omit keyword 'struct'
This commit is contained in:
Robert Swiecki
parent
01606a0707
commit
4494deffa7
5
Makefile
5
Makefile
@ -94,8 +94,8 @@ caps.o: caps.h nsjail.h log.h macros.h util.h
|
|||||||
cgroup.o: cgroup.h nsjail.h log.h util.h
|
cgroup.o: cgroup.h nsjail.h log.h util.h
|
||||||
cmdline.o: cmdline.h nsjail.h caps.h config.h log.h macros.h mnt.h sandbox.h
|
cmdline.o: cmdline.h nsjail.h caps.h config.h log.h macros.h mnt.h sandbox.h
|
||||||
cmdline.o: user.h util.h
|
cmdline.o: user.h util.h
|
||||||
config.o: caps.h nsjail.h cmdline.h config.h log.h macros.h mnt.h user.h
|
config.o: caps.h nsjail.h cmdline.h config.h config.pb.h log.h macros.h mnt.h
|
||||||
config.o: util.h
|
config.o: user.h util.h
|
||||||
contain.o: contain.h nsjail.h caps.h cgroup.h cpu.h log.h mnt.h net.h pid.h
|
contain.o: contain.h nsjail.h caps.h cgroup.h cpu.h log.h mnt.h net.h pid.h
|
||||||
contain.o: user.h uts.h
|
contain.o: user.h uts.h
|
||||||
cpu.o: cpu.h nsjail.h log.h util.h
|
cpu.o: cpu.h nsjail.h log.h util.h
|
||||||
@ -110,3 +110,4 @@ subproc.o: sandbox.h user.h util.h
|
|||||||
uts.o: uts.h nsjail.h log.h
|
uts.o: uts.h nsjail.h log.h
|
||||||
user.o: user.h nsjail.h log.h macros.h subproc.h util.h
|
user.o: user.h nsjail.h log.h macros.h subproc.h util.h
|
||||||
util.o: util.h nsjail.h log.h macros.h
|
util.o: util.h nsjail.h log.h macros.h
|
||||||
|
config.pb.o: config.pb.h
|
||||||
|
|||||||
2
caps.cc
2
caps.cc
@ -198,7 +198,7 @@ static bool initNsKeepCaps(cap_user_data_t cap_data) {
|
|||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
bool initNs(struct nsjconf_t* nsjconf) {
|
bool initNs(nsjconf_t* nsjconf) {
|
||||||
char dbgmsg[4096];
|
char dbgmsg[4096];
|
||||||
struct ints_t* p;
|
struct ints_t* p;
|
||||||
|
|
||||||
|
|||||||
2
caps.h
2
caps.h
@ -30,7 +30,7 @@
|
|||||||
namespace caps {
|
namespace caps {
|
||||||
|
|
||||||
int nameToVal(const char* name);
|
int nameToVal(const char* name);
|
||||||
bool initNs(struct nsjconf_t* nsjconf);
|
bool initNs(nsjconf_t* nsjconf);
|
||||||
|
|
||||||
} // namespace caps
|
} // namespace caps
|
||||||
|
|
||||||
|
|||||||
20
cgroup.cc
20
cgroup.cc
@ -35,7 +35,7 @@
|
|||||||
|
|
||||||
namespace cgroup {
|
namespace cgroup {
|
||||||
|
|
||||||
static bool initNsFromParentMem(struct nsjconf_t* nsjconf, pid_t pid) {
|
static bool initNsFromParentMem(nsjconf_t* nsjconf, pid_t pid) {
|
||||||
if (nsjconf->cgroup_mem_max == (size_t)0) {
|
if (nsjconf->cgroup_mem_max == (size_t)0) {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
@ -81,7 +81,7 @@ static bool initNsFromParentMem(struct nsjconf_t* nsjconf, pid_t pid) {
|
|||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool initNsFromParentPids(struct nsjconf_t* nsjconf, pid_t pid) {
|
static bool initNsFromParentPids(nsjconf_t* nsjconf, pid_t pid) {
|
||||||
if (nsjconf->cgroup_pids_max == 0U) {
|
if (nsjconf->cgroup_pids_max == 0U) {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
@ -118,7 +118,7 @@ static bool initNsFromParentPids(struct nsjconf_t* nsjconf, pid_t pid) {
|
|||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool initNsFromParentNetCls(struct nsjconf_t* nsjconf, pid_t pid) {
|
static bool initNsFromParentNetCls(nsjconf_t* nsjconf, pid_t pid) {
|
||||||
if (nsjconf->cgroup_net_cls_classid == 0U) {
|
if (nsjconf->cgroup_net_cls_classid == 0U) {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
@ -156,7 +156,7 @@ static bool initNsFromParentNetCls(struct nsjconf_t* nsjconf, pid_t pid) {
|
|||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool initNsFromParentCpu(struct nsjconf_t* nsjconf, pid_t pid) {
|
static bool initNsFromParentCpu(nsjconf_t* nsjconf, pid_t pid) {
|
||||||
if (nsjconf->cgroup_cpu_ms_per_sec == 0U) {
|
if (nsjconf->cgroup_cpu_ms_per_sec == 0U) {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
@ -203,7 +203,7 @@ static bool initNsFromParentCpu(struct nsjconf_t* nsjconf, pid_t pid) {
|
|||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
bool initNsFromParent(struct nsjconf_t* nsjconf, pid_t pid) {
|
bool initNsFromParent(nsjconf_t* nsjconf, pid_t pid) {
|
||||||
if (!initNsFromParentMem(nsjconf, pid)) {
|
if (!initNsFromParentMem(nsjconf, pid)) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
@ -219,7 +219,7 @@ bool initNsFromParent(struct nsjconf_t* nsjconf, pid_t pid) {
|
|||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
void finishFromParentMem(struct nsjconf_t* nsjconf, pid_t pid) {
|
void finishFromParentMem(nsjconf_t* nsjconf, pid_t pid) {
|
||||||
if (nsjconf->cgroup_mem_max == (size_t)0) {
|
if (nsjconf->cgroup_mem_max == (size_t)0) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
@ -233,7 +233,7 @@ void finishFromParentMem(struct nsjconf_t* nsjconf, pid_t pid) {
|
|||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
void finishFromParentPids(struct nsjconf_t* nsjconf, pid_t pid) {
|
void finishFromParentPids(nsjconf_t* nsjconf, pid_t pid) {
|
||||||
if (nsjconf->cgroup_pids_max == 0U) {
|
if (nsjconf->cgroup_pids_max == 0U) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
@ -247,7 +247,7 @@ void finishFromParentPids(struct nsjconf_t* nsjconf, pid_t pid) {
|
|||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
void finishFromParentCpu(struct nsjconf_t* nsjconf, pid_t pid) {
|
void finishFromParentCpu(nsjconf_t* nsjconf, pid_t pid) {
|
||||||
if (nsjconf->cgroup_cpu_ms_per_sec == 0U) {
|
if (nsjconf->cgroup_cpu_ms_per_sec == 0U) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
@ -261,7 +261,7 @@ void finishFromParentCpu(struct nsjconf_t* nsjconf, pid_t pid) {
|
|||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
void finishFromParentNetCls(struct nsjconf_t* nsjconf, pid_t pid) {
|
void finishFromParentNetCls(nsjconf_t* nsjconf, pid_t pid) {
|
||||||
if (nsjconf->cgroup_net_cls_classid == 0U) {
|
if (nsjconf->cgroup_net_cls_classid == 0U) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
@ -275,7 +275,7 @@ void finishFromParentNetCls(struct nsjconf_t* nsjconf, pid_t pid) {
|
|||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
void finishFromParent(struct nsjconf_t* nsjconf, pid_t pid) {
|
void finishFromParent(nsjconf_t* nsjconf, pid_t pid) {
|
||||||
finishFromParentMem(nsjconf, pid);
|
finishFromParentMem(nsjconf, pid);
