name: "apache-with-cloned-net"
description: "
Tested under Ubuntu 17.04. Other Linux distros might use different
locations for the Apache HTTPD configuration files and system
libraries.
Based on the work of GitHub user @farconada in:
https://github.com/google/nsjail/issues/31
Run as: sudo ./nsjail --config configs/apache.cfg
"
# Run the jailed command once and exit when it does; no listen/fork loop.
mode: ONCE
hostname: "APACHE-NSJ"

# Resource limits (RLIMIT_*) for the jailed process. rlimit_as and
# rlimit_fsize are presumably MiB, as in nsjail's command-line help -- confirm.
rlimit_as: 1024
rlimit_fsize: 1024
# NOTE(review): -1 is presumably intended as "no CPU-time limit" for a
# long-running server -- confirm how this nsjail build parses a negative
# value for this field rather than assuming it is accepted.
rlimit_cpu: -1
rlimit_nofile: 64

# 0 presumably disables the wall-clock limit, consistent with running a
# persistent web server -- confirm against the nsjail version in use.
time_limit: 0

# The only capability retained inside the jail. CAP_NET_BIND_SERVICE lets a
# non-root uid bind privileged ports (80/443) without any other root power.
cap: "CAP_NET_BIND_SERVICE"

# Apache's runtime paths are all pointed at the tmpfs mounted at /run/apache2
# further down in this file.
envar: "APACHE_RUN_DIR=/run/apache2"
envar: "APACHE_PID_FILE=/run/apache2/apache2.pid"
# This account name must match the single entry in the synthesised
# /etc/passwd and /etc/group mounted below.
envar: "APACHE_RUN_USER=www-data"
envar: "APACHE_RUN_GROUP=www-data"
# NOTE(review): the log directory is a tmpfs, so access/error logs are lost
# when the jail exits. If logs must survive for incident review, bind-mount a
# host directory rw and point APACHE_LOG_DIR at it instead.
envar: "APACHE_LOG_DIR=/run/apache2"
envar: "APACHE_LOCK_DIR=/run/apache2"

# uid/gid 1 inside the jail's user namespace is the host's www-data, so any
# file access Apache performs lands on the host as www-data, never as root.
uidmap {
inside_id: "1"
outside_id: "www-data"
}

gidmap {
inside_id: "1"
outside_id: "www-data"
}

# Bind mounts below that carry no rw: true are read-only (the explicit rw: true
# on the writable mounts implies that is nsjail's default). The jail can read
# host config, libraries and web content but cannot modify them, so a
# compromised worker cannot edit the vhost config or persist files into the
# document root.
mount {
src: "/etc/apache2"
dst: "/etc/apache2"
is_bind: true
}

mount {
src: "/etc/mime.types"
dst: "/etc/mime.types"
is_bind: true
}

mount {
src: "/etc/localtime"
dst: "/etc/localtime"
is_bind: true
}

# Synthesised account database: the only user and group visible inside the
# jail is www-data with uid/gid 1 (matching uidmap/gidmap above) and a
# non-login shell.
mount {
src_content: "www-data:x:1:1:www-data:/var/www:/bin/false"
dst: "/etc/passwd"
}

mount {
src_content: "www-data:x:1:"
dst: "/etc/group"
}

# Writable scratch space private to the jail; its contents do not outlive the run.
mount {
dst: "/tmp"
fstype: "tmpfs"
rw: true
}

# Backing store for APACHE_RUN_DIR / PID / LOCK / LOG dirs (see envar above).
mount {
dst: "/run/apache2"
fstype: "tmpfs"
rw: true
}

# Host entropy source. This is the only host path bound writable in this config.
mount {
src: "/dev/urandom"
dst: "/dev/urandom"
is_bind: true
rw: true
}

mount {
dst: "/dev/shm"
fstype: "tmpfs"
rw: true
}

# A fresh procfs for the jail; with nsjail's usual pid namespace it presumably
# shows only the jail's own processes rather than the host's -- confirm.
mount {
dst: "/proc"
fstype: "proc"
}

# System libraries the apache2 binary and its modules load. These paths are
# Ubuntu 17.04 layout (see description) and will differ on other distros.
mount {
src: "/lib64"
dst: "/lib64"
is_bind: true
}

mount {
src: "/lib"
dst: "/lib"
is_bind: true
}

mount {
src: "/usr/lib"
dst: "/usr/lib"
is_bind: true
}

# Document root, read-only inside the jail.
mount {
src: "/var/www/html"
dst: "/var/www/html"
is_bind: true
}

mount {
src: "/usr/share/apache2"
dst: "/usr/share/apache2"
is_bind: true
}

mount {
src: "/var/lib/apache2"
dst: "/var/lib/apache2"
is_bind: true
}

mount {
src: "/usr/sbin/apache2"
dst: "/usr/sbin/apache2"
is_bind: true
}

# Seccomp policy (Kafel syntax). Only ptrace and cross-process memory access
# are killed, which stops jailed processes from inspecting or injecting into
# one another; DEFAULT ALLOW permits every other syscall.
# NOTE(review): this is a three-entry deny-list, not a syscall allowlist. For
# a tighter sandbox switch to DEFAULT KILL with an explicit ALLOW set derived
# from what apache2 and its loaded modules actually call.
seccomp_string: "
POLICY example {
KILL {
ptrace,
process_vm_readv,
process_vm_writev
}
}
USE example DEFAULT ALLOW
"

# Cloned network: the jail gets its own macvlan child of the host NIC with a
# static address, so the server is presumably reachable on the LAN at this IP
# rather than through the host's network stack -- confirm. Interface name,
# address, netmask and gateway are site-specific and must be changed per
# deployment.
macvlan_iface: "enp0s31f6"
macvlan_vs_ip: "192.168.10.223"
macvlan_vs_nm: "255.255.255.0"
macvlan_vs_gw: "192.168.10.1"

# -DFOREGROUND keeps httpd from daemonising, so nsjail (mode: ONCE) supervises
# the actual server process rather than a parent that exits immediately.
exec_bin {
path: "/usr/sbin/apache2"
arg : "-DFOREGROUND"
}