use new kafel features in configs and examples

2018-09-06 11:14:24 +02:00 · 2018-09-06 11:14:24 +02:00 · 1bb58083c4
commit 1bb58083c4
parent 758f90a279
10 changed files with 47 additions and 65 deletions
--- a/README.md
+++ b/README.md
@ -243,7 +243,7 @@ drwxr-xr-x   4 65534 65534 20480 May 24 00:24 sbin
 ### Even more contrained shell (with seccomp-bpf policies)
 <pre>
-$ ./nsjail --chroot / --seccomp_string 'POLICY a { ALLOW { write, execve, brk, access, mmap, open, newfstat, close, read, mprotect, arch_prctl, munmap, getuid, getgid, getpid, rt_sigaction, geteuid, getppid, getcwd, getegid, ioctl, fcntl, newstat, clone, wait4, rt_sigreturn, exit_group } } USE a DEFAULT KILL' -- /bin/sh -i
+$ ./nsjail --chroot / --seccomp_string 'ALLOW { write, execve, brk, access, mmap, open, openat, newfstat, close, read, mprotect, arch_prctl, munmap, getuid, getgid, getpid, rt_sigaction, geteuid, getppid, getcwd, getegid, ioctl, fcntl, newstat, clone, wait4, rt_sigreturn, exit_group } DEFAULT KILL' -- /bin/sh -i
 [2017-01-15T21:53:08+0100] Mode: STANDALONE_ONCE
 [2017-01-15T21:53:08+0100] Jail parameters: hostname:'NSJAIL', chroot:'/', process:'/bin/sh', bind:[::]:0, max_conns_per_ip:0, uid:(ns:1000, global:1000), gid:(ns:1000, global:1000), time_limit:0, personality:0, daemonize:false, clone_newnet:true, clone_newuser:true, clone_newns:true, clone_newpid:true, clone_newipc:true, clonew_newuts:true, clone_newcgroup:false, keep_caps:false, tmpfs_size:4194304, disable_no_new_privs:false, pivot_root_only:false
 [2017-01-15T21:53:08+0100] Mount point: src:'/' dst:'/' type:'' flags:0x5001 options:''
--- a/configs/apache.cfg
+++ b/configs/apache.cfg
@ -117,14 +117,12 @@ mount {
 	is_bind: true
 }
-seccomp_string: "	POLICY example {"
+seccomp_string: "	KILL {"
-seccomp_string: "		KILL {"
+seccomp_string: "		ptrace,"
-seccomp_string: "			ptrace,"
+seccomp_string: "		process_vm_readv,"
-seccomp_string: "			process_vm_readv,"
+seccomp_string: "		process_vm_writev"
 seccomp_string: "			process_vm_writev"
 seccomp_string: "		}"
 seccomp_string: "	}"
-seccomp_string: "	USE example DEFAULT ALLOW"
+seccomp_string: "	DEFAULT ALLOW"
 macvlan_iface: "enp0s31f6"
 macvlan_vs_ip: "192.168.10.223"
--- a/configs/bash-with-fake-geteuid.cfg
+++ b/configs/bash-with-fake-geteuid.cfg
@ -172,12 +172,10 @@ mount {
 	mandatory: false
 }
-seccomp_string: "POLICY example {				"
+seccomp_string: "ERRNO(1337) { geteuid }	"
-seccomp_string:	"	ERRNO(1337) { geteuid },	"
+seccomp_string: "ERRNO(0) { ptrace }		"
-seccomp_string:	"	ERRNO(0) { ptrace },		"
+seccomp_string: "KILL { syslog }		"
-seccomp_string: "	KILL { syslog }				"
+seccomp_string: "DEFAULT ALLOW			"
 seccomp_string:	"}								"
 seccomp_string:	"USE example DEFAULT ALLOW"
 exec_bin {
 	path: "/bin/bash"
--- a/configs/demo-dont-use-chrome-with-net.cfg
+++ b/configs/demo-dont-use-chrome-with-net.cfg
@ -165,14 +165,12 @@ mount {
 	is_bind: true
 }
-seccomp_string: "	POLICY example {"
+seccomp_string: "	KILL {"
-seccomp_string: "		KILL {"
+seccomp_string: "		ptrace,"
-seccomp_string: "			ptrace,"
+seccomp_string: "		process_vm_readv,"
-seccomp_string: "			process_vm_readv,"
+seccomp_string: "		process_vm_writev"
 seccomp_string: "			process_vm_writev"
 seccomp_string: "		}"
 seccomp_string: "	}"
-seccomp_string: "	USE example DEFAULT ALLOW"
+seccomp_string: "	DEFAULT ALLOW"
 exec_bin {
        path: "/opt/google/chrome/google-chrome"
--- a/configs/firefox-with-cloned-net.cfg
+++ b/configs/firefox-with-cloned-net.cfg
@ -164,14 +164,12 @@ mount {
 	is_bind: true
 }
-seccomp_string: "POLICY example {"
+seccomp_string: "KILL {"
-seccomp_string: "	KILL {"
+seccomp_string: "	ptrace,"
-seccomp_string: "		ptrace,"
+seccomp_string: "	process_vm_readv,"
-seccomp_string: "		process_vm_readv,"
+seccomp_string: "	process_vm_writev"
 seccomp_string: "		process_vm_writev"
