configs: some fixes thanks to the write-up at https://offbyinfinity.com/2017/12/sandboxing-imagemagick-with-nsjail/
This commit is contained in:
parent
e8e2f4b011
commit
5c8397860c
@ -20,7 +20,7 @@ envar: "TMP=/tmp"
|
||||
rlimit_as: 2048
|
||||
rlimit_cpu: 1000
|
||||
rlimit_fsize: 1024
|
||||
rlimit_nofile: 16
|
||||
rlimit_nofile: 64
|
||||
|
||||
mount {
|
||||
src: "/lib"
|
||||
@ -48,12 +48,6 @@ mount {
|
||||
mandatory: false
|
||||
}
|
||||
|
||||
mount {
|
||||
src: "/usr/bin/convert"
|
||||
dst: "/usr/bin/convert"
|
||||
is_bind: true
|
||||
}
|
||||
|
||||
mount {
|
||||
dst: "/tmp"
|
||||
fstype: "tmpfs"
|
||||
@ -76,11 +70,21 @@ mount {
|
||||
mandatory: false
|
||||
}
|
||||
|
||||
seccomp_string: "POLICY example {"
|
||||
seccomp_string: " KILL {"
|
||||
seccomp_string: " ptrace,"
|
||||
seccomp_string: " process_vm_readv,"
|
||||
seccomp_string: " process_vm_writev"
|
||||
seccomp_string: " }"
|
||||
seccomp_string: "POLICY imagemagick_convert {"
|
||||
seccomp_string: " ALLOW {"
|
||||
seccomp_string: " read, write, open, close, newstat, newfstat,"
|
||||
seccomp_string: " newlstat, lseek, mmap, mprotect, munmap, brk,"
|
||||
seccomp_string: " rt_sigaction, rt_sigprocmask, pwrite64, access,"
|
||||
seccomp_string: " getpid, execveat, getdents, unlink, fchmod,"
|
||||
seccomp_string: " getrlimit, getrusage, sysinfo, times, futex,"
|
||||
seccomp_string: " arch_prctl, sched_getaffinity, set_tid_address,"
|
||||
seccomp_string: " clock_gettime, set_robust_list, exit_group,"
|
||||
seccomp_string: " clone, getcwd, pread64, readlink"
|
||||
seccomp_string: " }"
|
||||
seccomp_string: "}"
|
||||
seccomp_string: "USE example DEFAULT ALLOW"
|
||||
seccomp_string: "USE imagemagick_convert DEFAULT KILL"
|
||||
|
||||
exec_bin {
|
||||
path: "/usr/bin/convert"
|
||||
exec_fd: true
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user