# nsjail configuration (protobuf text format), one field per line.
name: "static-busybox-with-execveat"
# 'description' is a repeated field; the two entries read as one sentence.
description: "An example/demo policy which allows to execute /bin/busybox-static in an "
description: "empty (only /proc) mount namespace which doesn't even include busybox itself"

# Run the jailed command a single time and exit (no listening/forking mode).
mode: ONCE
hostname: "BUSYBOX"
cwd: "/"
# Wall-clock limit for the jail, in seconds.
time_limit: 100

# Do not inherit the launcher's environment; only the two variables below
# reach the jailed process.
keep_env: false
envar: "TERM=linux"
envar: "PS1=$ "
# Leave the jailed process in the caller's session (no setsid()).
skip_setsid: true
clone_newcgroup: true

# Single-entry UID/GID maps: id 999999 inside the user namespace.
# An empty outside_id is taken as the uid/gid nsjail was launched with.
uidmap {
  inside_id: "999999"
  outside_id: ""
  count: 1
}
gidmap {
  inside_id: "999999"
  outside_id: ""
  count: 1
}

# Replace the implicit /proc mount with an explicit read-only one; this is the
# only mount in the jail's namespace.
mount_proc: false
mount {
  dst: "/proc"
  fstype: "proc"
  rw: false
}

# Seccomp policy (kafel): ptrace is short-circuited to return 0 without
# running; every other syscall is allowed. Demo-grade, not a hardened filter.
seccomp_string: "ERRNO(0) { ptrace }"
seccomp_string: "DEFAULT ALLOW"

# The binary is opened on the host side and executed from the descriptor
# (execveat), which is why it need not exist inside the mount namespace.
exec_bin {
  path: "/bin/busybox"
  arg: "sh"
  exec_fd: true
}