rules/global.rules

# Default ruleset to get a simple application running
# The commands are:
#
# bind <from> <to>
#   take from the current filesystem a single directory and make it
#   available elsewhere. See the -rbind argument on /usr/bin/mount
# tmpfs <target>
#   create a tmpfs on the full path 'target'. Useful to hide sensitive
#   content.
# umount <path>
#   un-mount a mounted 'drive'.
#
# try
#   Prefix any command with 'try' to make its failure non-fatal.
#   Things like 'copy' or tmpfs also not auto-create a target
#    directory if this is a 'try'
#
# ---- replacement variables.
# $HOME         the actual homedir of the user
# $APPHOME      the location of the app-jail
#
# Notice that those variables are set at the start, as you do binds
# etc they may change and the variables will not be auto-updated to
# follow.
#
# ---- conditionals
# if [denied|allowed] <keyword>
#   # do stuff
# endif
#

copy $HOME/.config/kdedefaults/kdeglobals $APPHOME/config/kdefaults/
copy $HOME/.config/kdeglobals $APPHOME/config/

bind /tmp /var/tmp
umount /tmp
tmpfs /tmp
# x11 support
try bind /var/tmp/.X11-unix /tmp/.X11-unix
# xauth was in /tmp before wayland.
try copy /var/tmp/xauth_* /tmp/
# KDE sessions management server
try bind /var/tmp/.ICE-unix /tmp/.ICE-unix

setPermissionDefault dbus allowed
setPermissionDefault docker denied
setPermissionDefault dbus-system denied
setPermissionDefault git denied
setPermissionDefault ssh denied
# Give access to documents in homedir in the 'shared' dir.
setPermissionDefault homedir allowed
# media is 'mounts', like a USB device
setPermissionDefault media allowed
# access to things like pulseaudio and pipewire
setPermissionDefault audio allowed

# if there are specific rules for the current app,
# execute them here.
#   If no rules exist for the current app, run 'default.rules'
execute-apprules

# this one is critical, move the app into its little 'jail'
bind $APPHOME $HOME
# undo the bind from above
try umount /var/tmp

# backup of /run
bind /run /var/tmp
# blank out /run
tmpfs /run
# then bring back stuff we actually need
copy /var/tmp/user/$USERID/KSMserver* /run/user/$USERID/
# wayland support
try bind /var/tmp/user/$USERID/wayland-0 /run/user/$USERID/wayland-0
try bind /var/tmp/user/$USERID/wayland-1 /run/user/$USERID/wayland-1
try bind /var/tmp/user/$USERID/wayland-0.lock /run/user/$USERID/wayland-0.lock
try bind /var/tmp/user/$USERID/wayland-1.lock /run/user/$USERID/wayland-1.lock
try copy /var/tmp/user/$USERID/xauth_* /run/user/$USERID/

if allowed dbus
    bind /var/tmp/user/$USERID/bus /run/dbus/user-global
    # the targets should not be changed, the runner will
    # start the dbus proxy expecting these path.
endif
if allowed dbus-system
    bind /var/tmp/dbus/system_bus_socket /run/dbus/system-global
    # same as above, dbus proxy can be started.
endif
if allowed ssh
    try copy /var/tmp/user/$USERID/ssh-agent /run/user/$USERID/ssh-agent
endif

# give access to pipewire and pulse
if allowed audio
    try bind /var/tmp/user/$USERID/pipewire-0 /run/user/$USERID/pipewire-0
    try bind /var/tmp/user/$USERID/pipewire-0.lock /run/user/$USERID/pipewire-0.lock
    try bind /var/tmp/user/$USERID/pipewire-0-manager /run/user/$USERID/pipewire-0-manager
    try bind /var/tmp/user/$USERID/pipewire-0-manager.lock /run/user/$USERID/pipewire-0-manager.lock
    try bind /var/tmp/user/$USERID/pulse /run/user/$USERID/pulse
endif

if allowed media
    bind /var/tmp/media /run/media
endif
if allowed docker
    try bind /var/tmp/docker/ /run/docker
    try bind /var/tmp/docker.pid /run/docker.pid
    try bind /var/tmp/docker.sock /run/docker.sock
endif

# only relevant if there is a VPN setup, but harmless otherwise
try bind /var/tmp/run/netns/iso-jail$JAILID /var/run/netns/

try umount /var/tmp
# overwrite /var/tmp making its content invisible
tmpfs /var/tmp

if allowed homedir
    # hide some stuff.
    # notice that the 'try' here is so 'tmpfs'
    # doesn't attempt to create a directory first.
    try tmpfs $HOME/shared/.config
    try tmpfs $HOME/shared/.local
    try tmpfs $HOME/shared/.cache
    try tmpfs $HOME/shared/.docker
    try tmpfs $HOME/shared/.gnupg
endif

