# Default ruleset to get a simple application running.
#
# Commands used in this file (see the header of the interpreter for the
# complete list):
#
# bind SOURCE TARGET
#     take a single directory (or file) from the current filesystem and
#     make it available elsewhere. See the -rbind argument on /usr/bin/mount.
# tmpfs TARGET
#     create a tmpfs on the full path 'target'. Useful to hide sensitive
#     content, because whatever was at TARGET becomes invisible.
# umount TARGET
#     un-mount a mounted 'drive'.
# copy SOURCE TARGET
#     copy files into a directory; globs such as 'xauth_*' are used below.
# setPermissionDefault NAME allowed|denied
#     set the default answer for the 'if allowed NAME' / 'if denied NAME'
#     conditionals below. Per-app rules (execute-apprules) may override it.
# execute-apprules
#     run the rules file of the current app, if one exists.
# setEnv NAME=VALUE / unsetEnv NAME
#     adjust the environment the jailed app will see.
#
# try
#     Prefix any command with 'try' to make its failure non-fatal.
#     Things like 'copy' or 'tmpfs' also do NOT auto-create the target
#     directory when prefixed with 'try' (without 'try' they do).
#
# ---- replacement variables.
# $HOME     the actual homedir of the user
# $APPHOME  the location of the app-jail
# $USERID and $JAILID are also used below but are not described here.
#     TODO(doc): document where they come from.
#
# Notice that those variables are set at the start; as you do binds
# etc. the paths they point at may change, but the variables will not
# be auto-updated to follow. E.g. after 'bind $APPHOME $HOME' below,
# $HOME still expands to the real homedir path.
#
# ---- conditionals
# if [denied|allowed] NAME
#   # do stuff
# endif
#
# ---- ordering matters ----
# Every bind/umount/tmpfs changes what the following commands see, so the
# commands below must stay in this order. The general pattern is:
#   1. bind the real directory to a staging place (/var/tmp),
#   2. blank the real directory with a tmpfs,
#   3. bring back only the entries the app needs from the staging place,
#   4. hide the staging place with a tmpfs at the end.

# Seed the jail's config dir with the KDE look-and-feel settings.
# NOTE(review): the target is 'kdefaults' while the source dir is
# 'kdedefaults' -- confirm the different spelling is intended.
copy $HOME/.config/kdedefaults/kdeglobals $APPHOME/config/kdefaults/
copy $HOME/.config/kdeglobals $APPHOME/config/

# Stage the real /tmp at /var/tmp, then replace /tmp with an empty tmpfs.
# Only the entries re-bound below are visible to the app; /var/tmp is
# hidden again near the end of this file.
bind /tmp /var/tmp
umount /tmp
tmpfs /tmp

# x11 support.
# Exposing the X11 socket gives the app the same access as any other X
# client (X11 does not isolate clients from each other); Wayland-only
# apps do not need these three lines.
try bind /var/tmp/.X11-unix /tmp/.X11-unix
# xauth was in /tmp before wayland.
try copy /var/tmp/xauth_* /tmp/
# KDE session management server.
try bind /var/tmp/.ICE-unix /tmp/.ICE-unix

# Defaults for the permission conditionals below. Per-app rules run
# by 'execute-apprules' can change them before they are evaluated.
setPermissionDefault dbus allowed
setPermissionDefault docker denied
setPermissionDefault dbus-system denied
setPermissionDefault git denied
setPermissionDefault ssh denied
# Give access to documents in homedir in the 'shared' dir.
setPermissionDefault homedir allowed
# media is 'mounts', like a USB device.
setPermissionDefault media allowed
# access to things like pulseaudio and pipewire.
setPermissionDefault audio allowed

# If there are specific rules for the current app, execute them here.
# If no rules exist for the current app, run 'default.rules'.
execute-apprules

# This one is critical: move the app into its little 'jail'.
# From here on the app sees $APPHOME as its home directory.
bind $APPHOME $HOME

# Undo the '/tmp -> /var/tmp' bind from above so /var/tmp can be reused
# as the staging place for /run.
try umount /var/tmp

# Backup of /run.
bind /run /var/tmp
# Blank out /run.
tmpfs /run
# Then bring back the stuff we actually need.
# Deliberately not 'try': per the header, a plain 'copy' creates the
# target directory, so this also creates /run/user/$USERID/ on the fresh
# tmpfs for the 'try' binds that follow -- presumably; confirm.
copy /var/tmp/user/$USERID/KSMserver* /run/user/$USERID/

