config: Implement --stderr_to_null
This commit is contained in:
Robert Swiecki
parent
054e62c026
commit
272a85477a
@ -99,6 +99,7 @@ struct custom_option custom_opts[] = {
|
|||||||
{ { "silent", no_argument, NULL, 0x0502 }, "Redirect child process' fd:0/1/2 to /dev/null" },
|
{ { "silent", no_argument, NULL, 0x0502 }, "Redirect child process' fd:0/1/2 to /dev/null" },
|
||||||
{ { "skip_setsid", no_argument, NULL, 0x0504 }, "Don't call setsid(), allows for terminal signal handling in the sandboxed process. Dangerous" },
|
{ { "skip_setsid", no_argument, NULL, 0x0504 }, "Don't call setsid(), allows for terminal signal handling in the sandboxed process. Dangerous" },
|
||||||
{ { "pass_fd", required_argument, NULL, 0x0505 }, "Don't close this FD before executing the child process (can be specified multiple times), by default: 0/1/2 are kept open" },
|
{ { "pass_fd", required_argument, NULL, 0x0505 }, "Don't close this FD before executing the child process (can be specified multiple times), by default: 0/1/2 are kept open" },
|
||||||
|
{ { "stderr_to_null", no_argument, NULL, 0x0506 }, "Redirect FD=2 (STDERR_FILENO) to /dev/null" },
|
||||||
{ { "disable_no_new_privs", no_argument, NULL, 0x0507 }, "Don't set the prctl(NO_NEW_PRIVS, 1) (DANGEROUS)" },
|
{ { "disable_no_new_privs", no_argument, NULL, 0x0507 }, "Don't set the prctl(NO_NEW_PRIVS, 1) (DANGEROUS)" },
|
||||||
{ { "rlimit_as", required_argument, NULL, 0x0201 }, "RLIMIT_AS in MB, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 512)" },
|
{ { "rlimit_as", required_argument, NULL, 0x0201 }, "RLIMIT_AS in MB, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 512)" },
|
||||||
{ { "rlimit_core", required_argument, NULL, 0x0202 }, "RLIMIT_CORE in MB, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 0)" },
|
{ { "rlimit_core", required_argument, NULL, 0x0202 }, "RLIMIT_CORE in MB, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 0)" },
|
||||||
@ -396,6 +397,7 @@ std::unique_ptr<nsjconf_t> parseArgs(int argc, char* argv[]) {
|
|||||||
nsjconf->is_root_rw = false;
|
nsjconf->is_root_rw = false;
|
||||||
nsjconf->is_silent = false;
|
nsjconf->is_silent = false;
|
||||||
nsjconf->skip_setsid = false;
|
nsjconf->skip_setsid = false;
|
||||||
|
nsjconf->stderr_to_null = false;
|
||||||
nsjconf->max_conns_per_ip = 0;
|
nsjconf->max_conns_per_ip = 0;
|
||||||
nsjconf->proc_path = "/proc";
|
nsjconf->proc_path = "/proc";
|
||||||
nsjconf->is_proc_rw = false;
|
nsjconf->is_proc_rw = false;
|
||||||
@ -570,6 +572,9 @@ std::unique_ptr<nsjconf_t> parseArgs(int argc, char* argv[]) {
|
|||||||
case 0x0505:
|
case 0x0505:
|
||||||
nsjconf->openfds.push_back((int)strtol(optarg, NULL, 0));
|
nsjconf->openfds.push_back((int)strtol(optarg, NULL, 0));
|
||||||
break;
|
break;
|
||||||
|
case 0x0506:
|
||||||
|
nsjconf->stderr_to_null = true;
|
||||||
|
break;
|
||||||
case 0x0507:
|
case 0x0507:
|
||||||
nsjconf->disable_no_new_privs = true;
|
nsjconf->disable_no_new_privs = true;
|
||||||
break;
|
break;
|
||||||
|
|||||||
@ -144,6 +144,7 @@ static bool configParseInternal(nsjconf_t* nsjconf, const nsjail::NsJailConfig&
|
|||||||
nsjconf->openfds.push_back(i);
|
nsjconf->openfds.push_back(i);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
nsjconf->stderr_to_null = njc.stderr_to_null();
|
||||||
nsjconf->disable_no_new_privs = njc.disable_no_new_privs();
|
nsjconf->disable_no_new_privs = njc.disable_no_new_privs();
|
||||||
|
|
||||||
nsjconf->rl_as =
