# nsjail policy (protobuf text format). Demonstrates running a static busybox
# via execveat(): the binary is opened on the host before the sandbox is set up
# and executed by file descriptor (exec_fd below), so the mount namespace,
# which contains only /proc, does not need to hold the binary at all.
name: "static-busybox-with-execveat"
# description is a repeated field; the two entries are one sentence split in
# half. NOTE(review): the text names /bin/busybox-static, while exec_bin.path
# below is /bin/busybox — confirm which host binary is intended and align them.
description: "An example/demo policy which allows to execute /bin/busybox-static in an "
description: "empty (only /proc) mount namespace which doesn't even include busybox itself"
# ONCE: run the jailed command a single time and exit, rather than serving
# connections (presumably nsjail's standalone-once mode — confirm in the docs).
mode: ONCE
hostname: "BUSYBOX"
cwd: "/"
# Wall-clock limit for the jailed process; the unit is whatever nsjail uses for
# time_limit (seconds per its documentation — verify).
time_limit: 100
# Do not inherit the parent's environment; only the envar entries below are
# visible inside the jail.
keep_env: false
envar: "TERM=linux"
envar: "PS1=$ "
skip_setsid: true
clone_newcgroup: true
# Single-entry uid/gid maps: id 999999 inside the jail maps to one host id.
# outside_id is left empty; presumably nsjail then uses the id it was started
# as — verify against the nsjail docs before relying on it.
uidmap {
inside_id: "999999"
outside_id: ""
count: 1
}
gidmap {
inside_id: "999999"
outside_id: ""
count: 1
}
# The automatic /proc mount is turned off so that the explicit, read-only mount
# below is the only filesystem present in the new mount namespace.
mount_proc: false
mount {
dst: "/proc"
fstype: "proc"
rw: false
}
# seccomp policy, one rule per entry: ptrace() is short-circuited to return
# with errno 0 instead of executing, and every other syscall is allowed.
# DEFAULT ALLOW is the permissive choice suitable for a demo; a hardened policy
# would normally enumerate the allowed syscalls and deny the rest.
seccomp_string: "ERRNO(0) { ptrace }"
seccomp_string: "DEFAULT ALLOW"
# Execute /bin/busybox with argv "sh". exec_fd: true makes nsjail open the path
# first and exec it by file descriptor, which is what lets the jail's mount
# namespace omit the binary.
exec_bin {
path: "/bin/busybox"
arg: "sh"
exec_fd: true
}