configs: rename config1.example -> bash-with-fake-geteuid.cfg
authorRobert Swiecki <robert@swiecki.net>
Sat, 27 May 2017 16:45:25 +0000 (18:45 +0200)
committerRobert Swiecki <robert@swiecki.net>
Sat, 27 May 2017 16:45:25 +0000 (18:45 +0200)
README.md
configs/bash-with-fake-geteuid.cfg [new file with mode: 0644]
configs/config1.example [changed from file to symlink]

index f22b0c8967460d3aca708619ff7e6b2f11bfa3aa..d543e8230e876158b97a21f3288ad828746acc46 100644 (file)
--- a/README.md
+++ b/README.md
@@ -250,18 +250,16 @@ $ exit
 
 ***
 ### Configuration file
-[config.proto](https://github.com/google/nsjail/blob/master/config.proto) contains ProtoBuf schema for nsjail's configuration format. You can also examine the example config file in [config1.example](https://github.com/google/nsjail/blob/master/configs/config1.example).
+[config.proto](https://github.com/google/nsjail/blob/master/config.proto) contains ProtoBuf schema for nsjail's configuration format. You can also examine an example config file in [configs/bash-with-fake-geteuid.cfg](https://github.com/google/nsjail/blob/master/configs/bash-with-fake-geteuid.cfg).
 
 Usage:
-
 <pre>
-./nsjail --config configs/config1.example
+./nsjail --config configs/bash-with-fake-geteuid.cfg
 </pre>
 
-You can also override certain options with command-line options. Here, the executed binary is changed from _/usr/bin/id_ to _/bin/ls_, yet options from _config1.example_ are applied.
-
+You can also override certain options with command-line options. Here, the executed binary (_/bin/bash_) is overriden with _/usr/bin/id_, yet options from _configs/bash-with-fake-geteuid.cfg_ apply
 <pre>
-./nsjail --config configs/config1.example -- /bin/ls
+./nsjail --config configs/bash-with-fake-geteuid.cfg -- /usr/bin/id
 </pre>
 
 ***
diff --git a/configs/bash-with-fake-geteuid.cfg b/configs/bash-with-fake-geteuid.cfg
new file mode 100644 (file)
index 0000000..ccd2200
--- /dev/null
@@ -0,0 +1,149 @@
+mode: ONCE
+hostname: "TEST-NS"
+cwd: "/"
+
+bindhost: "::1"
+max_conns_per_ip: 10
+port: 31337
+
+time_limit: 100
+daemon: false
+
+keep_env: false
+envar: "ENVAR1=VALUE1"
+envar: "ENVAR2=VALUE2"
+envar: "PS1=[INSIDE-JAIL]: "
+
+silent: false
+skip_setsid: false
+pass_fd: 100
+pass_fd: 3
+pivot_root_only: false
+disable_no_new_privs: false
+
+rlimit_as: 128
+rlimit_core: 0
+rlimit_cpu: 10
+rlimit_fsize: 0
+rlimit_nofile: 32
+rlimit_stack: 1
+
+persona_addr_compat_layout: false
+persona_mmap_page_zero: false
+persona_read_implies_exec: false
+persona_addr_limit_3gb: false
+persona_addr_no_randomize: false
+
+clone_newnet: true
+clone_newuser: true
+clone_newns: true
+clone_newpid: true
+clone_newipc: true
+clone_newuts: true
+clone_newcgroup: true
+
+uidmap {
+       inside_id: "999999"
+       outside_id: ""
+       count: 1
+}
+
+gidmap {
+       inside_id: "999998"
+       outside_id: ""
+       count: 1
+}
+
+mount_proc: false
+
+mount {
+       src: "/lib"
+       dst: "/lib"
+       is_bind: true
+       is_ro: true
+}
+
+mount {
+       src: "/bin"
+       dst: "/bin"
+       is_bind: true
+       is_ro: true
+}
+
+mount {
+       src: "/sbin"
+       dst: "/sbin"
+       is_bind: true
+       is_ro: true
+}
+
+mount {
+       src: "/usr"
+       dst: "/usr"
+       is_bind: true
+       is_ro: true
+}
+
+mount {
+       src: "/lib64"
+       dst: "/lib64"
+       is_bind: true
+       is_ro: true
+       mandatory: false
+}
+
+mount {
+       src: "/lib32"
+       dst: "/lib32"
+       is_bind: true
+       is_ro: true
+       mandatory: false
+}
+
+mount {
+       dst: "/tmp"
+       fstype: "tmpfs"
+       is_ro: false
+       is_bind: false
+}
+
+mount {
+       dst: "/dev"
+       fstype: "tmpfs"
+       options: "size=8388608"
+       is_ro: false
+       is_bind: false
+}
+
+mount {
+       src: "/dev/null"
+       dst: "/dev/null"
+       is_ro: false
+       is_bind: true
+}
+
+mount {
+       dst: "/proc"
+       fstype: "proc"
+       is_ro: true
+}
+
+mount {
+       src: "/nonexistent_777"
+       dst: "/nonexistent_777"
+       is_bind: true
+       mandatory: false
+}
+
+seccomp_string: "
+       POLICY example {
+               ERRNO(1337) { geteuid },
+               KILL { syslog }
+       }
+       USE example DEFAULT ALLOW
+"
+
+exec_bin {
+       path: "/bin/bash"
+       arg: "-i"
+}
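Review bot: The new file name promises a "fake geteuid", but nothing in the file says where that comes from; the only source is the `ERRNO(1337) { geteuid }` rule inside `seccomp_string`, so a header comment such as `# Interactive bash in a jail; the seccomp policy below makes geteuid return errno 1337 and kills the process on syslog` would tie the name to the content. The policy ends with `USE example DEFAULT ALLOW`, so every syscall other than those two is permitted; because the README now points readers at this file as the example config, a second comment like `# Demo denylist only - not a hardening baseline; prefer an allowlist policy for untrusted code` would keep it from being copied as is. The last bind mount (`/nonexistent_777`) sets no `is_ro`, unlike the other host-directory bind mounts. If that is deliberate, to exercise `mandatory: false`, a one-line comment saying so would help; otherwise add `is_ro: true`.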
deleted file mode 100644 (file)
index ccd22008906fc547b05b49f4767288a29525e0b5..0000000000000000000000000000000000000000
+++ /dev/null
@@ -1,149 +0,0 @@
-mode: ONCE
-hostname: "TEST-NS"
-cwd: "/"
-
-bindhost: "::1"
-max_conns_per_ip: 10
-port: 31337
-
-time_limit: 100
-daemon: false
-
-keep_env: false
-envar: "ENVAR1=VALUE1"
-envar: "ENVAR2=VALUE2"
-envar: "PS1=[INSIDE-JAIL]: "
-
-silent: false
-skip_setsid: false
-pass_fd: 100
-pass_fd: 3
-pivot_root_only: false
-disable_no_new_privs: false
-
-rlimit_as: 128
-rlimit_core: 0
-rlimit_cpu: 10
-rlimit_fsize: 0
-rlimit_nofile: 32
-rlimit_stack: 1
-
-persona_addr_compat_layout: false
-persona_mmap_page_zero: false
-persona_read_implies_exec: false
-persona_addr_limit_3gb: false
-persona_addr_no_randomize: false
-
-clone_newnet: true
-clone_newuser: true
-clone_newns: true
-clone_newpid: true
-clone_newipc: true
-clone_newuts: true
-clone_newcgroup: true
-
-uidmap {
-       inside_id: "999999"
-       outside_id: ""
-       count: 1
-}
-
-gidmap {
-       inside_id: "999998"
-       outside_id: ""
-       count: 1
-}
-
-mount_proc: false
-
-mount {
-       src: "/lib"
-       dst: "/lib"
-       is_bind: true
-       is_ro: true
-}
-
-mount {
-       src: "/bin"
-       dst: "/bin"
-       is_bind: true
-       is_ro: true
-}
-
-mount {
-       src: "/sbin"
-       dst: "/sbin"
-       is_bind: true
-       is_ro: true
-}
-
-mount {
-       src: "/usr"
-       dst: "/usr"
-       is_bind: true
-       is_ro: true
-}
-
-mount {
-       src: "/lib64"
-       dst: "/lib64"
-       is_bind: true
-       is_ro: true
-       mandatory: false
-}
-
-mount {
-       src: "/lib32"
-       dst: "/lib32"
-       is_bind: true
-       is_ro: true
-       mandatory: false
-}
-
-mount {
-       dst: "/tmp"
-       fstype: "tmpfs"
-       is_ro: false
-       is_bind: false
-}
-
-mount {
-       dst: "/dev"
-       fstype: "tmpfs"
-       options: "size=8388608"
-       is_ro: false
-       is_bind: false
-}
-
-mount {
-       src: "/dev/null"
-       dst: "/dev/null"
-       is_ro: false
-       is_bind: true
-}
-
-mount {
-       dst: "/proc"
-       fstype: "proc"
-       is_ro: true
-}
-
-mount {
-       src: "/nonexistent_777"
-       dst: "/nonexistent_777"
-       is_bind: true
-       mandatory: false
-}
-
-seccomp_string: "
-       POLICY example {
-               ERRNO(1337) { geteuid },
-               KILL { syslog }
-       }
-       USE example DEFAULT ALLOW
-"
-
-exec_bin {
-       path: "/bin/bash"
-       arg: "-i"
-}
new file mode 120000 (symlink)
index 0000000000000000000000000000000000000000..d39c9d9301bfcefe02035d6ee2bb5716c2db5c3c
--- /dev/null
@@ -0,0 +1 @@
+bash-with-fake-geteuid.cfg
\ No newline at end of file