move sandboxing setup from cmdline to nsjail

Makefile

@@ -92,8 +92,8 @@ indent:
 
 caps.o: caps.h nsjail.h logs.h macros.h util.h
 cgroup.o: cgroup.h nsjail.h logs.h util.h
-cmdline.o: cmdline.h nsjail.h logs.h caps.h config.h macros.h mnt.h sandbox.h
-cmdline.o: user.h util.h
+cmdline.o: cmdline.h nsjail.h logs.h caps.h config.h macros.h mnt.h user.h
+cmdline.o: util.h
 config.o: caps.h nsjail.h logs.h cmdline.h config.h config.pb.h macros.h
 config.o: mnt.h user.h util.h
 contain.o: contain.h nsjail.h logs.h caps.h cgroup.h cpu.h mnt.h net.h pid.h
@@ -102,7 +102,7 @@ cpu.o: cpu.h nsjail.h logs.h util.h
 logs.o: logs.h nsjail.h
 mnt.o: mnt.h nsjail.h logs.h macros.h subproc.h util.h
 net.o: net.h nsjail.h logs.h subproc.h
-nsjail.o: nsjail.h logs.h cmdline.h macros.h net.h subproc.h util.h
+nsjail.o: nsjail.h logs.h cmdline.h macros.h net.h sandbox.h subproc.h util.h
 pid.o: pid.h nsjail.h logs.h subproc.h
 sandbox.o: sandbox.h nsjail.h logs.h kafel/include/kafel.h
 subproc.o: subproc.h nsjail.h logs.h cgroup.h contain.h macros.h net.h

cmdline.cc

@@ -51,7 +51,6 @@
 #include "logs.h"
 #include "macros.h"
 #include "mnt.h"
-#include "sandbox.h"
 #include "user.h"
 #include "util.h"
 
@@ -433,12 +432,15 @@ std::unique_ptr<nsjconf_t> parseArgs(int argc, char* argv[]) {
 			break;
 		case 'v':
 			nsjconf->loglevel = logs::DEBUG;
+			logs::logLevel(nsjconf->loglevel);
 			break;
 		case 'q':
 			nsjconf->loglevel = logs::WARNING;
+			logs::logLevel(nsjconf->loglevel);
 			break;
 		case 'Q':
 			nsjconf->loglevel = logs::FATAL;
+			logs::logLevel(nsjconf->loglevel);
 			break;
 		case 'e':
 			nsjconf->keep_env = true;
@@ -816,11 +818,6 @@ std::unique_ptr<nsjconf_t> parseArgs(int argc, char* argv[]) {
 		}
 	}
 
-	if (!sandbox::preparePolicy(nsjconf.get())) {
-		LOG_E("Couldn't prepare sandboxing setup");
-		return nullptr;
-	}
-
 	return nsjconf;
 }
 

config.cc

@@ -121,6 +121,7 @@ static bool configParseInternal(nsjconf_t* nsjconf, const nsjail::NsJailConfig&
 			LOG_E("Unknown log_level: %d", njc.log_level());
 			return false;
 		}
+		logs::logLevel(nsjconf->loglevel);
 	}
 
 	nsjconf->keep_env = njc.keep_env();

logs.cc

@@ -141,4 +141,8 @@ void logStop(int sig) {
 	LOG_I("Server stops due to fatal signal (%d) caught. Exiting", sig);
 }
 
+void logLevel(enum llevel_t ll) {
+	_log_level = ll;
+}
+
 }  // namespace logs

logs.h

@@ -59,6 +59,7 @@ bool initLog(const std::string& logfile, llevel_t loglevel);
 void logMsg(enum llevel_t ll, const char* fn, int ln, bool perr, const char* fmt, ...)
     __attribute__((format(printf, 5, 6)));
 void logStop(int sig);
+void logLevel(enum llevel_t ll);
 
 }  // namespace logs
 

nsjail.cc

@@ -33,6 +33,7 @@
 #include "logs.h"
 #include "macros.h"
 #include "net.h"
+#include "sandbox.h"
 #include "subproc.h"
 #include "util.h"
 
@@ -174,6 +175,9 @@ int main(int argc, char* argv[]) {
 	if (nsjailSetTimer(nsjconf.get()) == false) {
 		LOG_F("nsjailSetTimer() failed");
 	}
+	if (!sandbox::preparePolicy(nsjconf.get())) {
+		LOG_F("Couldn't prepare sandboxing policy");
+	}
 
 	if (nsjconf->mode == MODE_LISTEN_TCP) {
 		nsjailListenMode(nsjconf.get());