Use nullptr where appropriate
parent
94b022fece
commit
98ec95ca85
4
caps.cc
4
caps.cc
@ -127,7 +127,7 @@ static cap_user_data_t getCaps() {
|
|||||||
};
|
};
|
||||||
if (util::syscall(__NR_capget, (uintptr_t)&cap_hdr, (uintptr_t)&cap_data) == -1) {
|
if (util::syscall(__NR_capget, (uintptr_t)&cap_hdr, (uintptr_t)&cap_data) == -1) {
|
||||||
PLOG_W("capget() failed");
|
PLOG_W("capget() failed");
|
||||||
return NULL;
|
return nullptr;
|
||||||
}
|
}
|
||||||
return cap_data;
|
return cap_data;
|
||||||
}
|
}
|
||||||
@ -214,7 +214,7 @@ static bool initNsKeepCaps(cap_user_data_t cap_data) {
|
|||||||
|
|
||||||
bool initNs(nsjconf_t* nsjconf) {
|
bool initNs(nsjconf_t* nsjconf) {
|
||||||
cap_user_data_t cap_data = getCaps();
|
cap_user_data_t cap_data = getCaps();
|
||||||
if (cap_data == NULL) {
|
if (cap_data == nullptr) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
196
cmdline.cc
196
cmdline.cc
@ -67,109 +67,109 @@ struct custom_option {
|
|||||||
|
|
||||||
// clang-format off
|
// clang-format off
|
||||||
static const struct custom_option custom_opts[] = {
|
static const struct custom_option custom_opts[] = {
|
||||||
{ { "help", no_argument, NULL, 'h' }, "Help plz.." },
|
{ { "help", no_argument, nullptr, 'h' }, "Help plz.." },
|
||||||
{ { "mode", required_argument, NULL, 'M' },
|
{ { "mode", required_argument, nullptr, 'M' },
|
||||||
"Execution mode (default: 'o' [MODE_STANDALONE_ONCE]):\n"
|
"Execution mode (default: 'o' [MODE_STANDALONE_ONCE]):\n"
|
||||||
" l: [MODE_LISTEN_TCP]\n\tWait for connections on a TCP port (specified with --port)\n"
|
" l: [MODE_LISTEN_TCP]\n\tWait for connections on a TCP port (specified with --port)\n"
|
||||||
" o: [MODE_STANDALONE_ONCE]\n\tLaunch a single process on the console using clone/execve\n"
|
" o: [MODE_STANDALONE_ONCE]\n\tLaunch a single process on the console using clone/execve\n"
|
||||||
" e: [MODE_STANDALONE_EXECVE]\n\tLaunch a single process on the console using execve\n"
|
" e: [MODE_STANDALONE_EXECVE]\n\tLaunch a single process on the console using execve\n"
|
||||||
" r: [MODE_STANDALONE_RERUN]\n\tLaunch a single process on the console with clone/execve, keep doing it forever" },
|
" r: [MODE_STANDALONE_RERUN]\n\tLaunch a single process on the console with clone/execve, keep doing it forever" },
|
||||||
{ { "config", required_argument, NULL, 'C' }, "Configuration file in the config.proto ProtoBuf format (see configs/ directory for examples)" },
|
{ { "config", required_argument, nullptr, 'C' }, "Configuration file in the config.proto ProtoBuf format (see configs/ directory for examples)" },
|
||||||
{ { "exec_file", required_argument, NULL, 'x' }, "File to exec (default: argv[0])" },
|
{ { "exec_file", required_argument, nullptr, 'x' }, "File to exec (default: argv[0])" },
|
||||||
{ { "execute_fd", no_argument, NULL, 0x0607 }, "Use execveat() to execute a file-descriptor instead of executing the binary path. In such case argv[0]/exec_file denotes a file path before mount namespacing" },
|
{ { "execute_fd", no_argument, nullptr, 0x0607 }, "Use execveat() to execute a file-descriptor instead of executing the binary path. In such case argv[0]/exec_file denotes a file path before mount namespacing" },
|
||||||
{ { "chroot", required_argument, NULL, 'c' }, "Directory containing / of the jail (default: none)" },
|
{ { "chroot", required_argument, nullptr, 'c' }, "Directory containing / of the jail (default: none)" },
|
||||||
{ { "no_pivotroot", no_argument, NULL, 0x600 }, "When creating a mount namespace, use mount(MS_MOVE) and chroot rather than pivot_root. Usefull when pivot_root is disallowed (e.g. initramfs). Note: escapable is some configuration" },
|
{ { "no_pivotroot", no_argument, nullptr, 0x600 }, "When creating a mount namespace, use mount(MS_MOVE) and chroot rather than pivot_root. Usefull when pivot_root is disallowed (e.g. initramfs). Note: escapable is some configuration" },
|
||||||
{ { "rw", no_argument, NULL, 0x601 }, "Mount chroot dir (/) R/W (default: R/O)" },
|
{ { "rw", no_argument, nullptr, 0x601 }, "Mount chroot dir (/) R/W (default: R/O)" },
|
||||||
