| name: "bash-with-fake-geteuid" |
| description: "An example/demo policy which allows to execute /bin/bash and other commands in " |
| description: "a fairly restricted jail containing only some directories from the main " |
| description: "system, and with blocked __NR_syslog syscall. Also, __NR_geteuid returns -1337 " |
| description: "value, which /usr/bin/id will show as euid=4294965959, and ptrace is blocked " |
| description: "but returns success, hence strange behavior of the strace command. " |
| description: "This is an example/demo policy, hence it repeats many default values from the " |
| description: "https://github.com/google/nsjail/blob/master/config.proto PB schema " |
| |
| mode: ONCE |
| hostname: "JAILED-BASH" |
| cwd: "/tmp" |
| |
| bindhost: "127.0.0.1" |
| max_conns_per_ip: 10 |
| port: 31337 |
| |
| time_limit: 100 |
| daemon: false |
| max_cpus: 1 |
| |
| keep_env: false |
| envar: "ENVAR1=VALUE1" |
| envar: "ENVAR2=VALUE2" |
| envar: "TERM=linux" |
| envar: "HOME=/" |
| envar: "PS1=[\\H:\\t:\\s-\\V:\\w]\\$ " |
| |
| keep_caps: true |
| cap: "CAP_NET_ADMIN" |
| cap: "CAP_NET_RAW" |
| silent: false |
| stderr_to_null: false |
| skip_setsid: true |
| pass_fd: 100 |
| pass_fd: 3 |
| disable_no_new_privs: false |
| |
| rlimit_as: 128 |
| rlimit_core: 0 |
| rlimit_cpu: 10 |
| rlimit_fsize: 0 |
| rlimit_nofile: 32 |
| rlimit_stack_type: SOFT |
| rlimit_nproc_type: SOFT |
| |
| persona_addr_compat_layout: false |
| persona_mmap_page_zero: false |
| persona_read_implies_exec: false |
| persona_addr_limit_3gb: false |
| persona_addr_no_randomize: false |
| |
| clone_newnet: true |
| clone_newuser: true |
| clone_newns: true |
| clone_newpid: true |
| clone_newipc: true |
| clone_newuts: true |
| clone_newcgroup: true |
| |
| uidmap { |
| inside_id: "0" |
| outside_id: "" |
| count: 1 |
| } |
| |
| gidmap { |
| inside_id: "0" |
| outside_id: "" |
| count: 1 |
| } |
| |
| mount_proc: false |
| |
| mount { |
| src: "/lib" |
| dst: "/lib" |
| is_bind: true |
| rw: false |
| } |
| |
| mount { |
| src: "/bin" |
| dst: "/bin" |
| is_bind: true |
| rw: false |
| } |
| |
| mount { |
| src: "/sbin" |
| dst: "/sbin" |
| is_bind: true |
| rw: false |
| } |
| |
| mount { |
| src: "/usr" |
| dst: "/usr" |
| is_bind: true |
| rw: false |
| } |
| |
| mount { |
| src: "/lib64" |
| dst: "/lib64" |
| is_bind: true |
| rw: false |
| mandatory: false |
| } |
| |
| mount { |
| src: "/lib32" |
| dst: "/lib32" |
| is_bind: true |
| rw: false |
| mandatory: false |
| } |
| |
| mount { |
| dst: "/tmp" |
| fstype: "tmpfs" |
| rw: true |
| is_bind: false |
| noexec: true |
| nodev: true |
| nosuid: true |
| } |
| |
| mount { |
| dst: "/dev" |
| fstype: "tmpfs" |
| options: "size=8388608" |
| rw: true |
| is_bind: false |
| } |
| |
| mount { |
| src: "/dev/null" |
| dst: "/dev/null" |
| rw: true |
| is_bind: true |
| } |
| |
| mount { |
| dst: "/proc" |
| fstype: "proc" |
| rw: false |
| } |
| |
| mount { |
| src_content: "This file was created dynamically" |
| dst: "/DYNAMIC_FILE" |
| } |
| |
| mount { |
| src: "/nonexistent_777" |
| dst: "/nonexistent_777" |
| is_bind: true |
| mandatory: false |
| } |
| |
| mount { |
| src: "/proc/self/fd" |
| dst: "/dev/fd" |
| is_symlink: true |
| } |
| |
| mount { |
| src: "/some/unimportant/target" |
| dst: "/proc/no/symlinks/can/be/created/in/proc" |
| is_symlink: true |
| mandatory: false |
| } |
| |
| seccomp_string: "ERRNO(1337) { geteuid } " |
| seccomp_string: "ERRNO(0) { ptrace } " |
| seccomp_string: "KILL { syslog } " |
| seccomp_string: "DEFAULT ALLOW " |
| |
| exec_bin { |
| path: "/bin/bash" |
| arg0: "sh" |
| arg: "-i" |
| } |