blob: ef873e1c456c2364ee62d6b86687a3efde6bc0b6 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
|
# Example config for nsjail
name: "bash-with-fake-geteuid"
description: "An example/demo policy which allows to execute /bin/bash and other commands in "
description: "a fairly restricted jail containing only some directories from the main "
description: "system, and with blocked __NR_syslog syscall. Also, __NR_geteuid returns -1337 "
description: "value, which /usr/bin/id will show as euid=4294965959, and ptrace is blocked "
description: "but returns success, hence strange behavior of the strace command. "
description: "This is an example/demo policy, hence it repeats many default values from the "
description: "https://github.com/google/nsjail/blob/master/config.proto PB schema "
mode: ONCE
hostname: "JAILED-BASH"
cwd: "/tmp"
bindhost: "127.0.0.1"
max_conns_per_ip: 10
port: 31337
time_limit: 100
daemon: false
max_cpus: 1
keep_env: false
envar: "ENVAR1=VALUE1"
envar: "ENVAR2=VALUE2"
envar: "TERM=linux"
envar: "HOME=/"
envar: "PS1=[\\H:\\t:\\s-\\V:\\w]\\$ "
keep_caps: true
cap: "CAP_NET_ADMIN"
cap: "CAP_NET_RAW"
silent: false
stderr_to_null: false
skip_setsid: true
pass_fd: 100
pass_fd: 3
disable_no_new_privs: false
rlimit_as: 128
rlimit_core: 0
rlimit_cpu: 10
rlimit_fsize: 0
rlimit_nofile: 32
rlimit_stack_type: SOFT
rlimit_nproc_type: SOFT
persona_addr_compat_layout: false
persona_mmap_page_zero: false
persona_read_implies_exec: false
persona_addr_limit_3gb: false
persona_addr_no_randomize: false
clone_newnet: true
clone_newuser: true
clone_newns: true
clone_newpid: true
clone_newipc: true
clone_newuts: true
clone_newcgroup: true
uidmap {
inside_id: "0"
outside_id: ""
count: 1
}
gidmap {
inside_id: "0"
outside_id: ""
count: 1
}
mount_proc: false
mount {
src: "/lib"
dst: "/lib"
is_bind: true
rw: false
}
mount {
src: "/bin"
dst: "/bin"
is_bind: true
rw: false
}
mount {
src: "/sbin"
dst: "/sbin"
is_bind: true
rw: false
}
mount {
src: "/usr"
dst: "/usr"
is_bind: true
rw: false
}
mount {
src: "/lib64"
dst: "/lib64"
is_bind: true
rw: false
mandatory: false
}
mount {
src: "/lib32"
dst: "/lib32"
is_bind: true
rw: false
mandatory: false
}
mount {
dst: "/tmp"
fstype: "tmpfs"
rw: true
is_bind: false
noexec: true
nodev: true
nosuid: true
}
mount {
dst: "/dev"
fstype: "tmpfs"
options: "size=8388608"
rw: true
is_bind: false
}
mount {
src: "/dev/null"
dst: "/dev/null"
rw: true
is_bind: true
}
mount {
dst: "/proc"
fstype: "proc"
rw: false
}
mount {
src_content: "This file was created dynamically"
dst: "/DYNAMIC_FILE"
}
mount {
src: "/nonexistent_777"
dst: "/nonexistent_777"
is_bind: true
mandatory: false
}
mount {
src: "/proc/self/fd"
dst: "/dev/fd"
is_symlink: true
}
mount {
src: "/some/unimportant/target"
dst: "/proc/no/symlinks/can/be/created/in/proc"
is_symlink: true
mandatory: false
}
seccomp_string: "ERRNO(1337) { geteuid } "
seccomp_string: "ERRNO(0) { ptrace } "
seccomp_string: "KILL_PROCESS { syslog } "
seccomp_string: "DEFAULT ALLOW "
exec_bin {
path: "/bin/bash"
arg0: "sh"
arg: "-i"
}
|
