Merge branch 'master' of github.com:google/nsjail

cmdline.cc

@@ -133,6 +133,7 @@ struct custom_option custom_opts[] = {
     { { "seccomp_policy", required_argument, NULL, 'P' }, "Path to file containing seccomp-bpf policy (see kafel/)" },
     { { "seccomp_string", required_argument, NULL, 0x0901 }, "String with kafel seccomp-bpf policy (see kafel/)" },
     { { "seccomp_log", no_argument, NULL, 0x0902 }, "Use SECCOMP_FILTER_FLAG_LOG. Log all actions except SECCOMP_RET_ALLOW). Supported since kernel version 4.14" },
+    { { "nice_level", required_argument, NULL, 0x0903 }, "Set jailed process niceness (-20 is highest -priority, 19 is lowest). By default, set to 19" },
     { { "cgroup_mem_max", required_argument, NULL, 0x0801 }, "Maximum number of bytes to use in the group (default: '0' - disabled)" },
     { { "cgroup_mem_mount", required_argument, NULL, 0x0802 }, "Location of memory cgroup FS (default: '/sys/fs/cgroup/memory')" },
     { { "cgroup_mem_parent", required_argument, NULL, 0x0803 }, "Which pre-existing memory cgroup to use as a parent (default: 'NSJAIL')" },
@@ -444,6 +445,7 @@ std::unique_ptr<nsjconf_t> parseArgs(int argc, char* argv[]) {
 	nsjconf->seccomp_fprog.filter = NULL;
 	nsjconf->seccomp_fprog.len = 0;
 	nsjconf->seccomp_log = false;
+	nsjconf->nice_level = 19;
 
 	nsjconf->openfds.push_back(STDIN_FILENO);
 	nsjconf->openfds.push_back(STDOUT_FILENO);
@@ -830,6 +832,9 @@ std::unique_ptr<nsjconf_t> parseArgs(int argc, char* argv[]) {
 		case 0x902:
 			nsjconf->seccomp_log = true;
 			break;
+		case 0x903:
+			nsjconf->nice_level = (int)strtol(optarg, NULL, 0);
+			break;
 		default:
 			cmdlineUsage(argv[0]);
 			return nullptr;

config.cc

@@ -239,6 +239,7 @@ static bool configParseInternal(nsjconf_t* nsjconf, const nsjail::NsJailConfig&
 		nsjconf->kafel_string += '\n';
 	}
 	nsjconf->seccomp_log = njc.seccomp_log();
+	nsjconf->nice_level = njc.nice_level();
 
 	nsjconf->cgroup_mem_max = njc.cgroup_mem_max();
 	nsjconf->cgroup_mem_mount = njc.cgroup_mem_mount();

config.proto

@@ -237,7 +237,10 @@ message NsJailConfig {
     optional string macvlan_vs_gw = 78 [default = "192.168.0.1"];
     optional string macvlan_vs_ma = 79 [default = ""];
 
+    /* Niceness level of the jailed process */
+    optional int32 nice_level = 80 [default = 19];
+
     /* Binary path (with arguments) to be executed. If not specified here, it
        can be specified with cmd-line as "-- /path/to/command arg1 arg2" */
-    optional Exe exec_bin = 80;
+    optional Exe exec_bin = 81;
 }

contain.cc

@@ -100,9 +100,10 @@ static bool containPrepareEnv(nsjconf_t* nsjconf) {
 		PLOG_E("personality(%lx)", nsjconf->personality);
 		return false;
 	}
+	LOG_D("setpriority(%d)", nsjconf->nice_level);
 	errno = 0;
-	if (setpriority(PRIO_PROCESS, 0, 19) == -1 && errno != 0) {
-		PLOG_W("setpriority(19)");
+	if (setpriority(PRIO_PROCESS, 0, nsjconf->nice_level) == -1 && errno != 0) {
+		PLOG_W("setpriority(%d)", nsjconf->nice_level);
 	}
 	if (!nsjconf->skip_setsid) {
 		setsid();

nsjail.h

@@ -142,6 +142,7 @@ struct nsjconf_t {
 	std::string kafel_string;
 	struct sock_fprog seccomp_fprog;
 	bool seccomp_log;
+	int nice_level;
 	long num_cpus;
 	uid_t orig_uid;
 	uid_t orig_euid;

user.cc

@@ -88,7 +88,7 @@ static bool setGroupsDeny(nsjconf_t* nsjconf, pid_t pid) {
 
 	char fname[PATH_MAX];
 	snprintf(fname, sizeof(fname), "/proc/%d/setgroups", pid);
-	const char* denystr = "deny";
+	const char* const denystr = "deny";
 	if (!util::writeBufToFile(fname, denystr, strlen(denystr), O_WRONLY | O_CLOEXEC)) {
 		LOG_E("util::writeBufToFile('%s', '%s') failed", fname, denystr);
 		return false;
@@ -263,7 +263,7 @@ bool initNsFromChild(nsjconf_t* nsjconf) {
 
 	LOG_D("setgroups(%lu, %s)", groups.size(), groupsString.c_str());
 	if (setgroups(groups.size(), groups.data()) == -1) {
-		/* Indicate errror if specific groups were requested */
+		/* Indicate error if specific groups were requested */
 		if (groups.size() > 0) {
 			PLOG_E("setgroups(%lu, %s) failed", groups.size(), groupsString.c_str());
 			return false;