Merge pull request #192 from mkow/mkow/disable-tsc-docs
Add more docs for disable_tsc + update README
commit
8e4cc83eb2
32
README.md
32
README.md
@ -354,6 +354,8 @@ Options:
|
|||||||
Use execveat() to execute a file-descriptor instead of executing the binary path. In such case argv[0]/exec_file denotes a file path before mount namespacing
|
Use execveat() to execute a file-descriptor instead of executing the binary path. In such case argv[0]/exec_file denotes a file path before mount namespacing
|
||||||
--chroot|-c VALUE
|
--chroot|-c VALUE
|
||||||
Directory containing / of the jail (default: none)
|
Directory containing / of the jail (default: none)
|
||||||
|
--no_pivotroot
|
||||||
|
When creating a mount namespace, use mount(MS_MOVE) and chroot rather than pivot_root. Usefull when pivot_root is disallowed (e.g. initramfs). Note: escapable is some configuration
|
||||||
--rw
|
--rw
|
||||||
Mount chroot dir (/) R/W (default: R/O)
|
Mount chroot dir (/) R/W (default: R/O)
|
||||||
--user|-u VALUE
|
--user|-u VALUE
|
||||||
@ -389,9 +391,9 @@ Options:
|
|||||||
--really_quiet|-Q
|
--really_quiet|-Q
|
||||||
Log fatal messages only
|
Log fatal messages only
|
||||||
--keep_env|-e
|
--keep_env|-e
|
||||||
Pass all environment variables to the child process (default: all envvars are cleared)
|
Pass all environment variables to the child process (default: all envars are cleared)
|
||||||
--env|-E VALUE
|
--env|-E VALUE
|
||||||
Additional environment variable (can be used multiple times)
|
Additional environment variable (can be used multiple times). If the envar doesn't contain '=' (e.g. just the 'DISPLAY' string), the current envar value will be used
|
||||||
--keep_caps
|
--keep_caps
|
||||||
Don't drop any capabilities
|
Don't drop any capabilities
|
||||||
--cap VALUE
|
--cap VALUE
|
||||||
@ -399,7 +401,7 @@ Options:
|
|||||||
--silent
|
--silent
|
||||||
Redirect child process' fd:0/1/2 to /dev/null
|
Redirect child process' fd:0/1/2 to /dev/null
|
||||||
--stderr_to_null
|
--stderr_to_null
|
||||||
Redirect FD=2 (STDERR_FILENO) to /dev/null
|
Redirect child process' fd:2 (STDERR_FILENO) to /dev/null
|
||||||
--skip_setsid
|
--skip_setsid
|
||||||
Don't call setsid(), allows for terminal signal handling in the sandboxed process. Dangerous
|
Don't call setsid(), allows for terminal signal handling in the sandboxed process. Dangerous
|
||||||
--pass_fd VALUE
|
--pass_fd VALUE
|
||||||
@ -420,6 +422,14 @@ Options:
|
|||||||
RLIMIT_NPROC, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 'soft')
|
RLIMIT_NPROC, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 'soft')
|
||||||
--rlimit_stack VALUE
|
--rlimit_stack VALUE
|
||||||
RLIMIT_STACK in MB, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 'soft')
|
RLIMIT_STACK in MB, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 'soft')
|
||||||
|
--rlimit_memlock VALUE
|
||||||
|
RLIMIT_MEMLOCK in KB, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 'soft')
|
||||||
|
--rlimit_rtprio VALUE
|
||||||
|
RLIMIT_RTPRIO, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 'soft')
|
||||||
|
--rlimit_msgqueue VALUE
|
||||||
|
RLIMIT_MSGQUEUE in bytes, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 'soft')
|
||||||
|
--disable_rlimits
|
||||||
|
Disable all rlimits, default to limits set by parent
|
||||||
--persona_addr_compat_layout
|
--persona_addr_compat_layout
|
||||||
personality(ADDR_COMPAT_LAYOUT)
|
personality(ADDR_COMPAT_LAYOUT)
|
||||||
--persona_mmap_page_zero
|
--persona_mmap_page_zero
|
||||||
@ -444,6 +454,8 @@ Options:
|
|||||||
Don't use CLONE_NEWUTS
|
Don't use CLONE_NEWUTS
|
||||||
--disable_clone_newcgroup
|
--disable_clone_newcgroup
|
||||||
Don't use CLONE_NEWCGROUP. Might be required for kernel versions < 4.6
|
Don't use CLONE_NEWCGROUP. Might be required for kernel versions < 4.6
|
||||||
|
--enable_clone_newtime
|
||||||
|
Use CLONE_NEWTIME. Supported with kernel versions >= 5.3
|
||||||
--uid_mapping|-U VALUE
|
--uid_mapping|-U VALUE
|
||||||
Add a custom uid mapping of the form inside_uid:outside_uid:count. Setting this requires newuidmap (set-uid) to be present
|
Add a custom uid mapping of the form inside_uid:outside_uid:count. Setting this requires newuidmap (set-uid) to be present
|
||||||
--gid_mapping|-G VALUE
|
--gid_mapping|-G VALUE
|
||||||
@ -470,12 +482,14 @@ Options:
|
|||||||
String with kafel seccomp-bpf policy (see kafel/)
|
String with kafel seccomp-bpf policy (see kafel/)
|
||||||
--seccomp_log
|
--seccomp_log
|
||||||
Use SECCOMP_FILTER_FLAG_LOG. Log all actions except SECCOMP_RET_ALLOW). Supported since kernel version 4.14
|
Use SECCOMP_FILTER_FLAG_LOG. Log all actions except SECCOMP_RET_ALLOW). Supported since kernel version 4.14
|
||||||
|
--nice_level VALUE
|
||||||
|
Set jailed process niceness (-20 is highest -priority, 19 is lowest). By default, set to 19
|
||||||
--cgroup_mem_max VALUE
|
--cgroup_mem_max VALUE
|
||||||
Maximum number of bytes to use in the group (default: '0' - disabled)
|
Maximum number of bytes to use in the group (default: '0' - disabled)
|
||||||
--cgroup_mem_memsw_max VALUE
|
--cgroup_mem_memsw_max VALUE
|
||||||
Maximum number of memory+Swap bytes to use in the group (default: '0' - disabled)
|
Maximum number of memory+swap bytes to use (default: '0' - disabled)
|
||||||
--cgroup_mem_swap_max VALUE
|
--cgroup_mem_swap_max VALUE
|
||||||
Maximum number of swap bytes to use in the group (default: '-1' - disabled)
|
Maximum number of swap bytes to use (default: '-1' - disabled)
|
||||||
--cgroup_mem_mount VALUE
|
--cgroup_mem_mount VALUE
|
||||||
Location of memory cgroup FS (default: '/sys/fs/cgroup/memory')
|
Location of memory cgroup FS (default: '/sys/fs/cgroup/memory')
|
||||||
--cgroup_mem_parent VALUE
|
--cgroup_mem_parent VALUE
|
||||||
@ -498,6 +512,10 @@ Options:
|
|||||||
Location of cpu cgroup FS (default: '/sys/fs/cgroup/cpu')
|
Location of cpu cgroup FS (default: '/sys/fs/cgroup/cpu')
|
||||||
--cgroup_cpu_parent VALUE
|
--cgroup_cpu_parent VALUE
|
||||||
Which pre-existing cpu cgroup to use as a parent (default: 'NSJAIL')
|
Which pre-existing cpu cgroup to use as a parent (default: 'NSJAIL')
|
||||||
|
--cgroupv2_mount VALUE
|
||||||
|
Location of cgroupv2 directory (default: '/sys/fs/cgroup')
|
||||||
|
--use_cgroupv2
|
||||||
|
Use cgroup v2
|
||||||
--iface_no_lo
|
--iface_no_lo
|
||||||
Don't bring the 'lo' interface up
|
Don't bring the 'lo' interface up
|
||||||
--iface_own VALUE
|
--iface_own VALUE
|
||||||
@ -512,6 +530,10 @@ Options:
|
|||||||
Default GW for the 'vs' interface (e.g. "192.168.0.1")
|
Default GW for the 'vs' interface (e.g. "192.168.0.1")
|
||||||
--macvlan_vs_ma VALUE
|
--macvlan_vs_ma VALUE
|
||||||
MAC-address of the 'vs' interface (e.g. "ba:ad:ba:be:45:00")
|
MAC-address of the 'vs' interface (e.g. "ba:ad:ba:be:45:00")
|
||||||
|
--macvlan_vs_mo VALUE
|
||||||
|
Mode of the 'vs' interface. Can be either 'private', 'vepa', 'bridge' or 'passthru' (default: 'private')
|
||||||
|
--disable_tsc
|
||||||
|
Disable rdtsc and rdtscp instructions. WARNING: To make it effective, you also need to forbid `prctl(PR_SET_TSC, PR_TSC_ENABLE, ...)` in seccomp rules! (x86 and x86_64 only). Dynamic binaries produced by GCC seem to rely on RDTSC, but static ones should work.
|
||||||
|
|
||||||
Examples:
|
Examples:
|
||||||
Wait on a port 31337 for connections, and run /bin/sh
|
Wait on a port 31337 for connections, and run /bin/sh
|
||||||
|
@ -166,7 +166,7 @@ struct custom_option custom_opts[] = {
|
|||||||
{ { "macvlan_vs_gw", required_argument, NULL, 0x703 }, "Default GW for the 'vs' interface (e.g. \"192.168.0.1\")" },
|
{ { "macvlan_vs_gw", required_argument, NULL, 0x703 }, "Default GW for the 'vs' interface (e.g. \"192.168.0.1\")" },
|
||||||
{ { "macvlan_vs_ma", required_argument, NULL, 0x705 }, "MAC-address of the 'vs' interface (e.g. \"ba:ad:ba:be:45:00\")" },
|
{ { "macvlan_vs_ma", required_argument, NULL, 0x705 }, "MAC-address of the 'vs' interface (e.g. \"ba:ad:ba:be:45:00\")" },
|
||||||
{ { "macvlan_vs_mo", required_argument, NULL, 0x706 }, "Mode of the 'vs' interface. Can be either 'private', 'vepa', 'bridge' or 'passthru' (default: 'private')" },
|
{ { "macvlan_vs_mo", required_argument, NULL, 0x706 }, "Mode of the 'vs' interface. Can be either 'private', 'vepa', 'bridge' or 'passthru' (default: 'private')" },
|
||||||
{ { "disable_tsc", no_argument, NULL, 0x707 }, "Disable rdtsc and rdtscp instructions. WARNING: To make it effective, you also need to forbid `prctl(PR_SET_TSC, PR_TSC_ENABLE, ...)` in seccomp rules! (x86 and x86_64 only)" },
|
{ { "disable_tsc", no_argument, NULL, 0x707 }, "Disable rdtsc and rdtscp instructions. WARNING: To make it effective, you also need to forbid `prctl(PR_SET_TSC, PR_TSC_ENABLE, ...)` in seccomp rules! (x86 and x86_64 only). Dynamic binaries produced by GCC seem to rely on RDTSC, but static ones should work." },
|
||||||
};
|
};
|
||||||
// clang-format on
|
// clang-format on
|
||||||
|
|
||||||
|
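Review bot: The extended help string for the `disable_tsc` entry (the 0x707 row of custom_opts[]) still leaves the reader guessing what actually happens when a jailed program executes rdtsc after the flag is set; the new sentence about GCC-built dynamic binaries implies they break but not how. If the flag is implemented with prctl(PR_SET_TSC) — the warning's mention of PR_TSC_ENABLE suggests so, though the implementing code is outside this hunk — the disabling mode is PR_TSC_SIGSEGV, and the string could state the observable effect, e.g. `... (x86 and x86_64 only). The jailed process receives SIGSEGV on rdtsc/rdtscp; dynamic binaries produced by GCC seem to rely on RDTSC, but static ones should work.` The seccomp caveat is the security-relevant part and should stay prominent: without a seccomp rule rejecting prctl(PR_SET_TSC, ...) the sandboxed code can simply re-enable the counter, so the flag alone is not a hardening boundary. The same text is duplicated in the README hunk at the `--disable_tsc` entry and the two should be kept in sync; the enclosing custom_opts[] array begins outside this hunk and the file header for this section is not rendered on the page.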