cmdline/config: make --enable_clone_newcgroup obsolete by enabling CLONE_NEWCGROUP by default. This can be disabled by flags/config
parent
805ceb4363
commit
3734b8801f
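--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -109,7 +109,7 @@ struct custom_option custom_opts[] = {
 { { "disable_clone_newpid", no_argument, NULL, 0x0404 }, "Don't use CLONE_NEWPID" },
 { { "disable_clone_newipc", no_argument, NULL, 0x0405 }, "Don't use CLONE_NEWIPC" },
 { { "disable_clone_newuts", no_argument, NULL, 0x0406 }, "Don't use CLONE_NEWUTS" },
-{ { "enable_clone_newcgroup", no_argument, NULL, 0x0407 }, "Use CLONE_NEWCGROUP" },
+{ { "disable_clone_newcgroup", no_argument, NULL, 0x0407 }, "Don't use CLONE_NEWCGROUP. Might be required for kernel versions < 4.6" },
 { { "uid_mapping", required_argument, NULL, 'U' }, "Add a custom uid mapping of the form inside_uid:outside_uid:count. Setting this requires newuidmap (set-uid) to be present" },
 { { "gid_mapping", required_argument, NULL, 'G' }, "Add a custom gid mapping of the form inside_gid:outside_gid:count. Setting this requires newgidmap (set-uid) to be present" },
 { { "bindmount_ro", required_argument, NULL, 'R' }, "List of mountpoints to be mounted --bind (ro) inside the container. Can be specified multiple times. Supports 'source' syntax, or 'source:dest'" },
@@ -144,6 +144,7 @@ struct custom_option deprecated_opts[] = {
 { { "iface_vs_ip", required_argument, NULL, 0x701 }, "IP of the 'vs' interface (e.g. \"192.168.0.1\")" },
 { { "iface_vs_nm", required_argument, NULL, 0x702 }, "Netmask of the 'vs' interface (e.g. \"255.255.255.0\")" },
 { { "iface_vs_gw", required_argument, NULL, 0x703 }, "Default GW for the 'vs' interface (e.g. \"192.168.0.1\")" },
+{ { "enable_clone_newcgroup", no_argument, NULL, 0x0408 }, "Use CLONE_NEWCGROUP (it's enabled by default now)" },
 };
 // clang-format on
 
@@ -540,6 +541,9 @@ bool cmdlineParse(int argc, char* argv[], struct nsjconf_t* nsjconf) {
 nsjconf->clone_newuts = false;
 break;
 case 0x0407:
+nsjconf->clone_newcgroup = false;
+break;
+case 0x0408:
 nsjconf->clone_newcgroup = true;
 break;
 case 0x0501: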
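Review bot: The new `case 0x0407` in cmdlineParse only clears `nsjconf->clone_newcgroup`; whether CLONE_NEWCGROUP is really on by default on the command-line path depends on the initial value assigned to that field earlier in cmdlineParse, which is outside this hunk. If that initialisation still sets it to false, `--disable_clone_newcgroup` is a no-op and only the proto default changes, so the defaults block should carry `nsjconf->clone_newcgroup = true;` in the same commit. The retained `case 0x0408` for the deprecated `--enable_clone_newcgroup` option is consistent with its new help text in the second hunk. cmdlineParse starts and ends outside the hunk.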
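--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -164,8 +164,8 @@ message NsJailConfig {
 optional bool clone_newpid = 49 [default = true];
 optional bool clone_newipc = 50 [default = true];
 optional bool clone_newuts = 51 [default = true];
-/* It's only supported in newer kernels, hence disabled by default */
-optional bool clone_newcgroup = 52 [default = false];
+/* Disable for kernel versions < 4.6 as it's not supported there */
+optional bool clone_newcgroup = 52 [default = true];
 
 /* Mappings for UIDs and GIDs. See the description for 'msg IdMap'
 for more */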
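Review bot: Flipping `[default = true]` on `clone_newcgroup` changes the meaning of every existing config that omits the field: such configs now request CLONE_NEWCGROUP and, on kernels older than 4.6, fail at clone time instead of running without the namespace. Failing closed is the right choice for a sandbox, but the schema comment should state the consequence so operators can find it without reading the clone error path, e.g. `/* Enabled by default. Set to false on kernels < 4.6, where the flag is unsupported and the jail fails to start */`.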
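--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -445,7 +445,7 @@ void subprocRunChild(struct nsjconf_t* nsjconf, int fd_in, int fd_out, int fd_er
 if (nsjconf->mode == MODE_STANDALONE_EXECVE) {
 LOG_D("Entering namespace with flags:%s", subprocCloneFlagsToStr(flags));
 if (unshare(flags) == -1) {
-PLOG_E("unshare(%#lx)", flags);
+PLOG_E("unshare(%s)", subprocCloneFlagsToStr(flags));
 _exit(0xff);
 }
 subprocNewProc(nsjconf, fd_in, fd_out, fd_err, -1);
@@ -469,6 +469,11 @@ void subprocRunChild(struct nsjconf_t* nsjconf, int fd_in, int fd_out, int fd_er
 }
 close(child_fd);
 if (pid == -1) {
+if (flags & CLONE_NEWCGROUP) {
+PLOG_E(
+"nsjail tried to use the CLONE_NEWCGROUP clone flag, which is "
+"supported under kernel versions >= 4.6 only. Try disabling this flag");
+}
 PLOG_E(
 "clone(flags=%s) failed. You probably need root privileges if your system "
 "doesn't support CLONE_NEWUSER. Alternatively, you might want to recompile "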
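Review bot: The added CLONE_NEWCGROUP hint in the `pid == -1` branch of the second hunk fires on every clone failure while the flag is set, including EPERM from an unprivileged CLONE_NEWUSER, so with the flag now on by default most failures will be misattributed to the kernel version. Gate it on the error the kernel returns for an unsupported flag, `if (errno == EINVAL && (flags & CLONE_NEWCGROUP)) {`, keeping the generic message after it. Note that the `close(child_fd)` context line runs before the check and can overwrite errno, so the value should be captured right after the clone call, which lies outside this hunk. subprocRunChild starts and ends outside both hunks.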