# env vars

setEnv XDG_CONFIG_HOME=$HOME/config
setEnv XDG_DATA_HOME=$HOME/data
setEnv XDG_CONFIG_DIRS=$HOME/config:/etc/xdg

if denied git
    unsetEnv GIT_COMMITTER_NAME
    unsetEnv GIT_AUTHOR_NAME
    unsetEnv EMAIL
endif
unsetEnv PAM_KWALLETS_LOGIN
unsetEnv MAIL
unsetEnv SYSTEMD_EXEC_PID

if denied dbus
    unsetEnv DBUS_SESSION_BUS_ADDRESS
endif

if denied ssh
    unsetEnv SSH_AGENT
    unsetEnv SSH_AGENT_PID
    unsetEnv SSH_AUTH_SOCK
endif

tmpfs /var/log
Have app-specific rules 2024-02-19 10:47:36 +01:00			`# Default ruleset to get a simple application running`
			`# The commands are:`
			`#`
			`# bind <from> <to>`
			`# take from the current filesystem a single directory and make it`
			`# available elsewhere. See the -rbind argument on /usr/bin/mount`
			`# tmpfs <target>`
			`# create a tmpfs on the full path 'target'. Useful to hide sensitive`
			`# content.`
			`# umount <path>`
			`# un-mount a mounted 'drive'.`
			`#`
			`# try`
			`# Prefix any command with 'try' to make its failure non-fatal.`
			`# Things like 'copy' or tmpfs also not auto-create a target`
			`# directory if this is a 'try'`
			`#`
			`# ---- replacement variables.`
			`# $HOME the actual homedir of the user`
			`# $APPHOME the location of the app-jail`
			`#`
			`# Notice that those variables are set at the start, as you do binds`
			`# etc they may change and the variables will not be auto-updated to`
			`# follow.`
			`#`
			`# ---- conditionals`
			`# if [denied\|allowed] <keyword>`
			`# # do stuff`
			`# endif`
Add dbus-proxy support 2024-02-20 19:14:25 +01:00			`#`
Have app-specific rules 2024-02-19 10:47:36 +01:00
			`copy $HOME/.config/kdedefaults/kdeglobals $APPHOME/config/kdefaults/`
			`copy $HOME/.config/kdeglobals $APPHOME/config/`

			`bind /tmp /var/tmp`
			`umount /tmp`
			`tmpfs /tmp`
			`# x11 support`
			`try bind /var/tmp/.X11-unix /tmp/.X11-unix`
Another change after wayland 2024-05-23 22:27:51 +02:00			`# xauth was in /tmp before wayland.`
Have app-specific rules 2024-02-19 10:47:36 +01:00			`try copy /var/tmp/xauth_* /tmp/`
Add audio permission and copy kde session server 2024-02-26 10:49:40 +01:00			`# KDE sessions management server`
			`try bind /var/tmp/.ICE-unix /tmp/.ICE-unix`
Have app-specific rules 2024-02-19 10:47:36 +01:00
Add dbus-proxy support 2024-02-20 19:14:25 +01:00			`setPermissionDefault dbus allowed`
Add docker support 2024-05-02 23:17:17 +02:00			`setPermissionDefault docker denied`
Add dbus-proxy support 2024-02-20 19:14:25 +01:00			`setPermissionDefault dbus-system denied`
Have app-specific rules 2024-02-19 10:47:36 +01:00			`setPermissionDefault git denied`
			`setPermissionDefault ssh denied`
Add audio permission and copy kde session server 2024-02-26 10:49:40 +01:00			`# Give access to documents in homedir in the 'shared' dir.`
Have app-specific rules 2024-02-19 10:47:36 +01:00			`setPermissionDefault homedir allowed`
Add support for 'media' permission 2024-02-19 12:30:57 +01:00			`# media is 'mounts', like a USB device`
			`setPermissionDefault media allowed`
Add audio permission and copy kde session server 2024-02-26 10:49:40 +01:00			`# access to things like pulseaudio and pipewire`
			`setPermissionDefault audio allowed`
Have app-specific rules 2024-02-19 10:47:36 +01:00
			`# if there are specific rules for the current app,`
			`# execute them here.`
Add dbus-proxy support 2024-02-20 19:14:25 +01:00			`# If no rules exist for the current app, run 'default.rules'`
Have app-specific rules 2024-02-19 10:47:36 +01:00			`execute-apprules`

			`# this one is critical, move the app into its little 'jail'`
			`bind $APPHOME $HOME`
			`# undo the bind from above`
Make a start with /run 2024-02-19 12:07:37 +01:00			`try umount /var/tmp`

