Move PID ns to a separate module

Robert Swiecki 2016-05-13 17:07:44 +02:00
parent d78e141f70
commit 3edc8bf4a7
5 changed files with 93 additions and 23 deletions


@ -26,7 +26,7 @@ CFLAGS += -O2 -c -std=gnu11 \
LDFLAGS += -Wl,-z,now -Wl,-z,relro -pie -Wl,-z,noexecstack LDFLAGS += -Wl,-z,now -Wl,-z,relro -pie -Wl,-z,noexecstack
SRCS = nsjail.c cmdline.c contain.c log.c mount.c net.c sandbox.c subproc.c user.c util.c uts.c seccomp/bpf-helper.c SRCS = nsjail.c cmdline.c contain.c log.c mount.c net.c pid.c sandbox.c subproc.c user.c util.c uts.c seccomp/bpf-helper.c
OBJS = $(SRCS:.c=.o) OBJS = $(SRCS:.c=.o)
BIN = nsjail BIN = nsjail


@ -45,9 +45,15 @@
#include "log.h" #include "log.h"
#include "mount.h" #include "mount.h"
#include "net.h" #include "net.h"
#include "pid.h"
#include "util.h" #include "util.h"
#include "uts.h" #include "uts.h"
static bool containInitPidNs(struct nsjconf_t *nsjconf)
{
return pidInitNs(nsjconf);
}
static bool containInitNetNs(struct nsjconf_t *nsjconf) static bool containInitNetNs(struct nsjconf_t *nsjconf)
{ {
return netInitNsFromChild(nsjconf); return netInitNsFromChild(nsjconf);
@ -282,6 +288,9 @@ bool containSetupFD(struct nsjconf_t * nsjconf, int fd_in, int fd_out, int fd_er
bool containContain(struct nsjconf_t * nsjconf) bool containContain(struct nsjconf_t * nsjconf)
{ {
if (containInitPidNs(nsjconf) == false) {
return false;
}
if (containInitMountNs(nsjconf) == false) { if (containInitMountNs(nsjconf) == false) {
return false; return false;
} }
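Review bot: The new containInitPidNs() call at the top of containContain() depends on an ordering that nothing here documents. The log message removed from subproc.c says the dummy init exists to avoid ENOMEM from later clone/fork/vfork calls, so the helper presumably has to be the first process created after the unshare() in subprocRunChild(). I would put a comment on the call, for example `/* Must stay first: the dummy init has to be created before anything else forks in the new PID namespace */`. Whether containContain() is always reached before any other fork is not visible from this page, and its body continues outside the hunk.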

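--- /dev/null
+++ b/pid.c
@@ -0,0 +1,52 @@
+/*
+nsjail - CLONE_PID routines
+-----------------------------------------
+Copyright 2014 Google Inc. All Rights Reserved.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+#include "pid.h"
+#include <signal.h>
+#include <sched.h>
+#include <sys/prctl.h>
+#include <sys/syscall.h>
+#include <unistd.h>
+#include "log.h"
+bool pidInitNs(struct nsjconf_t * nsjconf)
+{
+if (nsjconf->mode != MODE_STANDALONE_EXECVE) {
+return true;
+}
+pid_t pid = syscall(__NR_clone, (uintptr_t) CLONE_FS, NULL, NULL, NULL, (uintptr_t) 0);
+if (pid == -1) {
+LOG_E("Couldn't create a dummy init process");
+return false;
+}
+if (pid > 0) {
+return true;
+}
+if (prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0) == -1) {
+LOG_W("(prctl(PR_SET_PDEATHSIG, SIGKILL) failed");
+}
+for (;;) {
+pause();
+}
+}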
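Review bot: pidInitNs() no longer checks `nsjconf->clone_newpid`. The code removed from subprocRunChild() created the dummy init only when a new PID namespace was requested, whereas this version clones the helper on every MODE_STANDALONE_EXECVE run. Without CLONE_NEWPID the helper is just an extra paused child in the caller's PID namespace, holding copies of the descriptors open at clone time, so I would add `if (nsjconf->clone_newpid == false) { return true; }` right after the mode check. The clone failure path uses `LOG_E`, which drops errno; `PLOG_E("clone(CLONE_FS)")` would match how the unshare() failure is reported in subproc.c. The explanation carried by the removed LOG_D message (dummy init avoids ENOMEM on later clone/fork/vfork) is also gone and deserves a short comment above the clone call.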

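--- /dev/null
+++ b/pid.h
@@ -0,0 +1,31 @@
+/*
+nsjail - CLONE_PID routines
+-----------------------------------------
+Copyright 2014 Google Inc. All Rights Reserved.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+#ifndef NS_PID_H
+#define NS_PID_H
+#include <stdbool.h>
+#include "common.h"
+bool pidInitNs(struct nsjconf_t *nsjconf);
+#endif /* NS_PID_H */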
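Review bot: The pidInitNs() prototype has no comment describing its contract, which the name alone does not convey. Judging by pid.c, it returns true immediately outside MODE_STANDALONE_EXECVE, returns false when the clone fails, and never returns in the helper process. A short `/** ... */` block above the declaration stating those three cases would help callers. The banner `nsjail - CLONE_PID routines`, here and in pid.c, names a flag the code does not use; the log message removed from subproc.c refers to CLONE_NEWPID, so `nsjail - CLONE_NEWPID routines` looks like the intended title.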


@ -278,23 +278,6 @@ static bool subprocInitParent(struct nsjconf_t *nsjconf, pid_t pid, int pipefd)
return true; return true;
} }
void subprocDummyInit()
{
pid_t pid = syscall(__NR_clone, (uintptr_t) CLONE_FS, NULL, NULL, NULL, (uintptr_t) 0);
if (pid == -1) {
LOG_F("Couldn't create a dummy init process");
}
if (pid > 0) {
return;
}
if (prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0) == -1) {
LOG_W("(prctl(PR_SET_PDEATHSIG, SIGKILL) failed");
}
for (;;) {
pause();
}
}
void subprocRunChild(struct nsjconf_t *nsjconf, int fd_in, int fd_out, int fd_err) void subprocRunChild(struct nsjconf_t *nsjconf, int fd_in, int fd_out, int fd_err)
{ {
if (netLimitConns(nsjconf, fd_in) == false) { if (netLimitConns(nsjconf, fd_in) == false) {
@ -315,11 +298,6 @@ void subprocRunChild(struct nsjconf_t *nsjconf, int fd_in, int fd_out, int fd_er
PLOG_E("unshare(%#lx)", flags); PLOG_E("unshare(%#lx)", flags);
_exit(EXIT_FAILURE); _exit(EXIT_FAILURE);
} }
if (nsjconf->clone_newpid) {
LOG_D
("CLONE_NEWPID requested. We must create a dummy init process, to avoid ENOMEM with clone/fork/vfork");
subprocDummyInit();
}
subprocNewProc(nsjconf, fd_in, fd_out, fd_err, -1); subprocNewProc(nsjconf, fd_in, fd_out, fd_err, -1);
} }