Merge branch 'master' of ssh://github.com/google/nsjail
This commit is contained in:
commit
86f444d00b
23
cmdline.c
23
cmdline.c
@ -368,6 +368,7 @@ bool cmdlineParse(int argc, char* argv[], struct nsjconf_t* nsjconf)
|
|||||||
.iface_vs_gw = "0.0.0.0",
|
.iface_vs_gw = "0.0.0.0",
|
||||||
.kafel_file = NULL,
|
.kafel_file = NULL,
|
||||||
.kafel_string = NULL,
|
.kafel_string = NULL,
|
||||||
|
.orig_uid = getuid(),
|
||||||
.num_cpus = sysconf(_SC_NPROCESSORS_ONLN),
|
.num_cpus = sysconf(_SC_NPROCESSORS_ONLN),
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -651,9 +652,8 @@ bool cmdlineParse(int argc, char* argv[], struct nsjconf_t* nsjconf)
|
|||||||
dst = dst ? dst : optarg;
|
dst = dst ? dst : optarg;
|
||||||
if (!mountAddMountPtTail(nsjconf, /* src= */ optarg, dst, /* fs_type= */ "",
|
if (!mountAddMountPtTail(nsjconf, /* src= */ optarg, dst, /* fs_type= */ "",
|
||||||
/* options= */ "", MS_BIND | MS_REC | MS_PRIVATE | MS_RDONLY,
|
/* options= */ "", MS_BIND | MS_REC | MS_PRIVATE | MS_RDONLY,
|
||||||
/* isDir= */
|
/* isDir= */ NS_DIR_MAYBE, /* mandatory= */ true, NULL, NULL, NULL,
|
||||||
NS_DIR_MAYBE, /* mandatory= */ true, NULL, NULL, NULL, 0,
|
0, /* is_symlink= */ false)) {
|
||||||
/* is_symlink= */ false)) {
|
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
}; break;
|
}; break;
|
||||||
@ -662,18 +662,15 @@ bool cmdlineParse(int argc, char* argv[], struct nsjconf_t* nsjconf)
|
|||||||
dst = dst ? dst : optarg;
|
dst = dst ? dst : optarg;
|
||||||
if (!mountAddMountPtTail(nsjconf, /* src= */ optarg, dst, /* fs_type= */ "",
|
if (!mountAddMountPtTail(nsjconf, /* src= */ optarg, dst, /* fs_type= */ "",
|
||||||
/* options= */ "", MS_BIND | MS_REC | MS_PRIVATE,
|
/* options= */ "", MS_BIND | MS_REC | MS_PRIVATE,
|
||||||
/* isDir= */ NS_DIR_MAYBE,
|
/* isDir= */ NS_DIR_MAYBE, /* mandatory= */ true, NULL, NULL, NULL,
|
||||||
/* mandatory= */ true, NULL, NULL, NULL, 0,
|
0, /* is_symlink= */ false)) {
|
||||||
/* is_symlink= */
|
|
||||||
false)) {
|
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
}; break;
|
}; break;
|
||||||
case 'T': {
|
case 'T': {
|
||||||
if (!mountAddMountPtTail(nsjconf, /* src= */ NULL, optarg, "tmpfs",
|
if (!mountAddMountPtTail(nsjconf, /* src= */ NULL, optarg, "tmpfs",
|
||||||
/* options= */ "",
|
/* options= */ "", /* flags= */ 0, /* isDir= */ NS_DIR_YES,
|
||||||
/* flags= */ 0, /* isDir= */ true, /* mandatory= */ true, NULL,
|
/* mandatory= */ true, NULL, NULL, NULL, 0,
|
||||||
NULL, NULL, 0,
|
|
||||||
/* is_symlink= */ false)) {
|
/* is_symlink= */ false)) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
@ -752,7 +749,7 @@ bool cmdlineParse(int argc, char* argv[], struct nsjconf_t* nsjconf)
|
|||||||
|
|
||||||
if (nsjconf->mount_proc) {
|
if (nsjconf->mount_proc) {
|
||||||
if (!mountAddMountPtTail(nsjconf, /* src= */ NULL, nsjconf->proc_path, "proc", "",
|
if (!mountAddMountPtTail(nsjconf, /* src= */ NULL, nsjconf->proc_path, "proc", "",
|
||||||
nsjconf->is_proc_rw ? 0 : MS_RDONLY, /* isDir= */ true,
|
nsjconf->is_proc_rw ? 0 : MS_RDONLY, /* isDir= */ NS_DIR_YES,
|
||||||
/* mandatory= */ true, NULL, NULL, NULL, 0, /* is_symlink= */ false)) {
|
/* mandatory= */ true, NULL, NULL, NULL, 0, /* is_symlink= */ false)) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
@ -762,13 +759,13 @@ bool cmdlineParse(int argc, char* argv[], struct nsjconf_t* nsjconf)
|
|||||||
/* options= */ "",
|
/* options= */ "",
|
||||||
nsjconf->is_root_rw ? (MS_BIND | MS_REC | MS_PRIVATE)
|
nsjconf->is_root_rw ? (MS_BIND | MS_REC | MS_PRIVATE)
|
||||||
: (MS_BIND | MS_REC | MS_PRIVATE | MS_RDONLY),
|
: (MS_BIND | MS_REC | MS_PRIVATE | MS_RDONLY),
|
||||||
/* isDir= */ true, /* mandatory= */ true, NULL, NULL, NULL, 0,
|
/* isDir= */ NS_DIR_YES, /* mandatory= */ true, NULL, NULL, NULL, 0,
