config: bind caps
This commit is contained in:
parent
5ed3c033ed
commit
7226893b12
2
Makefile
2
Makefile
@ -139,7 +139,7 @@ indent:
|
|||||||
nsjail.o: nsjail.h common.h caps.h cmdline.h log.h net.h subproc.h util.h
|
nsjail.o: nsjail.h common.h caps.h cmdline.h log.h net.h subproc.h util.h
|
||||||
caps.o: caps.h common.h log.h
|
caps.o: caps.h common.h log.h
|
||||||
cmdline.o: cmdline.h common.h caps.h config.h log.h mount.h util.h user.h
|
cmdline.o: cmdline.h common.h caps.h config.h log.h mount.h util.h user.h
|
||||||
config.o: common.h config.h log.h mount.h user.h util.h
|
config.o: common.h caps.h config.h log.h mount.h user.h util.h
|
||||||
contain.o: contain.h common.h caps.h cgroup.h cpu.h log.h mount.h net.h pid.h
|
contain.o: contain.h common.h caps.h cgroup.h cpu.h log.h mount.h net.h pid.h
|
||||||
contain.o: user.h util.h uts.h
|
contain.o: user.h util.h uts.h
|
||||||
log.o: log.h common.h
|
log.o: log.h common.h
|
||||||
|
10
config.c
10
config.c
@ -25,6 +25,7 @@
|
|||||||
#include <sys/mount.h>
|
#include <sys/mount.h>
|
||||||
#include <sys/personality.h>
|
#include <sys/personality.h>
|
||||||
|
|
||||||
|
#include "caps.h"
|
||||||
#include "config.h"
|
#include "config.h"
|
||||||
#include "log.h"
|
#include "log.h"
|
||||||
#include "mount.h"
|
#include "mount.h"
|
||||||
@ -113,6 +114,15 @@ static bool configParseInternal(struct nsjconf_t *nsjconf, Nsjail__NsJailConfig
|
|||||||
}
|
}
|
||||||
|
|
||||||
nsjconf->keep_caps = njc->keep_caps;
|
nsjconf->keep_caps = njc->keep_caps;
|
||||||
|
for (size_t i = 0; i < njc->n_cap; i++) {
|
||||||
|
struct ints_t *f = utilMalloc(sizeof(struct ints_t));
|
||||||
|
f->val = capsNameToVal(njc->cap[i]);
|
||||||
|
if (f->val == -1) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
TAILQ_INSERT_HEAD(&nsjconf->caps, f, pointers);
|
||||||
|
}
|
||||||
|
|
||||||
nsjconf->is_silent = njc->silent;
|
nsjconf->is_silent = njc->silent;
|
||||||
nsjconf->skip_setsid = njc->skip_setsid;
|
nsjconf->skip_setsid = njc->skip_setsid;
|
||||||
|
|
||||||
|
@ -110,6 +110,9 @@ message NsJailConfig
|
|||||||
|
|
||||||
/* Should capabilities be preserved or dropped */
|
/* Should capabilities be preserved or dropped */
|
||||||
required bool keep_caps = 21 [ default = false ];
|
required bool keep_caps = 21 [ default = false ];
|
||||||
|
/* Which capabilities should be preserved if keep_caps == false.
|
||||||
|
Format: "CAP_SYS_PTRACE" */
|
||||||
|
repeated string cap = 63;
|
||||||
/* Should nsjail close FD=0,1,2 before executing the process */
|
/* Should nsjail close FD=0,1,2 before executing the process */
|
||||||
required bool silent = 22 [ default = false ];
|
required bool silent = 22 [ default = false ];
|
||||||
/* Should the child process have control over terminal?
|
/* Should the child process have control over terminal?
|
||||||
|
@ -29,6 +29,8 @@ envar: "HOME=/"
|
|||||||
envar: "PS1=[\\H:\\t:\\s-\\V:\\w]\\$ "
|
envar: "PS1=[\\H:\\t:\\s-\\V:\\w]\\$ "
|
||||||
|
|
||||||
keep_caps: true
|
keep_caps: true
|
||||||
|
cap: "CAP_NET_ADMIN"
|
||||||
|
cap: "CAP_NET_RAW"
|
||||||
silent: false
|
silent: false
|
||||||
skip_setsid: true
|
skip_setsid: true
|
||||||
pass_fd: 100
|
pass_fd: 100
|
||||||
|
Loading…
Reference in New Issue
Block a user