| # Example config for nsjail |
| |
| name: "apache-with-cloned-net" |
| |
| description: "Tested under Ubuntu 17.04. Other Linux distros might " |
| description: "use different locations for the Apache's HTTPD configuration " |
| description: "files and system libraries" |
| description: "Run as: sudo ./nsjail --config configs/apache.cfg" |
| |
| mode: ONCE |
| hostname: "APACHE-NSJ" |
| |
| rlimit_as: 1024 |
| rlimit_fsize: 1024 |
| rlimit_cpu_type: INF |
| rlimit_nofile: 64 |
| |
| time_limit: 0 |
| |
| cap: "CAP_NET_BIND_SERVICE" |
| |
| envar: "APACHE_RUN_DIR=/run/apache2" |
| envar: "APACHE_PID_FILE=/run/apache2/apache2.pid" |
| envar: "APACHE_RUN_USER=www-data" |
| envar: "APACHE_RUN_GROUP=www-data" |
| envar: "APACHE_LOG_DIR=/run/apache2" |
| envar: "APACHE_LOCK_DIR=/run/apache2" |
| |
| uidmap { |
| inside_id: "1" |
| outside_id: "www-data" |
| } |
| |
| gidmap { |
| inside_id: "1" |
| outside_id: "www-data" |
| } |
| |
| mount { |
| src: "/etc/apache2" |
| dst: "/etc/apache2" |
| is_bind: true |
| } |
| mount { |
| src: "/etc/mime.types" |
| dst: "/etc/mime.types" |
| is_bind: true |
| } |
| mount { |
| src: "/etc/localtime" |
| dst: "/etc/localtime" |
| is_bind: true |
| } |
| mount { |
| src_content: "www-data:x:1:1:www-data:/var/www:/bin/false" |
| dst: "/etc/passwd" |
| } |
| mount { |
| src_content: "www-data:x:1:" |
| dst: "/etc/group" |
| } |
| mount { |
| dst: "/tmp" |
| fstype: "tmpfs" |
| rw: true |
| } |
| mount { |
| dst: "/run/apache2" |
| fstype: "tmpfs" |
| rw: true |
| } |
| mount { |
| src: "/dev/urandom" |
| dst: "/dev/urandom" |
| is_bind: true |
| rw: true |
| } |
| mount { |
| dst: "/dev/shm" |
| fstype: "tmpfs" |
| rw: true |
| } |
| mount { |
| dst: "/proc" |
| fstype: "proc" |
| } |
| mount { |
| src: "/lib64" |
| dst: "/lib64" |
| is_bind: true |
| } |
| mount { |
| src: "/lib" |
| dst: "/lib" |
| is_bind: true |
| } |
| mount { |
| src: "/usr/lib" |
| dst: "/usr/lib" |
| is_bind: true |
| } |
| mount { |
| src: "/var/www/html" |
| dst: "/var/www/html" |
| is_bind: true |
| } |
| mount { |
| src: "/usr/share/apache2" |
| dst: "/usr/share/apache2" |
| is_bind: true |
| } |
| mount { |
| src: "/var/lib/apache2" |
| dst: "/var/lib/apache2" |
| is_bind: true |
| } |
| mount { |
| src: "/usr/sbin/apache2" |
| dst: "/usr/sbin/apache2" |
| is_bind: true |
| } |
| |
| seccomp_string: " KILL_PROCESS {" |
| seccomp_string: " ptrace," |
| seccomp_string: " process_vm_readv," |
| seccomp_string: " process_vm_writev" |
| seccomp_string: " }" |
| seccomp_string: " DEFAULT ALLOW" |
| |
| macvlan_iface: "enp0s31f6" |
| macvlan_vs_ip: "192.168.10.223" |
| macvlan_vs_nm: "255.255.255.0" |
| macvlan_vs_gw: "192.168.10.1" |
| |
| exec_bin { |
| path: "/usr/sbin/apache2" |
| arg : "-DFOREGROUND" |
| } |