configs: some fixes thanks to the write-up at https://offbyinfinity.com/2017/12/sandb...
authorRobert Swiecki <robert@swiecki.net>
Tue, 5 Dec 2017 14:01:27 +0000 (15:01 +0100)
committerRobert Swiecki <robert@swiecki.net>
Tue, 5 Dec 2017 14:01:27 +0000 (15:01 +0100)
configs/imagemagick-convert.cfg

index cf7aaa9084407329924648a589a13c05db52c038..dae41ab65beee9e9e3c379f3ba5d71e37304bc6c 100644 (file)
@@ -20,7 +20,7 @@ envar: "TMP=/tmp"
 rlimit_as: 2048
 rlimit_cpu: 1000
 rlimit_fsize: 1024
-rlimit_nofile: 16
+rlimit_nofile: 64
 
 mount {
        src: "/lib"
@@ -48,12 +48,6 @@ mount {
        mandatory: false
 }
 
-mount {
-       src: "/usr/bin/convert"
-       dst: "/usr/bin/convert"
-       is_bind: true
-}
-
 mount {
        dst: "/tmp"
        fstype: "tmpfs"
@@ -76,11 +70,21 @@ mount {
        mandatory: false
 }
 
-seccomp_string: "POLICY example {"
-seccomp_string: "      KILL {"
-seccomp_string: "              ptrace,"
-seccomp_string: "              process_vm_readv,"
-seccomp_string: "              process_vm_writev"
-seccomp_string: "      }"
+seccomp_string: "POLICY imagemagick_convert {"
+seccomp_string: "  ALLOW {"
+seccomp_string: "    read, write, open, close, newstat, newfstat,"
+seccomp_string: "    newlstat, lseek, mmap, mprotect, munmap, brk,"
+seccomp_string: "    rt_sigaction, rt_sigprocmask, pwrite64, access,"
+seccomp_string: "    getpid, execveat, getdents, unlink, fchmod,"
+seccomp_string: "    getrlimit, getrusage, sysinfo, times, futex,"
+seccomp_string: "    arch_prctl, sched_getaffinity, set_tid_address,"
+seccomp_string: "    clock_gettime, set_robust_list, exit_group,"
+seccomp_string: "    clone, getcwd, pread64, readlink"
+seccomp_string: "  }"
 seccomp_string: "}"
-seccomp_string: "USE example DEFAULT ALLOW"
+seccomp_string: "USE imagemagick_convert DEFAULT KILL"
+
+exec_bin {
+       path: "/usr/bin/convert"
+       exec_fd: true
+}
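Review bot: The new allow-list in `POLICY imagemagick_convert` permits `clone` but not `exit`, so under `DEFAULT KILL` any worker thread that returns normally (thread teardown uses `exit`, only the last thread uses `exit_group`) will be killed rather than exit cleanly; the last ALLOW line should read `seccomp_string: "    clone, getcwd, pread64, readlink, exit"`. Likewise `open` is listed but `openat` is not, and newer libc versions appear to route `open()` through the `openat` syscall, so the policy may kill `convert` on startup on such systems — worth confirming with a trace before relying on it. Since this is now a deny-by-default policy, a comment above the first `seccomp_string` line such as `# Syscall allow-list for /usr/bin/convert; anything outside it is killed (DEFAULT KILL). Re-trace and extend when ImageMagick or libc changes.` would tell the next maintainer how to update it safely.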