cgroup: move to C++
This commit is contained in:
parent
27a226ad28
commit
15170f9d6c
11
Makefile
11
Makefile
@ -35,8 +35,8 @@ LDFLAGS += -pie -Wl,-z,noexecstack -lpthread $(shell pkg-config --libs protobuf)
|
|||||||
|
|
||||||
BIN = nsjail
|
BIN = nsjail
|
||||||
LIBS = kafel/libkafel.a
|
LIBS = kafel/libkafel.a
|
||||||
SRCS_C = log.c cgroup.c mount.c user.c util.c
|
SRCS_C = log.c mount.c util.c
|
||||||
SRCS_CXX = caps.cc cmdline.cc config.cc contain.cc cpu.cc net.cc nsjail.cc pid.cc sandbox.cc subproc.cc uts.cc
|
SRCS_CXX = caps.cc cgroup.cc cmdline.cc config.cc contain.cc cpu.cc net.cc nsjail.cc pid.cc sandbox.cc subproc.cc uts.cc user.cc
|
||||||
SRCS_PROTO = config.proto
|
SRCS_PROTO = config.proto
|
||||||
SRCS_PB_CXX = $(SRCS_PROTO:.proto=.pb.cc)
|
SRCS_PB_CXX = $(SRCS_PROTO:.proto=.pb.cc)
|
||||||
SRCS_PB_H = $(SRCS_PROTO:.proto=.pb.h)
|
SRCS_PB_H = $(SRCS_PROTO:.proto=.pb.h)
|
||||||
@ -98,21 +98,22 @@ indent:
|
|||||||
# DO NOT DELETE THIS LINE -- make depend depends on it.
|
# DO NOT DELETE THIS LINE -- make depend depends on it.
|
||||||
|
|
||||||
log.o: log.h nsjail.h
|
log.o: log.h nsjail.h
|
||||||
cgroup.o: cgroup.h nsjail.h log.h util.h
|
|
||||||
mount.o: mount.h nsjail.h common.h log.h subproc.h util.h
|
mount.o: mount.h nsjail.h common.h log.h subproc.h util.h
|
||||||
util.o: util.h nsjail.h common.h log.h
|
util.o: util.h nsjail.h common.h log.h
|
||||||
caps.o: caps.h nsjail.h common.h log.h util.h
|
caps.o: caps.h nsjail.h common.h log.h util.h
|
||||||
|
cgroup.o: cgroup.h nsjail.h log.h util.h
|
||||||
cmdline.o: cmdline.h nsjail.h common.h log.h mount.h util.h caps.h config.h
|
cmdline.o: cmdline.h nsjail.h common.h log.h mount.h util.h caps.h config.h
|
||||||
cmdline.o: sandbox.h user.h
|
cmdline.o: sandbox.h user.h
|
||||||
config.o: common.h config.h nsjail.h log.h mount.h util.h caps.h cmdline.h
|
config.o: common.h config.h nsjail.h log.h mount.h util.h caps.h cmdline.h
|
||||||
config.o: user.h
|
config.o: user.h
|
||||||
contain.o: contain.h nsjail.h cgroup.h log.h mount.h caps.h cpu.h net.h pid.h
|
contain.o: contain.h nsjail.h log.h mount.h caps.h cgroup.h cpu.h net.h pid.h
|
||||||
contain.o: user.h uts.h
|
contain.o: user.h uts.h
|
||||||
cpu.o: cpu.h nsjail.h log.h util.h
|
cpu.o: cpu.h nsjail.h log.h util.h
|
||||||
net.o: net.h nsjail.h log.h subproc.h
|
net.o: net.h nsjail.h log.h subproc.h
|
||||||
nsjail.o: nsjail.h cmdline.h common.h log.h net.h subproc.h util.h
|
nsjail.o: nsjail.h cmdline.h common.h log.h net.h subproc.h util.h
|
||||||
pid.o: pid.h nsjail.h log.h subproc.h
|
pid.o: pid.h nsjail.h log.h subproc.h
|
||||||
sandbox.o: sandbox.h nsjail.h kafel/include/kafel.h log.h
|
sandbox.o: sandbox.h nsjail.h kafel/include/kafel.h log.h
|
||||||
subproc.o: subproc.h nsjail.h contain.h net.h sandbox.h user.h cgroup.h
|
subproc.o: subproc.h nsjail.h cgroup.h contain.h net.h sandbox.h user.h
|
||||||
subproc.o: common.h log.h util.h
|
subproc.o: common.h log.h util.h
|
||||||
uts.o: uts.h nsjail.h log.h
|
uts.o: uts.h nsjail.h log.h
|
||||||
|
user.o: user.h nsjail.h common.h log.h util.h subproc.h
|
||||||
|
@ -30,10 +30,14 @@
|
|||||||
#include <sys/stat.h>
|
#include <sys/stat.h>
|
||||||
#include <unistd.h>
|
#include <unistd.h>
|
||||||
|
|
||||||
|
extern "C" {
|
||||||
#include "log.h"
|
#include "log.h"
|
||||||
#include "util.h"
|
#include "util.h"
|
||||||
|
}
|
||||||
|
|
||||||
static bool cgroupInitNsFromParentMem(struct nsjconf_t* nsjconf, pid_t pid) {
|
namespace cgroup {
|
||||||
|
|
||||||
|
static bool initNsFromParentMem(struct nsjconf_t* nsjconf, pid_t pid) {
|
||||||
if (nsjconf->cgroup_mem_max == (size_t)0) {
|
if (nsjconf->cgroup_mem_max == (size_t)0) {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
@ -79,7 +83,7 @@ static bool cgroupInitNsFromParentMem(struct nsjconf_t* nsjconf, pid_t pid) {
|
|||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool cgroupInitNsFromParentPids(struct nsjconf_t* nsjconf, pid_t pid) {
|
static bool initNsFromParentPids(struct nsjconf_t* nsjconf, pid_t pid) {
|
||||||
if (nsjconf->cgroup_pids_max == 0U) {
|
if (nsjconf->cgroup_pids_max == 0U) {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
@ -115,7 +119,7 @@ static bool cgroupInitNsFromParentPids(struct nsjconf_t* nsjconf, pid_t pid) {
|
|||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool cgroupInitNsFromParentNetCls(struct nsjconf_t* nsjconf, pid_t pid) {
|
static bool initNsFromParentNetCls(struct nsjconf_t* nsjconf, pid_t pid) {
|
||||||
if (nsjconf->cgroup_net_cls_classid == 0U) {
|
if (nsjconf->cgroup_net_cls_classid == 0U) {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
@ -153,7 +157,7 @@ static bool cgroupInitNsFromParentNetCls(struct nsjconf_t* nsjconf, pid_t pid) {
|
|||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool cgroupInitNsFromParentCpu(struct nsjconf_t* nsjconf, pid_t pid) {
|
static bool initNsFromParentCpu(struct nsjconf_t* nsjconf, pid_t pid) {
|
||||||
if (nsjconf->cgroup_cpu_ms_per_sec == 0U) {
|
if (nsjconf->cgroup_cpu_ms_per_sec == 0U) {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
@ -200,23 +204,23 @@ static bool cgroupInitNsFromParentCpu(struct nsjconf_t* nsjconf, pid_t pid) {
|
|||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
bool cgroupInitNsFromParent(struct nsjconf_t* nsjconf, pid_t pid) {
|
bool initNsFromParent(struct nsjconf_t* nsjconf, pid_t pid) {
|
||||||
if (!cgroupInitNsFromParentMem(nsjconf, pid)) {
|
if (!initNsFromParentMem(nsjconf, pid)) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
if (!cgroupInitNsFromParentPids(nsjconf, pid)) {
|
if (!initNsFromParentPids(nsjconf, pid)) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
if (!cgroupInitNsFromParentNetCls(nsjconf, pid)) {
|
if (!initNsFromParentNetCls(nsjconf, pid)) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
if (!cgroupInitNsFromParentCpu(nsjconf, pid)) {
|
if (!initNsFromParentCpu(nsjconf, pid)) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
void cgroupFinishFromParentMem(struct nsjconf_t* nsjconf, pid_t pid) {
|
void finishFromParentMem(struct nsjconf_t* nsjconf, pid_t pid) {
|
||||||
if (nsjconf->cgroup_mem_max == (size_t)0) {
|
if (nsjconf->cgroup_mem_max == (size_t)0) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
@ -230,7 +234,7 @@ void cgroupFinishFromParentMem(struct nsjconf_t* nsjconf, pid_t pid) {
|
|||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
void cgroupFinishFromParentPids(struct nsjconf_t* nsjconf, pid_t pid) {
|
void finishFromParentPids(struct nsjconf_t* nsjconf, pid_t pid) {
|
||||||
if (nsjconf->cgroup_pids_max == 0U) {
|
if (nsjconf->cgroup_pids_max == 0U) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
@ -244,7 +248,7 @@ void cgroupFinishFromParentPids(struct nsjconf_t* nsjconf, pid_t pid) {
|
|||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
void cgroupFinishFromParentCpu(struct nsjconf_t* nsjconf, pid_t pid) {
|
void finishFromParentCpu(struct nsjconf_t* nsjconf, pid_t pid) {
|
||||||
if (nsjconf->cgroup_cpu_ms_per_sec == 0U) {
|
if (nsjconf->cgroup_cpu_ms_per_sec == 0U) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
@ -258,7 +262,7 @@ void cgroupFinishFromParentCpu(struct nsjconf_t* nsjconf, pid_t pid) {
|
|||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
void cgroupFinishFromParentNetCls(struct nsjconf_t* nsjconf, pid_t pid) {
|
void finishFromParentNetCls(struct nsjconf_t* nsjconf, pid_t pid) {
|
||||||
if (nsjconf->cgroup_net_cls_classid == 0U) {
|
if (nsjconf->cgroup_net_cls_classid == 0U) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
@ -272,11 +276,13 @@ void cgroupFinishFromParentNetCls(struct nsjconf_t* nsjconf, pid_t pid) {
|
|||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
void cgroupFinishFromParent(struct nsjconf_t* nsjconf, pid_t pid) {
|
void finishFromParent(struct nsjconf_t* nsjconf, pid_t pid) {
|
||||||
cgroupFinishFromParentMem(nsjconf, pid);
|
finishFromParentMem(nsjconf, pid);
|
||||||
cgroupFinishFromParentPids(nsjconf, pid);
|
finishFromParentPids(nsjconf, pid);
|
||||||
cgroupFinishFromParentNetCls(nsjconf, pid);
|
finishFromParentNetCls(nsjconf, pid);
|
||||||
cgroupFinishFromParentCpu(nsjconf, pid);
|
finishFromParentCpu(nsjconf, pid);
|
||||||
}
|
}
|
||||||
|
|
||||||
bool cgroupInitNs(void) { return true; }
|
bool initNs(void) { return true; }
|
||||||
|
|
||||||
|
} // namespace cgroup
|
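Review bot: finishFromParentMem, finishFromParentPids, finishFromParentCpu and finishFromParentNetCls keep external linkage inside namespace cgroup even though cgroup.h declares only initNsFromParent, initNs and finishFromParent, whereas the parallel initNsFromParent* helpers in the earlier hunks are static; the cleanup helpers should be hidden the same way so the module's linkable surface is exactly what the header exports, e.g. `static void finishFromParentMem(struct nsjconf_t* nsjconf, pid_t pid) {` and likewise for the other three. The bodies of these four functions continue past their hunks, so I cannot see whether anything else in the file relies on them being visible, but nothing in contain.cc or subproc.cc in this commit does. In the last hunk `bool initNs(void) { return true; }` deserves a one-line comment such as `// Child-side cgroup setup is intentionally a no-op; placement into cgroups is done by initNsFromParent()` so a reader does not assume a limit is being applied here — the exact division of work should be confirmed against the callers.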
10
cgroup.h
10
cgroup.h
@ -27,8 +27,12 @@
|
|||||||
|
|
||||||
#include "nsjail.h"
|
#include "nsjail.h"
|
||||||
|
|
||||||
bool cgroupInitNsFromParent(struct nsjconf_t* nsjconf, pid_t pid);
|
namespace cgroup {
|
||||||
bool cgroupInitNs(void);
|
|
||||||
void cgroupFinishFromParent(struct nsjconf_t* nsjconf, pid_t pid);
|
bool initNsFromParent(struct nsjconf_t* nsjconf, pid_t pid);
|
||||||
|
bool initNs(void);
|
||||||
|
void finishFromParent(struct nsjconf_t* nsjconf, pid_t pid);
|
||||||
|
|
||||||
|
} // namespace cgroup
|
||||||
|
|
||||||
#endif /* _CGROUP_H */
|
#endif /* _CGROUP_H */
|
||||||
|
@ -38,12 +38,12 @@
|
|||||||
#include <unistd.h>
|
#include <unistd.h>
|
||||||
|
|
||||||
extern "C" {
|
extern "C" {
|
||||||
#include "cgroup.h"
|
|
||||||
#include "log.h"
|
#include "log.h"
|
||||||
#include "mount.h"
|
#include "mount.h"
|
||||||
}
|
}
|
||||||
|
|
||||||
#include "caps.h"
|
#include "caps.h"
|
||||||
|
#include "cgroup.h"
|
||||||
#include "cpu.h"
|
#include "cpu.h"
|
||||||
#include "net.h"
|
#include "net.h"
|
||||||
#include "pid.h"
|
#include "pid.h"
|
||||||
@ -60,7 +60,7 @@ static bool containInitNetNs(struct nsjconf_t* nsjconf) { return net::initNsFrom
|
|||||||
|
|
||||||
static bool containInitUtsNs(struct nsjconf_t* nsjconf) { return uts::initNs(nsjconf); }
|
static bool containInitUtsNs(struct nsjconf_t* nsjconf) { return uts::initNs(nsjconf); }
|
||||||
|
|
||||||
static bool containInitCgroupNs(void) { return cgroupInitNs(); }
|
static bool containInitCgroupNs(void) { return cgroup::initNs(); }
|
||||||
|
|
||||||
static bool containDropPrivs(struct nsjconf_t* nsjconf) {
|
static bool containDropPrivs(struct nsjconf_t* nsjconf) {
|
||||||
#ifndef PR_SET_NO_NEW_PRIVS
|
#ifndef PR_SET_NO_NEW_PRIVS
|
||||||
|
@ -42,13 +42,13 @@
|
|||||||
#include <time.h>
|
#include <time.h>
|
||||||
#include <unistd.h>
|
#include <unistd.h>
|
||||||
|
|
||||||
|
#include "cgroup.h"
|
||||||
#include "contain.h"
|
#include "contain.h"
|
||||||
#include "net.h"
|
#include "net.h"
|
||||||
#include "sandbox.h"
|
#include "sandbox.h"
|
||||||
#include "user.h"
|
#include "user.h"
|
||||||
|
|
||||||
extern "C" {
|
extern "C" {
|
||||||
#include "cgroup.h"
|
|
||||||
#include "common.h"
|
#include "common.h"
|
||||||
#include "log.h"
|
#include "log.h"
|
||||||
#include "util.h"
|
#include "util.h"
|
||||||
@ -148,7 +148,7 @@ static int subprocNewProc(
|
|||||||
LOG_E("Couldn't initialize net user namespace");
|
LOG_E("Couldn't initialize net user namespace");
|
||||||
_exit(0xff);
|
_exit(0xff);
|
||||||
}
|
}
|
||||||
if (cgroupInitNsFromParent(nsjconf, getpid()) == false) {
|
if (cgroup::initNsFromParent(nsjconf, getpid()) == false) {
|
||||||
LOG_E("Couldn't initialize net user namespace");
|
LOG_E("Couldn't initialize net user namespace");
|
||||||
_exit(0xff);
|
_exit(0xff);
|
||||||
}
|
}
|
||||||
@ -317,7 +317,7 @@ int reapProc(struct nsjconf_t* nsjconf) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (wait4(si.si_pid, &status, WNOHANG, NULL) == si.si_pid) {
|
if (wait4(si.si_pid, &status, WNOHANG, NULL) == si.si_pid) {
|
||||||
cgroupFinishFromParent(nsjconf, si.si_pid);
|
cgroup::finishFromParent(nsjconf, si.si_pid);
|
||||||
|
|
||||||
const char* remote_txt = "[UNKNOWN]";
|
const char* remote_txt = "[UNKNOWN]";
|
||||||
struct pids_t* elem = getPidElem(nsjconf, si.si_pid);
|
struct pids_t* elem = getPidElem(nsjconf, si.si_pid);
|
||||||
@ -380,7 +380,7 @@ static bool initParent(struct nsjconf_t* nsjconf, pid_t pid, int pipefd) {
|
|||||||
LOG_E("Couldn't create and put MACVTAP interface into NS of PID '%d'", pid);
|
LOG_E("Couldn't create and put MACVTAP interface into NS of PID '%d'", pid);
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
if (cgroupInitNsFromParent(nsjconf, pid) == false) {
|
if (cgroup::initNsFromParent(nsjconf, pid) == false) {
|
||||||
LOG_E("Couldn't initialize cgroup user namespace");
|
LOG_E("Couldn't initialize cgroup user namespace");
|
||||||
exit(0xff);
|
exit(0xff);
|
||||||
}
|
}
|
||||||
|
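Review bot: The error logged when `cgroup::initNsFromParent` fails in subprocNewProc still reads `Couldn't initialize net user namespace`, a copy of the message from the net-namespace block directly above, so a cgroup setup failure in the child is reported as a network failure; it should be `LOG_E("Couldn't initialize cgroup namespace");`, in line with the wording initParent uses for the same call in the third hunk. Because this path `_exit`s the child with 0xff, that line is the only diagnostic an operator sees when a configured cgroup limit could not be applied, which makes the mislabel costly when triaging a sandbox that refuses to start. subprocNewProc begins outside the hunk.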
4
user.cc
4
user.cc
@ -349,8 +349,8 @@ static gid_t parseGid(const char* id) {
|
|||||||
return (gid_t)-1;
|
return (gid_t)-1;
|
||||||
}
|
}
|
||||||
|
|
||||||
bool parseId(struct nsjconf_t* nsjconf, const char* i_id, const char* o_id, size_t cnt,
|
bool parseId(struct nsjconf_t* nsjconf, const char* i_id, const char* o_id, size_t cnt, bool is_gid,
|
||||||
bool is_gid, bool is_newidmap) {
|
bool is_newidmap) {
|
||||||
uid_t inside_id;
|
uid_t inside_id;
|
||||||
uid_t outside_id;
|
uid_t outside_id;
|
||||||
|
|
||||||
|