# nsjail jail configuration in protobuf text format (the description below
# points at config.proto in google/nsjail for the schema).
# Self-described as an example/demo policy: several settings here favour
# demonstration over isolation and are flagged with NOTE(review) below.
name: "bash-with-fake-geteuid"
description: "An example/demo policy which allows to execute /bin/bash and other commands in a fairly restricted jail containing only some directories from the main system, and with blocked __NR_syslog syscall. Also, __NR_geteuid returns -1337 value, which /usr/bin/id will show as euid=4294965959, and ptrace is blocked but returns success, hence strange behavior of the strace command. This is an example/demo policy, hence it repeats many default values from the https://github.com/google/nsjail/blob/master/config.proto PB schema"

# Run the command once, with a fixed hostname and working directory inside the jail.
mode: ONCE
hostname: "JAILED-BASH"
cwd: "/tmp"

# Network listener settings (loopback-only bind address, per-IP connection cap,
# TCP port). Presumably unused while mode is ONCE; confirm against config.proto.
bindhost: "::1"
max_conns_per_ip: 10
port: 31337

# Lifetime and CPU bounds for the jail (time_limit presumably in seconds; confirm).
time_limit: 100
daemon: false
max_cpu_num: 1

# keep_env: false means the caller's environment is not inherited; only the
# envar entries listed here are set, so host-side variables (tokens, paths)
# do not reach the jailed shell.
keep_env: false
envar: "ENVAR1=VALUE1"
envar: "ENVAR2=VALUE2"
envar: "TERM=linux"
envar: "HOME=/"
envar: "PS1=[\\H:\\t:\\s-\\V:\\w]\\$ "

# NOTE(review): keep_caps: true leaves capabilities in place instead of dropping
# them. Together with inside uid 0 in a new user namespace (see uidmap below)
# the shell holds a full capability set within that namespace. Acceptable for a
# demo; for a real sandbox use false, or list only the needed caps via `cap`.
keep_caps: true
silent: false
# NOTE(review): skip_setsid: true keeps the jailed process in the caller's
# session and on its controlling terminal (convenient for an interactive shell).
# That is weaker isolation than a fresh session; nsjail's own help text marks
# this option as dangerous.
skip_setsid: true
# File descriptors 100 and 3 are passed into the jail in addition to stdio.
# Every inherited descriptor is a channel to a host-side object, so pass only
# descriptors the jailed program is meant to use.
pass_fd: 100
pass_fd: 3
# false here means no_new_privs stays enabled, so set-uid/file-capability
# binaries under the bind-mounted /bin, /sbin and /usr cannot raise privileges.
disable_no_new_privs: false

# Resource limits (sizes presumably in MiB, rlimit_cpu in seconds; confirm
# against config.proto). rlimit_core: 0 suppresses core dumps; rlimit_fsize: 0
# means jailed processes cannot grow regular files, which also bounds what can
# be written into the writable tmpfs mounts below.
rlimit_as: 128
rlimit_core: 0
rlimit_cpu: 10
rlimit_fsize: 0
rlimit_nofile: 32
rlimit_stack: 1

# No personality(2) flags are applied; in particular address-space
# randomisation is left on (persona_addr_no_randomize: false).
persona_addr_compat_layout: false
persona_mmap_page_zero: false
persona_read_implies_exec: false
persona_addr_limit_3gb: false
persona_addr_no_randomize: false

# Every namespace type offered here is unshared: network, user, mount, PID,
# IPC, UTS and cgroup.
clone_newnet: true
clone_newuser: true
clone_newns: true
clone_newpid: true
clone_newipc: true
clone_newuts: true
clone_newcgroup: true

# Map a single id: uid/gid 0 inside the jail. An empty outside_id presumably
# selects the invoking user's own uid/gid (confirm against config.proto), so
# "root" inside is the unprivileged caller outside.
uidmap {
  inside_id: "0"
  outside_id: ""
  count: 1
}
gidmap {
  inside_id: "0"
  outside_id: ""
  count: 1
}

# The automatic /proc mount is off; /proc is mounted explicitly (read-only)
# further down.
mount_proc: false

# Read-only bind mounts of the host's system directories. The host's binaries
# and libraries are visible but not modifiable from inside the jail.
mount {
  src: "/lib"
  dst: "/lib"
  is_bind: true
  rw: false
}
mount {
  src: "/bin"
  dst: "/bin"
  is_bind: true
  rw: false
}
mount {
  src: "/sbin"
  dst: "/sbin"
  is_bind: true
  rw: false
}
mount {
  src: "/usr"
  dst: "/usr"
  is_bind: true
  rw: false
}
# mandatory: false lets start-up continue when the source directory is absent
# on the host (not every distribution has /lib64 or /lib32).
mount {
  src: "/lib64"
  dst: "/lib64"
  is_bind: true
  rw: false
  mandatory: false
}
mount {
  src: "/lib32"
  dst: "/lib32"
  is_bind: true
  rw: false
  mandatory: false
}
# Private writable tmpfs for /tmp. No size option is given here, unlike /dev
# below, so the tmpfs default size applies.
mount {
  dst: "/tmp"
  fstype: "tmpfs"
  rw: true
  is_bind: false
}
# Private /dev on a tmpfs capped at 8388608 bytes (8 MiB); host device nodes
# are not exposed except the one bind-mounted next.
mount {
  dst: "/dev"
  fstype: "tmpfs"
  options: "size=8388608"
  rw: true
  is_bind: false
}
mount {
  src: "/dev/null"
  dst: "/dev/null"
  rw: true
  is_bind: true
}
# Explicit read-only procfs mount (replaces the disabled mount_proc above).
mount {
  dst: "/proc"
  fstype: "proc"
  rw: false
}
# File whose content is supplied inline by this config rather than taken from
# the host file system.
mount {
  src_content: "This file was created dynamically"
  dst: "/DYNAMIC_FILE"
}
# Non-mandatory bind of a path that, going by its name, is not expected to
# exist; it shows that a missing optional source does not abort start-up.
mount {
  src: "/nonexistent_777"
  dst: "/nonexistent_777"
  is_bind: true
  mandatory: false
}

# Seccomp policy in nsjail's policy language (Kafel):
#   ERRNO(1337) { geteuid }  - geteuid fails with errno 1337, which the
#                              description says `id` prints as euid=4294965959
#   KILL { syslog }          - calling syslog terminates the process
#   ERRNO(0) { ptrace }      - ptrace does nothing but reports success, so
#                              tracers such as strace misbehave instead of
#                              failing with a clear error
# NOTE(review): DEFAULT ALLOW makes this a deny-list: every syscall not named
# above is permitted. That suits a demo; a policy meant to contain untrusted
# code should list the allowed syscalls and use a denying default instead.
seccomp_string: " POLICY example { ERRNO(1337) { geteuid }, KILL { syslog }, ERRNO(0) { ptrace } } USE example DEFAULT ALLOW "

# Program started inside the jail: /bin/bash with argv[0] set to "sh" and the
# single argument -i (interactive).
exec_bin {
  path: "/bin/bash"
  arg0: "sh"
  arg: "-i"
}