синтаксис файла профиля безопасности и информация о создании новых профилей приложений (Security profile file syntax, and information about building new application profiles.)
Networking
Networking features available in profile files.
defaultgw address
Use this address as default gateway in the new network
namespace.
dns address
Set a DNS server for the sandbox. Up to three DNS servers
can be defined.
hostname name
Set a hostname for the sandbox.
hosts-file file
Use file as /etc/hosts.
ip address
Assign IP addresses to the last network interface defined
by a net command. A default gateway is assigned by
default.
Example:
net eth0
ip 10.10.20.56
ip none
No IP address and no default gateway are configured for
the last interface defined by a net command. Use this
option in case you intend to start an external DHCP client
in the sandbox.
Example:
net eth0
ip none
ip dhcp
Acquire an IP address and default gateway for the last
interface defined by a net command, as well as set the DNS
servers according to the DHCP response. This command
requires the ISC dhclient DHCP client to be installed and
will start it automatically inside the sandbox.
Example:
net br0
ip dhcp
This command should not be used in conjunction with the
dns command if the DHCP server is set to configure DNS
servers for the clients, because the manually specified
DNS servers will be overwritten.
The DHCP client will NOT release the DHCP lease when the
sandbox terminates. If your DHCP server requires leases
to be explicitly released, consider running a DHCP client
and releasing the lease manually in conjunction with the
net none command.
ip6 address
Assign IPv6 addresses to the last network interface
defined by a net command.
Example:
net eth0
ip6 2001:0db8:0:f101::1/64
ip6 dhcp
Acquire an IPv6 address and default gateway for the last
interface defined by a net command, as well as set the DNS
servers according to the DHCP response. This command
requires the ISC dhclient DHCP client to be installed and
will start it automatically inside the sandbox.
Example:
net br0
ip6 dhcp
This command should not be used in conjunction with the
dns command if the DHCP server is set to configure DNS
servers for the clients, because the manually specified
DNS servers will be overwritten.
The DHCP client will NOT release the DHCP lease when the
sandbox terminates. If your DHCP server requires leases
to be explicitly released, consider running a DHCP client
and releasing the lease manually.
iprange address,address
Assign an IP address in the provided range to the last
network interface defined by a net command. A default
gateway is assigned by default.
Example:
net eth0
iprange 192.168.1.150,192.168.1.160
mac address
Assign MAC addresses to the last network interface defined
by a net command.
mtu number
Assign a MTU value to the last network interface defined
by a net command.
net bridge_interface
Enable a new network namespace and connect it to this
bridge interface. Unless specified with option --ip and
--defaultgw, an IP address and a default gateway will be
assigned automatically to the sandbox. The IP address is
verified using ARP before assignment. The address
configured as default gateway is the bridge device IP
address. Up to four --net bridge devices can be defined.
Mixing bridge and macvlan devices is allowed.
net ethernet_interface|wireless_interface
Enable a new network namespace and connect it to this
ethernet interface using the standard Linux macvlan or
ipvlan driver. Unless specified with option --ip and
--defaultgw, an IP address and a default gateway will be
assigned automatically to the sandbox. The IP address is
verified using ARP before assignment. The address
configured as default gateway is the default gateway of
the host. Up to four --net devices can be defined. Mixing
bridge and macvlan devices is allowed.
net none
Enable a new, unconnected network namespace. The only
interface available in the new namespace is a new loopback
interface (lo). Use this option to deny network access to
programs that don't really need network access.
net tap_interface
Enable a new network namespace and connect it to this
ethernet tap interface using the standard Linux macvlan
driver. If the tap interface is not configured, the
sandbox will not try to configure the interface inside the
sandbox. Please use ip, netmask and defaultgw to specify
the configuration.
netfilter
If a new network namespace is created, enabled default
network filter.
netfilter filename
If a new network namespace is created, enabled the network
filter in filename.
netmask address
Use this option when you want to assign an IP address in a
new namespace and the parent interface specified by --net
is not configured. An IP address and a default gateway
address also have to be added.
netns namespace
Run the program in a named, persistent network namespace.
These can be created and configured using "ip netns".
veth-name name
Use this name for the interface connected to the bridge
for --net=bridge_interface commands, instead of the
default one.