|
||||||
finishFromParentPids(nsjconf, pid);
|
finishFromParentPids(nsjconf, pid);
|
||||||
finishFromParentNetCls(nsjconf, pid);
|
finishFromParentNetCls(nsjconf, pid);
|
||||||
|
|||||||
4
cgroup.h
4
cgroup.h
@ -29,9 +29,9 @@
|
|||||||
|
|
||||||
namespace cgroup {
|
namespace cgroup {
|
||||||
|
|
||||||
bool initNsFromParent(struct nsjconf_t* nsjconf, pid_t pid);
|
bool initNsFromParent(nsjconf_t* nsjconf, pid_t pid);
|
||||||
bool initNs(void);
|
bool initNs(void);
|
||||||
void finishFromParent(struct nsjconf_t* nsjconf, pid_t pid);
|
void finishFromParent(nsjconf_t* nsjconf, pid_t pid);
|
||||||
|
|
||||||
} // namespace cgroup
|
} // namespace cgroup
|
||||||
|
|
||||||
|
|||||||
12
cmdline.cc
12
cmdline.cc
@ -199,7 +199,7 @@ static void cmdlineUsage(const char* pname) {
|
|||||||
LOG_HELP_BOLD(" nsjail -Me --chroot / --disable_proc -- /bin/echo \"ABC\"");
|
LOG_HELP_BOLD(" nsjail -Me --chroot / --disable_proc -- /bin/echo \"ABC\"");
|
||||||
}
|
}
|
||||||
|
|
||||||
void logParams(struct nsjconf_t* nsjconf) {
|
void logParams(nsjconf_t* nsjconf) {
|
||||||
switch (nsjconf->mode) {
|
switch (nsjconf->mode) {
|
||||||
case MODE_LISTEN_TCP:
|
case MODE_LISTEN_TCP:
|
||||||
LOG_I("Mode: LISTEN_TCP");
|
LOG_I("Mode: LISTEN_TCP");
|
||||||
@ -241,7 +241,7 @@ void logParams(struct nsjconf_t* nsjconf) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
struct idmap_t* p;
|
idmap_t* p;
|
||||||
for (const auto& uid : nsjconf->uids) {
|
for (const auto& uid : nsjconf->uids) {
|
||||||
LOG_I("Uid map: inside_uid:%lu outside_uid:%lu count:%zu newuidmap:%s",
|
LOG_I("Uid map: inside_uid:%lu outside_uid:%lu count:%zu newuidmap:%s",
|
||||||
(unsigned long)uid.inside_id, (unsigned long)uid.outside_id, uid.count,
|
(unsigned long)uid.inside_id, (unsigned long)uid.outside_id, uid.count,
|
||||||
@ -319,8 +319,8 @@ static char* cmdlineSplitStrByColon(char* spec) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
std::unique_ptr<struct nsjconf_t> parseArgs(int argc, char* argv[]) {
|
std::unique_ptr<nsjconf_t> parseArgs(int argc, char* argv[]) {
|
||||||
std::unique_ptr<struct nsjconf_t> nsjconf = std::make_unique<struct nsjconf_t>();
|
std::unique_ptr<nsjconf_t> nsjconf = std::make_unique<nsjconf_t>();
|
||||||
|
|
||||||
nsjconf->exec_file = NULL;
|
nsjconf->exec_file = NULL;
|
||||||
nsjconf->use_execveat = false;
|
nsjconf->use_execveat = false;
|
||||||
@ -783,7 +783,7 @@ std::unique_ptr<struct nsjconf_t> parseArgs(int argc, char* argv[]) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (nsjconf->uids.empty()) {
|
if (nsjconf->uids.empty()) {
|
||||||
struct idmap_t uid;
|
idmap_t uid;
|
||||||
uid.inside_id = getuid();
|
uid.inside_id = getuid();
|
||||||
uid.outside_id = getuid();
|
uid.outside_id = getuid();
|
||||||
uid.count = 1U;
|
uid.count = 1U;
|
||||||
@ -791,7 +791,7 @@ std::unique_ptr<struct nsjconf_t> parseArgs(int argc, char* argv[]) {
|
|||||||
nsjconf->uids.push_back(uid);
|
nsjconf->uids.push_back(uid);
|
||||||
}
|
}
|
||||||
if (nsjconf->gids.empty()) {
|
if (nsjconf->gids.empty()) {
|
||||||
struct idmap_t gid;
|
idmap_t gid;
|
||||||
gid.inside_id = getgid();
|
gid.inside_id = getgid();
|
||||||
gid.outside_id = getgid();
|
gid.outside_id = getgid();
|
||||||
gid.count = 1U;
|
gid.count = 1U;
|
||||||
|
|||||||
@ -31,8 +31,8 @@
|
|||||||
namespace cmdline {
|
namespace cmdline {
|
||||||
|
|
||||||
uint64_t parseRLimit(int res, const char* optarg, unsigned long mul);
|
uint64_t parseRLimit(int res, const char* optarg, unsigned long mul);
|
||||||
void logParams(struct nsjconf_t* nsjconf);
|
void logParams(nsjconf_t* nsjconf);
|
||||||
std::unique_ptr<struct nsjconf_t> parseArgs(int argc, char* argv[]);
|
std::unique_ptr<nsjconf_t> parseArgs(int argc, char* argv[]);
|
||||||
|
|
||||||
} // namespace cmdline
|
} // namespace cmdline
|
||||||
|
|
||||||
|
|||||||
@ -65,7 +65,7 @@ static uint64_t configRLimit(
|
|||||||
abort();
|
abort();
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool configParseInternal(struct nsjconf_t* nsjconf, const nsjail::NsJailConfig& njc) {
|
static bool configParseInternal(nsjconf_t* nsjconf, const nsjail::NsJailConfig& njc) {
|
||||||
switch (njc.mode()) {
|
switch (njc.mode()) {
|
||||||
case nsjail::Mode::LISTEN:
|
case nsjail::Mode::LISTEN:
|
||||||
nsjconf->mode = MODE_LISTEN_TCP;
|
nsjconf->mode = MODE_LISTEN_TCP;
|
||||||
@ -301,7 +301,7 @@ static void LogHandler(
|
|||||||
LOG_W("config.cc: '%s'", message.c_str());
|
LOG_W("config.cc: '%s'", message.c_str());
|
||||||
}
|
}
|
||||||
|
|
||||||
bool parseFile(struct nsjconf_t* nsjconf, const char* file) {
|
bool parseFile(nsjconf_t* nsjconf, const char* file) {
|
||||||
LOG_I("Parsing configuration from '%s'", file);
|
LOG_I("Parsing configuration from '%s'", file);
|
||||||
|
|
||||||
int fd = open(file, O_RDONLY | O_CLOEXEC);
|
int fd = open(file, O_RDONLY | O_CLOEXEC);
|
||||||
|
|||||||
2
config.h
2
config.h
@ -28,7 +28,7 @@
|
|||||||
|
|
||||||
namespace config {
|
namespace config {
|
||||||
|
|
||||||
bool parseFile(struct nsjconf_t* nsjconf, const char* file);
|
bool parseFile(nsjconf_t* nsjconf, const char* file);
|
||||||
|
|
||||||
} // namespace config
|
} // namespace config
|
||||||
|
|
||||||
|
|||||||
30
contain.cc
30
contain.cc
@ -50,17 +50,17 @@
|
|||||||
|
|
||||||
namespace contain {
|
namespace contain {
|
||||||
|
|
||||||
static bool containUserNs(struct nsjconf_t* nsjconf) { return user::initNsFromChild(nsjconf); }
|
static bool containUserNs(nsjconf_t* nsjconf) { return user::initNsFromChild(nsjconf); }
|
||||||
|
|
||||||
static bool containInitPidNs(struct nsjconf_t* nsjconf) { return pid::initNs(nsjconf); }
|
static bool containInitPidNs(nsjconf_t* nsjconf) { return pid::initNs(nsjconf); }
|
||||||
|
|
||||||
static bool containInitNetNs(struct nsjconf_t* nsjconf) { return net::initNsFromChild(nsjconf); }
|
static bool containInitNetNs(nsjconf_t* nsjconf) { return net::initNsFromChild(nsjconf); }
|
||||||
|
|
||||||
static bool containInitUtsNs(struct nsjconf_t* nsjconf) { return uts::initNs(nsjconf); }
|
static bool containInitUtsNs(nsjconf_t* nsjconf) { return uts::initNs(nsjconf); }
|
||||||
|
|
||||||
static bool containInitCgroupNs(void) { return cgroup::initNs(); }
|
