Merge branch 'master' of github.com:google/nsjail
This commit is contained in:
commit
4628ded479
@ -133,6 +133,7 @@ struct custom_option custom_opts[] = {
|
||||
{ { "seccomp_policy", required_argument, NULL, 'P' }, "Path to file containing seccomp-bpf policy (see kafel/)" },
|
||||
{ { "seccomp_string", required_argument, NULL, 0x0901 }, "String with kafel seccomp-bpf policy (see kafel/)" },
|
||||
{ { "seccomp_log", no_argument, NULL, 0x0902 }, "Use SECCOMP_FILTER_FLAG_LOG. Log all actions except SECCOMP_RET_ALLOW). Supported since kernel version 4.14" },
|
||||
{ { "nice_level", required_argument, NULL, 0x0903 }, "Set jailed process niceness (-20 is highest -priority, 19 is lowest). By default, set to 19" },
|
||||
{ { "cgroup_mem_max", required_argument, NULL, 0x0801 }, "Maximum number of bytes to use in the group (default: '0' - disabled)" },
|
||||
{ { "cgroup_mem_mount", required_argument, NULL, 0x0802 }, "Location of memory cgroup FS (default: '/sys/fs/cgroup/memory')" },
|
||||
{ { "cgroup_mem_parent", required_argument, NULL, 0x0803 }, "Which pre-existing memory cgroup to use as a parent (default: 'NSJAIL')" },
|
||||
@ -444,6 +445,7 @@ std::unique_ptr<nsjconf_t> parseArgs(int argc, char* argv[]) {
|
||||
nsjconf->seccomp_fprog.filter = NULL;
|
||||
nsjconf->seccomp_fprog.len = 0;
|
||||
nsjconf->seccomp_log = false;
|
||||
nsjconf->nice_level = 19;
|
||||
|
||||
nsjconf->openfds.push_back(STDIN_FILENO);
|
||||
nsjconf->openfds.push_back(STDOUT_FILENO);
|
||||
@ -830,6 +832,9 @@ std::unique_ptr<nsjconf_t> parseArgs(int argc, char* argv[]) {
|
||||
case 0x902:
|
||||
nsjconf->seccomp_log = true;
|
||||
break;
|
||||
case 0x903:
|
||||
nsjconf->nice_level = (int)strtol(optarg, NULL, 0);
|
||||
break;
|
||||
default:
|
||||
cmdlineUsage(argv[0]);
|
||||
return nullptr;
|
||||
|
@ -239,6 +239,7 @@ static bool configParseInternal(nsjconf_t* nsjconf, const nsjail::NsJailConfig&
|
||||
nsjconf->kafel_string += '\n';
|
||||
}
|
||||
nsjconf->seccomp_log = njc.seccomp_log();
|
||||
nsjconf->nice_level = njc.nice_level();
|
||||
|
||||
nsjconf->cgroup_mem_max = njc.cgroup_mem_max();
|
||||
nsjconf->cgroup_mem_mount = njc.cgroup_mem_mount();
|
||||
|
@ -237,7 +237,10 @@ message NsJailConfig {
|
||||
optional string macvlan_vs_gw = 78 [default = "192.168.0.1"];
|
||||
optional string macvlan_vs_ma = 79 [default = ""];
|
||||
|
||||
/* Niceness level of the jailed process */
|
||||
optional int32 nice_level = 80 [default = 19];
|
||||
|
||||
/* Binary path (with arguments) to be executed. If not specified here, it
|
||||
can be specified with cmd-line as "-- /path/to/command arg1 arg2" */
|
||||
optional Exe exec_bin = 80;
|
||||
optional Exe exec_bin = 81;
|
||||
}
|
||||
|
@ -100,9 +100,10 @@ static bool containPrepareEnv(nsjconf_t* nsjconf) {
|
||||
PLOG_E("personality(%lx)", nsjconf->personality);
|
||||
return false;
|
||||
}
|
||||
LOG_D("setpriority(%d)", nsjconf->nice_level);
|
||||
errno = 0;
|
||||
if (setpriority(PRIO_PROCESS, 0, 19) == -1 && errno != 0) {
|
||||
PLOG_W("setpriority(19)");
|
||||
if (setpriority(PRIO_PROCESS, 0, nsjconf->nice_level) == -1 && errno != 0) {
|
||||
PLOG_W("setpriority(%d)", nsjconf->nice_level);
|
||||
}
|
||||
if (!nsjconf->skip_setsid) {
|
||||
setsid();
|
||||
|
1
nsjail.h
1
nsjail.h
@ -142,6 +142,7 @@ struct nsjconf_t {
|
||||
std::string kafel_string;
|
||||
struct sock_fprog seccomp_fprog;
|
||||
bool seccomp_log;
|
||||
int nice_level;
|
||||
long num_cpus;
|
||||
uid_t orig_uid;
|
||||
uid_t orig_euid;
|
||||
|
4
user.cc
4
user.cc
@ -88,7 +88,7 @@ static bool setGroupsDeny(nsjconf_t* nsjconf, pid_t pid) {
|
||||
|
||||
char fname[PATH_MAX];
|
||||
snprintf(fname, sizeof(fname), "/proc/%d/setgroups", pid);
|
||||
const char* denystr = "deny";
|
||||
const char* const denystr = "deny";
|
||||
if (!util::writeBufToFile(fname, denystr, strlen(denystr), O_WRONLY | O_CLOEXEC)) {
|
||||
LOG_E("util::writeBufToFile('%s', '%s') failed", fname, denystr);
|
||||
return false;
|
||||
@ -263,7 +263,7 @@ bool initNsFromChild(nsjconf_t* nsjconf) {
|
||||
|
||||
LOG_D("setgroups(%lu, %s)", groups.size(), groupsString.c_str());
|
||||
if (setgroups(groups.size(), groups.data()) == -1) {
|
||||
/* Indicate errror if specific groups were requested */
|
||||
/* Indicate error if specific groups were requested */
|
||||
if (groups.size() > 0) {
|
||||
PLOG_E("setgroups(%lu, %s) failed", groups.size(), groupsString.c_str());
|
||||
return false;
|
||||
|
Loading…
Reference in New Issue
Block a user