nsjail/configs/bash-with-fake-geteuid.cfg

name: "bash-with-fake-geteuid"
description:
"An example policy which allows to execute /bin/bash and other commands in
a fairly restricted jail containing only some directories from the main
system, and with blocked __NR_syslog syscall. Also, __NR_geteuid returns -1337
value, which /usr/bin/id will show as euid=4294965959.

This is an example policy, hence it repeats many default values from the
https://github.com/google/nsjail/blob/master/config.proto PB schema"

mode: ONCE
hostname: "JAILED-BASH"
cwd: "/tmp"

bindhost: "::1"
max_conns_per_ip: 10
port: 31337

time_limit: 100
daemon: false

keep_env: false
envar: "ENVAR1=VALUE1"
envar: "ENVAR2=VALUE2"
envar: "TERM=linux"
envar: "PS1=[\\H:\\t:\\s-\\V:\\w]\\$ "

keep_caps: true
silent: false
skip_setsid: true
pass_fd: 100
pass_fd: 3
pivot_root_only: false
disable_no_new_privs: false

rlimit_as: 128
rlimit_core: 0
rlimit_cpu: 10
rlimit_fsize: 0
rlimit_nofile: 32
rlimit_stack: 1

persona_addr_compat_layout: false
persona_mmap_page_zero: false
persona_read_implies_exec: false
persona_addr_limit_3gb: false
persona_addr_no_randomize: false

clone_newnet: true
clone_newuser: true
clone_newns: true
clone_newpid: true
clone_newipc: true
clone_newuts: true
clone_newcgroup: true

uidmap {
	inside_id: "0"
	outside_id: ""
	count: 1
}

gidmap {
	inside_id: "0"
	outside_id: ""
	count: 1
}

mount_proc: false

mount {
	src: "/lib"
	dst: "/lib"
	is_bind: true
	rw: false
}

mount {
	src: "/bin"
	dst: "/bin"
	is_bind: true
	rw: false
}

mount {
	src: "/sbin"
	dst: "/sbin"
	is_bind: true
	rw: false
}

mount {
	src: "/usr"
	dst: "/usr"
	is_bind: true
	rw: false
}

mount {
	src: "/lib64"
	dst: "/lib64"
	is_bind: true
	rw: false
	mandatory: false
}

mount {
	src: "/lib32"
	dst: "/lib32"
	is_bind: true
	rw: false
	mandatory: false
}

mount {
	dst: "/tmp"
	fstype: "tmpfs"
	rw: true
	is_bind: false
}

mount {
	dst: "/dev"
	fstype: "tmpfs"
	options: "size=8388608"
	rw: true
	is_bind: false
}

mount {
	src: "/dev/null"
	dst: "/dev/null"
	rw: true
	is_bind: true
}

mount {
	dst: "/proc"
	fstype: "proc"
	rw: false
}

mount {
	src: "/nonexistent_777"
	dst: "/nonexistent_777"
	is_bind: true
	mandatory: false
}

seccomp_string: "
	POLICY example {
		ERRNO(1337) { geteuid },
		KILL { syslog }
	}
	USE example DEFAULT ALLOW
"

exec_bin {
	path: "/bin/bash"
	arg: "-i"
}
config: add name and description 2017-05-28 01:05:42 +08:00			`name: "bash-with-fake-geteuid"`
			`description:`
			`"An example policy which allows to execute /bin/bash and other commands in`
config: add name and description 2017-05-28 01:06:46 +08:00			`a fairly restricted jail containing only some directories from the main`
			`system, and with blocked __NR_syslog syscall. Also, __NR_geteuid returns -1337`
configs: better description for bash-with-fake-geteuid.cfg 2017-05-28 01:17:25 +08:00			`value, which /usr/bin/id will show as euid=4294965959.`

			`This is an example policy, hence it repeats many default values from the`
			`https://github.com/google/nsjail/blob/master/config.proto PB schema"`
config: add name and description 2017-05-28 01:05:42 +08:00
configs: rename config1.example -> bash-with-fake-geteuid.cfg 2017-05-28 00:45:25 +08:00			`mode: ONCE`
config: implement keep caps 2017-05-29 01:17:48 +08:00			`hostname: "JAILED-BASH"`
			`cwd: "/tmp"`
configs: rename config1.example -> bash-with-fake-geteuid.cfg 2017-05-28 00:45:25 +08:00
			`bindhost: "::1"`
			`max_conns_per_ip: 10`
			`port: 31337`

			`time_limit: 100`
			`daemon: false`

			`keep_env: false`
			`envar: "ENVAR1=VALUE1"`
			`envar: "ENVAR2=VALUE2"`
configs/bash-with-fake-geteuid.cfg set TERM 2017-05-28 23:37:01 +08:00			`envar: "TERM=linux"`
configs/bash-with-fake-geteuid fancier PS1 2017-05-29 01:20:25 +08:00			`envar: "PS1=[\\H:\\t:\\s-\\V:\\w]\\$ "`
configs: rename config1.example -> bash-with-fake-geteuid.cfg 2017-05-28 00:45:25 +08:00
config: implement keep caps 2017-05-29 01:17:48 +08:00			`keep_caps: true`
configs: rename config1.example -> bash-with-fake-geteuid.cfg 2017-05-28 00:45:25 +08:00			`silent: false`
configs/bash-with-fake-geteuid skip_setsid for job control 2017-05-29 01:21:22 +08:00			`skip_setsid: true`
configs: rename config1.example -> bash-with-fake-geteuid.cfg 2017-05-28 00:45:25 +08:00			`pass_fd: 100`
			`pass_fd: 3`
			`pivot_root_only: false`
			`disable_no_new_privs: false`