static bool containInitCgroupNs(void) { return cgroup::initNs(); }
|
||||||
|
|
||||||
static bool containDropPrivs(struct nsjconf_t* nsjconf) {
|
static bool containDropPrivs(nsjconf_t* nsjconf) {
|
||||||
#ifndef PR_SET_NO_NEW_PRIVS
|
#ifndef PR_SET_NO_NEW_PRIVS
|
||||||
#define PR_SET_NO_NEW_PRIVS 38
|
#define PR_SET_NO_NEW_PRIVS 38
|
||||||
#endif
|
#endif
|
||||||
@ -78,7 +78,7 @@ static bool containDropPrivs(struct nsjconf_t* nsjconf) {
|
|||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool containPrepareEnv(struct nsjconf_t* nsjconf) {
|
static bool containPrepareEnv(nsjconf_t* nsjconf) {
|
||||||
if (prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0) == -1) {
|
if (prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0) == -1) {
|
||||||
PLOG_E("prctl(PR_SET_PDEATHSIG, SIGKILL)");
|
PLOG_E("prctl(PR_SET_PDEATHSIG, SIGKILL)");
|
||||||
return false;
|
return false;
|
||||||
@ -97,11 +97,11 @@ static bool containPrepareEnv(struct nsjconf_t* nsjconf) {
|
|||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool containInitMountNs(struct nsjconf_t* nsjconf) { return mnt::initNs(nsjconf); }
|
static bool containInitMountNs(nsjconf_t* nsjconf) { return mnt::initNs(nsjconf); }
|
||||||
|
|
||||||
static bool containCPU(struct nsjconf_t* nsjconf) { return cpu::initCpu(nsjconf); }
|
static bool containCPU(nsjconf_t* nsjconf) { return cpu::initCpu(nsjconf); }
|
||||||
|
|
||||||
static bool containSetLimits(struct nsjconf_t* nsjconf) {
|
static bool containSetLimits(nsjconf_t* nsjconf) {
|
||||||
struct rlimit64 rl;
|
struct rlimit64 rl;
|
||||||
rl.rlim_cur = rl.rlim_max = nsjconf->rl_as;
|
rl.rlim_cur = rl.rlim_max = nsjconf->rl_as;
|
||||||
if (setrlimit64(RLIMIT_AS, &rl) == -1) {
|
if (setrlimit64(RLIMIT_AS, &rl) == -1) {
|
||||||
@ -141,12 +141,12 @@ static bool containSetLimits(struct nsjconf_t* nsjconf) {
|
|||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool containPassFd(struct nsjconf_t* nsjconf, int fd) {
|
static bool containPassFd(nsjconf_t* nsjconf, int fd) {
|
||||||
return (std::find(nsjconf->openfds.begin(), nsjconf->openfds.end(), fd) !=
|
return (std::find(nsjconf->openfds.begin(), nsjconf->openfds.end(), fd) !=
|
||||||
nsjconf->openfds.end());
|
nsjconf->openfds.end());
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool containMakeFdsCOENaive(struct nsjconf_t* nsjconf) {
|
static bool containMakeFdsCOENaive(nsjconf_t* nsjconf) {
|
||||||
/*
|
/*
|
||||||
* Don't use getrlimit(RLIMIT_NOFILE) here, as it can return an artifically small value
|
* Don't use getrlimit(RLIMIT_NOFILE) here, as it can return an artifically small value
|
||||||
* (e.g. 32), which could be smaller than a maximum assigned number to file-descriptors
|
* (e.g. 32), which could be smaller than a maximum assigned number to file-descriptors
|
||||||
@ -173,7 +173,7 @@ static bool containMakeFdsCOENaive(struct nsjconf_t* nsjconf) {
|
|||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool containMakeFdsCOEProc(struct nsjconf_t* nsjconf) {
|
static bool containMakeFdsCOEProc(nsjconf_t* nsjconf) {
|
||||||
int dirfd = open("/proc/self/fd", O_DIRECTORY | O_RDONLY | O_CLOEXEC);
|
int dirfd = open("/proc/self/fd", O_DIRECTORY | O_RDONLY | O_CLOEXEC);
|
||||||
if (dirfd == -1) {
|
if (dirfd == -1) {
|
||||||
PLOG_D("open('/proc/self/fd', O_DIRECTORY|O_RDONLY|O_CLOEXEC)");
|
PLOG_D("open('/proc/self/fd', O_DIRECTORY|O_RDONLY|O_CLOEXEC)");
|
||||||
@ -234,7 +234,7 @@ static bool containMakeFdsCOEProc(struct nsjconf_t* nsjconf) {
|
|||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool containMakeFdsCOE(struct nsjconf_t* nsjconf) {
|
static bool containMakeFdsCOE(nsjconf_t* nsjconf) {
|
||||||
if (containMakeFdsCOEProc(nsjconf)) {
|
if (containMakeFdsCOEProc(nsjconf)) {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
@ -245,7 +245,7 @@ static bool containMakeFdsCOE(struct nsjconf_t* nsjconf) {
|
|||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
bool setupFD(struct nsjconf_t* nsjconf, int fd_in, int fd_out, int fd_err) {
|
bool setupFD(nsjconf_t* nsjconf, int fd_in, int fd_out, int fd_err) {
|
||||||
if (nsjconf->mode != MODE_LISTEN_TCP) {
|
if (nsjconf->mode != MODE_LISTEN_TCP) {
|
||||||
if (nsjconf->is_silent == false) {
|
if (nsjconf->is_silent == false) {
|
||||||
return true;
|
return true;
|
||||||
@ -271,7 +271,7 @@ bool setupFD(struct nsjconf_t* nsjconf, int fd_in, int fd_out, int fd_err) {
|
|||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
bool containProc(struct nsjconf_t* nsjconf) {
|
bool containProc(nsjconf_t* nsjconf) {
|
||||||
if (containUserNs(nsjconf) == false) {
|
if (containUserNs(nsjconf) == false) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|||||||
@ -28,8 +28,8 @@
|
|||||||
|
|
||||||
namespace contain {
|
namespace contain {
|
||||||
|
|
||||||
bool setupFD(struct nsjconf_t* nsjconf, int fd_in, int fd_out, int fd_err);
|
bool setupFD(nsjconf_t* nsjconf, int fd_in, int fd_out, int fd_err);
|
||||||
bool containProc(struct nsjconf_t* nsjconf);
|
bool containProc(nsjconf_t* nsjconf);
|
||||||
|
|
||||||
} // namespace contain
|
} // namespace contain
|
||||||
|
|
||||||
|
|||||||
2
cpu.cc
2
cpu.cc
@ -49,7 +49,7 @@ static void setRandomCpu(cpu_set_t* mask, size_t mask_size, size_t cpu_num) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
bool initCpu(struct nsjconf_t* nsjconf) {
|
bool initCpu(nsjconf_t* nsjconf) {
|
||||||
if (nsjconf->num_cpus < 0) {
|
if (nsjconf->num_cpus < 0) {
|
||||||
PLOG_W("sysconf(_SC_NPROCESSORS_ONLN) returned %ld", nsjconf->num_cpus);
|
PLOG_W("sysconf(_SC_NPROCESSORS_ONLN) returned %ld", nsjconf->num_cpus);
|
||||||
return false;
|
return false;
|
||||||
|
|||||||
2
cpu.h
2
cpu.h
@ -28,7 +28,7 @@
|
|||||||
|
|
||||||
namespace cpu {
|
namespace cpu {
|
||||||
|
|
||||||
bool initCpu(struct nsjconf_t* nsjconf);
|
bool initCpu(nsjconf_t* nsjconf);
|
||||||
|
|
||||||
} // namespace cpu
|
} // namespace cpu
|
||||||
|
|
||||||
|
|||||||
2
log.cc
2
log.cc
@ -51,7 +51,7 @@ __attribute__((constructor)) static void log_init(void) { log_fd_isatty = isatty
|
|||||||
* Log to stderr by default. Use a dup()d fd, because in the future we'll associate the
|
* Log to stderr by default. Use a dup()d fd, because in the future we'll associate the
|
||||||
* connection socket with fd (0, 1, 2).
