| name: "static-busybox-with-execveat" |
| description: "An example/demo policy which allows to execute /bin/busybox-static in an " |
| description: "empty (only /proc) mount namespace which doesn't even include busybox itself" |
| |
| mode: ONCE |
| hostname: "BUSYBOX" |
| cwd: "/" |
| |
| time_limit: 100 |
| |
| keep_env: false |
| envar: "TERM=linux" |
| envar: "PS1=$ " |
| |
| skip_setsid: true |
| |
| clone_newcgroup: true |
| |
| uidmap { |
| inside_id: "999999" |
| outside_id: "" |
| count: 1 |
| } |
| |
| gidmap { |
| inside_id: "999999" |
| outside_id: "" |
| count: 1 |
| } |
| |
| mount_proc: false |
| |
| mount { |
| dst: "/proc" |
| fstype: "proc" |
| rw: false |
| } |
| |
| seccomp_string: "ERRNO(0) { ptrace }" |
| seccomp_string: "DEFAULT ALLOW" |
| |
| exec_bin { |
| path: "/bin/busybox" |
| arg: "sh" |
| exec_fd: true |
| } |