commit
6482720b29
@ -357,9 +357,9 @@ Options:
|
|||||||
--rw
|
--rw
|
||||||
Mount chroot dir (/) R/W (default: R/O)
|
Mount chroot dir (/) R/W (default: R/O)
|
||||||
--user|-u VALUE
|
--user|-u VALUE
|
||||||
Username/uid of processess inside the jail (default: your current uid). You can also use inside_ns_uid:outside_ns_uid:count convention here. Can be specified multiple times
|
Username/uid of processes inside the jail (default: your current uid). You can also use inside_ns_uid:outside_ns_uid:count convention here. Can be specified multiple times
|
||||||
--group|-g VALUE
|
--group|-g VALUE
|
||||||
Groupname/gid of processess inside the jail (default: your current gid). You can also use inside_ns_gid:global_ns_gid:count convention here. Can be specified multiple times
|
Groupname/gid of processes inside the jail (default: your current gid). You can also use inside_ns_gid:global_ns_gid:count convention here. Can be specified multiple times
|
||||||
--hostname|-H VALUE
|
--hostname|-H VALUE
|
||||||
UTS name (hostname) of the jail (default: 'NSJAIL')
|
UTS name (hostname) of the jail (default: 'NSJAIL')
|
||||||
--cwd|-D VALUE
|
--cwd|-D VALUE
|
||||||
|
2
caps.cc
2
caps.cc
@ -88,7 +88,7 @@ int nameToVal(const char* name) {
|
|||||||
return cap.val;
|
return cap.val;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
LOG_W("Uknown capability: '%s'", name);
|
LOG_W("Unknown capability: '%s'", name);
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
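Review bot: The text changed in `LOG_W("Unknown capability: '%s'", name);` is operator-facing log output, and the same kind of edit is made in the configParseInternal hunk (`Unknown running mode`), the mountPt hunk (`Writing %zu bytes`) and the seccompViolation hunk (`committed a syscall/seccomp violation`). Any log parser or alert rule keyed on the old spellings will silently stop matching after this change, and the SIGSYS violation line is the one most likely to be monitored. If the commit description does not already call this out, a one-line note listing the changed message strings would let downstream consumers update their patterns. The body of nameToVal begins outside this hunk, so the callers' handling of the -1 return is not visible here.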
@ -77,8 +77,8 @@ struct custom_option custom_opts[] = {
|
|||||||
{ { "execute_fd", no_argument, NULL, 0x0607 }, "Use execveat() to execute a file-descriptor instead of executing the binary path. In such case argv[0]/exec_file denotes a file path before mount namespacing" },
|
{ { "execute_fd", no_argument, NULL, 0x0607 }, "Use execveat() to execute a file-descriptor instead of executing the binary path. In such case argv[0]/exec_file denotes a file path before mount namespacing" },
|
||||||
{ { "chroot", required_argument, NULL, 'c' }, "Directory containing / of the jail (default: none)" },
|
{ { "chroot", required_argument, NULL, 'c' }, "Directory containing / of the jail (default: none)" },
|
||||||
{ { "rw", no_argument, NULL, 0x601 }, "Mount chroot dir (/) R/W (default: R/O)" },
|
{ { "rw", no_argument, NULL, 0x601 }, "Mount chroot dir (/) R/W (default: R/O)" },
|
||||||
{ { "user", required_argument, NULL, 'u' }, "Username/uid of processess inside the jail (default: your current uid). You can also use inside_ns_uid:outside_ns_uid:count convention here. Can be specified multiple times" },
|
{ { "user", required_argument, NULL, 'u' }, "Username/uid of processes inside the jail (default: your current uid). You can also use inside_ns_uid:outside_ns_uid:count convention here. Can be specified multiple times" },
|
||||||
{ { "group", required_argument, NULL, 'g' }, "Groupname/gid of processess inside the jail (default: your current gid). You can also use inside_ns_gid:global_ns_gid:count convention here. Can be specified multiple times" },
|
{ { "group", required_argument, NULL, 'g' }, "Groupname/gid of processes inside the jail (default: your current gid). You can also use inside_ns_gid:global_ns_gid:count convention here. Can be specified multiple times" },
|
||||||
{ { "hostname", required_argument, NULL, 'H' }, "UTS name (hostname) of the jail (default: 'NSJAIL')" },
|
{ { "hostname", required_argument, NULL, 'H' }, "UTS name (hostname) of the jail (default: 'NSJAIL')" },
|
||||||
{ { "cwd", required_argument, NULL, 'D' }, "Directory in the namespace the process will run (default: '/')" },
|
{ { "cwd", required_argument, NULL, 'D' }, "Directory in the namespace the process will run (default: '/')" },
|
||||||
{ { "port", required_argument, NULL, 'p' }, "TCP port to bind to (enables MODE_LISTEN_TCP) (default: 0)" },
|
{ { "port", required_argument, NULL, 'p' }, "TCP port to bind to (enables MODE_LISTEN_TCP) (default: 0)" },
|
||||||
|
@ -79,7 +79,7 @@ static bool configParseInternal(nsjconf_t* nsjconf, const nsjail::NsJailConfig&
|
|||||||
nsjconf->mode = MODE_STANDALONE_EXECVE;
|
nsjconf->mode = MODE_STANDALONE_EXECVE;
|
||||||
break;
|
break;
|
||||||
default:
|
default:
|
||||||
LOG_E("Uknown running mode: %d", njc.mode());
|
LOG_E("Unknown running mode: %d", njc.mode());
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
if (njc.has_chroot_dir()) {
|
if (njc.has_chroot_dir()) {
|
||||||
|
2
mnt.cc
2
mnt.cc
@ -178,7 +178,7 @@ static bool mountPt(mount_t* mpt, const char* newroot, const char* tmpdir) {
|
|||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
if (!util::writeToFd(fd, mpt->src_content.data(), mpt->src_content.length())) {
|
if (!util::writeToFd(fd, mpt->src_content.data(), mpt->src_content.length())) {
|
||||||
LOG_W("Writting %zu bytes to '%s' failed", mpt->src_content.length(),
|
LOG_W("Writing %zu bytes to '%s' failed", mpt->src_content.length(),
|
||||||
srcpath);
|
srcpath);
|
||||||
close(fd);
|
close(fd);
|
||||||
return false;
|
return false;
|
||||||
|
4
nsjail.1
4
nsjail.1
@ -44,10 +44,10 @@ Directory containing / of the jail (default: none)
|
|||||||
Mount chroot dir (/) R/W (default: R/O)
|
Mount chroot dir (/) R/W (default: R/O)
|
||||||
.TP
|
.TP
|
||||||
\fB\-\-user\fR|\fB\-u\fR VALUE
|
\fB\-\-user\fR|\fB\-u\fR VALUE
|
||||||
Username/uid of processess inside the jail (default: your current uid). You can also use inside_ns_uid:outside_ns_uid:count convention here. Can be specified multiple times
|
Username/uid of processes inside the jail (default: your current uid). You can also use inside_ns_uid:outside_ns_uid:count convention here. Can be specified multiple times
|
||||||
.TP
|
.TP
|
||||||
\fB\-\-group\fR|\fB\-g\fR VALUE
|
\fB\-\-group\fR|\fB\-g\fR VALUE
|
||||||
Groupname/gid of processess inside the jail (default: your current gid). You can also use inside_ns_gid:global_ns_gid:count convention here. Can be specified multiple times
|
Groupname/gid of processes inside the jail (default: your current gid). You can also use inside_ns_gid:global_ns_gid:count convention here. Can be specified multiple times
|
||||||
.TP
|
.TP
|
||||||
\fB\-\-hostname\fR|\fB\-H\fR VALUE
|
\fB\-\-hostname\fR|\fB\-H\fR VALUE
|
||||||
UTS name (hostname) of the jail (default: 'NSJAIL')
|
UTS name (hostname) of the jail (default: 'NSJAIL')
|
||||||
|
@ -255,7 +255,7 @@ void displayProc(nsjconf_t* nsjconf) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
static void seccompViolation(nsjconf_t* nsjconf, siginfo_t* si) {
|
static void seccompViolation(nsjconf_t* nsjconf, siginfo_t* si) {
|
||||||
LOG_W("pid=%d commited a syscall/seccomp violation and exited with SIGSYS", si->si_pid);
|
LOG_W("pid=%d committed a syscall/seccomp violation and exited with SIGSYS", si->si_pid);
|
||||||
|
|
||||||
const auto& p = nsjconf->pids.find(si->si_pid);
|
const auto& p = nsjconf->pids.find(si->si_pid);
|
||||||
if (p == nsjconf->pids.end()) {
|
if (p == nsjconf->pids.end()) {
|
||||||
|