|
* connection socket with fd (0, 1, 2).
|
||||||
*/
|
*/
|
||||||
bool initLogFile(struct nsjconf_t* nsjconf) {
|
bool initLogFile(nsjconf_t* nsjconf) {
|
||||||
/* Close previous log_fd */
|
/* Close previous log_fd */
|
||||||
if (log_fd > STDERR_FILENO) {
|
if (log_fd > STDERR_FILENO) {
|
||||||
close(log_fd);
|
close(log_fd);
|
||||||
|
|||||||
2
log.h
2
log.h
@ -45,7 +45,7 @@
|
|||||||
|
|
||||||
namespace log {
|
namespace log {
|
||||||
|
|
||||||
bool initLogFile(struct nsjconf_t* nsjconf);
|
bool initLogFile(nsjconf_t* nsjconf);
|
||||||
void logMsg(enum llevel_t ll, const char* fn, int ln, bool perr, const char* fmt, ...)
|
void logMsg(enum llevel_t ll, const char* fn, int ln, bool perr, const char* fmt, ...)
|
||||||
__attribute__((format(printf, 5, 6)));
|
__attribute__((format(printf, 5, 6)));
|
||||||
void logStop(int sig);
|
void logStop(int sig);
|
||||||
|
|||||||
22
mnt.cc
22
mnt.cc
@ -118,7 +118,7 @@ static bool isDir(const char* path) {
|
|||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool mountPt(struct mount_t* mpt, const char* newroot, const char* tmpdir) {
|
static bool mountPt(mount_t* mpt, const char* newroot, const char* tmpdir) {
|
||||||
char dst[PATH_MAX];
|
char dst[PATH_MAX];
|
||||||
snprintf(dst, sizeof(dst), "%s/%s", newroot, mpt->dst.c_str());
|
snprintf(dst, sizeof(dst), "%s/%s", newroot, mpt->dst.c_str());
|
||||||
|
|
||||||
@ -224,7 +224,7 @@ static bool mountPt(struct mount_t* mpt, const char* newroot, const char* tmpdir
|
|||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool remountRO(const struct mount_t& mpt) {
|
static bool remountRO(const mount_t& mpt) {
|
||||||
if (!mpt.mounted) {
|
if (!mpt.mounted) {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
@ -285,7 +285,7 @@ static bool mkdirAndTest(const char* dir) {
|
|||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool getDir(struct nsjconf_t* nsjconf, char* dir, const char* name) {
|
static bool getDir(nsjconf_t* nsjconf, char* dir, const char* name) {
|
||||||
snprintf(dir, PATH_MAX, "/run/user/%u/nsjail.%s", nsjconf->orig_uid, name);
|
snprintf(dir, PATH_MAX, "/run/user/%u/nsjail.%s", nsjconf->orig_uid, name);
|
||||||
if (mkdirAndTest(dir)) {
|
if (mkdirAndTest(dir)) {
|
||||||
return true;
|
return true;
|
||||||
@ -314,7 +314,7 @@ static bool getDir(struct nsjconf_t* nsjconf, char* dir, const char* name) {
|
|||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool initNsInternal(struct nsjconf_t* nsjconf) {
|
static bool initNsInternal(nsjconf_t* nsjconf) {
|
||||||
/*
|
/*
|
||||||
* If CLONE_NEWNS is not used, we would be changing the global mount namespace, so simply
|
* If CLONE_NEWNS is not used, we would be changing the global mount namespace, so simply
|
||||||
* use --chroot in this case
|
* use --chroot in this case
|
||||||
@ -412,7 +412,7 @@ static bool initNsInternal(struct nsjconf_t* nsjconf) {
|
|||||||
* With mode MODE_STANDALONE_EXECVE it's required to mount /proc inside a new process,
|
* With mode MODE_STANDALONE_EXECVE it's required to mount /proc inside a new process,
|
||||||
* as the current process is still in the original PID namespace (man pid_namespaces)
|
* as the current process is still in the original PID namespace (man pid_namespaces)
|
||||||
*/
|
*/
|
||||||
bool initNs(struct nsjconf_t* nsjconf) {
|
bool initNs(nsjconf_t* nsjconf) {
|
||||||
if (nsjconf->mode != MODE_STANDALONE_EXECVE) {
|
if (nsjconf->mode != MODE_STANDALONE_EXECVE) {
|
||||||
return initNsInternal(nsjconf);
|
return initNsInternal(nsjconf);
|
||||||
}
|
}
|
||||||
@ -435,7 +435,7 @@ bool initNs(struct nsjconf_t* nsjconf) {
|
|||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool addMountPt(struct mount_t* mnt, const char* src, const char* dst, const char* fstype,
|
static bool addMountPt(mount_t* mnt, const char* src, const char* dst, const char* fstype,
|
||||||
const char* options, uintptr_t flags, isDir_t isDir, bool mandatory, const char* src_env,
|
const char* options, uintptr_t flags, isDir_t isDir, bool mandatory, const char* src_env,
|
||||||
const char* dst_env, const char* src_content, size_t src_content_len, bool is_symlink) {
|
const char* dst_env, const char* src_content, size_t src_content_len, bool is_symlink) {
|
||||||
if (src_env) {
|
if (src_env) {
|
||||||
@ -503,10 +503,10 @@ static bool addMountPt(struct mount_t* mnt, const char* src, const char* dst, co
|
|||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
bool addMountPtHead(struct nsjconf_t* nsjconf, const char* src, const char* dst, const char* fstype,
|
bool addMountPtHead(nsjconf_t* nsjconf, const char* src, const char* dst, const char* fstype,
|
||||||
const char* options, uintptr_t flags, isDir_t isDir, bool mandatory, const char* src_env,
|
const char* options, uintptr_t flags, isDir_t isDir, bool mandatory, const char* src_env,
|
||||||
const char* dst_env, const char* src_content, size_t src_content_len, bool is_symlink) {
|
const char* dst_env, const char* src_content, size_t src_content_len, bool is_symlink) {
|
||||||
struct mount_t mnt;
|
mount_t mnt;
|
||||||
if (!addMountPt(&mnt, src, dst, fstype, options, flags, isDir, mandatory, src_env, dst_env,
|
if (!addMountPt(&mnt, src, dst, fstype, options, flags, isDir, mandatory, src_env, dst_env,
|
||||||
src_content, src_content_len, is_symlink)) {
|
src_content, src_content_len, is_symlink)) {
|
||||||
return false;
|
return false;
|
||||||
@ -515,10 +515,10 @@ bool addMountPtHead(struct nsjconf_t* nsjconf, const char* src, const char* dst,
|
|||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
bool addMountPtTail(struct nsjconf_t* nsjconf, const char* src, const char* dst, const char* fstype,
|
bool addMountPtTail(nsjconf_t* nsjconf, const char* src, const char* dst, const char* fstype,
|
||||||
const char* options, uintptr_t flags, isDir_t isDir, bool mandatory, const char* src_env,
|