			`rlimit_as: 128`
			`rlimit_core: 0`
			`rlimit_cpu: 10`
			`rlimit_fsize: 0`
			`rlimit_nofile: 32`
			`rlimit_stack: 1`

			`persona_addr_compat_layout: false`
			`persona_mmap_page_zero: false`
			`persona_read_implies_exec: false`
			`persona_addr_limit_3gb: false`
			`persona_addr_no_randomize: false`

			`clone_newnet: true`
			`clone_newuser: true`
			`clone_newns: true`
			`clone_newpid: true`
			`clone_newipc: true`
			`clone_newuts: true`
			`clone_newcgroup: true`

			`uidmap {`
config: implement keep caps 2017-05-29 01:17:48 +08:00			`inside_id: "0"`
configs: rename config1.example -> bash-with-fake-geteuid.cfg 2017-05-28 00:45:25 +08:00			`outside_id: ""`
			`count: 1`
			`}`

			`gidmap {`
config: implement keep caps 2017-05-29 01:17:48 +08:00			`inside_id: "0"`
configs: rename config1.example -> bash-with-fake-geteuid.cfg 2017-05-28 00:45:25 +08:00			`outside_id: ""`
			`count: 1`
			`}`

			`mount_proc: false`

			`mount {`
			`src: "/lib"`
			`dst: "/lib"`
			`is_bind: true`
config: switch is_ro to rw 2017-05-28 07:24:55 +08:00			`rw: false`
configs: rename config1.example -> bash-with-fake-geteuid.cfg 2017-05-28 00:45:25 +08:00			`}`

			`mount {`
			`src: "/bin"`
			`dst: "/bin"`
			`is_bind: true`
config: switch is_ro to rw 2017-05-28 07:24:55 +08:00			`rw: false`
configs: rename config1.example -> bash-with-fake-geteuid.cfg 2017-05-28 00:45:25 +08:00			`}`

			`mount {`
			`src: "/sbin"`
			`dst: "/sbin"`
			`is_bind: true`
config: switch is_ro to rw 2017-05-28 07:24:55 +08:00			`rw: false`
configs: rename config1.example -> bash-with-fake-geteuid.cfg 2017-05-28 00:45:25 +08:00			`}`

			`mount {`
			`src: "/usr"`
			`dst: "/usr"`
			`is_bind: true`
config: switch is_ro to rw 2017-05-28 07:24:55 +08:00			`rw: false`
configs: rename config1.example -> bash-with-fake-geteuid.cfg 2017-05-28 00:45:25 +08:00			`}`

			`mount {`
			`src: "/lib64"`
			`dst: "/lib64"`
			`is_bind: true`
config: switch is_ro to rw 2017-05-28 07:24:55 +08:00			`rw: false`
configs: rename config1.example -> bash-with-fake-geteuid.cfg 2017-05-28 00:45:25 +08:00			`mandatory: false`
			`}`

			`mount {`
			`src: "/lib32"`
			`dst: "/lib32"`
			`is_bind: true`
config: switch is_ro to rw 2017-05-28 07:24:55 +08:00			`rw: false`
configs: rename config1.example -> bash-with-fake-geteuid.cfg 2017-05-28 00:45:25 +08:00			`mandatory: false`
			`}`

			`mount {`
			`dst: "/tmp"`
			`fstype: "tmpfs"`
config: switch is_ro to rw 2017-05-28 07:24:55 +08:00			`rw: true`
configs: rename config1.example -> bash-with-fake-geteuid.cfg 2017-05-28 00:45:25 +08:00			`is_bind: false`
			`}`

			`mount {`
			`dst: "/dev"`
			`fstype: "tmpfs"`
			`options: "size=8388608"`
config: switch is_ro to rw 2017-05-28 07:24:55 +08:00			`rw: true`
configs: rename config1.example -> bash-with-fake-geteuid.cfg 2017-05-28 00:45:25 +08:00			`is_bind: false`
			`}`

			`mount {`
			`src: "/dev/null"`
			`dst: "/dev/null"`
config: switch is_ro to rw 2017-05-28 07:24:55 +08:00			`rw: true`
configs: rename config1.example -> bash-with-fake-geteuid.cfg 2017-05-28 00:45:25 +08:00			`is_bind: true`
			`}`

			`mount {`
			`dst: "/proc"`
			`fstype: "proc"`
config: switch is_ro to rw 2017-05-28 07:24:55 +08:00			`rw: false`
configs: rename config1.example -> bash-with-fake-geteuid.cfg 2017-05-28 00:45:25 +08:00			`}`

			`mount {`
			`src: "/nonexistent_777"`
			`dst: "/nonexistent_777"`
			`is_bind: true`
			`mandatory: false`
			`}`

			`seccomp_string: "`
			`POLICY example {`
			`ERRNO(1337) { geteuid },`
			`KILL { syslog }`
			`}`
			`USE example DEFAULT ALLOW`
			`"`

			`exec_bin {`
			`path: "/bin/bash"`
			`arg: "-i"`
			`}`