 seccomp_string: "	}"
 seccomp_string: "}"
-seccomp_string: "USE example DEFAULT ALLOW"
+seccomp_string: "DEFAULT ALLOW"
 macvlan_iface: "enp0s31f6"
 macvlan_vs_ip: "192.168.10.223"
--- a/configs/firefox-with-net.cfg
+++ b/configs/firefox-with-net.cfg
@ -156,14 +156,12 @@ mount {
 	is_bind: true
 }
-seccomp_string: "POLICY example {"
+seccomp_string: "KILL {"
-seccomp_string: "	KILL {"
+seccomp_string: "	ptrace,"
-seccomp_string: "		ptrace,"
+seccomp_string: "	process_vm_readv,"
-seccomp_string: "		process_vm_readv,"
+seccomp_string: "	process_vm_writev"
 seccomp_string: "		process_vm_writev"
 seccomp_string: "	}"
 seccomp_string: "}"
-seccomp_string: "USE example DEFAULT ALLOW"
+seccomp_string: "DEFAULT ALLOW"
 exec_bin {
 	path: "/usr/lib/firefox/firefox"
--- a/configs/home-documents-with-xorg-no-net.cfg
+++ b/configs/home-documents-with-xorg-no-net.cfg
@ -126,11 +126,9 @@ mount {
 	is_bind: true
 }
-seccomp_string: "POLICY example {"
+seccomp_string: "KILL {"
-seccomp_string: "	KILL {"
+seccomp_string: "	ptrace,"
-seccomp_string: "		ptrace,"
+seccomp_string: "	process_vm_readv,"
-seccomp_string: "		process_vm_readv,"
+seccomp_string: "	process_vm_writev"
 seccomp_string: "		process_vm_writev"
 seccomp_string: "	}"
 seccomp_string: "}"
-seccomp_string: "USE example DEFAULT ALLOW"
+seccomp_string: "DEFAULT ALLOW"
--- a/configs/imagemagick-convert.cfg
+++ b/configs/imagemagick-convert.cfg
@ -70,19 +70,17 @@ mount {
 	mandatory: false
 }
-seccomp_string: "POLICY imagemagick_convert {"
+seccomp_string: "ALLOW {"
-seccomp_string: "  ALLOW {"
+seccomp_string: "  read, write, open, openat, close, newstat, newfstat,"
-seccomp_string: "    read, write, open, openat, close, newstat, newfstat,"
+seccomp_string: "  newlstat, lseek, mmap, mprotect, munmap, brk,"
-seccomp_string: "    newlstat, lseek, mmap, mprotect, munmap, brk,"
+seccomp_string: "  rt_sigaction, rt_sigprocmask, pwrite64, access,"
-seccomp_string: "    rt_sigaction, rt_sigprocmask, pwrite64, access,"
+seccomp_string: "  getpid, execveat, getdents, unlink, fchmod,"
-seccomp_string: "    getpid, execveat, getdents, unlink, fchmod,"
+seccomp_string: "  getrlimit, getrusage, sysinfo, times, futex,"
-seccomp_string: "    getrlimit, getrusage, sysinfo, times, futex,"
+seccomp_string: "  arch_prctl, sched_getaffinity, set_tid_address,"
-seccomp_string: "    arch_prctl, sched_getaffinity, set_tid_address,"
+seccomp_string: "  clock_gettime, set_robust_list, exit_group,"
-seccomp_string: "    clock_gettime, set_robust_list, exit_group,"
+seccomp_string: "  clone, getcwd, pread64, readlink, prlimit64"
 seccomp_string: "    clone, getcwd, pread64, readlink, prlimit64"
 seccomp_string: "  }"
 seccomp_string: "}"
-seccomp_string: "USE imagemagick_convert DEFAULT KILL"
+seccomp_string: "DEFAULT KILL"
 exec_bin {
 	path: "/usr/bin/convert"
--- a/configs/static-busybox-with-execveat.cfg
+++ b/configs/static-busybox-with-execveat.cfg
@ -36,10 +36,8 @@ mount {
 	rw: false
 }
-seccomp_string: "POLICY example {				"
+seccomp_string: "ERRNO(0) { ptrace }"
-seccomp_string:	"	ERRNO(0) { ptrace }	    	"
+seccomp_string: "DEFAULT ALLOW"
 seccomp_string:	"}								"
 seccomp_string:	"USE example DEFAULT ALLOW		"
 exec_bin {
 	path: "/bin/busybox"
--- a/configs/xchat-with-net.cfg
+++ b/configs/xchat-with-net.cfg
@ -128,14 +128,12 @@ mount {
 	is_bind: true
 }
-seccomp_string: "POLICY example {"
+seccomp_string: "KILL {"
-seccomp_string: "	KILL {"
+seccomp_string: "	ptrace,"
-seccomp_string: "		ptrace,"
+seccomp_string: "	process_vm_readv,"
-seccomp_string: "		process_vm_readv,"
+seccomp_string: "	process_vm_writev"
 seccomp_string: "		process_vm_writev"
 seccomp_string: "	}"
 seccomp_string: "}"
-seccomp_string: "USE example DEFAULT ALLOW"
+seccomp_string: "DEFAULT ALLOW"
 exec_bin {
        path: "/usr/bin/xchat"