const char* options, uintptr_t flags, isDir_t isDir, bool mandatory, const char* src_env,
|
||||||
const char* dst_env, const char* src_content, size_t src_content_len, bool is_symlink) {
|
const char* dst_env, const char* src_content, size_t src_content_len, bool is_symlink) {
|
||||||
struct mount_t mnt;
|
mount_t mnt;
|
||||||
if (!addMountPt(&mnt, src, dst, fstype, options, flags, isDir, mandatory, src_env, dst_env,
|
if (!addMountPt(&mnt, src, dst, fstype, options, flags, isDir, mandatory, src_env, dst_env,
|
||||||
src_content, src_content_len, is_symlink)) {
|
src_content, src_content_len, is_symlink)) {
|
||||||
return false;
|
return false;
|
||||||
@ -527,7 +527,7 @@ bool addMountPtTail(struct nsjconf_t* nsjconf, const char* src, const char* dst,
|
|||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
const char* describeMountPt(const struct mount_t& mpt) {
|
const char* describeMountPt(const mount_t& mpt) {
|
||||||
static __thread char mount_pt_descr[4096];
|
static __thread char mount_pt_descr[4096];
|
||||||
|
|
||||||
snprintf(mount_pt_descr, sizeof(mount_pt_descr),
|
snprintf(mount_pt_descr, sizeof(mount_pt_descr),
|
||||||
|
|||||||
8
mnt.h
8
mnt.h
@ -36,14 +36,14 @@ typedef enum {
|
|||||||
} isDir_t;
|
} isDir_t;
|
||||||
|
|
||||||
const char* flagsToStr(uintptr_t flags);
|
const char* flagsToStr(uintptr_t flags);
|
||||||
bool initNs(struct nsjconf_t* nsjconf);
|
bool initNs(nsjconf_t* nsjconf);
|
||||||
bool addMountPtHead(struct nsjconf_t* nsjconf, const char* src, const char* dst, const char* fstype,
|
bool addMountPtHead(nsjconf_t* nsjconf, const char* src, const char* dst, const char* fstype,
|
||||||
const char* options, uintptr_t flags, isDir_t isDir, bool mandatory, const char* src_env,
|
const char* options, uintptr_t flags, isDir_t isDir, bool mandatory, const char* src_env,
|
||||||
const char* dst_env, const char* src_content, size_t src_content_len, bool is_symlink);
|
const char* dst_env, const char* src_content, size_t src_content_len, bool is_symlink);
|
||||||
bool addMountPtTail(struct nsjconf_t* nsjconf, const char* src, const char* dst, const char* fstype,
|
bool addMountPtTail(nsjconf_t* nsjconf, const char* src, const char* dst, const char* fstype,
|
||||||
const char* options, uintptr_t flags, isDir_t isDir, bool mandatory, const char* src_env,
|
const char* options, uintptr_t flags, isDir_t isDir, bool mandatory, const char* src_env,
|
||||||
const char* dst_env, const char* src_content, size_t src_content_len, bool is_symlink);
|
const char* dst_env, const char* src_content, size_t src_content_len, bool is_symlink);
|
||||||
const char* describeMountPt(const struct mount_t& mpt);
|
const char* describeMountPt(const mount_t& mpt);
|
||||||
|
|
||||||
} // namespace mnt
|
} // namespace mnt
|
||||||
|
|
||||||
|
|||||||
10
net.cc
10
net.cc
@ -51,7 +51,7 @@ namespace net {
|
|||||||
#if defined(NSJAIL_NL3_WITH_MACVLAN)
|
#if defined(NSJAIL_NL3_WITH_MACVLAN)
|
||||||
#include <netlink/route/link.h>
|
#include <netlink/route/link.h>
|
||||||
#include <netlink/route/link/macvlan.h>
|
#include <netlink/route/link/macvlan.h>
|
||||||
bool initNsFromParent(struct nsjconf_t* nsjconf, int pid) {
|
bool initNsFromParent(nsjconf_t* nsjconf, int pid) {
|
||||||
if (nsjconf->clone_newnet == false) {
|
if (nsjconf->clone_newnet == false) {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
@ -118,7 +118,7 @@ bool initNsFromParent(struct nsjconf_t* nsjconf, int pid) {
|
|||||||
}
|
}
|
||||||
#else // defined(NSJAIL_NL3_WITH_MACVLAN)
|
#else // defined(NSJAIL_NL3_WITH_MACVLAN)
|
||||||
|
|
||||||
bool initNsFromParent(struct nsjconf_t* nsjconf, int pid) {
|
bool initNsFromParent(nsjconf_t* nsjconf, int pid) {
|
||||||
if (nsjconf->clone_newnet == false) {
|
if (nsjconf->clone_newnet == false) {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
@ -153,7 +153,7 @@ static bool isSocket(int fd) {
|
|||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
bool limitConns(struct nsjconf_t* nsjconf, int connsock) {
|
bool limitConns(nsjconf_t* nsjconf, int connsock) {
|
||||||
/* 0 means 'unlimited' */
|
/* 0 means 'unlimited' */
|
||||||
if (nsjconf->max_conns_per_ip == 0) {
|
if (nsjconf->max_conns_per_ip == 0) {
|
||||||
return true;
|
return true;
|
||||||
@ -320,7 +320,7 @@ static bool ifaceUp(const char* ifacename) {
|
|||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool netConfigureVs(struct nsjconf_t* nsjconf) {
|
static bool netConfigureVs(nsjconf_t* nsjconf) {
|
||||||
struct ifreq ifr = {};
|
struct ifreq ifr = {};
|
||||||
snprintf(ifr.ifr_name, IF_NAMESIZE, "%s", IFACE_NAME);
|
snprintf(ifr.ifr_name, IF_NAMESIZE, "%s", IFACE_NAME);
|
||||||
struct in_addr addr;
|
struct in_addr addr;
|
||||||
@ -406,7 +406,7 @@ static bool netConfigureVs(struct nsjconf_t* nsjconf) {
|
|||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
bool initNsFromChild(struct nsjconf_t* nsjconf) {
|
bool initNsFromChild(nsjconf_t* nsjconf) {
|
||||||
if (nsjconf->clone_newnet == false) {
|
if (nsjconf->clone_newnet == false) {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|||||||
6
net.h
6
net.h
@ -29,12 +29,12 @@
|
|||||||
|
|
||||||
namespace net {
|
namespace net {
|
||||||
|
|
||||||
bool limitConns(struct nsjconf_t* nsjconf, int connsock);
|
bool limitConns(nsjconf_t* nsjconf, int connsock);
|
||||||
int getRecvSocket(const char* bindhost, int port);
|
int getRecvSocket(const char* bindhost, int port);
|
||||||
int acceptConn(int listenfd);
|
int acceptConn(int listenfd);
|
||||||
void connToText(int fd, bool remote, char* buf, size_t s, struct sockaddr_in6* addr_or_null);
|
void connToText(int fd, bool remote, char* buf, size_t s, struct sockaddr_in6* addr_or_null);
|
||||||
bool initNsFromParent(struct nsjconf_t* nsjconf, int pid);
|
bool initNsFromParent(nsjconf_t* nsjconf, int pid);
|
||||||
bool initNsFromChild(struct nsjconf_t* nsjconf);
|
bool initNsFromChild(nsjconf_t* nsjconf);
|