{ { "user", required_argument, NULL, 'u' }, "Username/uid of processes inside the jail (default: your current uid). You can also use inside_ns_uid:outside_ns_uid:count convention here. Can be specified multiple times" },
|
{ { "user", required_argument, nullptr, 'u' }, "Username/uid of processes inside the jail (default: your current uid). You can also use inside_ns_uid:outside_ns_uid:count convention here. Can be specified multiple times" },
|
||||||
{ { "group", required_argument, NULL, 'g' }, "Groupname/gid of processes inside the jail (default: your current gid). You can also use inside_ns_gid:global_ns_gid:count convention here. Can be specified multiple times" },
|
{ { "group", required_argument, nullptr, 'g' }, "Groupname/gid of processes inside the jail (default: your current gid). You can also use inside_ns_gid:global_ns_gid:count convention here. Can be specified multiple times" },
|
||||||
{ { "hostname", required_argument, NULL, 'H' }, "UTS name (hostname) of the jail (default: 'NSJAIL')" },
|
{ { "hostname", required_argument, nullptr, 'H' }, "UTS name (hostname) of the jail (default: 'NSJAIL')" },
|
||||||
{ { "cwd", required_argument, NULL, 'D' }, "Directory in the namespace the process will run (default: '/')" },
|
{ { "cwd", required_argument, nullptr, 'D' }, "Directory in the namespace the process will run (default: '/')" },
|
||||||
{ { "port", required_argument, NULL, 'p' }, "TCP port to bind to (enables MODE_LISTEN_TCP) (default: 0)" },
|
{ { "port", required_argument, nullptr, 'p' }, "TCP port to bind to (enables MODE_LISTEN_TCP) (default: 0)" },
|
||||||
{ { "bindhost", required_argument, NULL, 0x604 }, "IP address to bind the port to (only in [MODE_LISTEN_TCP]), (default: '::')" },
|
{ { "bindhost", required_argument, nullptr, 0x604 }, "IP address to bind the port to (only in [MODE_LISTEN_TCP]), (default: '::')" },
|
||||||
{ { "max_conns", required_argument, NULL, 0x608 }, "Maximum number of connections across all IPs (only in [MODE_LISTEN_TCP]), (default: 0 (unlimited))" },
|
{ { "max_conns", required_argument, nullptr, 0x608 }, "Maximum number of connections across all IPs (only in [MODE_LISTEN_TCP]), (default: 0 (unlimited))" },
|
||||||
{ { "max_conns_per_ip", required_argument, NULL, 'i' }, "Maximum number of connections per one IP (only in [MODE_LISTEN_TCP]), (default: 0 (unlimited))" },
|
{ { "max_conns_per_ip", required_argument, nullptr, 'i' }, "Maximum number of connections per one IP (only in [MODE_LISTEN_TCP]), (default: 0 (unlimited))" },
|
||||||
{ { "log", required_argument, NULL, 'l' }, "Log file (default: use log_fd)" },
|
{ { "log", required_argument, nullptr, 'l' }, "Log file (default: use log_fd)" },
|
||||||
{ { "log_fd", required_argument, NULL, 'L' }, "Log FD (default: 2)" },
|
{ { "log_fd", required_argument, nullptr, 'L' }, "Log FD (default: 2)" },
|
||||||
{ { "time_limit", required_argument, NULL, 't' }, "Maximum time that a jail can exist, in seconds (default: 600)" },
|
{ { "time_limit", required_argument, nullptr, 't' }, "Maximum time that a jail can exist, in seconds (default: 600)" },
|
||||||
{ { "max_cpus", required_argument, NULL, 0x508 }, "Maximum number of CPUs a single jailed process can use (default: 0 'no limit')" },
|
{ { "max_cpus", required_argument, nullptr, 0x508 }, "Maximum number of CPUs a single jailed process can use (default: 0 'no limit')" },
|
||||||
{ { "daemon", no_argument, NULL, 'd' }, "Daemonize after start" },
|
{ { "daemon", no_argument, nullptr, 'd' }, "Daemonize after start" },
|
||||||
{ { "verbose", no_argument, NULL, 'v' }, "Verbose output" },
|
{ { "verbose", no_argument, nullptr, 'v' }, "Verbose output" },
|
||||||
{ { "quiet", no_argument, NULL, 'q' }, "Log warning and more important messages only" },
|
{ { "quiet", no_argument, nullptr, 'q' }, "Log warning and more important messages only" },
|
||||||
{ { "really_quiet", no_argument, NULL, 'Q' }, "Log fatal messages only" },
|
{ { "really_quiet", no_argument, nullptr, 'Q' }, "Log fatal messages only" },
|
||||||
{ { "keep_env", no_argument, NULL, 'e' }, "Pass all environment variables to the child process (default: all envars are cleared)" },