			`# backup of /run`
			`bind /run /var/tmp`
			`# blank out /run`
			`tmpfs /run`
			`# then bring back stuff we actually need`
Add audio permission and copy kde session server 2024-02-26 10:49:40 +01:00			`copy /var/tmp/user/$USERID/KSMserver* /run/user/$USERID/`
Add wayland support 2024-05-23 20:09:41 +02:00			`# wayland support`
			`try bind /var/tmp/user/$USERID/wayland-0 /run/user/$USERID/wayland-0`
Seems that hyprland always uses 1 2025-11-18 21:37:30 +01:00			`try bind /var/tmp/user/$USERID/wayland-1 /run/user/$USERID/wayland-1`
add VPN feature 2026-04-11 14:54:32 +02:00			`try bind /var/tmp/user/$USERID/wayland-0.lock /run/user/$USERID/wayland-0.lock`
Seems that hyprland always uses 1 2025-11-18 21:37:30 +01:00			`try bind /var/tmp/user/$USERID/wayland-1.lock /run/user/$USERID/wayland-1.lock`
Another change after wayland 2024-05-23 22:27:51 +02:00			`try copy /var/tmp/user/$USERID/xauth_* /run/user/$USERID/`
Add wayland support 2024-05-23 20:09:41 +02:00
Make a start with /run 2024-02-19 12:07:37 +01:00			`if allowed dbus`
Add dbus-proxy support 2024-02-20 19:14:25 +01:00			`bind /var/tmp/user/$USERID/bus /run/dbus/user-global`
			`# the targets should not be changed, the runner will`
Add audio permission and copy kde session server 2024-02-26 10:49:40 +01:00			`# start the dbus proxy expecting these path.`
Add dbus-proxy support 2024-02-20 19:14:25 +01:00			`endif`
			`if allowed dbus-system`
			`bind /var/tmp/dbus/system_bus_socket /run/dbus/system-global`
			`# same as above, dbus proxy can be started.`
Make a start with /run 2024-02-19 12:07:37 +01:00			`endif`
			`if allowed ssh`
Make ssh agent file copying a 'try' 2024-03-09 11:08:52 +01:00			`try copy /var/tmp/user/$USERID/ssh-agent /run/user/$USERID/ssh-agent`
Make a start with /run 2024-02-19 12:07:37 +01:00			`endif`

Add audio permission and copy kde session server 2024-02-26 10:49:40 +01:00			`# give access to pipewire and pulse`
			`if allowed audio`
			`try bind /var/tmp/user/$USERID/pipewire-0 /run/user/$USERID/pipewire-0`
			`try bind /var/tmp/user/$USERID/pipewire-0.lock /run/user/$USERID/pipewire-0.lock`
			`try bind /var/tmp/user/$USERID/pipewire-0-manager /run/user/$USERID/pipewire-0-manager`
			`try bind /var/tmp/user/$USERID/pipewire-0-manager.lock /run/user/$USERID/pipewire-0-manager.lock`
			`try bind /var/tmp/user/$USERID/pulse /run/user/$USERID/pulse`
			`endif`
Make a start with /run 2024-02-19 12:07:37 +01:00
Add support for 'media' permission 2024-02-19 12:30:57 +01:00			`if allowed media`
			`bind /var/tmp/media /run/media`
			`endif`
Add docker support 2024-05-02 23:17:17 +02:00			`if allowed docker`
			`try bind /var/tmp/docker/ /run/docker`
			`try bind /var/tmp/docker.pid /run/docker.pid`
			`try bind /var/tmp/docker.sock /run/docker.sock`
			`endif`
Add support for 'media' permission 2024-02-19 12:30:57 +01:00
add VPN feature 2026-04-11 14:54:32 +02:00			`# only relevant if there is a VPN setup, but harmless otherwise`
			`try bind /var/tmp/run/netns/iso-jail$JAILID /var/run/netns/`

Have app-specific rules 2024-02-19 10:47:36 +01:00			`try umount /var/tmp`
			`# overwrite /var/tmp making its content invisible`
			`tmpfs /var/tmp`

			`if allowed homedir`
			`# hide some stuff.`
			`# notice that the 'try' here is so 'tmpfs'`
			`# doesn't attempt to create a directory first.`
			`try tmpfs $HOME/shared/.config`
			`try tmpfs $HOME/shared/.local`
			`try tmpfs $HOME/shared/.cache`
			`try tmpfs $HOME/shared/.docker`
			`try tmpfs $HOME/shared/.gnupg`
			`endif`

			`# env vars`

			`setEnv XDG_CONFIG_HOME=$HOME/config`
			`setEnv XDG_DATA_HOME=$HOME/data`
			`setEnv XDG_CONFIG_DIRS=$HOME/config:/etc/xdg`

			`if denied git`
			`unsetEnv GIT_COMMITTER_NAME`
			`unsetEnv GIT_AUTHOR_NAME`
			`unsetEnv EMAIL`
			`endif`
			`unsetEnv PAM_KWALLETS_LOGIN`
			`unsetEnv MAIL`
			`unsetEnv SYSTEMD_EXEC_PID`

			`if denied dbus`
			`unsetEnv DBUS_SESSION_BUS_ADDRESS`
			`endif`

			`if denied ssh`
			`unsetEnv SSH_AGENT`
			`unsetEnv SSH_AGENT_PID`
			`unsetEnv SSH_AUTH_SOCK`
			`endif`
Also hide /var/log 2024-02-26 11:27:12 +01:00
			`tmpfs /var/log`