Move PID ns to a separate module
parent
d78e141f70
commit
3edc8bf4a7
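--- a/Makefile
+++ b/Makefile
@@ -26,7 +26,7 @@ CFLAGS += -O2 -c -std=gnu11 \
 
 LDFLAGS += -Wl,-z,now -Wl,-z,relro -pie -Wl,-z,noexecstack
 
-SRCS = nsjail.c cmdline.c contain.c log.c mount.c net.c sandbox.c subproc.c user.c util.c uts.c seccomp/bpf-helper.c
+SRCS = nsjail.c cmdline.c contain.c log.c mount.c net.c pid.c sandbox.c subproc.c user.c util.c uts.c seccomp/bpf-helper.c
 OBJS = $(SRCS:.c=.o)
 BIN = nsjail
 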
@ -45,9 +45,15 @@
|
|||||||
#include "log.h"
|
#include "log.h"
|
||||||
#include "mount.h"
|
#include "mount.h"
|
||||||
#include "net.h"
|
#include "net.h"
|
||||||
|
#include "pid.h"
|
||||||
#include "util.h"
|
#include "util.h"
|
||||||
#include "uts.h"
|
#include "uts.h"
|
||||||
|
|
||||||
|
static bool containInitPidNs(struct nsjconf_t *nsjconf)
|
||||||
|
{
|
||||||
|
return pidInitNs(nsjconf);
|
||||||
|
}
|
||||||
|
|
||||||
static bool containInitNetNs(struct nsjconf_t *nsjconf)
|
static bool containInitNetNs(struct nsjconf_t *nsjconf)
|
||||||
{
|
{
|
||||||
return netInitNsFromChild(nsjconf);
|
return netInitNsFromChild(nsjconf);
|
||||||
@ -282,6 +288,9 @@ bool containSetupFD(struct nsjconf_t * nsjconf, int fd_in, int fd_out, int fd_er
|
|||||||
|
|
||||||
bool containContain(struct nsjconf_t * nsjconf)
|
bool containContain(struct nsjconf_t * nsjconf)
|
||||||
{
|
{
|
||||||
|
if (containInitPidNs(nsjconf) == false) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
if (containInitMountNs(nsjconf) == false) {
|
if (containInitMountNs(nsjconf) == false) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
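--- /dev/null
+++ b/pid.c
@@ -0,0 +1,52 @@
+/*
+
+nsjail - CLONE_PID routines
+-----------------------------------------
+
+Copyright 2014 Google Inc. All Rights Reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+*/
+
+#include "pid.h"
+
+#include <signal.h>
+#include <sched.h>
+#include <sys/prctl.h>
+#include <sys/syscall.h>
+#include <unistd.h>
+
+#include "log.h"
+
+bool pidInitNs(struct nsjconf_t * nsjconf)
+{
+if (nsjconf->mode != MODE_STANDALONE_EXECVE) {
+return true;
+}
+
+pid_t pid = syscall(__NR_clone, (uintptr_t) CLONE_FS, NULL, NULL, NULL, (uintptr_t) 0);
+if (pid == -1) {
+LOG_E("Couldn't create a dummy init process");
+return false;
+}
+if (pid > 0) {
+return true;
+}
+if (prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0) == -1) {
+LOG_W("(prctl(PR_SET_PDEATHSIG, SIGKILL) failed");
+}
+for (;;) {
+pause();
+}
+}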
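Review bot: pidInitNs() drops the `clone_newpid` condition that guarded this code before: the block removed from subprocRunChild() called subprocDummyInit() only inside `if (nsjconf->clone_newpid)`, while the new function checks `nsjconf->mode` alone, so a standalone-execve run without a new PID namespace would still get a paused helper process that appears to serve no purpose there. Adding `if (nsjconf->clone_newpid == false) { return true; }` next to the mode check would restore the old behaviour. The clone failure path uses `LOG_E`, which does not look like it records errno; `PLOG_E("Couldn't create a dummy init process");`, the form subproc.c uses for its unshare() failure and which presumably appends errno, would show why the clone failed. The reason the helper exists (the removed LOG_D text about avoiding ENOMEM with clone/fork/vfork under CLONE_NEWPID) is not carried into pid.c and is worth keeping as a comment above the clone call.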
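--- /dev/null
+++ b/pid.h
@@ -0,0 +1,31 @@
+/*
+
+nsjail - CLONE_PID routines
+-----------------------------------------
+
+Copyright 2014 Google Inc. All Rights Reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+*/
+
+#ifndef NS_PID_H
+#define NS_PID_H
+
+#include <stdbool.h>
+
+#include "common.h"
+
+bool pidInitNs(struct nsjconf_t *nsjconf);
+
+#endif /* NS_PID_H */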
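Review bot: The exported prototype `bool pidInitNs(struct nsjconf_t *nsjconf);` has no comment, and its contract is not obvious from the name. Per pid.c in this commit it returns true without doing anything outside MODE_STANDALONE_EXECVE, returns false only when the clone fails, and never returns in the cloned child. A one-line comment above the declaration, e.g. `/* Spawns the placeholder init for standalone-execve mode; false on clone failure, the cloned child never returns. */`, would spare callers from reading the implementation. The banner reads `CLONE_PID routines`, where `CLONE_NEWPID` appears to be meant.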
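--- a/subproc.c
+++ b/subproc.c
@@ -278,23 +278,6 @@ static bool subprocInitParent(struct nsjconf_t *nsjconf, pid_t pid, int pipefd)
 return true;
 }
 
-void subprocDummyInit()
-{
-pid_t pid = syscall(__NR_clone, (uintptr_t) CLONE_FS, NULL, NULL, NULL, (uintptr_t) 0);
-if (pid == -1) {
-LOG_F("Couldn't create a dummy init process");
-}
-if (pid > 0) {
-return;
-}
-if (prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0) == -1) {
-LOG_W("(prctl(PR_SET_PDEATHSIG, SIGKILL) failed");
-}
-for (;;) {
-pause();
-}
-}
-
 void subprocRunChild(struct nsjconf_t *nsjconf, int fd_in, int fd_out, int fd_err)
 {
 if (netLimitConns(nsjconf, fd_in) == false) {
@@ -315,11 +298,6 @@ void subprocRunChild(struct nsjconf_t *nsjconf, int fd_in, int fd_out, int fd_er
 PLOG_E("unshare(%#lx)", flags);
 _exit(EXIT_FAILURE);
 }
-if (nsjconf->clone_newpid) {
-LOG_D
-("CLONE_NEWPID requested. We must create a dummy init process, to avoid ENOMEM with clone/fork/vfork");
-subprocDummyInit();
-}
 subprocNewProc(nsjconf, fd_in, fd_out, fd_err, -1);
 }
 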