Merge branch 'master' of github.com:google/nsjail

This commit is contained in:
Robert Swiecki 2018-10-25 14:10:33 +02:00
commit 4d3cf9f56f
7 changed files with 24 additions and 4 deletions


@ -504,6 +504,8 @@ Options:
Netmask of the 'vs' interface (e.g. "255.255.255.0")
--macvlan_vs_gw VALUE
Default GW for the 'vs' interface (e.g. "192.168.0.1")
--macvlan_vs_ma VALUE
MAC-address of the 'vs' interface (e.g. "ba:ad:ba:be:45:00")
Examples:
Wait on a port 31337 for connections, and run /bin/sh


@ -151,6 +151,7 @@ struct custom_option custom_opts[] = {
{ { "macvlan_vs_ip", required_argument, NULL, 0x701 }, "IP of the 'vs' interface (e.g. \"192.168.0.1\")" },
{ { "macvlan_vs_nm", required_argument, NULL, 0x702 }, "Netmask of the 'vs' interface (e.g. \"255.255.255.0\")" },
{ { "macvlan_vs_gw", required_argument, NULL, 0x703 }, "Default GW for the 'vs' interface (e.g. \"192.168.0.1\")" },
{ { "macvlan_vs_ma", required_argument, NULL, 0x705 }, "MAC-address of the 'vs' interface (e.g. \"ba:ad:ba:be:45:00\")" },
};
// clang-format on
@ -417,6 +418,7 @@ std::unique_ptr<nsjconf_t> parseArgs(int argc, char* argv[]) {
nsjconf->iface_vs_ip = "0.0.0.0";
nsjconf->iface_vs_nm = "255.255.255.0";
nsjconf->iface_vs_gw = "0.0.0.0";
nsjconf->iface_vs_ma = "";
nsjconf->orig_uid = getuid();
nsjconf->num_cpus = sysconf(_SC_NPROCESSORS_ONLN);
nsjconf->seccomp_fprog.filter = NULL;
@ -760,6 +762,9 @@ std::unique_ptr<nsjconf_t> parseArgs(int argc, char* argv[]) {
case 0x704:
nsjconf->ifaces.push_back(optarg);
break;
case 0x705:
nsjconf->iface_vs_ma = optarg;
break;
case 0x801:
nsjconf->cgroup_mem_max = (size_t)strtoull(optarg, NULL, 0);
break;
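Review bot: The new `case 0x705` stores `optarg` into `nsjconf->iface_vs_ma` verbatim, with no check that it looks like a MAC address, unlike the numeric options around it that at least go through `strtoull`. A malformed value is only discovered later, when `/sbin/ip link add ... address` is invoked during namespace setup, which is after the jail has started and the error is reported under a generic message. Consider validating at parse time and failing fast, e.g. a small helper that accepts exactly six colon-separated two-digit hex groups, called as `if (!isValidMac(optarg)) { LOG_E("Invalid --macvlan_vs_ma value: '%s'", optarg); return nullptr; }` (the exact failure path should follow what the other cases in parseArgs do on bad input, which is outside this hunk). The same unvalidated assignment appears in the config.cc hunk (`nsjconf->iface_vs_ma = njc.macvlan_vs_ma();`), so the check belongs where both paths converge, or in both.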


@ -262,6 +262,7 @@ static bool configParseInternal(nsjconf_t* nsjconf, const nsjail::NsJailConfig&
nsjconf->iface_vs_ip = njc.macvlan_vs_ip();
nsjconf->iface_vs_nm = njc.macvlan_vs_nm();
nsjconf->iface_vs_gw = njc.macvlan_vs_gw();
nsjconf->iface_vs_ma = njc.macvlan_vs_ma();
if (njc.has_exec_bin()) {
nsjconf->exec_file = njc.exec_bin().path();


@ -192,7 +192,7 @@ message NsJailConfig {
Homepage of the project: https://github.com/google/kafel */
optional string seccomp_policy_file = 57;
repeated string seccomp_string = 58;
/* Setting it to true makes audit write seccomp logs to dmesg */
/* Setting it to true makes audit write seccomp logs to dmesg */
optional bool seccomp_log = 77 [default = false];
/* If > 0, maximum cumulative size of RAM used inside any jail */
@ -234,6 +234,7 @@ message NsJailConfig {
optional string macvlan_vs_ip = 73 [default = "192.168.0.2"];
optional string macvlan_vs_nm = 74 [default = "255.255.255.0"];
optional string macvlan_vs_gw = 75 [default = "192.168.0.1"];
optional string macvlan_vs_ma = 80 [default = ""];
/* Binary path (with arguments) to be executed. If not specified here, it
can be specified with cmd-line as "-- /path/to/command arg1 arg2" */

13
net.cc

@ -187,13 +187,20 @@ bool initNsFromParent(nsjconf_t* nsjconf, int pid) {
LOG_D("Putting iface:'%s' into namespace of PID:%d (with /sbin/ip)",
nsjconf->iface_vs.c_str(), pid);
const std::vector<std::string> argv{"/sbin/ip", "link", "add", "link", nsjconf->iface_vs,
"name", IFACE_NAME, "netns", std::to_string(pid), "type", "macvlan", "mode", "bridge"};
std::vector<std::string> argv;
if (nsjconf->iface_vs_ma != "") {
argv = {"/sbin/ip", "link", "add", "link", nsjconf->iface_vs, "name", IFACE_NAME,
"netns", std::to_string(pid), "address", nsjconf->iface_vs_ma, "type",
"macvlan", "mode", "bridge"};
} else {
argv = {"/sbin/ip", "link", "add", "link", nsjconf->iface_vs, "name", IFACE_NAME,
"netns", std::to_string(pid), "type", "macvlan", "mode", "bridge"};
}
if (subproc::systemExe(argv, environ) != 0) {
LOG_E("Couldn't create MACVTAP interface for '%s'", nsjconf->iface_vs.c_str());
return false;
}
return true;
}
#endif // defined(NSJAIL_NL3_WITH_MACVLAN)
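Review bot: The two branches in the new `if (nsjconf->iface_vs_ma != "")` block duplicate the whole `/sbin/ip link add` command line and differ only by the optional `"address", <mac>` pair, which invites the two copies to drift apart on the next edit; `!nsjconf->iface_vs_ma.empty()` is also the idiomatic emptiness test. Building the common prefix once and inserting the address pair conditionally keeps a single source of truth, as in the excerpt below. Separately, when the address is set the failure message `"Couldn't create MACVTAP interface for '%s'"` should also log `nsjconf->iface_vs_ma`, since a rejected MAC is now a likely cause of this error and the operator otherwise has no hint. The enclosing initNsFromParent begins before this hunk.
```cpp
/* … unchanged: LOG_D("Putting iface:'%s' into namespace ...") … */
std::vector<std::string> argv{"/sbin/ip", "link", "add", "link", nsjconf->iface_vs, "name",
    IFACE_NAME, "netns", std::to_string(pid)};
if (!nsjconf->iface_vs_ma.empty()) {
    argv.insert(argv.end(), {"address", nsjconf->iface_vs_ma});
}
argv.insert(argv.end(), {"type", "macvlan", "mode", "bridge"});
if (subproc::systemExe(argv, environ) != 0) {
    LOG_E("Couldn't create MACVTAP interface for '%s' (address:'%s')", nsjconf->iface_vs.c_str(),
        nsjconf->iface_vs_ma.c_str());
    return false;
}
/* … unchanged: return true; … */
```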


@ -264,6 +264,9 @@ Netmask of the 'vs' interface (e.g. "255.255.255.0")
.TP
\fB\-\-macvlan_vs_gw\fR VALUE
Default GW for the 'vs' interface (e.g. "192.168.0.1")
.TP
\fB\-\-macvlan_vs_ma\fR VALUE
MAC-address of the 'vs' interface (e.g. "ba:ad:ba:be:45:00")
\"
.SH Examples
.PP


@ -125,6 +125,7 @@ struct nsjconf_t {
std::string iface_vs_ip;
std::string iface_vs_nm;
std::string iface_vs_gw;
std::string iface_vs_ma;
std::string cgroup_mem_mount;
std::string cgroup_mem_parent;
size_t cgroup_mem_max;