# nsjail policy (protobuf text format): run a static busybox shell inside a
# mount namespace that contains nothing but /proc. The binary is handed to the
# jail as a file descriptor, so it does not have to be visible in the jail.
name: "static-busybox-with-execveat"

description: "An example/demo policy which allows to execute /bin/busybox-static in an "
description: "empty (only /proc) mount namespace which doesn't even include busybox itself"
# NOTE(review): the description mentions /bin/busybox-static, while exec_bin.path
# below is /bin/busybox; the path is what actually runs.

# Execute the command a single time and exit (no listening/re-run mode).
mode: ONCE
hostname: "BUSYBOX"
cwd: "/"

# Limit on how long the jailed process may run; presumably seconds — confirm
# against the nsjail docs for the version in use.
time_limit: 100

# Do not inherit the parent's environment; only the two variables below exist
# inside the jail.
keep_env: false
envar: "TERM=linux"
envar: "PS1=$ "

# Keep the jailed process in the caller's session instead of calling setsid();
# presumably so the interactive shell keeps its controlling terminal — confirm.
skip_setsid: true

clone_newcgroup: true

# Single-entry uid/gid maps: id 999999 inside the jail. outside_id is left empty;
# how nsjail treats an empty outside_id (presumably "the invoking user's id")
# should be confirmed before relying on the mapping.
uidmap {
  inside_id: "999999"
  outside_id: ""
  count: 1
}
gidmap {
  inside_id: "999999"
  outside_id: ""
  count: 1
}

# Replace nsjail's default /proc mount with an explicit read-only one; per the
# description this is the only mount in the namespace.
mount_proc: false
mount {
  dst: "/proc"
  fstype: "proc"
  rw: false
}

# Seccomp policy (kafel syntax): ptrace is short-circuited to return errno 0
# (presumably it appears to succeed without doing anything — confirm), and every
# other syscall is allowed. Isolation therefore rests on the namespaces and the
# near-empty mount tree rather than on syscall filtering.
seccomp_string: "ERRNO(0) { ptrace }"
seccomp_string: "DEFAULT ALLOW"

# Run busybox's shell. With exec_fd nsjail opens the path outside the jail and
# executes it through the descriptor (execveat), which is why /bin/busybox need
# not be present in the jail's mount namespace.
exec_bin {
  path: "/bin/busybox"
  arg: "sh"
  exec_fd: true
}