# Example config for nsjail

name: "bash-with-fake-geteuid"

description: "An example/demo policy which allows to execute /bin/bash and other commands in "
description: "a fairly restricted jail containing only some directories from the main "
description: "system, and with blocked __NR_syslog syscall. Also, __NR_geteuid returns -1337 "
description: "value, which /usr/bin/id will show as euid=4294965959, and ptrace is blocked "
description: "but returns success, hence strange behavior of the strace command. "
description: "This is an example/demo policy, hence it repeats many default values from the "
description: "https://github.com/google/nsjail/blob/master/config.proto PB schema "

mode: ONCE
hostname: "JAILED-BASH"
cwd: "/tmp"

bindhost: "127.0.0.1"
max_conns_per_ip: 10
port: 31337

time_limit: 100
daemon: false
max_cpus: 1

keep_env: false
envar: "ENVAR1=VALUE1"
envar: "ENVAR2=VALUE2"
envar: "TERM=linux"
envar: "HOME=/"
envar: "PS1=[\\H:\\t:\\s-\\V:\\w]\\$ "

keep_caps: true
cap: "CAP_NET_ADMIN"
cap: "CAP_NET_RAW"
silent: false
stderr_to_null: false
skip_setsid: true
pass_fd: 100
pass_fd: 3
disable_no_new_privs: false

rlimit_as: 128
rlimit_core: 0
rlimit_cpu: 10
rlimit_fsize: 0
rlimit_nofile: 32
rlimit_stack_type: SOFT
rlimit_nproc_type: SOFT

persona_addr_compat_layout: false
persona_mmap_page_zero: false
persona_read_implies_exec: false
persona_addr_limit_3gb: false
persona_addr_no_randomize: false

clone_newnet: true
clone_newuser: true
clone_newns: true
clone_newpid: true
clone_newipc: true
clone_newuts: true
clone_newcgroup: true

uidmap {
	inside_id: "0"
	outside_id: ""
	count: 1
}

gidmap {
	inside_id: "0"
	outside_id: ""
	count: 1
}

mount_proc: false

mount {
	src: "/lib"
	dst: "/lib"
	is_bind: true
	rw: false
}

mount {
	src: "/bin"
	dst: "/bin"
	is_bind: true
	rw: false
}

mount {
	src: "/sbin"
	dst: "/sbin"
	is_bind: true
	rw: false
}

mount {
	src: "/usr"
	dst: "/usr"
	is_bind: true
	rw: false
}

mount {
	src: "/lib64"
	dst: "/lib64"
	is_bind: true
	rw: false
	mandatory: false
}

mount {
	src: "/lib32"
	dst: "/lib32"
	is_bind: true
	rw: false
	mandatory: false
}

mount {
	dst: "/tmp"
	fstype: "tmpfs"
	rw: true
	is_bind: false
	noexec: true
	nodev: true
	nosuid: true
}

mount {
	src: "/dev/null"
	dst: "/dev/null"
	rw: true
	is_bind: true
}

mount {
	dst: "/proc"
	fstype: "proc"
	rw: false
}

mount {
	src_content: "This file was created dynamically"
	dst: "/DYNAMIC_FILE"
}

mount {
	src: "/nonexistent_777"
	dst: "/nonexistent_777"
	is_bind: true
	mandatory: false
}

mount {
	src: "/proc/self/fd"
	dst: "/dev/fd"
	is_symlink: true
}

mount {
	src: "/some/unimportant/target"
	dst: "/proc/no/symlinks/can/be/created/in/proc"
	is_symlink: true
	mandatory: false
}

seccomp_string: "ERRNO(1337) { geteuid }	"
seccomp_string: "ERRNO(1) { ptrace, sched_setaffinity }		"
seccomp_string: "KILL_PROCESS { syslog }		"
seccomp_string: "DEFAULT ALLOW			"

exec_bin {
	path: "/bin/bash"
	arg0: "sh"
	arg: "-i"
}