||||||
|
|
||||||
} // namespace net
|
} // namespace net
|
||||||
|
|
||||||
|
|||||||
@ -80,7 +80,7 @@ static bool nsjailSetSigHandlers(void) {
|
|||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool nsjailSetTimer(struct nsjconf_t* nsjconf) {
|
static bool nsjailSetTimer(nsjconf_t* nsjconf) {
|
||||||
if (nsjconf->mode == MODE_STANDALONE_EXECVE) {
|
if (nsjconf->mode == MODE_STANDALONE_EXECVE) {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
@ -104,7 +104,7 @@ static bool nsjailSetTimer(struct nsjconf_t* nsjconf) {
|
|||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
static void nsjailListenMode(struct nsjconf_t* nsjconf) {
|
static void nsjailListenMode(nsjconf_t* nsjconf) {
|
||||||
int listenfd = net::getRecvSocket(nsjconf->bindhost, nsjconf->port);
|
int listenfd = net::getRecvSocket(nsjconf->bindhost, nsjconf->port);
|
||||||
if (listenfd == -1) {
|
if (listenfd == -1) {
|
||||||
return;
|
return;
|
||||||
@ -129,7 +129,7 @@ static void nsjailListenMode(struct nsjconf_t* nsjconf) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
static int nsjailStandaloneMode(struct nsjconf_t* nsjconf) {
|
static int nsjailStandaloneMode(nsjconf_t* nsjconf) {
|
||||||
subproc::runChild(nsjconf, STDIN_FILENO, STDOUT_FILENO, STDERR_FILENO);
|
subproc::runChild(nsjconf, STDIN_FILENO, STDOUT_FILENO, STDERR_FILENO);
|
||||||
for (;;) {
|
for (;;) {
|
||||||
int child_status = subproc::reapProc(nsjconf);
|
int child_status = subproc::reapProc(nsjconf);
|
||||||
@ -157,7 +157,7 @@ static int nsjailStandaloneMode(struct nsjconf_t* nsjconf) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
int main(int argc, char* argv[]) {
|
int main(int argc, char* argv[]) {
|
||||||
std::unique_ptr<struct nsjconf_t> nsjconf = cmdline::parseArgs(argc, argv);
|
std::unique_ptr<nsjconf_t> nsjconf = cmdline::parseArgs(argc, argv);
|
||||||
if (!nsjconf) {
|
if (!nsjconf) {
|
||||||
LOG_F("Couldn't parse cmdline options");
|
LOG_F("Couldn't parse cmdline options");
|
||||||
}
|
}
|
||||||
|
|||||||
2
pid.cc
2
pid.cc
@ -33,7 +33,7 @@
|
|||||||
|
|
||||||
namespace pid {
|
namespace pid {
|
||||||
|
|
||||||
bool initNs(struct nsjconf_t* nsjconf) {
|
bool initNs(nsjconf_t* nsjconf) {
|
||||||
if (nsjconf->mode != MODE_STANDALONE_EXECVE) {
|
if (nsjconf->mode != MODE_STANDALONE_EXECVE) {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|||||||
2
pid.h
2
pid.h
@ -28,7 +28,7 @@
|
|||||||
|
|
||||||
namespace pid {
|
namespace pid {
|
||||||
|
|
||||||
bool initNs(struct nsjconf_t* nsjconf);
|
bool initNs(nsjconf_t* nsjconf);
|
||||||
|
|
||||||
} // namespace pid
|
} // namespace pid
|
||||||
|
|
||||||
|
|||||||
@ -37,7 +37,7 @@ namespace sandbox {
|
|||||||
#define PR_SET_NO_NEW_PRIVS 38
|
#define PR_SET_NO_NEW_PRIVS 38
|
||||||
#endif /* PR_SET_NO_NEW_PRIVS */
|
#endif /* PR_SET_NO_NEW_PRIVS */
|
||||||
|
|
||||||
static bool prepareAndCommit(struct nsjconf_t* nsjconf) {
|
static bool prepareAndCommit(nsjconf_t* nsjconf) {
|
||||||
if (nsjconf->kafel_file_path == NULL && nsjconf->kafel_string == NULL) {
|
if (nsjconf->kafel_file_path == NULL && nsjconf->kafel_string == NULL) {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
@ -53,9 +53,9 @@ static bool prepareAndCommit(struct nsjconf_t* nsjconf) {
|
|||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
bool applyPolicy(struct nsjconf_t* nsjconf) { return prepareAndCommit(nsjconf); }
|
bool applyPolicy(nsjconf_t* nsjconf) { return prepareAndCommit(nsjconf); }
|
||||||
|
|
||||||
bool preparePolicy(struct nsjconf_t* nsjconf) {
|
bool preparePolicy(nsjconf_t* nsjconf) {
|
||||||
if (nsjconf->kafel_file_path == NULL && nsjconf->kafel_string == NULL) {
|
if (nsjconf->kafel_file_path == NULL && nsjconf->kafel_string == NULL) {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|||||||
@ -28,8 +28,8 @@
|
|||||||
|
|
||||||
namespace sandbox {
|
namespace sandbox {
|
||||||
|
|
||||||
bool applyPolicy(struct nsjconf_t* nsjconf);
|
bool applyPolicy(nsjconf_t* nsjconf);
|
||||||
bool preparePolicy(struct nsjconf_t* nsjconf);
|
bool preparePolicy(nsjconf_t* nsjconf);
|
||||||
|
|
||||||
} // namespace sandbox
|
} // namespace sandbox
|
||||||
|
|
||||||
|
|||||||
29
subproc.cc
29
subproc.cc
@ -129,8 +129,7 @@ static bool resetEnv(void) {
|
|||||||
|
|
||||||
static const char kSubprocDoneChar = 'D';
|
static const char kSubprocDoneChar = 'D';
|
||||||
|
|
||||||
static int subprocNewProc(
|
static int subprocNewProc(nsjconf_t* nsjconf, int fd_in, int fd_out, int fd_err, int pipefd) {
|
||||||
struct nsjconf_t* nsjconf, int fd_in, int fd_out, int fd_err, int pipefd) {
|
|
||||||
if (contain::setupFD(nsjconf, fd_in, fd_out, fd_err) == false) {
|
if (contain::setupFD(nsjconf, fd_in, fd_out, fd_err) == false) {
|
||||||
_exit(0xff);
|
_exit(0xff);
|
||||||
}
|
}
|
||||||
@ -195,8 +194,8 @@ static int subprocNewProc(
|
|||||||
_exit(0xff);
|
_exit(0xff);
|
||||||
}
|
}
|
||||||
|
|
||||||
static void addProc(struct nsjconf_t* nsjconf, pid_t pid, int sock) {
|
static void addProc(nsjconf_t* nsjconf, pid_t pid, int sock) {
|
||||||
struct pids_t p;
|
pids_t p;
|
||||||
p.pid = pid;
|
p.pid = pid;
|
||||||
p.start = time(NULL);
|
p.start = time(NULL);
|
||||||
|
|
||||||
@ -213,7 +212,7 @@ static void addProc(struct nsjconf_t* nsjconf, pid_t pid, int sock) {
|
|||||||
(unsigned int)p.start, p.remote_txt);
|
(unsigned int)p.start, p.remote_txt);
|
||||||
}
|
}
|
||||||
|
|
||||||
static void removeProc(struct nsjconf_t* nsjconf, pid_t pid) {
|
static void removeProc(nsjconf_t* nsjconf, pid_t pid) {
|
||||||
for (auto p = nsjconf->pids.begin(); p != nsjconf->pids.end(); ++p) {
|
for (auto p = nsjconf->pids.begin(); p != nsjconf->pids.end(); ++p) {
|
||||||
if (p->pid == pid) {
|
if (p->pid == pid) {
|
||||||
LOG_D("Removing pid '%d' from the queue (IP:'%s', start time:'%s')", p->pid,
|
LOG_D("Removing pid '%d' from the queue (IP:'%s', start time:'%s')", p->pid,
|
||||||
