GitHub Repository: goelp14/easyctf-iv-problems
Path: blob/master/pixelly/src/pixelly.cfg
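name: "pixelly"

# nsjail policy for the "pixelly" challenge: runs ImageMagick's convert inside
# a jail.  Adapted from nsjail's imagemagick-convert.cfg example; the
# description below has been updated to name this file and to reflect what the
# mount section actually maps (the whole $HOME, not just $HOME/Documents).
description: "This policy allows to run ImageMagick's convert inside a jail."
description: "Your whole $HOME is bind-mounted as /user, so $HOME/Documents"
description: "appears as /user/Documents."
description: ""
description: "Run as:"
description: ""
description: "./nsjail --config pixelly.cfg -- /usr/bin/convert \\"
description: "	jpg:/user/Documents/input.jpg png:/user/Documents/output.png"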

# Run the jailed command a single time and exit when it finishes.
mode: ONCE
# Hostname visible inside the jail's UTS namespace; cosmetic for convert.
hostname: "NSJAIL"
# Working directory inside the jail; /user is populated by the mounts below.
cwd: "/user"

# Inside the user namespace the process runs as uid/gid 999999.  outside_id is
# left empty, which nsjail documents as "use the uid/gid nsjail itself runs as"
# (per nsjail's config.proto — confirm for the nsjail version in use).  No
# /etc mount appears in this config, so the id has no name inside the jail.
uidmap {
	inside_id: "999999"
	outside_id: ""
	count: 1
}

gidmap {
	inside_id: "999999"
	outside_id: ""
	count: 1
}

# Wall-clock limit in seconds after which nsjail kills the jailed process.
time_limit: 120

# Minimal environment for convert.  keep_env is not set, so with nsjail's
# default only these three variables are present inside the jail — nothing
# from the invoking shell leaks through.
envar: "HOME=/user"
envar: "TMP=/tmp"
envar: "PATH=/usr/local/bin:/usr/bin:/bin"

# Per-process resource limits (nsjail units: MiB for memory/file sizes,
# seconds for CPU, a plain count for descriptors — confirm against config.proto).
# rlimit_as: 2 GiB of address space per process.
# rlimit_cpu: 1000 CPU seconds — larger than time_limit, so the 120 s wall clock
#   above is the effective bound on runtime.
# rlimit_fsize: largest file convert may create, 1 GiB.
# rlimit_nofile: at most 64 open file descriptors.
rlimit_as: 2048
rlimit_cpu: 1000
rlimit_fsize: 1024
rlimit_nofile: 64

# Do not create a new cgroup namespace: the jailed process keeps the host's
# cgroup view.  Note that none of nsjail's cgroup-based limits (cgroup_mem_max,
# cgroup_pids_max, ...) are configured in this file either, so the only memory
# bound on convert is the per-process rlimit_as above.
clone_newcgroup: false

# Host system directories bind-mounted into the jail so convert can find its
# binary and shared libraries.  None of these set rw: true, so with nsjail's
# default they are read-only.  This exposes all of /usr/bin, not just convert;
# the seccomp allowlist at the bottom of this file (no clone/fork/vfork) is
# what prevents a compromised convert from running anything else.
#
# NOTE(review): /etc is not mounted.  If this distro keeps ImageMagick's
# policy.xml / delegates.xml under /etc/ImageMagick-*/, the jailed convert will
# not load them and the host's ImageMagick security policy will NOT apply
# inside the jail — verify where the policy files live on the target host.
mount {
	src: "/lib"
	dst: "/lib"
	is_bind: true
}

mount {
	src: "/usr/lib"
	dst: "/usr/lib"
	is_bind: true
}

mount {
	src: "/usr/local/lib"
	dst: "/usr/local/lib"
	is_bind: true
}

mount {
	src: "/usr/bin"
	dst: "/usr/bin"
	is_bind: true
}

# /lib64 does not exist on every host, hence mandatory: false (a missing
# source does not abort the jail setup).
mount {
	src: "/lib64"
	dst: "/lib64"
	is_bind: true
	mandatory: false
}

# 32-bit library directory, left disabled; only needed on multilib hosts where
# convert or one of its libraries is 32-bit.
#mount {
#	src: "/lib32"
#	dst: "/lib32"
#	is_bind: true
#	mandatory: false
#}

# Scratch space for TMP=/tmp (set above): a writable tmpfs, discarded on exit.
mount {
	dst: "/tmp"
	fstype: "tmpfs"
	rw: true
	is_bind: false
}

# Writable tmpfs at /user (the jail's cwd and $HOME).
# NOTE(review): the next mount binds the host $HOME onto the same path, so if
# nsjail applies mounts in file order this tmpfs is fully shadowed and never
# reachable by convert — confirm whether it is still needed.
mount {
	dst: "/user"
	fstype: "tmpfs"
	rw: true
}

# Bind the invoking user's ENTIRE $HOME (prefix_src_env: "HOME" + src: "/")
# at /user.  This is not limited to a Documents subdirectory: every file under
# $HOME (dotfiles, SSH keys, tokens, browser profiles, ...) becomes readable by
# the jailed convert, whose seccomp policy allows open/openat/read on anything
# mounted.  Narrow src/dst to the one directory convert actually needs.
# No rw: true is set here, so with nsjail's default this bind is read-only and
# an output path under /user would not be writable — confirm the intended use.
mount {
	prefix_src_env: "HOME"
	src: "/"
	dst: "/user/"
	is_bind: true
}

# Kafel seccomp-bpf policy: a pure allowlist.  Any syscall not listed below is
# killed (USE example DEFAULT KILL at the end).
seccomp_string: "POLICY example {"
seccomp_string: "  ALLOW {"

# Syscalls observed with strace on a plain convert run.  What this allowlist
# does and does not restrict: open/openat/read/write carry no argument filter
# (anything mounted is readable), ioctl is allowed unfiltered, and execve is
# allowed (presumably because nsjail installs the filter before exec'ing
# convert).  clone/fork/vfork are absent, so any attempt by convert to spawn a
# delegate process (ghostscript etc.) is killed by the policy.
seccomp_string: "    access, arch_prctl, brk, close, dup,"
seccomp_string: "    execve, exit_group, fcntl, futex, getcwd,"
seccomp_string: "    getdents, getegid, geteuid, getgid, getpid,"
seccomp_string: "    getrandom, getuid, ioctl, lseek, mmap,"
seccomp_string: "    mprotect, munmap, open, openat, prlimit64, read,"
seccomp_string: "    readlink, rt_sigaction, rt_sigprocmask,"
seccomp_string: "    set_robust_list, set_tid_address, sigaltstack,"
seccomp_string: "    statfs, sysinfo, write,"

# Kafel uses the kernel's internal names for the x86_64 stat family
# (sys_newstat / sys_newfstat / sys_newlstat), so stat/fstat/lstat have to be
# listed as newstat/newfstat/newlstat here.
seccomp_string: "    newfstat, newlstat, newstat,"

# Not visible under strace but required at runtime, found by trial and error
# (clock_gettime is normally served by the vDSO, which is probably why strace
# did not show it).
seccomp_string: "    clock_gettime, getrlimit"

seccomp_string: "  }"
seccomp_string: "}"
seccomp_string: "USE example DEFAULT KILL"