DF-0165 / run.sh
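#!/bin/sh
# DF-0165 run. Must be invoked as root on the guest.
#
# Prints the jail default policy as a baseline, then runs ./bypass and
# reports its exit status. Per the original header, ./bypass creates a jail
# with defaults (raw_sockets=0, vfs_mount_nullfs=0, etc.), attaches to it,
# then tries the cap-gated actions.
#
# Exit status: that of ./bypass, or 1 when not invoked as root.
set -e

# Run from the script's own directory so ./bypass resolves next to it.
cd -- "$(dirname -- "$0")"

# The header requires root. Fail here with a clear message rather than
# letting a later step fail for a less obvious reason.
if [ "$(id -u)" -ne 0 ]; then
  echo "run.sh: must be invoked as root" >&2
  exit 1
fi

# Baseline: the result of the run is only meaningful if the defaults are
# restrictive, so each value is printed and anything other than 0 (or a
# value that cannot be read) is reported on stderr instead of being
# silently dropped. The run continues either way, as the original did.
echo "---- jail default policy (should all be 0): ----"
for name in \
  jail.defaults.allow_raw_sockets \
  jail.defaults.vfs_mount_nullfs \
  jail.defaults.vfs_mount_tmpfs \
  jail.defaults.vfs_mount_devfs \
  jail.defaults.vfs_mount_procfs
do
  if value=$(sysctl -n "$name" 2>/dev/null); then
    echo "$name: $value"
    if [ "$value" != "0" ]; then
      echo "run.sh: warning: $name is $value, not 0; baseline is not restrictive" >&2
    fi
  else
    echo "run.sh: warning: cannot read $name; baseline not verified" >&2
  fi
done

echo "---- running bypass as root (will create + enter jail): ----"
# Capture the status explicitly: under `set -e` a bare `./bypass` that exits
# non-zero would abort the script before the RC line is printed, so the
# report would only ever show RC=0.
rc=0
./bypass || rc=$?
echo "RC=$rc"
exit "$rc"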