# sydbox example configuration for Exherbo
# vim: set et sw=4 sts=4 tw=100 ft=desktop :

# Global options are specified in the main group
[main]
# whether sydbox should colourize messages
# defaults to true
colour = true

# whether sydbox should lock magic commands
# this is equal to the -L/--lock command line switch.
lock = false

# whether sydbox should wait for all children, not just eldest, to exit before exiting.
# Setting this false creates a possible security problem where a child can do something like:
# (
#   while true; do
#       if ! pidof sydbox >/dev/null 2>&1; then
#           call_function_that_violates_access
#           break
#       fi
#   done
# ) &
wait_all = true

# Add /proc/PID to allowed paths.
# There's no way to add this path using prefixes because PID varies between children.
# Defaults to true.
allow_proc_pid = true

# Use lstat() wrapper for too long paths
# Don't unset this unless you know what you're doing!
# Defaults to true
wrap_lstat = true

# A list of path patterns that will suppress access violations.
# filters = /usr/lib*/python*/site-packages/*.pyc

# Logging options are specified under the log group.
[log]
# log file, by default logs go to standard error.
# file = /var/log/sydbox.log

# the verbosity of messages, defaults to 1
# 1 - error
# 2 - warning
# 3 - normal
# 4 - verbose
# 5 - debug
# 6 - crazy debug
level = 1

# Sandboxing options are specified under the sandbox group
[sandbox]
# whether sydbox should do path sandboxing
# defaults to true
path = true

# whether sydbox should do execve(2) sandboxing
# defaults to false
exec = false

# whether sydbox should do network sandboxing
# defaults to false
network = false

# Filesystem prefixes are specified under the prefix group
[prefix]
# List of path prefixes that processes are allowed to write
# write = /tmp;/var/tmp;${CCACHE_DIR}

# List of path prefixes that processes can execute, only useful when execve(2) sandboxing is on.
# exec = ${PALUDIS_EBUILD_DIR}/utils/locked_pipe_command

# Network specific options are specified in the net group
[net]
# whether sydbox should automatically whitelist bind addresses for connect()
# default to false
auto_whitelist_bind = false

# whitelisting addresses:
# Sydbox has two whitelists one for bind() and one for connect() and sendto() etc.
# A whitelist is a semicolon delimited list of addresses in one of the possible forms:
# unix://path/to/socket
# inet://ipv4_address/netmask@PORT_RANGE
# inet://ipv6_address/netmask@PORT_RANGE
# where /netmask can be omitted.
# PORT_RANGE can either be a number of two numbers in the form BEGIN-END.
# Examples:
# whitelist_bind = inet://127.0.0.1/8@1024-65535;inet6://::1@1024-65535
# whitelist_connect = unix:///var/run/nscd/socket