use new kafel features in configs and examples
This commit is contained in:
parent
758f90a279
commit
1bb58083c4
@ -243,7 +243,7 @@ drwxr-xr-x 4 65534 65534 20480 May 24 00:24 sbin
|
|||||||
### Even more contrained shell (with seccomp-bpf policies)
|
### Even more contrained shell (with seccomp-bpf policies)
|
||||||
|
|
||||||
<pre>
|
<pre>
|
||||||
$ ./nsjail --chroot / --seccomp_string 'POLICY a { ALLOW { write, execve, brk, access, mmap, open, newfstat, close, read, mprotect, arch_prctl, munmap, getuid, getgid, getpid, rt_sigaction, geteuid, getppid, getcwd, getegid, ioctl, fcntl, newstat, clone, wait4, rt_sigreturn, exit_group } } USE a DEFAULT KILL' -- /bin/sh -i
|
$ ./nsjail --chroot / --seccomp_string 'ALLOW { write, execve, brk, access, mmap, open, openat, newfstat, close, read, mprotect, arch_prctl, munmap, getuid, getgid, getpid, rt_sigaction, geteuid, getppid, getcwd, getegid, ioctl, fcntl, newstat, clone, wait4, rt_sigreturn, exit_group } DEFAULT KILL' -- /bin/sh -i
|
||||||
[2017-01-15T21:53:08+0100] Mode: STANDALONE_ONCE
|
[2017-01-15T21:53:08+0100] Mode: STANDALONE_ONCE
|
||||||
[2017-01-15T21:53:08+0100] Jail parameters: hostname:'NSJAIL', chroot:'/', process:'/bin/sh', bind:[::]:0, max_conns_per_ip:0, uid:(ns:1000, global:1000), gid:(ns:1000, global:1000), time_limit:0, personality:0, daemonize:false, clone_newnet:true, clone_newuser:true, clone_newns:true, clone_newpid:true, clone_newipc:true, clonew_newuts:true, clone_newcgroup:false, keep_caps:false, tmpfs_size:4194304, disable_no_new_privs:false, pivot_root_only:false
|
[2017-01-15T21:53:08+0100] Jail parameters: hostname:'NSJAIL', chroot:'/', process:'/bin/sh', bind:[::]:0, max_conns_per_ip:0, uid:(ns:1000, global:1000), gid:(ns:1000, global:1000), time_limit:0, personality:0, daemonize:false, clone_newnet:true, clone_newuser:true, clone_newns:true, clone_newpid:true, clone_newipc:true, clonew_newuts:true, clone_newcgroup:false, keep_caps:false, tmpfs_size:4194304, disable_no_new_privs:false, pivot_root_only:false
|
||||||
[2017-01-15T21:53:08+0100] Mount point: src:'/' dst:'/' type:'' flags:0x5001 options:''
|
[2017-01-15T21:53:08+0100] Mount point: src:'/' dst:'/' type:'' flags:0x5001 options:''
|
||||||
|
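Review bot: The new README policy on the `$ ./nsjail --chroot / --seccomp_string 'ALLOW { ... } DEFAULT KILL'` line also adds `openat` to the allow set, which widens the example's allowlist relative to the old `POLICY a { ... } USE a DEFAULT KILL` string while the commit title describes only a syntax migration; a short sentence in the commit message or the README text saying why `openat` was added would stop readers from treating the two strings as equivalent. Since `DEFAULT KILL` terminates the shell on any syscall outside this set, the text could also state that the list was derived for one particular `/bin/sh` build and will likely need adjusting elsewhere (names such as `arch_prctl`, `newstat` and `newfstat` look x86_64-specific, to be confirmed). The heading kept as context, `### Even more contrained shell (with seccomp-bpf policies)`, misspells "constrained" and is cheap to fix while this section is being edited.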
@ -117,14 +117,12 @@ mount {
|
|||||||
is_bind: true
|
is_bind: true
|
||||||
}
|
}
|
||||||
|
|
||||||
seccomp_string: " POLICY example {"
|
|
||||||
seccomp_string: " KILL {"
|
seccomp_string: " KILL {"
|
||||||
seccomp_string: " ptrace,"
|
seccomp_string: " ptrace,"
|
||||||
seccomp_string: " process_vm_readv,"
|
seccomp_string: " process_vm_readv,"
|
||||||
seccomp_string: " process_vm_writev"
|
seccomp_string: " process_vm_writev"
|
||||||
seccomp_string: " }"
|
seccomp_string: " }"
|
||||||
seccomp_string: " }"
|
seccomp_string: " DEFAULT ALLOW"
|
||||||
seccomp_string: " USE example DEFAULT ALLOW"
|
|
||||||
|
|
||||||
macvlan_iface: "enp0s31f6"
|
macvlan_iface: "enp0s31f6"
|
||||||
macvlan_vs_ip: "192.168.10.223"
|
macvlan_vs_ip: "192.168.10.223"
|
||||||
|
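Review bot: The six denylist configs migrated in this commit use two different fragment layouts: this hunk and the one at `@ -172,12 +172,10 @@` indent the body inside the strings (`" KILL {"`, `" }"`, `" DEFAULT ALLOW"`), while the hunks at `@ -164,14 +164,12 @@`, `@ -156,14 +156,12 @@`, `@ -126,11 +126,9 @@` and `@ -128,14 +128,12 @@` use `"KILL {"` / `"}"` / `"DEFAULT ALLOW"` with nothing between the closing brace and the default action. If nsjail joins the `seccomp_string` entries without inserting whitespace — not visible here — the braces still delimit tokens, but a single convention across the configs would make the concatenated policy easier to read and to diff. Dropping the `POLICY example { ... }` / `USE example` wrapper also removes the only label these blocks had; assuming the config format accepts `#` comments, a line such as `# deny-list: kill on ptrace/process_vm_* access to other processes; everything else is allowed (DEFAULT ALLOW)` above `seccomp_string: " KILL {"` would keep the intent visible in each file.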
@ -172,12 +172,10 @@ mount {
|
|||||||
mandatory: false
|
mandatory: false
|
||||||
}
|
}
|
||||||
|
|
||||||
seccomp_string: "POLICY example { "
|
seccomp_string: "ERRNO(1337) { geteuid } "
|
||||||
seccomp_string: " ERRNO(1337) { geteuid }, "
|
seccomp_string: "ERRNO(0) { ptrace } "
|
||||||
seccomp_string: " ERRNO(0) { ptrace }, "
|
|
||||||
seccomp_string: "KILL { syslog } "
|
seccomp_string: "KILL { syslog } "
|
||||||
seccomp_string: "} "
|
seccomp_string: "DEFAULT ALLOW "
|
||||||
seccomp_string: "USE example DEFAULT ALLOW"
|
|
||||||
|
|
||||||
exec_bin {
|
exec_bin {
|
||||||
path: "/bin/bash"
|
path: "/bin/bash"
|
||||||
|
@ -165,14 +165,12 @@ mount {
|
|||||||
is_bind: true
|
is_bind: true
|
||||||
}
|
}
|
||||||
|
|
||||||
seccomp_string: " POLICY example {"
|
|
||||||
seccomp_string: " KILL {"
|
seccomp_string: " KILL {"
|
||||||
seccomp_string: " ptrace,"
|
seccomp_string: " ptrace,"
|
||||||
seccomp_string: " process_vm_readv,"
|
seccomp_string: " process_vm_readv,"
|
||||||
seccomp_string: " process_vm_writev"
|
seccomp_string: " process_vm_writev"
|
||||||
seccomp_string: " }"
|
seccomp_string: " }"
|
||||||
seccomp_string: " }"
|
seccomp_string: " DEFAULT ALLOW"
|
||||||
seccomp_string: " USE example DEFAULT ALLOW"
|
|
||||||
|
|
||||||
exec_bin {
|
exec_bin {
|
||||||
path: "/opt/google/chrome/google-chrome"
|
path: "/opt/google/chrome/google-chrome"
|
||||||
|
@ -164,14 +164,12 @@ mount {
|
|||||||
is_bind: true
|
is_bind: true
|
||||||
}
|
}
|
||||||
|
|
||||||
seccomp_string: "POLICY example {"
|
|
||||||
seccomp_string: "KILL {"
|
seccomp_string: "KILL {"
|
||||||
seccomp_string: " ptrace,"
|
seccomp_string: " ptrace,"
|
||||||
seccomp_string: " process_vm_readv,"
|
seccomp_string: " process_vm_readv,"
|
||||||
seccomp_string: " process_vm_writev"
|
seccomp_string: " process_vm_writev"
|
||||||
seccomp_string: "}"
|
seccomp_string: "}"
|
||||||
seccomp_string: "}"
|
seccomp_string: "DEFAULT ALLOW"
|
||||||
seccomp_string: "USE example DEFAULT ALLOW"
|
|
||||||
|
|
||||||
macvlan_iface: "enp0s31f6"
|
macvlan_iface: "enp0s31f6"
|
||||||
macvlan_vs_ip: "192.168.10.223"
|
macvlan_vs_ip: "192.168.10.223"
|
||||||
|
@ -156,14 +156,12 @@ mount {
|
|||||||
is_bind: true
|
is_bind: true
|
||||||
}
|
}
|
||||||
|
|
||||||
seccomp_string: "POLICY example {"
|
|
||||||
seccomp_string: "KILL {"
|
seccomp_string: "KILL {"
|
||||||
seccomp_string: " ptrace,"
|
seccomp_string: " ptrace,"
|
||||||
seccomp_string: " process_vm_readv,"
|
seccomp_string: " process_vm_readv,"
|
||||||
seccomp_string: " process_vm_writev"
|
seccomp_string: " process_vm_writev"
|
||||||
seccomp_string: "}"
|
seccomp_string: "}"
|
||||||
seccomp_string: "}"
|
seccomp_string: "DEFAULT ALLOW"
|
||||||
seccomp_string: "USE example DEFAULT ALLOW"
|
|
||||||
|
|
||||||
exec_bin {
|
exec_bin {
|
||||||
path: "/usr/lib/firefox/firefox"
|
path: "/usr/lib/firefox/firefox"
|
||||||
|
@ -126,11 +126,9 @@ mount {
|
|||||||
is_bind: true
|
is_bind: true
|
||||||
}
|
}
|
||||||
|
|
||||||
seccomp_string: "POLICY example {"
|
|
||||||
seccomp_string: "KILL {"
|
seccomp_string: "KILL {"
|
||||||
seccomp_string: " ptrace,"
|
seccomp_string: " ptrace,"
|
||||||
seccomp_string: " process_vm_readv,"
|
seccomp_string: " process_vm_readv,"
|
||||||
seccomp_string: " process_vm_writev"
|
seccomp_string: " process_vm_writev"
|
||||||
seccomp_string: "}"
|
seccomp_string: "}"
|
||||||
seccomp_string: "}"
|
seccomp_string: "DEFAULT ALLOW"
|
||||||
seccomp_string: "USE example DEFAULT ALLOW"
|
|
||||||
|
@ -70,7 +70,6 @@ mount {
|
|||||||
mandatory: false
|
mandatory: false
|
||||||
}
|
}
|
||||||
|
|
||||||
seccomp_string: "POLICY imagemagick_convert {"
|
|
||||||
seccomp_string: "ALLOW {"
|
seccomp_string: "ALLOW {"
|
||||||
seccomp_string: " read, write, open, openat, close, newstat, newfstat,"
|
seccomp_string: " read, write, open, openat, close, newstat, newfstat,"
|
||||||
seccomp_string: " newlstat, lseek, mmap, mprotect, munmap, brk,"
|
seccomp_string: " newlstat, lseek, mmap, mprotect, munmap, brk,"
|
||||||
@ -81,8 +80,7 @@ seccomp_string: " arch_prctl, sched_getaffinity, set_tid_address,"
|
|||||||
seccomp_string: " clock_gettime, set_robust_list, exit_group,"
|
seccomp_string: " clock_gettime, set_robust_list, exit_group,"
|
||||||
seccomp_string: " clone, getcwd, pread64, readlink, prlimit64"
|
seccomp_string: " clone, getcwd, pread64, readlink, prlimit64"
|
||||||
seccomp_string: "}"
|
seccomp_string: "}"
|
||||||
seccomp_string: "}"
|
seccomp_string: "DEFAULT KILL"
|
||||||
seccomp_string: "USE imagemagick_convert DEFAULT KILL"
|
|
||||||
|
|
||||||
exec_bin {
|
exec_bin {
|
||||||
path: "/usr/bin/convert"
|
path: "/usr/bin/convert"
|
||||||
|
@ -36,10 +36,8 @@ mount {
|
|||||||
rw: false
|
rw: false
|
||||||
}
|
}
|
||||||
|
|
||||||
seccomp_string: "POLICY example { "
|
|
||||||
seccomp_string: "ERRNO(0) { ptrace }"
|
seccomp_string: "ERRNO(0) { ptrace }"
|
||||||
seccomp_string: "} "
|
seccomp_string: "DEFAULT ALLOW"
|
||||||
seccomp_string: "USE example DEFAULT ALLOW "
|
|
||||||
|
|
||||||
exec_bin {
|
exec_bin {
|
||||||
path: "/bin/busybox"
|
path: "/bin/busybox"
|
||||||
|
@ -128,14 +128,12 @@ mount {
|
|||||||
is_bind: true
|
is_bind: true
|
||||||
}
|
}
|
||||||
|
|
||||||
seccomp_string: "POLICY example {"
|
|
||||||
seccomp_string: "KILL {"
|
seccomp_string: "KILL {"
|
||||||
seccomp_string: " ptrace,"
|
seccomp_string: " ptrace,"
|
||||||
seccomp_string: " process_vm_readv,"
|
seccomp_string: " process_vm_readv,"
|
||||||
seccomp_string: " process_vm_writev"
|
seccomp_string: " process_vm_writev"
|
||||||
seccomp_string: "}"
|
seccomp_string: "}"
|
||||||
seccomp_string: "}"
|
seccomp_string: "DEFAULT ALLOW"
|
||||||
seccomp_string: "USE example DEFAULT ALLOW"
|
|
||||||
|
|
||||||
exec_bin {
|
exec_bin {
|
||||||
path: "/usr/bin/xchat"
|
path: "/usr/bin/xchat"
|
||||||
|