diff --git a/README.md b/README.md
index f018484..ea12994 100644
--- a/README.md
+++ b/README.md
@@ -243,7 +243,7 @@ drwxr-xr-x 4 65534 65534 20480 May 24 00:24 sbin
 ### Even more contrained shell (with seccomp-bpf policies)
-$ ./nsjail --chroot / --seccomp_string 'POLICY a { ALLOW { write, execve, brk, access, mmap, open, newfstat, close, read, mprotect, arch_prctl, munmap, getuid, getgid, getpid, rt_sigaction, geteuid, getppid, getcwd, getegid, ioctl, fcntl, newstat, clone, wait4, rt_sigreturn, exit_group } } USE a DEFAULT KILL' -- /bin/sh -i
+$ ./nsjail --chroot / --seccomp_string 'ALLOW { write, execve, brk, access, mmap, open, openat, newfstat, close, read, mprotect, arch_prctl, munmap, getuid, getgid, getpid, rt_sigaction, geteuid, getppid, getcwd, getegid, ioctl, fcntl, newstat, clone, wait4, rt_sigreturn, exit_group } DEFAULT KILL' -- /bin/sh -i
 [2017-01-15T21:53:08+0100] Mode: STANDALONE_ONCE
 [2017-01-15T21:53:08+0100] Jail parameters: hostname:'NSJAIL', chroot:'/', process:'/bin/sh', bind:[::]:0, max_conns_per_ip:0, uid:(ns:1000, global:1000), gid:(ns:1000, global:1000), time_limit:0, personality:0, daemonize:false, clone_newnet:true, clone_newuser:true, clone_newns:true, clone_newpid:true, clone_newipc:true, clonew_newuts:true, clone_newcgroup:false, keep_caps:false, tmpfs_size:4194304, disable_no_new_privs:false, pivot_root_only:false
 [2017-01-15T21:53:08+0100] Mount point: src:'/' dst:'/' type:'' flags:0x5001 options:''
diff --git a/configs/apache.cfg b/configs/apache.cfg
index 68a36e0..f3ae838 100644
--- a/configs/apache.cfg
+++ b/configs/apache.cfg
@@ -117,14 +117,12 @@ mount {
 is_bind: true
 }
-seccomp_string: " POLICY example {"
-seccomp_string: " KILL {"
-seccomp_string: " ptrace,"
-seccomp_string: " process_vm_readv,"
-seccomp_string: " process_vm_writev"
-seccomp_string: " }"
+seccomp_string: " KILL {"
+seccomp_string: " ptrace,"
+seccomp_string: " process_vm_readv,"
+seccomp_string: " process_vm_writev"
 seccomp_string: " }"
-seccomp_string: " USE example DEFAULT ALLOW"
+seccomp_string: " DEFAULT ALLOW"
 macvlan_iface: "enp0s31f6"
 macvlan_vs_ip: "192.168.10.223"
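Review bot: The new `KILL { ptrace, process_vm_readv, process_vm_writev }` block sits under `DEFAULT ALLOW`, so it is a deny-list and every syscall not named stays reachable from the jailed apache — including other introspection and attack-surface calls such as `kcmp`, `perf_event_open`, `bpf`, `keyctl`/`add_key`/`request_key`, `userfaultfd` and, on newer kernels, `pidfd_getfd`. If the intent is only to stop cross-process memory access, record that next to the block, e.g. `# Minimal deny-list: blocks process introspection only; everything else is allowed`, so the gap reads as deliberate. Otherwise consider widening the KILL set, checking first that the kafel build in use knows each name, since I believe an unrecognized syscall name fails the policy compile rather than being ignored. The identical block is pasted into five other configs in this commit; if the nsjail build supports `seccomp_policy_file`, keeping the shared policy in one file would avoid the copies drifting apart.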
diff --git a/configs/bash-with-fake-geteuid.cfg b/configs/bash-with-fake-geteuid.cfg
index 660cb4d..c0046ba 100644
--- a/configs/bash-with-fake-geteuid.cfg
+++ b/configs/bash-with-fake-geteuid.cfg
@@ -172,12 +172,10 @@ mount {
 mandatory: false
 }
-seccomp_string: "POLICY example { "
-seccomp_string: " ERRNO(1337) { geteuid }, "
-seccomp_string: " ERRNO(0) { ptrace }, "
-seccomp_string: " KILL { syslog } "
-seccomp_string: "} "
-seccomp_string: "USE example DEFAULT ALLOW"
+seccomp_string: "ERRNO(1337) { geteuid } "
+seccomp_string: "ERRNO(0) { ptrace } "
+seccomp_string: "KILL { syslog } "
+seccomp_string: "DEFAULT ALLOW "
 exec_bin {
 path: "/bin/bash"
diff --git a/configs/demo-dont-use-chrome-with-net.cfg b/configs/demo-dont-use-chrome-with-net.cfg
index 9a17f33..f7aeb1a 100644
--- a/configs/demo-dont-use-chrome-with-net.cfg
+++ b/configs/demo-dont-use-chrome-with-net.cfg
@@ -165,14 +165,12 @@ mount {
 is_bind: true
 }
-seccomp_string: " POLICY example {"
-seccomp_string: " KILL {"
-seccomp_string: " ptrace,"
-seccomp_string: " process_vm_readv,"
-seccomp_string: " process_vm_writev"
-seccomp_string: " }"
+seccomp_string: " KILL {"
+seccomp_string: " ptrace,"
+seccomp_string: " process_vm_readv,"
+seccomp_string: " process_vm_writev"
 seccomp_string: " }"
-seccomp_string: " USE example DEFAULT ALLOW"
+seccomp_string: " DEFAULT ALLOW"
 exec_bin {
 path: "/opt/google/chrome/google-chrome"
diff --git a/configs/firefox-with-cloned-net.cfg b/configs/firefox-with-cloned-net.cfg
index 627c9a1..e7cb5bf 100644
--- a/configs/firefox-with-cloned-net.cfg
+++ b/configs/firefox-with-cloned-net.cfg
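Review bot: `ERRNO(1337) { geteuid }` on the new side uses a value that is not a real errno, and nothing in the config says what the jailed bash will actually observe. If the libc wrapper treats the negative return the usual way, `geteuid()` comes back as `(uid_t)-1` with `errno` set to 1337, so `$EUID` presumably shows 4294967295 rather than a chosen fake uid; that may be the intended demo, but a comment such as `# geteuid() fails with a bogus errno so bash sees EUID = (uid_t)-1, not a real uid` would save the next reader from expecting a spoofed value. Note also that `ERRNO(0) { ptrace }` here makes ptrace appear to succeed, whereas the other configs in this commit KILL it — worth a one-line comment on why this file differs, if it is deliberate.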
@@ -164,14 +164,12 @@ mount {
 is_bind: true
 }
-seccomp_string: "POLICY example {"
-seccomp_string: " KILL {"
-seccomp_string: " ptrace,"
-seccomp_string: " process_vm_readv,"
-seccomp_string: " process_vm_writev"
-seccomp_string: " }"
+seccomp_string: "KILL {"
+seccomp_string: " ptrace,"
+seccomp_string: " process_vm_readv,"
+seccomp_string: " process_vm_writev"
 seccomp_string: "}"
-seccomp_string: "USE example DEFAULT ALLOW"
+seccomp_string: "DEFAULT ALLOW"
 macvlan_iface: "enp0s31f6"
 macvlan_vs_ip: "192.168.10.223"
diff --git a/configs/firefox-with-net.cfg b/configs/firefox-with-net.cfg
index b5e0f36..75149b4 100644
--- a/configs/firefox-with-net.cfg
+++ b/configs/firefox-with-net.cfg
@@ -156,14 +156,12 @@ mount {
 is_bind: true
 }
-seccomp_string: "POLICY example {"
-seccomp_string: " KILL {"
-seccomp_string: " ptrace,"
-seccomp_string: " process_vm_readv,"
-seccomp_string: " process_vm_writev"
-seccomp_string: " }"
+seccomp_string: "KILL {"
+seccomp_string: " ptrace,"
+seccomp_string: " process_vm_readv,"
+seccomp_string: " process_vm_writev"
 seccomp_string: "}"
-seccomp_string: "USE example DEFAULT ALLOW"
+seccomp_string: "DEFAULT ALLOW"
 exec_bin {
 path: "/usr/lib/firefox/firefox"
diff --git a/configs/home-documents-with-xorg-no-net.cfg b/configs/home-documents-with-xorg-no-net.cfg
index a5dc2ca..afd7168 100644
--- a/configs/home-documents-with-xorg-no-net.cfg
+++ b/configs/home-documents-with-xorg-no-net.cfg
@@ -126,11 +126,9 @@ mount {
 is_bind: true
 }
-seccomp_string: "POLICY example {"
-seccomp_string: " KILL {"
-seccomp_string: " ptrace,"
-seccomp_string: " process_vm_readv,"
-seccomp_string: " process_vm_writev"
-seccomp_string: " }"
+seccomp_string: "KILL {"
+seccomp_string: " ptrace,"
+seccomp_string: " process_vm_readv,"
+seccomp_string: " process_vm_writev"
 seccomp_string: "}"
-seccomp_string: "USE example DEFAULT ALLOW"
+seccomp_string: "DEFAULT ALLOW"
diff --git a/configs/imagemagick-convert.cfg b/configs/imagemagick-convert.cfg
index ed95620..dfe702d 100644
--- a/configs/imagemagick-convert.cfg
+++ b/configs/imagemagick-convert.cfg
@@ -70,19 +70,17 @@ mount {
 mandatory: false
 }
-seccomp_string: "POLICY imagemagick_convert {"
-seccomp_string: " ALLOW {"
-seccomp_string: " read, write, open, openat, close, newstat, newfstat,"
-seccomp_string: " newlstat, lseek, mmap, mprotect, munmap, brk,"
-seccomp_string: " rt_sigaction, rt_sigprocmask, pwrite64, access,"
-seccomp_string: " getpid, execveat, getdents, unlink, fchmod,"
-seccomp_string: " getrlimit, getrusage, sysinfo, times, futex,"
-seccomp_string: " arch_prctl, sched_getaffinity, set_tid_address,"
-seccomp_string: " clock_gettime, set_robust_list, exit_group,"
-seccomp_string: " clone, getcwd, pread64, readlink, prlimit64"
-seccomp_string: " }"
+seccomp_string: "ALLOW {"
+seccomp_string: " read, write, open, openat, close, newstat, newfstat,"
+seccomp_string: " newlstat, lseek, mmap, mprotect, munmap, brk,"
+seccomp_string: " rt_sigaction, rt_sigprocmask, pwrite64, access,"
+seccomp_string: " getpid, execveat, getdents, unlink, fchmod,"
+seccomp_string: " getrlimit, getrusage, sysinfo, times, futex,"
+seccomp_string: " arch_prctl, sched_getaffinity, set_tid_address,"
+seccomp_string: " clock_gettime, set_robust_list, exit_group,"
+seccomp_string: " clone, getcwd, pread64, readlink, prlimit64"
 seccomp_string: "}"
-seccomp_string: "USE imagemagick_convert DEFAULT KILL"
+seccomp_string: "DEFAULT KILL"
 exec_bin {
 path: "/usr/bin/convert"
diff --git a/configs/static-busybox-with-execveat.cfg b/configs/static-busybox-with-execveat.cfg
index 56b7cf1..0d0a49e 100644
--- a/configs/static-busybox-with-execveat.cfg
+++ b/configs/static-busybox-with-execveat.cfg
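Review bot: The rewritten `ALLOW { ... }` list keeps `execveat` and an unfiltered `clone` without saying why, and both widen a policy that is otherwise a tight converter allow-list. `execveat` is presumably there so nsjail can launch `/usr/bin/convert` after the filter is installed, but it also lets `convert` itself exec any binary reachable through the mounts; `clone` with no argument constraint admits every flag combination. The omission of `execve` is the most security-relevant property of this policy — ImageMagick's delegates go through `system()` and are killed under `DEFAULT KILL` — so it deserves a comment, e.g. `# execve deliberately absent: ImageMagick delegates (system()) die under DEFAULT KILL; execveat is only for nsjail's own launch of convert`. If the kafel version in use supports argument filters on `clone`, narrowing it to thread-creation flags would be a reasonable follow-up; I have not verified the exact syntax against this build.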
@@ -36,10 +36,8 @@ mount {
 rw: false
 }
-seccomp_string: "POLICY example { "
-seccomp_string: " ERRNO(0) { ptrace } "
-seccomp_string: "} "
-seccomp_string: "USE example DEFAULT ALLOW "
+seccomp_string: "ERRNO(0) { ptrace }"
+seccomp_string: "DEFAULT ALLOW"
 exec_bin {
 path: "/bin/busybox"
diff --git a/configs/xchat-with-net.cfg b/configs/xchat-with-net.cfg
index 6ff49f5..a8d2c8d 100644
--- a/configs/xchat-with-net.cfg
+++ b/configs/xchat-with-net.cfg
@@ -128,14 +128,12 @@ mount {
 is_bind: true
 }
-seccomp_string: "POLICY example {"
-seccomp_string: " KILL {"
-seccomp_string: " ptrace,"
-seccomp_string: " process_vm_readv,"
-seccomp_string: " process_vm_writev"
-seccomp_string: " }"
+seccomp_string: "KILL {"
+seccomp_string: " ptrace,"
+seccomp_string: " process_vm_readv,"
+seccomp_string: " process_vm_writev"
 seccomp_string: "}"
-seccomp_string: "USE example DEFAULT ALLOW"
+seccomp_string: "DEFAULT ALLOW"
 exec_bin {
 path: "/usr/bin/xchat"
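Review bot: The new `"ERRNO(0) { ptrace }"` and `"DEFAULT ALLOW"` lines drop the trailing space inside the string that the old lines had, while the same commit keeps it in bash-with-fake-geteuid.cfg (`"DEFAULT ALLOW "`), so the configs now follow two conventions. The `seccomp_string` entries are concatenated into one kafel policy; if the join inserts no separator the result here is `}DEFAULT ALLOW`, which still tokenizes because `}` is punctuation, but a future line ending in an identifier would fuse with the next one. Pick one convention across the configs — either rely on nsjail's joining behaviour and note it once in a comment, or keep the trailing space consistently — so the policy text does not depend on which token happens to end a line.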