@ -226,9 +225,9 @@ static void removeProc(struct nsjconf_t* nsjconf, pid_t pid) {
|
|||||||
LOG_W("PID: %d not found (?)", pid);
|
LOG_W("PID: %d not found (?)", pid);
|
||||||
}
|
}
|
||||||
|
|
||||||
int countProc(struct nsjconf_t* nsjconf) { return nsjconf->pids.size(); }
|
int countProc(nsjconf_t* nsjconf) { return nsjconf->pids.size(); }
|
||||||
|
|
||||||
void displayProc(struct nsjconf_t* nsjconf) {
|
void displayProc(nsjconf_t* nsjconf) {
|
||||||
LOG_I("Total number of spawned namespaces: %d", countProc(nsjconf));
|
LOG_I("Total number of spawned namespaces: %d", countProc(nsjconf));
|
||||||
time_t now = time(NULL);
|
time_t now = time(NULL);
|
||||||
for (const auto& pid : nsjconf->pids) {
|
for (const auto& pid : nsjconf->pids) {
|
||||||
@ -239,7 +238,7 @@ void displayProc(struct nsjconf_t* nsjconf) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
static const struct pids_t* getPidElem(struct nsjconf_t* nsjconf, pid_t pid) {
|
static const pids_t* getPidElem(nsjconf_t* nsjconf, pid_t pid) {
|
||||||
for (const auto& p : nsjconf->pids) {
|
for (const auto& p : nsjconf->pids) {
|
||||||
if (p.pid == pid) {
|
if (p.pid == pid) {
|
||||||
return &p;
|
return &p;
|
||||||
@ -248,10 +247,10 @@ static const struct pids_t* getPidElem(struct nsjconf_t* nsjconf, pid_t pid) {
|
|||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
static void seccompViolation(struct nsjconf_t* nsjconf, siginfo_t* si) {
|
static void seccompViolation(nsjconf_t* nsjconf, siginfo_t* si) {
|
||||||
LOG_W("PID: %d commited a syscall/seccomp violation and exited with SIGSYS", si->si_pid);
|
LOG_W("PID: %d commited a syscall/seccomp violation and exited with SIGSYS", si->si_pid);
|
||||||
|
|
||||||
const struct pids_t* p = getPidElem(nsjconf, si->si_pid);
|
const pids_t* p = getPidElem(nsjconf, si->si_pid);
|
||||||
if (p == NULL) {
|
if (p == NULL) {
|
||||||
LOG_W("PID:%d SiSyscall: %d, SiCode: %d, SiErrno: %d", (int)si->si_pid,
|
LOG_W("PID:%d SiSyscall: %d, SiCode: %d, SiErrno: %d", (int)si->si_pid,
|
||||||
si->si_syscall, si->si_code, si->si_errno);
|
si->si_syscall, si->si_code, si->si_errno);
|
||||||
@ -287,7 +286,7 @@ static void seccompViolation(struct nsjconf_t* nsjconf, siginfo_t* si) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
int reapProc(struct nsjconf_t* nsjconf) {
|
int reapProc(nsjconf_t* nsjconf) {
|
||||||
int status;
|
int status;
|
||||||
int rv = 0;
|
int rv = 0;
|
||||||
siginfo_t si;
|
siginfo_t si;
|
||||||
@ -308,7 +307,7 @@ int reapProc(struct nsjconf_t* nsjconf) {
|
|||||||
cgroup::finishFromParent(nsjconf, si.si_pid);
|
cgroup::finishFromParent(nsjconf, si.si_pid);
|
||||||
|
|
||||||
const char* remote_txt = "[UNKNOWN]";
|
const char* remote_txt = "[UNKNOWN]";
|
||||||
const struct pids_t* elem = getPidElem(nsjconf, si.si_pid);
|
const pids_t* elem = getPidElem(nsjconf, si.si_pid);
|
||||||
if (elem) {
|
if (elem) {
|
||||||
remote_txt = elem->remote_txt;
|
remote_txt = elem->remote_txt;
|
||||||
}
|
}
|
||||||
@ -357,13 +356,13 @@ int reapProc(struct nsjconf_t* nsjconf) {
|
|||||||
return rv;
|
return rv;
|
||||||
}
|
}
|
||||||
|
|
||||||
void killAll(struct nsjconf_t* nsjconf) {
|
void killAll(nsjconf_t* nsjconf) {
|
||||||
for (const auto& p : nsjconf->pids) {
|
for (const auto& p : nsjconf->pids) {
|
||||||
kill(p.pid, SIGKILL);
|
kill(p.pid, SIGKILL);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool initParent(struct nsjconf_t* nsjconf, pid_t pid, int pipefd) {
|
static bool initParent(nsjconf_t* nsjconf, pid_t pid, int pipefd) {
|
||||||
if (net::initNsFromParent(nsjconf, pid) == false) {
|
if (net::initNsFromParent(nsjconf, pid) == false) {
|
||||||
LOG_E("Couldn't create and put MACVTAP interface into NS of PID '%d'", pid);
|
LOG_E("Couldn't create and put MACVTAP interface into NS of PID '%d'", pid);
|
||||||
return false;
|
return false;
|
||||||
@ -384,7 +383,7 @@ static bool initParent(struct nsjconf_t* nsjconf, pid_t pid, int pipefd) {
|
|||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
void runChild(struct nsjconf_t* nsjconf, int fd_in, int fd_out, int fd_err) {
|
void runChild(nsjconf_t* nsjconf, int fd_in, int fd_out, int fd_err) {
|
||||||
if (net::limitConns(nsjconf, fd_in) == false) {
|
if (net::limitConns(nsjconf, fd_in) == false) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|||||||
10
subproc.h
10
subproc.h
@ -30,12 +30,12 @@
|
|||||||
|
|
||||||
namespace subproc {
|
namespace subproc {
|
||||||
|
|
||||||
void runChild(struct nsjconf_t* nsjconf, int fd_in, int fd_out, int fd_err);
|
void runChild(nsjconf_t* nsjconf, int fd_in, int fd_out, int fd_err);
|
||||||
int countProc(struct nsjconf_t* nsjconf);
|
int countProc(nsjconf_t* nsjconf);
|
||||||
void displayProc(struct nsjconf_t* nsjconf);
|
void displayProc(nsjconf_t* nsjconf);
|
||||||
void killAll(struct nsjconf_t* nsjconf);
|
void killAll(nsjconf_t* nsjconf);
|
||||||
/* Returns the exit code of the first failing subprocess, or 0 if none fail */
|
/* Returns the exit code of the first failing subprocess, or 0 if none fail */
|
||||||
int reapProc(struct nsjconf_t* nsjconf);
|
int reapProc(nsjconf_t* nsjconf);
|
||||||
int systemExe(const char** argv, char** env);
|
int systemExe(const char** argv, char** env);
|
||||||
pid_t cloneProc(uintptr_t flags);
|
pid_t cloneProc(uintptr_t flags);
|
||||||
|
|
||||||
|
|||||||
26
user.cc
26
user.cc
@ -96,13 +96,13 @@ static bool setGroups(pid_t pid) {
|
|||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool uidMapSelf(struct nsjconf_t* nsjconf, pid_t pid) {
|
static bool uidMapSelf(nsjconf_t* nsjconf, pid_t pid) {
|
||||||
char fname[PATH_MAX];
|
char fname[PATH_MAX];
|
||||||
snprintf(fname, sizeof(fname), "/proc/%d/uid_map", pid);
|
snprintf(fname, sizeof(fname), "/proc/%d/uid_map", pid);
|
||||||
|
|
||||||
char map[4096] = {[0] = '\0'};
|
char map[4096] = {[0] = '\0'};
|
||||||
|
|
||||||
struct idmap_t* p;
|
idmap_t* p;
