae212
--- /dev/null
+++ b/etc/00default
@@ -0,0 +1,29 @@
+# Default configuration for non-set values
+#
+# As stated in sandbox.conf, any value in here do not get used if the variable
+# is already present in the environment. All rules of the ACCESS Section
+# applies here.
+
+# Normally the whole filesystem should be readable
+SANDBOX_READ="/"
+
+# Finally add current directory if interactive
+SANDBOX_WRITE="${SANDBOX_WORKDIR}"
+# Needed for configure tests
+SANDBOX_WRITE="/usr/tmp/conftest:/usr/lib/conftest:/usr/lib32/conftest:/usr/lib64/conftest:/usr/tmp/cf:/usr/lib/cf:/usr/lib32/cf:/usr/lib64/cf"
+
+
+#
+# The following should be moved to respective packages
+#
+
+# This should be handled by gnome-base/gconf
+SANDBOX_WRITE="${HOME}/.gconfd/lock"
+# This should be handled by app-text/scrollkeeper
+SANDBOX_WRITE="/var/log/scrollkeeper.log"
+
+# These should be handled by dev-lang/python or sys-apps/portage
+SANDBOX_PREDICT="/usr/lib/python2.0/:/usr/lib/python2.1/:/usr/lib/python2.2/:/usr/lib/python2.3/:/usr/lib/python2.4/:/usr/lib/python2.5/:/usr/lib/python3.0/"
+# These should be handled by sys-libs/nss-db
+SANDBOX_PREDICT="/var/db/aliases.db:/var/db/netgroup.db:/var/db/netmasks.db:/var/db/ethers.db:/var/db/rpc.db:/var/db/protocols.db:/var/db/services.db:/var/db/networks.db:/var/db/hosts.db:/var/db/group.db:/var/db/passwd.db"
+
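Review bot: The write grants on the `SANDBOX_WRITE="/usr/tmp/conftest:...` line include short entries such as `/usr/lib/cf` and `/usr/lib64/cf` without saying whether an entry is an exact path or a path prefix. The page does not show the matcher; if entries are treated as prefixes, each of these would also cover sibling names under the library directories that merely start with `cf` or `conftest`. I would state the matching rule in the comment above the line, e.g. `# Needed for configure tests (entries match as <exact path | prefix>; keep them as narrow as possible)`. Separately, the comment `# Finally add current directory if interactive` sits on the first write rule and the file has no conditional, so the rule appears to apply whenever `${SANDBOX_WORKDIR}` is set; the comment should say that.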
diff --git a/etc/Makefile.am b/etc/Makefile.am
new file mode 100644
index 0000000..3425f1b
--- /dev/null
+++ b/etc/Makefile.am
@@ -0,0 +1,6 @@
+confdir = $(sysconfdir)
+dist_conf_DATA = sandbox.conf
+
+confddir = $(sysconfdir)/sandbox.d
+dist_confd_DATA = 00default
+
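Review bot: Both files are listed under `dist_*_DATA`, so `make install` copies them over whatever already exists in `$(sysconfdir)` and `$(sysconfdir)/sandbox.d`, and nothing in this file says so. Because these files define what a sandboxed process may write, a short comment would help packagers, e.g. `# Policy files: install replaces existing copies of sandbox.conf and sandbox.d/00default`. Whether the packaging layer preserves locally edited copies is not visible here.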
diff --git a/etc/sandbox.conf b/etc/sandbox.conf
new file mode 100644
index 0000000..d6ae4bf
--- /dev/null
+++ b/etc/sandbox.conf
@@ -0,0 +1,80 @@
+# Sandbox main configuration file
+
+# Note that configuration parser is fairly basic, so try to keep things simple.
+
+#
+# BASIC Section
+#
+
+# Basic sandbox configuration. Sandbox will use values here if not already set
+# in the environment. Assignment works like bash variable assignment (ie, last
+# value assigned to the variable is used).
+
+# SANDBOX_VERBOSE
+#
+# Determine if sandbox print access violations, or if debugging is enabled,
+# it will also print allowed operations. Default is "yes"
+#SANDBOX_VERBOSE="yes"
+
+# SANDBOX_DEBUG
+#
+# In addition to the normal log, a debug log is also written containing all
+# operations caught by sandbox. Default is "no"
+#SANDBOX_DEBUG="no"
+
+# SANDBOX_BEEP
+#
+# The amount of beeps sandbox will issue when it exits with access violations
+# after printing the normal log. Default is "3"
+#SANDBOX_BEEP=3
+
+# NOCOLOR
+#
+# Determine the use of color in the output. Default is "false" (ie, use color)
+#NOCOLOR="false"
+
+
+#
+# ACCESS Section
+#
+
+# The next section contain rules for access. It works a bit different from the
+# previous section in that values assigned to variables stack. Also since these
+# do NOT get overridded by values already set in the environment, but rather
+# those get added.
+#
+# If you want values that only get set if one of the variables are not already
+# present in the environment, place a file in /etc/sandbox.d/ (replace /etc
+# with what sysconfdir was configured to).
+#
+# Another difference from above, is that these support simple variable name
+# substitution. Variable names must be in the form of '${variable}' (without
+# the ''). It is very basic, so no command substitution, etc is supported.
+#
+# The values consists of the respective paths seperated by a colon (:)
+#
+# SANDBOX_DENY - all access to respective paths are denied
+#
+# SANDBOX_READ - can read respective paths
+#
+# SANDBOX_WRITE - can write to respective paths
+#
+# SANDBOX_PREDICT - respective paths are not writable, but no access violation
+# will be issued in the case of a write
+#
+
+# Needed for stdout, stdin and stderr
+SANDBOX_WRITE="/dev/fd:/proc/self/fd"
+# Common device nodes
+SANDBOX_WRITE="/dev/zero:/dev/null:/dev/full"
+# Console device nodes
+SANDBOX_WRITE="/dev/console:/dev/tty:/dev/vc/:/dev/pty:/dev/tts"
+# Device filesystems
+SANDBOX_WRITE="/dev/pts/:/dev/shm"
+# Tempory storage
+SANDBOX_WRITE="/tmp/:/var/tmp/"
+# Needed for shells
+SANDBOX_WRITE="${HOME}/.bash_history"
+
+# Usually writes in /home should not cause violations
+SANDBOX_PREDICT="${HOME}"
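Review bot: The ACCESS section comment describes SANDBOX_DENY, SANDBOX_READ, SANDBOX_WRITE and SANDBOX_PREDICT but never says which list wins when a path matches more than one, and the defaults already overlap: `SANDBOX_WRITE="${HOME}/.bash_history"` lies inside `SANDBOX_PREDICT="${HOME}"`. I would add a line to that comment block stating the evaluation order, and what `${HOME}` becomes when it is unset; if it expands to nothing, the first rule becomes `/.bash_history`. By the file's own definition of PREDICT, write attempts anywhere under the home directory raise no violation, so they would presumably not appear in the normal log, which is worth saying next to the last rule. Its comment says `/home` while the rule uses `${HOME}`; `# Writes under the invoking user's ${HOME} are not allowed, but no violation is logged` would match the rule.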