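# nsjail configuration (protobuf text format).
# Runs Apache HTTPD in a jail with its own network namespace, attached to the
# LAN through a macvlan interface, with www-data mapped to uid/gid 1 inside.

name: "apache-with-cloned-net"

description:
  "Works under Ubuntu 17.04. Other Linux distros might have different "
  "location of the Apache's HTTPD configuration files and system "
  "libraries. On the basis of (GitHub's) @farconada work in: "
  "https://github.com/google/nsjail/issues/31 "
  "Run as: sudo ./nsjail --config configs/apache.cfg "

# Launch the binary once; nsjail exits when Apache does.
mode: ONCE
hostname: "APACHE-NSJ"

# Resource limits. nsjail reads rlimit_as and rlimit_fsize in MiB and
# rlimit_cpu in seconds.
rlimit_as: 1024
rlimit_cpu: 1000
rlimit_fsize: 1024
# NOTE(review): 16 descriptors is tight for a web server; raise it if Apache
# reports descriptor exhaustion under load.
rlimit_nofile: 16

# Environment expected by the Debian/Ubuntu Apache configuration.
envar: "APACHE_RUN_DIR=/run/apache2"
envar: "APACHE_PID_FILE=/run/apache2/apache2.pid"
envar: "APACHE_RUN_USER=www-data"
envar: "APACHE_RUN_GROUP=www-data"
# NOTE(review): /run/apache2 is a tmpfs (see the mounts below). If the Apache
# config logs to ${APACHE_LOG_DIR}, access and error logs vanish when the jail
# exits; forward them or use a host-backed log directory if they must be kept.
envar: "APACHE_LOG_DIR=/run/apache2"

# The only capability retained inside the jail: binding ports below 1024.
cap: "CAP_NET_BIND_SERVICE"

# 0 disables the wall-clock limit, as wanted for a long-running server.
time_limit: 0

# Host www-data appears as uid/gid 1 inside the jail; the synthetic
# /etc/passwd and /etc/group below use the same id.
uidmap {
  inside_id: "1"
  outside_id: "www-data"
}

gidmap {
  inside_id: "1"
  outside_id: "www-data"
}

# Bind mounts are read-only unless rw: true is set.

# NOTE(review): this exposes all of /etc/apache2 to the jailed process; check
# whether private keys or credentials live under it.
mount {
  src: "/etc/apache2"
  dst: "/etc/apache2"
  is_bind: true
}

mount {
  src: "/etc/ld.so.cache"
  dst: "/etc/ld.so.cache"
  is_bind: true
}

mount {
  src: "/etc/hosts"
  dst: "/etc/hosts"
  is_bind: true
}

mount {
  src: "/etc/mime.types"
  dst: "/etc/mime.types"
  is_bind: true
}

mount {
  src: "/etc/localtime"
  dst: "/etc/localtime"
  is_bind: true
}

# Minimal account files generated inline, so the host's /etc/passwd and
# /etc/group are not exposed.
mount {
  src_content: "www-data:x:1:1:www-data:/var/www:/bin/false"
  dst: "/etc/passwd"
}

mount {
  src_content: "www-data:x:1:"
  dst: "/etc/group"
}

# System libraries, read-only.
mount {
  src: "/lib64"
  dst: "/lib64"
  is_bind: true
}

mount {
  src: "/lib"
  dst: "/lib"
  is_bind: true
}

mount {
  src: "/usr/lib"
  dst: "/usr/lib"
  is_bind: true
}

# Document root, read-only. Apache only needs to read the served content, and
# its PID and log paths point at /run/apache2. A writable bind mount would let
# a compromised worker change files on the host. If the site needs uploads,
# add a separate mount with rw: true for that one directory.
mount {
  src: "/var/www/html"
  dst: "/var/www/html"
  is_bind: true
}

# Scratch and runtime directories live on per-jail tmpfs instances.
# NOTE(review): no size option is set on these tmpfs mounts, so they are
# bounded only by the kernel's tmpfs default; consider a size= option.
mount {
  dst: "/tmp"
  fstype: "tmpfs"
  rw: true
  is_bind: false
}

mount {
  dst: "/run/apache2"
  fstype: "tmpfs"
  rw: true
  is_bind: false
}

mount {
  src: "/dev/urandom"
  dst: "/dev/urandom"
  is_bind: true
  rw: true
}

mount {
  dst: "/dev/shm"
  fstype: "tmpfs"
  rw: true
  is_bind: false
}

mount {
  dst: "/proc"
  fstype: "proc"
}

mount {
  src: "/usr/share/apache2"
  dst: "/usr/share/apache2"
  is_bind: true
}

mount {
  src: "/usr/sbin/apache2"
  dst: "/usr/sbin/apache2"
  is_bind: true
}

# Kafel seccomp policy. The string bytes are unchanged from the original and
# only split across adjacent literals.
# NOTE(review): this is a deny-list. Only ptrace, process_vm_readv and
# process_vm_writev are killed, and DEFAULT ALLOW permits every other syscall.
# An allow-list built from the syscalls Apache actually uses would shrink the
# kernel attack surface much further.
seccomp_string:
  " POLICY example { KILL { ptrace, \n"
  "process_vm_readv, process_vm_writev } } "
  "USE example DEFAULT ALLOW "

# Network: a macvlan interface created on top of the host NIC.
# The interface name and addresses are specific to the author's machine and
# LAN; replace them with values for the target host. The jail becomes directly
# reachable on that network under its own IP, so firewall it like any other
# host on the segment.
macvlan_iface: "enp0s31f6"
macvlan_vs_ip: "192.168.10.223"
macvlan_vs_nm: "255.255.255.0"
macvlan_vs_gw: "192.168.10.1"

# Keep Apache in the foreground so nsjail supervises the server process.
exec_bin {
  path: "/usr/sbin/apache2"
  arg: "-DFOREGROUND"
}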