Mastodon nsjail configuration
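#!/usr/bin/env bash
# Wrapper Mastodon invokes in place of ImageMagick's convert(1); all
# arguments are forwarded unchanged into the jail.
# exec replaces this shell with nsjail, so the exit status is nsjail's own and a
# signal sent to this PID (e.g. a timeout kill from the caller) reaches the jail
# itself instead of only killing an intermediate bash and leaving nsjail running.
exec nsjail --quiet --config /etc/nsjail/imagemagick-convert.cfg -- /usr/local/bin/convert "$@"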
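#!/usr/bin/env bash
# Wrapper Mastodon invokes in place of ffmpeg; all arguments are forwarded
# unchanged into the jail.
# exec replaces this shell with nsjail, so the exit status is nsjail's own and a
# signal sent to this PID (e.g. a timeout kill from the caller) reaches the jail
# itself instead of only killing an intermediate bash and leaving nsjail running.
exec nsjail --quiet --config /etc/nsjail/ffmpeg.cfg -- /usr/local/bin/ffmpeg "$@"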
# nsjail policy for the ffmpeg/avconv wrapper. The jail's root contains only
# the bind mounts listed below, the single host-visible writable path is
# Mastodon's rails_tmp directory, and any syscall outside the seccomp
# allow-list terminates the process (DEFAULT KILL).
name: "ffmpeg"
description: "This policy allows to run ffmpeg or avconv inside a jail."
description: ""
description: "Run as:"
description: ""
description: "./nsjail --config ffmpeg.cfg -- /usr/bin/ffmpeg \\"
description: " -i /home/mastodon/live/tmp/rails_tmp/input.mp4"
# ONCE: run the command a single time and exit with it (no listening socket).
mode: ONCE
hostname: "FFMPEG"
# Working directory is the private tmpfs mounted at /user further down.
cwd: "/user"
# Wall-clock bound in seconds. This is the effective bound here, since
# rlimit_cpu below is larger than it.
time_limit: 180
# if you're experiencing issues, enable this log file. Make sure the file
# is writable.
# log_file: "/var/log/nsjail.log"
# /usr/local/lib does not seem to be included in the LD_LIBRARY_PATH within
# the jail by default. You probably won't need this if you're using a packaged
# version of ffmpeg.
# NOTE(review): whether "$LD_LIBRARY_PATH" is expanded by nsjail or passed into
# the jail as literal text is not visible from this file — confirm with the
# installed nsjail version before relying on the host value being inherited.
envar: "LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib"
envar: "HOME=/user"
# TMP points at the only rw host-shared directory (bind-mounted below).
envar: "TMP=/home/mastodon/live/tmp/rails_tmp"
# Resource limits: address space (MB), CPU seconds, max size of a single
# written file (MB), and open file descriptors. nofile is deliberately tight;
# raise it only if ffmpeg dies with EMFILE.
rlimit_as: 2048
rlimit_cpu: 1000
rlimit_fsize: 1024
rlimit_nofile: 10
# No user/group id mapping is configured here, so nsjail's defaults decide
# which ids the jailed process runs as — NOTE(review): confirm for the
# deployed version.
# Read-only bind mounts of the loader and library directories. /lib and
# /usr/lib are required; the jail will not start without them.
mount {
src: "/lib"
dst: "/lib"
is_bind: true
}
mount {
src: "/usr/lib"
dst: "/usr/lib"
is_bind: true
}
# mandatory: false — the jail still starts if the path is absent on the host,
# so one config serves both packaged and /usr/local builds.
mount {
src: "/usr/local/lib"
dst: "/usr/local/lib"
is_bind: true
mandatory: false
}
mount {
src: "/lib64"
dst: "/lib64"
is_bind: true
mandatory: false
}
mount {
src: "/lib32"
dst: "/lib32"
is_bind: true
mandatory: false
}
# Candidate binaries, all optional; the wrapper script decides which one is
# actually executed (the gist's wrapper uses /usr/local/bin/ffmpeg).
mount {
src: "/usr/bin/ffmpeg"
dst: "/usr/bin/ffmpeg"
is_bind: true
mandatory: false
}
mount {
src: "/usr/local/bin/ffmpeg"
dst: "/usr/local/bin/ffmpeg"
is_bind: true
mandatory: false
}
mount {
src: "/usr/bin/avconv"
dst: "/usr/bin/avconv"
is_bind: true
mandatory: false
}
mount {
src: "/usr/local/bin/avconv"
dst: "/usr/local/bin/avconv"
is_bind: true
mandatory: false
}
# Read-write bind of Mastodon's temp directory: input is read and output is
# written here, so this is the one place where jailed writes reach the host.
# Keep it dedicated to these jobs and avoid placing anything else in it.
mount {
src: "/home/mastodon/live/tmp/rails_tmp"
dst: "/home/mastodon/live/tmp/rails_tmp"
rw: true
is_bind: true
}
# Private scratch space, not shared with the host. No size is set on this
# tmpfs, so only the kernel's tmpfs default and rlimit_fsize bound it —
# NOTE(review): consider bounding it via the mount's options field (check that
# the installed nsjail supports it) if host memory pressure is a concern.
mount {
dst: "/user"
fstype: "tmpfs"
rw: true
}
# Kafel seccomp policy. Syscalls not in ALLOW kill the process; execve and
# clone must remain listed because the filter is installed before the target
# binary is exec'd. A kill by this filter shows up as an abrupt exit rather
# than an error message — enable log_file above when diagnosing one.
seccomp_string: "POLICY ffmpeg {"
seccomp_string: " ALLOW {"
seccomp_string: " mmap, read, write, open, close, newstat, lseek,"
seccomp_string: " newfstat, mprotect, munmap, brk, rt_sigaction,"
seccomp_string: " rt_sigprocmask, ioctl, access, execve, fcntl,"
seccomp_string: " getdents, getrlimit, statfs, arch_prctl, futex,"
seccomp_string: " sched_getaffinity, set_tid_address, exit_group,"
seccomp_string: " set_robust_list, get_mempolicy, getrusage,"
seccomp_string: " select, getrandom, clone, getpriority,"
seccomp_string: " setpriority, madvise, exit, mremap"
seccomp_string: " }"
seccomp_string: "}"
seccomp_string: "USE ffmpeg DEFAULT KILL"
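#!/usr/bin/env bash
# Wrapper Mastodon invokes in place of file(1); all arguments are forwarded
# unchanged into the jail.
# exec replaces this shell with nsjail, so the exit status is nsjail's own and a
# signal sent to this PID (e.g. a timeout kill from the caller) reaches the jail
# itself instead of only killing an intermediate bash and leaving nsjail running.
exec nsjail --quiet --config /etc/nsjail/file.cfg -- /usr/bin/file "$@"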
# nsjail policy for the file(1) wrapper (MIME detection of uploads). The
# jail's root contains only the bind mounts listed below, the single
# host-visible writable path is Mastodon's rails_tmp directory, and any
# syscall outside the seccomp allow-list terminates the process.
name: "file"
description: "This policy allows to run file(1) inside a jail."
description: ""
description: "Run as:"
description: ""
description: "./nsjail --config file.cfg -- /usr/bin/file \\"
description: " -b --mime /home/mastodon/live/tmp/rails_tmp/input.mp4"
# ONCE: run the command a single time and exit with it (no listening socket).
mode: ONCE
hostname: "FILE"
# Working directory is the private tmpfs mounted at /user further down.
cwd: "/user"
# Wall-clock bound in seconds — much shorter than the media policies, since
# file(1) only inspects headers. Effective bound, as rlimit_cpu is larger.
time_limit: 10
# if you're experiencing issues, enable this log file. Make sure the file
# is writable.
# log_file: "/var/log/nsjail.log"
envar: "HOME=/user"
# TMP points at the only rw host-shared directory (bind-mounted below).
envar: "TMP=/home/mastodon/live/tmp/rails_tmp"
# Resource limits: address space (MB), CPU seconds, max size of a single
# written file (MB), open file descriptors.
rlimit_as: 2048
rlimit_cpu: 1000
rlimit_fsize: 1024
rlimit_nofile: 10
# No user/group id mapping is configured here, so nsjail's defaults decide
# which ids the jailed process runs as — NOTE(review): confirm for the
# deployed version.
# Read-only bind mounts of the loader and library directories. /lib and
# /usr/lib are required; /lib64 and /lib32 are optional.
mount {
src: "/lib"
dst: "/lib"
is_bind: true
}
mount {
src: "/usr/lib"
dst: "/usr/lib"
is_bind: true
}
mount {
src: "/lib64"
dst: "/lib64"
is_bind: true
mandatory: false
}
mount {
src: "/lib32"
dst: "/lib32"
is_bind: true
mandatory: false
}
# The binary and its magic databases. None of these three carry
# mandatory: false, so the jail refuses to start if any is missing on the
# host — a distribution that ships the magic database elsewhere needs the
# src paths adjusted rather than silently running without it.
mount {
src: "/usr/bin/file"
dst: "/usr/bin/file"
is_bind: true
}
mount {
src: "/etc/magic"
dst: "/etc/magic"
is_bind: true
}
mount {
src: "/usr/share/misc/magic.mgc"
dst: "/usr/share/misc/magic.mgc"
is_bind: true
}
# Read-write bind of Mastodon's temp directory: the input lives here, and it
# is the one place where jailed writes reach the host.
mount {
src: "/home/mastodon/live/tmp/rails_tmp"
dst: "/home/mastodon/live/tmp/rails_tmp"
rw: true
is_bind: true
}
# Private scratch space, not shared with the host. No size is set on this
# tmpfs — NOTE(review): consider bounding it if host memory pressure matters.
mount {
dst: "/user"
fstype: "tmpfs"
rw: true
}
# Kafel seccomp policy, deliberately narrower than the media policies (no
# clone, ioctl or network-related calls). Syscalls not in ALLOW kill the
# process; execve must remain listed because the filter is installed before
# the target binary is exec'd. Enable log_file above when diagnosing a kill.
seccomp_string: "POLICY file {"
seccomp_string: " ALLOW {"
seccomp_string: " read, write, open, close, newstat, newfstat,"
seccomp_string: " newlstat, mmap, mprotect, munmap, brk, access,"
seccomp_string: " execve, fcntl, arch_prctl, pread64, exit_group,"
seccomp_string: " madvise"
seccomp_string: " }"
seccomp_string: "}"
seccomp_string: "USE file DEFAULT KILL"
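#!/usr/bin/env bash
# Wrapper Mastodon invokes in place of ImageMagick's identify(1); all
# arguments are forwarded unchanged into the jail.
# exec replaces this shell with nsjail, so the exit status is nsjail's own and a
# signal sent to this PID (e.g. a timeout kill from the caller) reaches the jail
# itself instead of only killing an intermediate bash and leaving nsjail running.
exec nsjail --quiet --config /etc/nsjail/imagemagick-identify.cfg -- /usr/local/bin/identify "$@"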
# nsjail policy for the ImageMagick convert wrapper. The jail's root contains
# only the bind mounts listed below, the single host-visible writable path is
# Mastodon's rails_tmp directory, and any syscall outside the seccomp
# allow-list terminates the process (DEFAULT KILL).
name: "imagemagick-convert"
description: "This policy allows to run ImageMagick's convert inside a jail."
description: ""
description: "Run as:"
description: ""
description: "./nsjail --config imagemagick-convert.cfg -- /usr/bin/convert \\"
description: " jpg:/home/mastodon/live/tmp/rails_tmp/input.jpg png:/home/mastodon/live/tmp/rails_tmp/output.png"
# ONCE: run the command a single time and exit with it (no listening socket).
mode: ONCE
hostname: "IM-CONVERT"
# Working directory is the private tmpfs mounted at /user further down.
cwd: "/user"
# Wall-clock bound in seconds. Effective bound, as rlimit_cpu below is larger.
time_limit: 180
# if you're experiencing issues, enable this log file. Make sure the file
# is writable.
# log_file: "/var/log/nsjail.log"
# /usr/local/lib does not seem to be included in the LD_LIBRARY_PATH within
# the jail by default. You probably won't need this if you're using a packaged
# version of ImageMagick.
# NOTE(review): whether "$LD_LIBRARY_PATH" is expanded by nsjail or passed into
# the jail as literal text is not visible from this file — confirm with the
# installed nsjail version before relying on the host value being inherited.
envar: "LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib"
envar: "HOME=/user"
# TMP points at the only rw host-shared directory (bind-mounted below).
envar: "TMP=/home/mastodon/live/tmp/rails_tmp"
# Resource limits: address space (MB), CPU seconds, max size of a single
# written file (MB), open file descriptors. nofile is far higher than in the
# other policies on this page (10/16); keep it at the lowest value convert
# still works with on the deployed ImageMagick build.
rlimit_as: 2048
rlimit_cpu: 1000
rlimit_fsize: 1024
rlimit_nofile: 520
# No user/group id mapping is configured here, so nsjail's defaults decide
# which ids the jailed process runs as — NOTE(review): confirm for the
# deployed version.
# Read-only bind mounts of the loader and library directories. /lib and
# /usr/lib are required; the rest are optional (mandatory: false).
mount {
src: "/lib"
dst: "/lib"
is_bind: true
}
mount {
src: "/usr/lib"
dst: "/usr/lib"
is_bind: true
}
mount {
src: "/usr/local/lib"
dst: "/usr/local/lib"
is_bind: true
mandatory: false
}
mount {
src: "/lib64"
dst: "/lib64"
is_bind: true
mandatory: false
}
mount {
src: "/lib32"
dst: "/lib32"
is_bind: true
mandatory: false
}
# Candidate binaries, both optional; the wrapper script decides which one is
# actually executed (the gist's wrapper uses /usr/local/bin/convert).
mount {
src: "/usr/bin/convert"
dst: "/usr/bin/convert"
is_bind: true
mandatory: false
}
mount {
src: "/usr/local/bin/convert"
dst: "/usr/local/bin/convert"
is_bind: true
mandatory: false
}
# ImageMagick's configuration (including policy.xml, which restricts coders
# and resources) for whichever major version is installed. Read-only, so the
# jailed process cannot loosen its own policy.
mount {
src: "/etc/ImageMagick-6"
dst: "/etc/ImageMagick-6"
is_bind: true
mandatory: false
}
mount {
src: "/etc/ImageMagick-7"
dst: "/etc/ImageMagick-7"
is_bind: true
mandatory: false
}
# Read-write bind of Mastodon's temp directory: input is read and output is
# written here, so this is the one place where jailed writes reach the host.
# The policy below permits unlink and fchmod, so those also apply to files in
# this directory.
mount {
src: "/home/mastodon/live/tmp/rails_tmp"
dst: "/home/mastodon/live/tmp/rails_tmp"
rw: true
is_bind: true
}
# Private scratch space, not shared with the host. No size is set on this
# tmpfs — NOTE(review): consider bounding it if host memory pressure matters.
mount {
dst: "/user"
fstype: "tmpfs"
rw: true
}
# Kafel seccomp policy. Syscalls not in ALLOW kill the process; execve and
# clone must remain listed because the filter is installed before the target
# binary is exec'd. Enable log_file above when diagnosing a kill.
seccomp_string: "POLICY imagemagick_convert {"
seccomp_string: " ALLOW {"
seccomp_string: " read, write, open, openat, close, newstat, newfstat,"
seccomp_string: " newlstat, lseek, mmap, mprotect, munmap, brk,"
seccomp_string: " rt_sigaction, rt_sigprocmask, pwrite64, access,"
seccomp_string: " getpid, execve, getdents, unlink, fchmod,"
seccomp_string: " getrlimit, getrusage, sysinfo, times, futex,"
seccomp_string: " arch_prctl, sched_getaffinity, set_tid_address,"
seccomp_string: " clock_gettime, set_robust_list, exit_group,"
seccomp_string: " clone, getcwd, pread64, readlink, prlimit64,"
seccomp_string: " mremap, madvise, gettid, tgkill"
seccomp_string: " }"
seccomp_string: "}"
seccomp_string: "USE imagemagick_convert DEFAULT KILL"
# nsjail policy for the ImageMagick identify wrapper. The jail's root
# contains only the bind mounts listed below, the single host-visible
# writable path is Mastodon's rails_tmp directory, and any syscall outside
# the seccomp allow-list terminates the process (DEFAULT KILL).
name: "imagemagick-identify"
description: "This policy allows to run ImageMagick's identify inside a jail."
description: ""
description: "Run as:"
description: ""
description: "./nsjail --config imagemagick-identify.cfg -- /usr/bin/identify \\"
description: "-format %m /home/mastodon/live/tmp/rails_tmp/input.jpg"
# ONCE: run the command a single time and exit with it (no listening socket).
mode: ONCE
hostname: "IM-IDENTIFY"
# Working directory is the private tmpfs mounted at /user further down.
cwd: "/user"
# Wall-clock bound in seconds — short, since identify only reads metadata.
# Effective bound, as rlimit_cpu below is larger.
time_limit: 10
# if you're experiencing issues, enable this log file. Make sure the file
# is writable.
# log_file: "/var/log/nsjail.log"
# /usr/local/lib does not seem to be included in the LD_LIBRARY_PATH within
# the jail by default. You probably won't need this if you're using a packaged
# version of ImageMagick.
# NOTE(review): whether "$LD_LIBRARY_PATH" is expanded by nsjail or passed into
# the jail as literal text is not visible from this file — confirm with the
# installed nsjail version before relying on the host value being inherited.
envar: "LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib"
envar: "HOME=/user"
# TMP points at the only rw host-shared directory (bind-mounted below).
envar: "TMP=/home/mastodon/live/tmp/rails_tmp"
# Resource limits: address space (MB), CPU seconds, max size of a single
# written file (MB), open file descriptors.
rlimit_as: 2048
rlimit_cpu: 1000
rlimit_fsize: 1024
rlimit_nofile: 16
# No user/group id mapping is configured here, so nsjail's defaults decide
# which ids the jailed process runs as — NOTE(review): confirm for the
# deployed version.
# Read-only bind mounts of the loader and library directories. /lib and
# /usr/lib are required; the rest are optional (mandatory: false).
mount {
src: "/lib"
dst: "/lib"
is_bind: true
}
mount {
src: "/usr/lib"
dst: "/usr/lib"
is_bind: true
}
mount {
src: "/usr/local/lib"
dst: "/usr/local/lib"
is_bind: true
mandatory: false
}
mount {
src: "/lib64"
dst: "/lib64"
is_bind: true
mandatory: false
}
mount {
src: "/lib32"
dst: "/lib32"
is_bind: true
mandatory: false
}
# Candidate binaries, both optional; the wrapper script decides which one is
# actually executed (the gist's wrapper uses /usr/local/bin/identify).
mount {
src: "/usr/bin/identify"
dst: "/usr/bin/identify"
is_bind: true
mandatory: false
}
mount {
src: "/usr/local/bin/identify"
dst: "/usr/local/bin/identify"
is_bind: true
mandatory: false
}
# ImageMagick's configuration (including policy.xml, which restricts coders
# and resources) for whichever major version is installed. Read-only, so the
# jailed process cannot loosen its own policy.
mount {
src: "/etc/ImageMagick-6"
dst: "/etc/ImageMagick-6"
is_bind: true
mandatory: false
}
mount {
src: "/etc/ImageMagick-7"
dst: "/etc/ImageMagick-7"
is_bind: true
mandatory: false
}
# Read-write bind of Mastodon's temp directory: the input lives here, and it
# is the one place where jailed writes reach the host. The policy below
# permits symlink, unlink and fchmod, so those also apply to this directory —
# keep it dedicated to these jobs.
mount {
src: "/home/mastodon/live/tmp/rails_tmp"
dst: "/home/mastodon/live/tmp/rails_tmp"
rw: true
is_bind: true
}
# Private scratch space, not shared with the host. No size is set on this
# tmpfs — NOTE(review): consider bounding it if host memory pressure matters.
mount {
dst: "/user"
fstype: "tmpfs"
rw: true
}
# Kafel seccomp policy. Syscalls not in ALLOW kill the process; execve and
# clone must remain listed because the filter is installed before the target
# binary is exec'd. Note this list is wider than the convert policy's in
# places (symlink, wait4) — NOTE(review): re-verify it is still the minimum
# identify needs after an ImageMagick upgrade. Enable log_file above when
# diagnosing a kill.
seccomp_string: "POLICY imagemagick_identify {"
seccomp_string: " ALLOW {"
seccomp_string: " open, openat, read, write, close, newstat, newfstat,"
seccomp_string: " newlstat, lseek, mmap, mprotect, munmap, brk,"
seccomp_string: " rt_sigaction, rt_sigprocmask, access, getpid,"
seccomp_string: " execve, getdents, getcwd, readlink, getrlimit,"
seccomp_string: " sysinfo, times, arch_prctl, sched_getaffinity,"
seccomp_string: " set_tid_address, set_robust_list, exit_group,"
seccomp_string: " futex, pwrite64, unlink, getrusage, fchmod,"
seccomp_string: " clock_gettime, symlink, clone, wait4, mremap,"
seccomp_string: " prlimit64, madvise, gettid, pread64"
seccomp_string: " }"
seccomp_string: "}"
seccomp_string: "USE imagemagick_identify DEFAULT KILL"