|
nsjconf->rl_as =
|
||||||
|
|||||||
@ -124,6 +124,8 @@ message NsJailConfig {
|
|||||||
job control / signals. Dangerous, can be used to put
|
job control / signals. Dangerous, can be used to put
|
||||||
characters into the controlling terminal back */
|
characters into the controlling terminal back */
|
||||||
optional bool skip_setsid = 24 [default = false];
|
optional bool skip_setsid = 24 [default = false];
|
||||||
|
/* Redirect sdterr of the process to /dev/null instead of the socket or original TTY */
|
||||||
|
optional bool stderr_to_null = 79 [default = false];
|
||||||
/* Which FDs should be passed to the newly executed process
|
/* Which FDs should be passed to the newly executed process
|
||||||
By default only FD=0,1,2 are passed */
|
By default only FD=0,1,2 are passed */
|
||||||
repeated int32 pass_fd = 25;
|
repeated int32 pass_fd = 25;
|
||||||
|
|||||||
17
contain.cc
17
contain.cc
@ -263,25 +263,30 @@ static bool containMakeFdsCOE(nsjconf_t* nsjconf) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
bool setupFD(nsjconf_t* nsjconf, int fd_in, int fd_out, int fd_err) {
|
bool setupFD(nsjconf_t* nsjconf, int fd_in, int fd_out, int fd_err) {
|
||||||
if (nsjconf->mode != MODE_LISTEN_TCP) {
|
if (nsjconf->stderr_to_null) {
|
||||||
if (!nsjconf->is_silent) {
|
LOG_D("Redirecting FD=2 (STDERR_FILENO) to /dev/null");
|
||||||
return true;
|
if ((fd_err = TEMP_FAILURE_RETRY(open("/dev/null", O_RDWR))) == -1) {
|
||||||
|
PLOG_E("open('/dev/null', O_RDWR");
|
||||||
|
return false;
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
if (nsjconf->is_silent) {
|
||||||
|
LOG_D("Redirecting FD=0/1/2 (STDIN/OUT/ERR_FILENO) to /dev/null");
|
||||||
if (TEMP_FAILURE_RETRY(fd_in = fd_out = fd_err = open("/dev/null", O_RDWR)) == -1) {
|
if (TEMP_FAILURE_RETRY(fd_in = fd_out = fd_err = open("/dev/null", O_RDWR)) == -1) {
|
||||||
PLOG_E("open('/dev/null', O_RDWR)");
|
PLOG_E("open('/dev/null', O_RDWR)");
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
/* Set stdin/stdout/stderr to the net */
|
/* Set stdin/stdout/stderr to the net */
|
||||||
if (TEMP_FAILURE_RETRY(dup2(fd_in, STDIN_FILENO)) == -1) {
|
if (fd_in != STDIN_FILENO && TEMP_FAILURE_RETRY(dup2(fd_in, STDIN_FILENO)) == -1) {
|
||||||
PLOG_E("dup2(%d, STDIN_FILENO)", fd_in);
|
PLOG_E("dup2(%d, STDIN_FILENO)", fd_in);
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
if (TEMP_FAILURE_RETRY(dup2(fd_out, STDOUT_FILENO)) == -1) {
|
if (fd_out != STDOUT_FILENO && TEMP_FAILURE_RETRY(dup2(fd_out, STDOUT_FILENO)) == -1) {
|
||||||
PLOG_E("dup2(%d, STDOUT_FILENO)", fd_out);
|
PLOG_E("dup2(%d, STDOUT_FILENO)", fd_out);
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
if (TEMP_FAILURE_RETRY(dup2(fd_err, STDERR_FILENO)) == -1) {
|
if (fd_err != STDERR_FILENO && TEMP_FAILURE_RETRY(dup2(fd_err, STDERR_FILENO)) == -1) {
|
||||||
PLOG_E("dup2(%d, STDERR_FILENO)", fd_err);
|
PLOG_E("dup2(%d, STDERR_FILENO)", fd_err);
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|||||||
1
nsjail.h
1
nsjail.h
@ -116,6 +116,7 @@ struct nsjconf_t {
|
|||||||
bool is_root_rw;
|
bool is_root_rw;
|
||||||
bool is_silent;
|
bool is_silent;
|
||||||
bool skip_setsid;
|
bool skip_setsid;
|
||||||
|
bool stderr_to_null;
|
||||||
unsigned int max_conns_per_ip;
|
unsigned int max_conns_per_ip;
|
||||||
std::string proc_path;
|
std::string proc_path;
|
||||||
bool is_proc_rw;
|
bool is_proc_rw;
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user