I need to run an untrusted script, which will run some sort of executable or interpreter, localized within a particular directory. I've been searching for a way to do this in firejail for a while, but I haven't had much luck. I need a way to run a script that allows:
- read-only access to a certain directory, all other directories are blacklisted
- limited to 1 CPU
- limited in memory use
- cannot make dangerous system calls
- cannot access the network
- cannot access the screen
- only I/O is reading the files in the specified directory, and standard input/output/error
- ability to call certain language interpreters (python, java, etc).
Is this possible with firejail?
Thank you.
Here is a basic profile for you to get started with.
```
# Firejail profile for restricted
# This file is overwritten after every install/update
# Persistent local customizations
include /etc/firejail/restricted.local
# Persistent global definitions
include /etc/firejail/globals.local

# noblacklist any needed paths here
# Allow access to java
noblacklist ${PATH}/java
noblacklist /usr/lib/java
noblacklist /etc/java
noblacklist /usr/share/java
# Allow access to python
noblacklist ${PATH}/python*
noblacklist /usr/include/python*
noblacklist /usr/lib/python*
noblacklist /usr/local/lib/python*
noblacklist /usr/share/python*

include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-interpreters.inc
include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-xdg.inc

# whitelist any needed paths here
include /etc/firejail/whitelist-common.inc
include /etc/firejail/whitelist-var-common.inc

caps.drop all
ipc-namespace
net none
no3d
nodbus
nodvd
nogroups
nonewprivs
noroot
nosound
notv
nou2f
novideo
protocol unix
seccomp
shell none

#disable-mnt   # enable if you don't need extra drives
#private       # enable to make root and /home empty
#private-bin bash,etc   # this is recommended
private-cache
private-dev
private-etc none
#private-lib   # fiddle with this after
private-tmp

# Blocks writable+executable memory mappings; JIT-based runtimes such as
# Java's HotSpot need them, so drop this line if the interpreter fails to start
memory-deny-write-execute
noexec ${HOME}
noexec /tmp

# 1 core with 512MB RAM
cpu 0
rlimit-as 512000000
```
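As an added example (not from this thread or the firejail project), a small POSIX sh wrapper that launches a script under the profile above and adds the two per-run pieces the question asks for that the profile itself does not set: the single read-only, whitelisted data directory and no X11 access. It assumes the profile is saved as `restricted.profile` in a firejail profile directory (`~/.config/firejail` or `/etc/firejail`), that the data directory lives under `$HOME` (firejail's whitelist only covers certain top-level directories), and that the interpreter is on `$PATH`.

```sh
#!/bin/sh
# Added example (not firejail project code): run an untrusted script under
# the "restricted" profile from the answer above plus per-run options.
# Assumptions: restricted.profile is installed in a firejail profile
# directory, the data directory is under $HOME, interpreter is on $PATH.

# Emit the firejail options for one read-only data directory, one per line.
# CPU pinning, memory limit, seccomp, no network, no sound/video and dropped
# capabilities come from the profile; these add what the profile lacks.
sandbox_opts() {
    dir=$1
    printf '%s\n' \
        "--profile=restricted" \
        "--whitelist=$dir" \
        "--read-only=$dir" \
        "--noexec=$dir" \
        "--x11=none" \
        "--quiet"
}

# Succeed only if the directory exists and sits under $HOME, which is
# where whitelist works for a user's own data.
check_dir() {
    dir=$1
    [ -d "$dir" ] || return 1
    case $dir in
        "$HOME"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: run_sandboxed "$HOME/data" python3 "$HOME/data/job.py"
# The script only sees $dir (read-only, noexec), stdin/stdout/stderr,
# and whatever the profile leaves of /usr for the interpreter.
run_sandboxed() {
    dir=$1; shift
    check_dir "$dir" || { echo "refusing: $dir is not a directory under \$HOME" >&2; return 2; }
    # shellcheck disable=SC2046  # options contain no whitespace unless $dir does
    firejail $(sandbox_opts "$dir") -- "$@"
}
```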