|
||||||
/* is_symlink= */ false)) {
|
/* is_symlink= */ false)) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
if (!mountAddMountPtHead(nsjconf, /* src= */ NULL, "/", "tmpfs", /* options= */ "",
|
if (!mountAddMountPtHead(nsjconf, /* src= */ NULL, "/", "tmpfs", /* options= */ "",
|
||||||
nsjconf->is_root_rw ? 0 : MS_RDONLY, /* isDir= */ true,
|
nsjconf->is_root_rw ? 0 : MS_RDONLY, /* isDir= */ NS_DIR_YES,
|
||||||
/* mandatory= */ true, NULL, NULL, NULL, 0, /* is_symlink= */ false)) {
|
/* mandatory= */ true, NULL, NULL, NULL, 0, /* is_symlink= */ false)) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
14
mount.c
14
mount.c
@ -266,9 +266,9 @@ static bool mountMkdirAndTest(const char* dir)
|
|||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool mountGetDir(char* dir, const char* name)
|
static bool mountGetDir(struct nsjconf_t* nsjconf, char* dir, const char* name)
|
||||||
{
|
{
|
||||||
snprintf(dir, PATH_MAX, "/dev/shm/nsjail.%s", name);
|
snprintf(dir, PATH_MAX, "/run/user/%u/nsjail.%s", nsjconf->orig_uid, name);
|
||||||
if (mountMkdirAndTest(dir)) {
|
if (mountMkdirAndTest(dir)) {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
@ -278,11 +278,15 @@ static bool mountGetDir(char* dir, const char* name)
|
|||||||
}
|
}
|
||||||
const char* tmp = getenv("TMPDIR");
|
const char* tmp = getenv("TMPDIR");
|
||||||
if (tmp) {
|
if (tmp) {
|
||||||
snprintf(dir, PATH_MAX, "%s/nsjail.%s", name, tmp);
|
snprintf(dir, PATH_MAX, "%s/nsjail.%s", tmp, name);
|
||||||
if (mountMkdirAndTest(dir)) {
|
if (mountMkdirAndTest(dir)) {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
snprintf(dir, PATH_MAX, "/dev/shm/nsjail.%s", name);
|
||||||
|
if (mountMkdirAndTest(dir)) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
snprintf(dir, PATH_MAX, "/tmp/nsjail.%s.%" PRIx64, name, utilRnd64());
|
snprintf(dir, PATH_MAX, "/tmp/nsjail.%s.%" PRIx64, name, utilRnd64());
|
||||||
if (mountMkdirAndTest(dir)) {
|
if (mountMkdirAndTest(dir)) {
|
||||||
return true;
|
return true;
|
||||||
@ -321,7 +325,7 @@ static bool mountInitNsInternal(struct nsjconf_t* nsjconf)
|
|||||||
}
|
}
|
||||||
|
|
||||||
char destdir[PATH_MAX];
|
char destdir[PATH_MAX];
|
||||||
if (mountGetDir(destdir, "root") == false) {
|
if (mountGetDir(nsjconf, destdir, "root") == false) {
|
||||||
LOG_E("Couldn't obtain root mount directories");
|
LOG_E("Couldn't obtain root mount directories");
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
@ -337,7 +341,7 @@ static bool mountInitNsInternal(struct nsjconf_t* nsjconf)
|
|||||||
}
|
}
|
||||||
|
|
||||||
char tmpdir[PATH_MAX];
|
char tmpdir[PATH_MAX];
|
||||||
if (mountGetDir(tmpdir, "tmp") == false) {
|
if (mountGetDir(nsjconf, tmpdir, "tmp") == false) {
|
||||||
LOG_E("Couldn't obtain temporary mount directories");
|
LOG_E("Couldn't obtain temporary mount directories");
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
2
mount.h
2
mount.h
@ -28,7 +28,7 @@
|
|||||||
#include "nsjail.h"
|
#include "nsjail.h"
|
||||||
|
|
||||||
typedef enum {
|
typedef enum {
|
||||||
NS_DIR_NO = 0,
|
NS_DIR_NO = 0x100,
|
||||||
NS_DIR_YES,
|
NS_DIR_YES,
|
||||||
NS_DIR_MAYBE,
|
NS_DIR_MAYBE,
|
||||||
} isDir_t;
|
} isDir_t;
|
||||||
|
2
nsjail.h
2
nsjail.h
@ -160,8 +160,8 @@ struct nsjconf_t {
|
|||||||
size_t cgroup_pids_max;
|
size_t cgroup_pids_max;
|
||||||
FILE* kafel_file;
|
FILE* kafel_file;
|
||||||
char* kafel_string;
|
char* kafel_string;
|
||||||
uid_t orig_euid;
|
|
||||||
long num_cpus;
|
long num_cpus;
|
||||||
|
uid_t orig_uid;
|
||||||
TAILQ_HEAD(udmaplist, idmap_t)
|
TAILQ_HEAD(udmaplist, idmap_t)
|
||||||
uids;
|
uids;
|
||||||
TAILQ_HEAD(gdmaplist, idmap_t)
|
TAILQ_HEAD(gdmaplist, idmap_t)
|
||||||
|
Loading…
Reference in New Issue
Block a user