/*

   nsjail
   -----------------------------------------

   Copyright 2014 Google Inc. All Rights Reserved.
   Copyright 2016 Sergiusz Bazanski. All Rights Reserved.

   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at

     http://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.

*/
#ifndef NS_NSJAIL_H
#define NS_NSJAIL_H
#include <linux/filter.h>
#include <netinet/ip6.h>
#include <signal.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>
#include <unistd.h>
#include <map>
#include <string>
#include <vector>
/*
 * Set of signals the jail supervisor pays attention to. This header only
 * lists them; what is done with each (handled, blocked, forwarded to the
 * jailed process) lives in the signal-handling code, not here.
 *
 * Declared `static` in a header, so every translation unit that includes
 * nsjail.h gets its own private copy of the array.
 */
static const int nssigs[] = {
	SIGINT,
	SIGQUIT,
	SIGUSR1,
	SIGALRM,
	SIGCHLD,
	SIGTERM,
	SIGTTIN,
	SIGTTOU,
	SIGPIPE,
};
/*
 * Per-jailed-process bookkeeping record. Stored in nsjconf_t::pids, keyed
 * by the child's pid_t (the pid itself is therefore not repeated here).
 */
struct pids_t {
	/* Wall-clock time the entry was created (time_t; epoch seconds). Used
	 * together with nsjconf_t::tlimit elsewhere, presumably — confirm. */
	time_t start;
	/* Human-readable form of remote_addr (the text is produced elsewhere). */
	std::string remote_txt;
	/* Peer address of the accepted connection; IPv6 sockaddr, so v4 peers
	 * are presumably represented as v4-mapped addresses — confirm in the
	 * networking code. */
	struct sockaddr_in6 remote_addr;
	/* Descriptor used for inspecting the child's syscalls (exact purpose
	 * is defined where it is opened; -1 vs 0 as "unset" is not visible here). */
	int pid_syscall_fd;
};
/*
 * One entry of the mount table applied inside the jail's mount namespace
 * (see nsjconf_t::mountpts). The header assigns no semantics beyond the
 * field names; the mount code that consumes it is the authority.
 */
struct mount_t {
	/* Source path on the host (empty for pseudo-filesystems, presumably). */
	std::string src;
	/* Literal content to place at dst instead of bind-mounting src — the
	 * exact rule for when this is used is defined in the mount code. */
	std::string src_content;
	/* Target path, relative to the jail's root. */
	std::string dst;
	/* Filesystem type string passed to mount(2). */
	std::string fs_type;
	/* Filesystem-specific option string passed to mount(2). */
	std::string options;
	/* mount(2) flag bits (MS_*). Stored as uintptr_t; mount(2) itself takes
	 * unsigned long — same width on Linux targets, but worth knowing. */
	uintptr_t flags;
	/* Whether dst should be created as a directory (vs. a file). */
	bool is_dir;
	/* Whether the entry is a symlink rather than a mount. */
	bool is_symlink;
	/* If true, failing to mount this entry presumably aborts jail setup;
	 * if false it is best-effort — confirm against the mount code. */
	bool is_mandatory;
	/* Runtime state: set once the entry has actually been mounted. */
	bool mounted;
};
/*
 * One range of a uid_map/gid_map for the user namespace. The same type is
 * used for both nsjconf_t::uids and nsjconf_t::gids, so the uid_t fields
 * hold gids as well when the entry belongs to the gid map.
 */
struct idmap_t {
	/* First id of the range as seen inside the namespace. */
	uid_t inside_id;
	/* First id of the range on the host. */
	uid_t outside_id;
	/* Number of consecutive ids mapped. */
	size_t count;
	/* If true, the mapping is presumably written via the setuid helpers
	 * newuidmap/newgidmap instead of directly to /proc — confirm in the
	 * user-namespace code. */
	bool is_newidmap;
};
/*
 * Operating mode of the supervisor (nsjconf_t::mode). Plain (unscoped)
 * enum, so the MODE_* names live in the enclosing namespace.
 */
enum ns_mode_t {
	/* Accept TCP connections and spawn one jail per connection. */
	MODE_LISTEN_TCP = 0,
	/* Run the jailed program once and exit. */
	MODE_STANDALONE_ONCE,
	/* Run the jailed program in this process (execve, no supervisor). */
	MODE_STANDALONE_EXECVE,
	/* Run the jailed program repeatedly, restarting it when it exits. */
	MODE_STANDALONE_RERUN
};
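/*
 * Association between an accepted client socket, the pipe pair plumbed to a
 * jailed child, and that child's pid (see nsjconf_t::pipes).
 */
struct pipemap_t {
	/* Client socket descriptor. */
	int sock_fd;
	/* Descriptor feeding data into the child. */
	int pipe_in;
	/* Descriptor carrying data out of the child. */
	int pipe_out;
	/* Pid of the child the pipes belong to. */
	pid_t pid;

	/*
	 * Equality is defined on the three descriptors only; pid is not part of
	 * the comparison (unchanged from the previous behaviour — presumably
	 * entries are looked up by fd, confirm with the callers). Declared const
	 * so that const entries, e.g. elements of a const container, can be
	 * compared too.
	 */
	bool operator==(const pipemap_t& o) const {
		return sock_fd == o.sock_fd && pipe_in == o.pipe_in && pipe_out == o.pipe_out;
	}
	/* Negation of operator==; kept in sync with it by construction. */
	bool operator!=(const pipemap_t& o) const { return !(*this == o); }
};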
/*
 * Complete configuration and runtime state of one nsjail instance.
 *
 * NOTE(review): this header assigns no semantics to the fields; the
 * comments below describe what the names and types suggest and must be
 * confirmed against the code that populates (config/cmdline parsing) and
 * consumes (sandbox setup) this struct. Scalar members carry no default
 * member initializers, so a plainly default-constructed nsjconf_t has
 * indeterminate scalar fields unless it is value-initialized.
 */
struct nsjconf_t {
	/* --- what to run --- */
	/* Path of the program to execute inside the jail. */
	std::string exec_file;
	/* If true, exec via execveat(2) on exec_fd rather than execve(2) on exec_file. */
	bool use_execveat;
	/* Descriptor of the program when use_execveat is set. */
	int exec_fd;
	/* argv handed to the jailed program. */
	std::vector<std::string> argv;
	/* UTS hostname inside the jail. */
	std::string hostname;
	/* Working directory inside the jail. */
	std::string cwd;
	/* Directory to pivot/chroot into. */
	std::string chroot;

	/* --- listening / daemon --- */
	/* TCP port for MODE_LISTEN_TCP. */
	int port;
	/* Address to bind the listening socket to. */
	std::string bindhost;
	/* Detach from the terminal after start-up. */
	bool daemonize;
	/* Per-jail wall-clock limit; unit (seconds?) is fixed by the parser, confirm. */
	uint64_t tlimit;
	/* Upper bound on CPUs made available to the jail. */
	size_t max_cpus;

	/* --- privilege-related switches --- */
	/* Keep the host environment instead of starting from an empty one. */
	bool keep_env;
	/* Keep capabilities across the privilege drop (weakens the sandbox). */
	bool keep_caps;
	/* Do not set PR_SET_NO_NEW_PRIVS; presumably allows setuid/file-cap
	 * escalation inside the jail — confirm. */
	bool disable_no_new_privs;

	/* --- setrlimit(2) values; RLIMIT_* counterparts per name --- */
	uint64_t rl_as;
	uint64_t rl_core;
	uint64_t rl_cpu;
	uint64_t rl_fsize;
	uint64_t rl_nofile;
	uint64_t rl_nproc;
	uint64_t rl_stack;
	/* Skip applying the rl_* limits altogether. */
	bool disable_rl;

	/* personality(2) flags to apply. */
	unsigned long personality;

	/* --- which namespaces to unshare (CLONE_NEW* per name) --- */
	bool clone_newnet;
	bool clone_newuser;
	bool clone_newns;
	bool clone_newpid;
	bool clone_newipc;
	bool clone_newuts;
	bool clone_newcgroup;

	/* Supervisor operating mode. */
	enum ns_mode_t mode;
	/* Mount the jail root read-write instead of read-only. */
	bool is_root_rw;
	/* Suppress the jailed program's output (how is defined elsewhere). */
	bool is_silent;
	/* Redirect the jailed program's stderr to /dev/null. */
	bool stderr_to_null;
	/* Do not call setsid() for the child. */
	bool skip_setsid;
	/* Global cap on concurrent connections (0 presumably means unlimited — confirm). */
	unsigned int max_conns;
	/* Per-source-IP cap on concurrent connections. */
	unsigned int max_conns_per_ip;

	/* --- /proc --- */
	/* Where to mount procfs inside the jail (empty presumably disables it). */
	std::string proc_path;
	/* Mount /proc read-write instead of read-only. */
	bool is_proc_rw;

	/* --- networking inside the net namespace --- */
	/* Bring up the loopback interface. */
	bool iface_lo;
	/* Host interface to create a MACVLAN/virtual interface from, with its
	 * IP, netmask, gateway and MAC address inside the jail. */
	std::string iface_vs;
	std::string iface_vs_ip;
	std::string iface_vs_nm;
	std::string iface_vs_gw;
	std::string iface_vs_ma;

	/* --- cgroup v1 controllers: mount point, parent group, limit --- */
	std::string cgroup_mem_mount;
	std::string cgroup_mem_parent;
	/* Memory limit in bytes (unit per name; confirm). */
	size_t cgroup_mem_max;
	std::string cgroup_pids_mount;
	std::string cgroup_pids_parent;
	/* Maximum number of pids in the jail's cgroup. */
	unsigned int cgroup_pids_max;
	std::string cgroup_net_cls_mount;
	std::string cgroup_net_cls_parent;
	/* net_cls classid applied to the jail's traffic. */
	unsigned int cgroup_net_cls_classid;
	std::string cgroup_cpu_mount;
	std::string cgroup_cpu_parent;
	/* CPU quota, in milliseconds of CPU per second of wall time (per name). */
	unsigned int cgroup_cpu_ms_per_sec;
	/* --- cgroup v2 --- */
	std::string cgroupv2_mount;
	bool use_cgroupv2;

	/* --- seccomp-bpf policy --- */
	/* Kafel policy, either as a file path or as an inline string. */
	std::string kafel_file_path;
	std::string kafel_string;
	/* Compiled BPF program (struct sock_fprog from <linux/filter.h>); the
	 * buffer it points at is owned elsewhere. */
	struct sock_fprog seccomp_fprog;
	/* Log policy violations instead of (or in addition to) killing; exact
	 * seccomp flag used is defined where the filter is installed. */
	bool seccomp_log;

	/* nice(2) level for the jailed process. */
	int nice_level;
	/* Number of CPUs detected on the host (long, as sysconf(3) returns). */
	long num_cpus;
	/* Real and effective uid of the invoking user, captured before any
	 * privilege changes. */
	uid_t orig_uid;
	uid_t orig_euid;

	/* --- tables --- */
	/* Mount table applied inside the mount namespace, in order. */
	std::vector<mount_t> mountpts;
	/* Live children, keyed by pid. */
	std::map<pid_t, pids_t> pids;
	/* uid_map / gid_map ranges for the user namespace. */
	std::vector<idmap_t> uids;
	std::vector<idmap_t> gids;
	/* Environment entries ("NAME=value" strings, presumably) for the child. */
	std::vector<std::string> envs;
	/* Descriptors to keep open across the exec. */
	std::vector<int> openfds;
	/* Capabilities to retain (CAP_* numbers, presumably). */
	std::vector<int> caps;
	/* Host interfaces to move into the jail's net namespace. */
	std::vector<std::string> ifaces;
	/* Socket/pipe/pid associations for connected clients. */
	std::vector<pipemap_t> pipes;
};
#endif /* NS_NSJAIL_H */