configs/apache.cfg - platform/external/nsjail - Git at Google

 # Example config for nsjail

 name: "apache-with-cloned-net"

 description: "Tested under Ubuntu 17.04. Other Linux distros might "
 description: "use different locations for the Apache's HTTPD configuration "
 description: "files and system libraries"
 description: "Run as: sudo ./nsjail --config configs/apache.cfg"

 mode: ONCE
 hostname: "APACHE-NSJ"

 rlimit_as: 1024
 rlimit_fsize: 1024
 rlimit_cpu_type: INF
 rlimit_nofile: 64

 time_limit: 0

 cap: "CAP_NET_BIND_SERVICE"

 envar: "APACHE_RUN_DIR=/run/apache2"
 envar: "APACHE_PID_FILE=/run/apache2/apache2.pid"
 envar: "APACHE_RUN_USER=www-data"
 envar: "APACHE_RUN_GROUP=www-data"
 envar: "APACHE_LOG_DIR=/run/apache2"
 envar: "APACHE_LOCK_DIR=/run/apache2"

 uidmap {
 	inside_id: "1"
 	outside_id: "www-data"
 }

 gidmap {
 	inside_id: "1"
 	outside_id: "www-data"
 }

 mount {
 	src: "/etc/apache2"
 	dst: "/etc/apache2"
 	is_bind: true
 }
 mount {
 	src: "/etc/mime.types"
 	dst: "/etc/mime.types"
 	is_bind: true
 }
 mount {
 	src: "/etc/localtime"
 	dst: "/etc/localtime"
 	is_bind: true
 }
 mount {
 	src_content: "www-data:x:1:1:www-data:/var/www:/bin/false"
 	dst: "/etc/passwd"
 }
 mount {
 	src_content: "www-data:x:1:"
 	dst: "/etc/group"
 }
 mount {
 	dst: "/tmp"
 	fstype: "tmpfs"
 	rw: true
 }
 mount {
 	dst: "/run/apache2"
 	fstype: "tmpfs"
 	rw: true
 }
 mount {
 	src: "/dev/urandom"
 	dst: "/dev/urandom"
 	is_bind: true
 	rw: true
 }
 mount {
 	dst: "/dev/shm"
 	fstype: "tmpfs"
 	rw: true
 }
 mount {
 	dst: "/proc"
 	fstype: "proc"
 }
 mount {
 	src: "/lib64"
 	dst: "/lib64"
 	is_bind: true
 }
 mount {
 	src: "/lib"
 	dst: "/lib"
 	is_bind: true
 }
 mount {
 	src: "/usr/lib"
 	dst: "/usr/lib"
 	is_bind: true
 }
 mount {
 	src: "/var/www/html"
 	dst: "/var/www/html"
 	is_bind: true
 }
 mount {
 	src: "/usr/share/apache2"
 	dst: "/usr/share/apache2"
 	is_bind: true
 }
 mount {
 	src: "/var/lib/apache2"
 	dst: "/var/lib/apache2"
 	is_bind: true
 }
 mount {
 	src: "/usr/sbin/apache2"
 	dst: "/usr/sbin/apache2"
 	is_bind: true
 }

 seccomp_string: "	KILL_PROCESS {"
 seccomp_string: "		ptrace,"
 seccomp_string: "		process_vm_readv,"
 seccomp_string: "		process_vm_writev"
 seccomp_string: "	}"
 seccomp_string: "	DEFAULT ALLOW"

 macvlan_iface: "enp0s31f6"
 macvlan_vs_ip: "192.168.10.223"
 macvlan_vs_nm: "255.255.255.0"
 macvlan_vs_gw: "192.168.10.1"

 exec_bin {
 	path: "/usr/sbin/apache2"
 	arg : "-DFOREGROUND"
 }
	# Example config for nsjail

	name: "apache-with-cloned-net"

	description: "Tested under Ubuntu 17.04. Other Linux distros might "
	description: "use different locations for the Apache's HTTPD configuration "
	description: "files and system libraries"
	description: "Run as: sudo ./nsjail --config configs/apache.cfg"

	mode: ONCE
	hostname: "APACHE-NSJ"

	rlimit_as: 1024
	rlimit_fsize: 1024
	rlimit_cpu_type: INF
	rlimit_nofile: 64

	time_limit: 0

	cap: "CAP_NET_BIND_SERVICE"

	envar: "APACHE_RUN_DIR=/run/apache2"
	envar: "APACHE_PID_FILE=/run/apache2/apache2.pid"
	envar: "APACHE_RUN_USER=www-data"
	envar: "APACHE_RUN_GROUP=www-data"
	envar: "APACHE_LOG_DIR=/run/apache2"
	envar: "APACHE_LOCK_DIR=/run/apache2"

	uidmap {
	inside_id: "1"
	outside_id: "www-data"
	}

	gidmap {
	inside_id: "1"
	outside_id: "www-data"
	}

	mount {
	src: "/etc/apache2"
	dst: "/etc/apache2"
	is_bind: true
	}
	mount {
	src: "/etc/mime.types"
	dst: "/etc/mime.types"
	is_bind: true
	}
	mount {
	src: "/etc/localtime"
	dst: "/etc/localtime"
	is_bind: true
	}
	mount {
	src_content: "www-data:x:1:1:www-data:/var/www:/bin/false"
	dst: "/etc/passwd"
	}
	mount {
	src_content: "www-data:x:1:"
	dst: "/etc/group"
	}
	mount {
	dst: "/tmp"
	fstype: "tmpfs"
	rw: true
	}
	mount {
	dst: "/run/apache2"
	fstype: "tmpfs"
	rw: true
	}
	mount {
	src: "/dev/urandom"
	dst: "/dev/urandom"
	is_bind: true
	rw: true
	}
	mount {
	dst: "/dev/shm"
	fstype: "tmpfs"
	rw: true
	}
	mount {
	dst: "/proc"
	fstype: "proc"
	}
	mount {
	src: "/lib64"
	dst: "/lib64"
	is_bind: true
	}
	mount {
	src: "/lib"
	dst: "/lib"
	is_bind: true
	}
	mount {
	src: "/usr/lib"
	dst: "/usr/lib"
	is_bind: true
	}
	mount {
	src: "/var/www/html"
	dst: "/var/www/html"
	is_bind: true
	}
	mount {
	src: "/usr/share/apache2"
	dst: "/usr/share/apache2"
	is_bind: true
	}
	mount {
	src: "/var/lib/apache2"
	dst: "/var/lib/apache2"
	is_bind: true
	}
	mount {
	src: "/usr/sbin/apache2"
	dst: "/usr/sbin/apache2"
	is_bind: true
	}

	seccomp_string: " KILL_PROCESS {"
	seccomp_string: " ptrace,"
	seccomp_string: " process_vm_readv,"
	seccomp_string: " process_vm_writev"
	seccomp_string: " }"
	seccomp_string: " DEFAULT ALLOW"

	macvlan_iface: "enp0s31f6"
	macvlan_vs_ip: "192.168.10.223"
	macvlan_vs_nm: "255.255.255.0"
	macvlan_vs_gw: "192.168.10.1"

	exec_bin {
	path: "/usr/sbin/apache2"
	arg : "-DFOREGROUND"
	}