configs/busybox: indicate that the busybox must be statically compiled
authorRobert Swiecki <robert@swiecki.net>
Fri, 20 Oct 2017 12:46:43 +0000 (14:46 +0200)
committerRobert Swiecki <robert@swiecki.net>
Fri, 20 Oct 2017 12:46:43 +0000 (14:46 +0200)
configs/busybox-with-execveat.cfg [deleted file]
configs/static-busybox-with-execveat.cfg [new file with mode: 0644]

diff --git a/configs/busybox-with-execveat.cfg b/configs/busybox-with-execveat.cfg
deleted file mode 100644 (file)
index af2402f..0000000
+++ /dev/null
@@ -1,48 +0,0 @@
-name: "busybox-with-execveat"
-description: "An example/demo policy which allows to execute /bin/busybox in an empty (only /proc) "
-description: "mount namespace which doesn't even include busybox itself."
-
-mode: ONCE
-hostname: "BUSYBOX"
-cwd: "/"
-
-time_limit: 100
-
-keep_env: false
-envar: "TERM=linux"
-envar: "PS1=$ "
-
-skip_setsid: true
-
-clone_newcgroup: true
-
-uidmap {
-       inside_id: "999999"
-       outside_id: ""
-       count: 1
-}
-
-gidmap {
-       inside_id: "999999"
-       outside_id: ""
-       count: 1
-}
-
-mount_proc: false
-
-mount {
-       dst: "/proc"
-       fstype: "proc"
-       rw: false
-}
-
-seccomp_string: "POLICY example {                              "
-seccomp_string:        "       ERRNO(0) { ptrace }             "
-seccomp_string:        "}                                                              "
-seccomp_string:        "USE example DEFAULT ALLOW"
-
-exec_bin {
-       path: "/bin/busybox"
-       arg: "sh"
-       exec_fd: true
-}
diff --git a/configs/static-busybox-with-execveat.cfg b/configs/static-busybox-with-execveat.cfg
new file mode 100644 (file)
index 0000000..56b7cf1
--- /dev/null
@@ -0,0 +1,48 @@
+name: "static-busybox-with-execveat"
+description: "An example/demo policy which allows to execute /bin/busybox-static in an "
+description: "empty (only /proc) mount namespace which doesn't even include busybox itself"
+
+mode: ONCE
+hostname: "BUSYBOX"
+cwd: "/"
+
+time_limit: 100
+
+keep_env: false
+envar: "TERM=linux"
+envar: "PS1=$ "
+
+skip_setsid: true
+
+clone_newcgroup: true
+
+uidmap {
+       inside_id: "999999"
+       outside_id: ""
+       count: 1
+}
+
+gidmap {
+       inside_id: "999999"
+       outside_id: ""
+       count: 1
+}
+
+mount_proc: false
+
+mount {
+       dst: "/proc"
+       fstype: "proc"
+       rw: false
+}
+
+seccomp_string: "POLICY example {                              "
+seccomp_string:        "       ERRNO(0) { ptrace }             "
+seccomp_string:        "}                                                              "
+seccomp_string:        "USE example DEFAULT ALLOW              "
+
+exec_bin {
+       path: "/bin/busybox"
+       arg: "sh"
+       exec_fd: true
+}
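Review bot: The description at the top of the new file names `/bin/busybox-static`, but `exec_bin.path` at the bottom of the hunk still points to `/bin/busybox`, so the example either runs a different binary than it documents or the documented binary is not the one executed; one of the two should change, e.g. `path: "/bin/busybox-static"`. The commit title states the binary must be statically compiled but the file never says why; given that only `/proc` is mounted inside the namespace, a dynamically linked binary would presumably find no loader or libraries once it starts, and `exec_fd: true` appears to be what lets the host-side file be executed at all. A third description line would make the requirement visible to someone copying the config, e.g. `description: "The binary must be statically linked: only /proc is mounted inside, so no dynamic loader or libraries are reachable."`.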