name: "bash-with-fake-geteuid"
description: "An example/demo policy which allows executing /bin/bash and other commands in "
description: "a fairly restricted jail containing only some directories from the main "
description: "system, and with blocked __NR_syslog syscall. Also, __NR_geteuid returns -1337 "
description: "value, which /usr/bin/id will show as euid=4294965959, and ptrace is blocked "
description: "but returns success, hence the strange behavior of the strace command. "
description: "This is an example/demo policy, hence it repeats many default values from the "
description: "https://github.com/google/nsjail/blob/master/config.proto PB schema "
mode: ONCE
hostname: "JAILED-BASH"
cwd: "/tmp"
bindhost: "127.0.0.1"
max_conns_per_ip: 10
port: 31337
time_limit: 100
daemon: false
max_cpus: 1
keep_env: false
envar: "ENVAR1=VALUE1"
envar: "ENVAR2=VALUE2"
envar: "TERM=linux"
envar: "HOME=/"
envar: "PS1=[\\H:\\t:\\s-\\V:\\w]\\$ "
keep_caps: true
cap: "CAP_NET_ADMIN"
cap: "CAP_NET_RAW"
silent: false
skip_setsid: true
pass_fd: 100
pass_fd: 3
disable_no_new_privs: false
rlimit_as: 128
rlimit_core: 0
rlimit_cpu: 10
rlimit_fsize: 0
rlimit_nofile: 32
rlimit_stack_type: SOFT
rlimit_nproc_type: SOFT
persona_addr_compat_layout: false
persona_mmap_page_zero: false
persona_read_implies_exec: false
persona_addr_limit_3gb: false
persona_addr_no_randomize: false
clone_newnet: true
clone_newuser: true
clone_newns: true
clone_newpid: true
clone_newipc: true
clone_newuts: true
clone_newcgroup: true
uidmap {
inside_id: "0"
outside_id: ""
count: 1
}
gidmap {
inside_id: "0"
outside_id: ""
count: 1
}
mount_proc: false
mount {
src: "/lib"
dst: "/lib"
is_bind: true
rw: false
}
mount {
src: "/bin"
dst: "/bin"
is_bind: true
rw: false
}
mount {
src: "/sbin"
dst: "/sbin"
is_bind: true
rw: false
}
mount {
src: "/usr"
dst: "/usr"
is_bind: true
rw: false
}
mount {
src: "/lib64"
dst: "/lib64"
is_bind: true
rw: false
mandatory: false
}
mount {
src: "/lib32"
dst: "/lib32"
is_bind: true
rw: false
mandatory: false
}
mount {
dst: "/tmp"
fstype: "tmpfs"
rw: true
is_bind: false
}
mount {
dst: "/dev"
fstype: "tmpfs"
options: "size=8388608"
rw: true
is_bind: false
}
mount {
src: "/dev/null"
dst: "/dev/null"
rw: true
is_bind: true
}
mount {
dst: "/proc"
fstype: "proc"
rw: false
}
mount {
src_content: "This file was created dynamically"
dst: "/DYNAMIC_FILE"
}
mount {
src: "/nonexistent_777"
dst: "/nonexistent_777"
is_bind: true
mandatory: false
}
mount {
src: "/proc/self/fd"
dst: "/dev/fd"
is_symlink: true
}
mount {
src: "/some/unimportant/target"
dst: "/proc/no/symlinks/can/be/created/in/proc"
is_symlink: true
mandatory: false
}
seccomp_string: "POLICY example { "
seccomp_string: " ERRNO(1337) { geteuid }, "
seccomp_string: " ERRNO(0) { ptrace }, "
seccomp_string: " KILL { syslog } "
seccomp_string: "} "
seccomp_string: "USE example DEFAULT ALLOW"
exec_bin {
path: "/bin/bash"
arg0: "sh"
arg: "-i"
}