configs: some fixes thanks to the write-up at https://offbyinfinity.com/2017/12/sandboxing-imagemagick-with-nsjail/

2017-12-05 15:01:27 +01:00 · 2017-12-05 15:01:27 +01:00 · 5c8397860c
commit 5c8397860c
parent e8e2f4b011
1 changed files with 18 additions and 14 deletions
--- a/configs/imagemagick-convert.cfg
+++ b/configs/imagemagick-convert.cfg
@ -20,7 +20,7 @@ envar: "TMP=/tmp"
 rlimit_as: 2048
 rlimit_cpu: 1000
 rlimit_fsize: 1024
-rlimit_nofile: 16
+rlimit_nofile: 64

 mount {
 	src: "/lib"
@ -48,12 +48,6 @@ mount {
 	mandatory: false
 }

-mount {
-	src: "/usr/bin/convert"
-	dst: "/usr/bin/convert"
-	is_bind: true
-}
-
 mount {
 	dst: "/tmp"
 	fstype: "tmpfs"
@ -76,11 +70,21 @@ mount {
 	mandatory: false
 }

-seccomp_string: "POLICY example {"
-seccomp_string: "	KILL {"
-seccomp_string: "		ptrace,"
-seccomp_string: "		process_vm_readv,"
-seccomp_string: "		process_vm_writev"
-seccomp_string: "	}"
+seccomp_string: "POLICY imagemagick_convert {"
+seccomp_string: "  ALLOW {"
+seccomp_string: "    read, write, open, close, newstat, newfstat,"
+seccomp_string: "    newlstat, lseek, mmap, mprotect, munmap, brk,"
+seccomp_string: "    rt_sigaction, rt_sigprocmask, pwrite64, access,"
+seccomp_string: "    getpid, execveat, getdents, unlink, fchmod,"
+seccomp_string: "    getrlimit, getrusage, sysinfo, times, futex,"
+seccomp_string: "    arch_prctl, sched_getaffinity, set_tid_address,"
+seccomp_string: "    clock_gettime, set_robust_list, exit_group,"
+seccomp_string: "    clone, getcwd, pread64, readlink"
+seccomp_string: "  }"
 seccomp_string: "}"
-seccomp_string: "USE example DEFAULT ALLOW"
+seccomp_string: "USE imagemagick_convert DEFAULT KILL"
+
+exec_bin {
+	path: "/usr/bin/convert"
+	exec_fd: true
+}