|
||||||
for (const auto& uid : nsjconf->uids) {
|
for (const auto& uid : nsjconf->uids) {
|
||||||
if (uid.is_newidmap) {
|
if (uid.is_newidmap) {
|
||||||
continue;
|
continue;
|
||||||
@ -124,13 +124,13 @@ static bool uidMapSelf(struct nsjconf_t* nsjconf, pid_t pid) {
|
|||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool gidMapSelf(struct nsjconf_t* nsjconf, pid_t pid) {
|
static bool gidMapSelf(nsjconf_t* nsjconf, pid_t pid) {
|
||||||
char fname[PATH_MAX];
|
char fname[PATH_MAX];
|
||||||
snprintf(fname, sizeof(fname), "/proc/%d/gid_map", pid);
|
snprintf(fname, sizeof(fname), "/proc/%d/gid_map", pid);
|
||||||
|
|
||||||
char map[4096] = {[0] = '\0'};
|
char map[4096] = {[0] = '\0'};
|
||||||
|
|
||||||
struct idmap_t* p;
|
idmap_t* p;
|
||||||
for (const auto& gid : nsjconf->gids) {
|
for (const auto& gid : nsjconf->gids) {
|
||||||
if (gid.is_newidmap) {
|
if (gid.is_newidmap) {
|
||||||
continue;
|
continue;
|
||||||
@ -153,7 +153,7 @@ static bool gidMapSelf(struct nsjconf_t* nsjconf, pid_t pid) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
/* Use /usr/bin/newgidmap for writing the gid map */
|
/* Use /usr/bin/newgidmap for writing the gid map */
|
||||||
static bool gidMapExternal(struct nsjconf_t* nsjconf, pid_t pid UNUSED) {
|
static bool gidMapExternal(nsjconf_t* nsjconf, pid_t pid UNUSED) {
|
||||||
size_t idx = 0;
|
size_t idx = 0;
|
||||||
|
|
||||||
const char* argv[1024];
|
const char* argv[1024];
|
||||||
@ -165,7 +165,7 @@ static bool gidMapExternal(struct nsjconf_t* nsjconf, pid_t pid UNUSED) {
|
|||||||
argv[idx] = parms[idx];
|
argv[idx] = parms[idx];
|
||||||
idx++;
|
idx++;
|
||||||
|
|
||||||
struct idmap_t* p;
|
idmap_t* p;
|
||||||
bool use = false;
|
bool use = false;
|
||||||
for (const auto& gid : nsjconf->gids) {
|
for (const auto& gid : nsjconf->gids) {
|
||||||
if (gid.is_newidmap == false) {
|
if (gid.is_newidmap == false) {
|
||||||
@ -205,7 +205,7 @@ static bool gidMapExternal(struct nsjconf_t* nsjconf, pid_t pid UNUSED) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
/* Use /usr/bin/newuidmap for writing the uid map */
|
/* Use /usr/bin/newuidmap for writing the uid map */
|
||||||
static bool uidMapExternal(struct nsjconf_t* nsjconf, pid_t pid UNUSED) {
|
static bool uidMapExternal(nsjconf_t* nsjconf, pid_t pid UNUSED) {
|
||||||
size_t idx = 0;
|
size_t idx = 0;
|
||||||
|
|
||||||
const char* argv[1024];
|
const char* argv[1024];
|
||||||
@ -218,7 +218,7 @@ static bool uidMapExternal(struct nsjconf_t* nsjconf, pid_t pid UNUSED) {
|
|||||||
idx++;
|
idx++;
|
||||||
|
|
||||||
bool use = false;
|
bool use = false;
|
||||||
struct idmap_t* p;
|
idmap_t* p;
|
||||||
for (const auto& uid : nsjconf->uids) {
|
for (const auto& uid : nsjconf->uids) {
|
||||||
if (uid.is_newidmap == false) {
|
if (uid.is_newidmap == false) {
|
||||||
continue;
|
continue;
|
||||||
@ -256,7 +256,7 @@ static bool uidMapExternal(struct nsjconf_t* nsjconf, pid_t pid UNUSED) {
|
|||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool uidGidMap(struct nsjconf_t* nsjconf, pid_t pid) {
|
static bool uidGidMap(nsjconf_t* nsjconf, pid_t pid) {
|
||||||
if (!gidMapSelf(nsjconf, pid)) {
|
if (!gidMapSelf(nsjconf, pid)) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
@ -272,7 +272,7 @@ static bool uidGidMap(struct nsjconf_t* nsjconf, pid_t pid) {
|
|||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
bool initNsFromParent(struct nsjconf_t* nsjconf, pid_t pid) {
|
bool initNsFromParent(nsjconf_t* nsjconf, pid_t pid) {
|
||||||
if (setGroups(pid) == false) {
|
if (setGroups(pid) == false) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
@ -285,7 +285,7 @@ bool initNsFromParent(struct nsjconf_t* nsjconf, pid_t pid) {
|
|||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
bool initNsFromChild(struct nsjconf_t* nsjconf) {
|
bool initNsFromChild(nsjconf_t* nsjconf) {
|
||||||
/*
|
/*
|
||||||
* Best effort because of /proc/self/setgroups
|
* Best effort because of /proc/self/setgroups
|
||||||
*/
|
*/
|
||||||
@ -345,7 +345,7 @@ static gid_t parseGid(const char* id) {
|
|||||||
return (gid_t)-1;
|
return (gid_t)-1;
|
||||||
}
|
}
|
||||||
|
|
||||||
bool parseId(struct nsjconf_t* nsjconf, const char* i_id, const char* o_id, size_t cnt, bool is_gid,
|
bool parseId(nsjconf_t* nsjconf, const char* i_id, const char* o_id, size_t cnt, bool is_gid,
|
||||||
bool is_newidmap) {
|
bool is_newidmap) {
|
||||||
uid_t inside_id;
|
uid_t inside_id;
|
||||||
uid_t outside_id;
|
uid_t outside_id;
|
||||||
@ -374,7 +374,7 @@ bool parseId(struct nsjconf_t* nsjconf, const char* i_id, const char* o_id, size
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
struct idmap_t id;
|
idmap_t id;
|
||||||
id.inside_id = inside_id;
|
id.inside_id = inside_id;
|
||||||
id.outside_id = outside_id;
|
id.outside_id = outside_id;
|
||||||
id.count = cnt;
|
id.count = cnt;
|
||||||
|
|||||||
6
user.h
6
user.h
@ -28,10 +28,10 @@
|
|||||||
|
|
||||||
namespace user {
|
namespace user {
|
||||||
|
|
||||||
bool initNsFromParent(struct nsjconf_t* nsjconf, pid_t pid);
|
bool initNsFromParent(nsjconf_t* nsjconf, pid_t pid);
|
||||||
bool initNsFromChild(struct nsjconf_t* nsjconf);
|
bool initNsFromChild(nsjconf_t* nsjconf);
|
||||||
|
|
||||||
bool parseId(struct nsjconf_t* nsjconf, const char* i_id, const char* o_id, size_t cnt, bool is_gid,
|
bool parseId(nsjconf_t* nsjconf, const char* i_id, const char* o_id, size_t cnt, bool is_gid,
|
||||||
bool is_newidmap);
|
bool is_newidmap);
|
||||||
|
|
||||||
} // namespace user
|
} // namespace user
|
||||||
|
|||||||
2
uts.cc
2
uts.cc
@ -28,7 +28,7 @@
|
|||||||
|
|
||||||
namespace uts {
|
namespace uts {
|
||||||
|
|
||||||
bool initNs(struct nsjconf_t* nsjconf) {
|
bool initNs(nsjconf_t* nsjconf) {
|
||||||
if (nsjconf->clone_newuts == false) {
|
if (nsjconf->clone_newuts == false) {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user