configs/bash-with-fake-geteuid: block ptrace, fix description

author Robert Swiecki <robert@swiecki.net>

Mon, 29 May 2017 14:57:04 +0000 (16:57 +0200)

committer Robert Swiecki <robert@swiecki.net>

Mon, 29 May 2017 14:57:04 +0000 (16:57 +0200)
author Robert Swiecki <robert@swiecki.net>
Mon, 29 May 2017 14:57:04 +0000 (16:57 +0200)
committer Robert Swiecki <robert@swiecki.net>
Mon, 29 May 2017 14:57:04 +0000 (16:57 +0200)
diff --git a/configs/bash-with-fake-geteuid.cfg b/configs/bash-with-fake-geteuid.cfg

index c8d56e7602674329af22d6608d018c4921ab815f..2b50bc6b0b89ce53dba5d79dd1b780dde74b5999 100644 (file)
--- a/configs/bash-with-fake-geteuid.cfg
+++ b/configs/bash-with-fake-geteuid.cfg
@@ -1,11 +1,12 @@
  name: "bash-with-fake-geteuid"
  description:
-"An example policy which allows to execute /bin/bash and other commands in
+"An example/demo policy which allows to execute /bin/bash and other commands in
  a fairly restricted jail containing only some directories from the main
  system, and with blocked __NR_syslog syscall. Also, __NR_geteuid returns -1337
-value, which /usr/bin/id will show as euid=4294965959.
+value, which /usr/bin/id will show as euid=4294965959, and ptrace is blocked
+but returns success, hence strange behavior of the strace command.
  
-This is an example policy, hence it repeats many default values from the
+This is an example/demo policy, hence it repeats many default values from the
  https://github.com/google/nsjail/blob/master/config.proto PB schema"
  
  mode: ONCE
@@ -155,7 +156,8 @@ mount {
  seccomp_string: "
         POLICY example {
                 ERRNO(1337) { geteuid },
-               KILL { syslog }
+               KILL { syslog },
+               ERRNO(0) { ptrace }
         }
         USE example DEFAULT ALLOW
  "
author	Robert Swiecki <robert@swiecki.net>
	Mon, 29 May 2017 14:57:04 +0000 (16:57 +0200)
committer	Robert Swiecki <robert@swiecki.net>
	Mon, 29 May 2017 14:57:04 +0000 (16:57 +0200)