From 5c8397860c72fb60ebfcb18ce3d5ab327e482044 Mon Sep 17 00:00:00 2001
From: Robert Swiecki
Date: Tue, 5 Dec 2017 15:01:27 +0100
Subject: [PATCH] configs: some fixes thanks to the write-up at https://offbyinfinity.com/2017/12/sandboxing-imagemagick-with-nsjail/

---
 configs/imagemagick-convert.cfg | 32 ++++++++++++++++++--------------
 1 file changed, 18 insertions(+), 14 deletions(-)

diff --git a/configs/imagemagick-convert.cfg b/configs/imagemagick-convert.cfg
index cf7aaa9..dae41ab 100644
--- a/configs/imagemagick-convert.cfg
+++ b/configs/imagemagick-convert.cfg
@@ -20,7 +20,7 @@ envar: "TMP=/tmp"
 rlimit_as: 2048
 rlimit_cpu: 1000
 rlimit_fsize: 1024
-rlimit_nofile: 16
+rlimit_nofile: 64

 mount {
 src: "/lib"
@@ -48,12 +48,6 @@ mount {
 mandatory: false
 }

-mount {
- src: "/usr/bin/convert"
- dst: "/usr/bin/convert"
- is_bind: true
-}
-
 mount {
 dst: "/tmp"
 fstype: "tmpfs"
@@ -76,11 +70,21 @@ mount {
 mandatory: false
 }

-seccomp_string: "POLICY example {"
-seccomp_string: " KILL {"
-seccomp_string: " ptrace,"
-seccomp_string: " process_vm_readv,"
-seccomp_string: " process_vm_writev"
-seccomp_string: " }"
+seccomp_string: "POLICY imagemagick_convert {"
+seccomp_string: " ALLOW {"
+seccomp_string: " read, write, open, close, newstat, newfstat,"
+seccomp_string: " newlstat, lseek, mmap, mprotect, munmap, brk,"
+seccomp_string: " rt_sigaction, rt_sigprocmask, pwrite64, access,"
+seccomp_string: " getpid, execveat, getdents, unlink, fchmod,"
+seccomp_string: " getrlimit, getrusage, sysinfo, times, futex,"
+seccomp_string: " arch_prctl, sched_getaffinity, set_tid_address,"
+seccomp_string: " clock_gettime, set_robust_list, exit_group,"
+seccomp_string: " clone, getcwd, pread64, readlink"
+seccomp_string: " }"
 seccomp_string: "}"
-seccomp_string: "USE example DEFAULT ALLOW"
+seccomp_string: "USE imagemagick_convert DEFAULT KILL"
+
+exec_bin {
+ path: "/usr/bin/convert"
+ exec_fd: true
+}
-- 
2.34.1
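Review bot: In the new `ALLOW` block of the third hunk, `clone` and `execveat` are permitted with no argument constraints, so process creation and re-exec stay open inside an otherwise tight `DEFAULT KILL` policy. `execveat` appears to be listed only because `exec_fd: true` starts convert through it, and `clone` presumably for ImageMagick's worker threads; if that is the intent, record it in the file with a comment above the policy such as `# execveat: needed by exec_fd; clone: thread creation only`, and consider constraining the clone flags so that namespace-creating flags are refused. The allowlist is also tied to one x86-64 libc build (`open`, `newstat`, `getdents`, `arch_prctl`): a libc that issues `openat` or `getdents64` instead will be killed at startup, which fails closed but is hard to triage. A comment naming the distribution the syscall list was traced on would tell the next maintainer when the list needs re-deriving.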