# wayland support.
try bind /var/tmp/user/$USERID/wayland-0 /run/user/$USERID/wayland-0
try bind /var/tmp/user/$USERID/wayland-1 /run/user/$USERID/wayland-1
try bind /var/tmp/user/$USERID/wayland-0.lock /run/user/$USERID/wayland-0.lock
try bind /var/tmp/user/$USERID/wayland-1.lock /run/user/$USERID/wayland-1.lock
try copy /var/tmp/user/$USERID/xauth_* /run/user/$USERID/

if allowed dbus
# The session bus is exposed to the app only through the dbus proxy
# (started by the runner), never directly.
bind /var/tmp/user/$USERID/bus /run/dbus/user-global
# The targets should not be changed: the runner will start the dbus
# proxy expecting these paths.
endif

if allowed dbus-system
bind /var/tmp/dbus/system_bus_socket /run/dbus/system-global
# Same as above, so the dbus proxy can be started.
endif

if allowed ssh
# Giving the app the agent socket lets it use every key loaded in the
# agent; this is why 'ssh' defaults to denied.
# NOTE(review): ssh-agent is a unix socket -- confirm that 'copy'
# handles sockets, otherwise a 'try bind' may be what is intended.
try copy /var/tmp/user/$USERID/ssh-agent /run/user/$USERID/ssh-agent
endif

# Give access to pipewire and pulse.
if allowed audio
try bind /var/tmp/user/$USERID/pipewire-0 /run/user/$USERID/pipewire-0
try bind /var/tmp/user/$USERID/pipewire-0.lock /run/user/$USERID/pipewire-0.lock
try bind /var/tmp/user/$USERID/pipewire-0-manager /run/user/$USERID/pipewire-0-manager
try bind /var/tmp/user/$USERID/pipewire-0-manager.lock /run/user/$USERID/pipewire-0-manager.lock
try bind /var/tmp/user/$USERID/pulse /run/user/$USERID/pulse
endif

if allowed media
bind /var/tmp/media /run/media
endif

if allowed docker
# docker.sock is the daemon's control socket: a process that can talk
# to it can start privileged containers, which is effectively host root.
# Keep the default 'denied' unless the app really needs it.
try bind /var/tmp/docker/ /run/docker
try bind /var/tmp/docker.pid /run/docker.pid
try bind /var/tmp/docker.sock /run/docker.sock
endif

# Only relevant if there is a VPN setup, but harmless otherwise.
try bind /var/tmp/run/netns/iso-jail$JAILID /var/run/netns/

# Drop the /run staging bind and overwrite /var/tmp, making its
# content (the real /run) invisible to the app.
try umount /var/tmp
tmpfs /var/tmp

if allowed homedir
# Hide some stuff in the shared homedir.
# Notice that the 'try' here is so 'tmpfs' doesn't attempt to create
# a directory first: a dotdir the user does not have stays absent.
# NOTE(review): other sensitive dotdirs (e.g. .ssh) are not masked here;
# confirm that is intended for everything reachable under 'shared'.
try tmpfs $HOME/shared/.config
try tmpfs $HOME/shared/.local
try tmpfs $HOME/shared/.cache
try tmpfs $HOME/shared/.docker
try tmpfs $HOME/shared/.gnupg
endif

# env vars: point XDG at the jail's own config/data dirs.
setEnv XDG_CONFIG_HOME=$HOME/config
setEnv XDG_DATA_HOME=$HOME/data
setEnv XDG_CONFIG_DIRS=$HOME/config:/etc/xdg

# Do not leak the user's identity to apps that are not allowed git.
if denied git
unsetEnv GIT_COMMITTER_NAME
unsetEnv GIT_AUTHOR_NAME
unsetEnv EMAIL
endif

# Session details the app has no use for.
unsetEnv PAM_KWALLETS_LOGIN
unsetEnv MAIL
unsetEnv SYSTEMD_EXEC_PID

# Without the address the app will not even try to reach the session bus.
if denied dbus
unsetEnv DBUS_SESSION_BUS_ADDRESS
endif

# Match the environment to the denied agent socket above.
if denied ssh
unsetEnv SSH_AGENT
unsetEnv SSH_AGENT_PID
unsetEnv SSH_AUTH_SOCK
endif

# Hide the host's logs.
tmpfs /var/log