|
{ { "keep_env", no_argument, nullptr, 'e' }, "Pass all environment variables to the child process (default: all envars are cleared)" },
|
||||||
{ { "env", required_argument, NULL, 'E' }, "Additional environment variable (can be used multiple times). If the envar doesn't contain '=' (e.g. just the 'DISPLAY' string), the current envar value will be used" },
|
{ { "env", required_argument, nullptr, 'E' }, "Additional environment variable (can be used multiple times). If the envar doesn't contain '=' (e.g. just the 'DISPLAY' string), the current envar value will be used" },
|
||||||
{ { "keep_caps", no_argument, NULL, 0x0501 }, "Don't drop any capabilities" },
|
{ { "keep_caps", no_argument, nullptr, 0x0501 }, "Don't drop any capabilities" },
|
||||||
{ { "cap", required_argument, NULL, 0x0509 }, "Retain this capability, e.g. CAP_PTRACE (can be specified multiple times)" },
|
{ { "cap", required_argument, nullptr, 0x0509 }, "Retain this capability, e.g. CAP_PTRACE (can be specified multiple times)" },
|
||||||
{ { "silent", no_argument, NULL, 0x0502 }, "Redirect child process' fd:0/1/2 to /dev/null" },
|
{ { "silent", no_argument, nullptr, 0x0502 }, "Redirect child process' fd:0/1/2 to /dev/null" },
|
||||||
{ { "stderr_to_null", no_argument, NULL, 0x0503 }, "Redirect child process' fd:2 (STDERR_FILENO) to /dev/null" },
|
{ { "stderr_to_null", no_argument, nullptr, 0x0503 }, "Redirect child process' fd:2 (STDERR_FILENO) to /dev/null" },
|
||||||
{ { "skip_setsid", no_argument, NULL, 0x0504 }, "Don't call setsid(), allows for terminal signal handling in the sandboxed process. Dangerous" },
|
{ { "skip_setsid", no_argument, nullptr, 0x0504 }, "Don't call setsid(), allows for terminal signal handling in the sandboxed process. Dangerous" },
|
||||||
{ { "pass_fd", required_argument, NULL, 0x0505 }, "Don't close this FD before executing the child process (can be specified multiple times), by default: 0/1/2 are kept open" },
|
{ { "pass_fd", required_argument, nullptr, 0x0505 }, "Don't close this FD before executing the child process (can be specified multiple times), by default: 0/1/2 are kept open" },
|
||||||
{ { "disable_no_new_privs", no_argument, NULL, 0x0507 }, "Don't set the prctl(NO_NEW_PRIVS, 1) (DANGEROUS)" },
|
{ { "disable_no_new_privs", no_argument, nullptr, 0x0507 }, "Don't set the prctl(NO_NEW_PRIVS, 1) (DANGEROUS)" },
|
||||||
{ { "rlimit_as", required_argument, NULL, 0x0201 }, "RLIMIT_AS in MB, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 4096)" },
|
{ { "rlimit_as", required_argument, nullptr, 0x0201 }, "RLIMIT_AS in MB, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 4096)" },
|
||||||
{ { "rlimit_core", required_argument, NULL, 0x0202 }, "RLIMIT_CORE in MB, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 0)" },
|
{ { "rlimit_core", required_argument, nullptr, 0x0202 }, "RLIMIT_CORE in MB, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 0)" },
|
||||||
{ { "rlimit_cpu", required_argument, NULL, 0x0203 }, "RLIMIT_CPU, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 600)" },
|
{ { "rlimit_cpu", required_argument, nullptr, 0x0203 }, "RLIMIT_CPU, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 600)" },
|
||||||
{ { "rlimit_fsize", required_argument, NULL, 0x0204 }, "RLIMIT_FSIZE in MB, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 1)" },
|
{ { "rlimit_fsize", required_argument, nullptr, 0x0204 }, "RLIMIT_FSIZE in MB, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 1)" },
|
||||||
{ { "rlimit_nofile", required_argument, NULL, 0x0205 }, "RLIMIT_NOFILE, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 32)" },
|
{ { "rlimit_nofile", required_argument, nullptr, 0x0205 }, "RLIMIT_NOFILE, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 32)" },
|
||||||
{ { "rlimit_nproc", required_argument, NULL, 0x0206 }, "RLIMIT_NPROC, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 'soft')" },
|
{ { "rlimit_nproc", required_argument, nullptr, 0x0206 }, "RLIMIT_NPROC, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 'soft')" },
|
||||||
{ { "rlimit_stack", required_argument, NULL, 0x0207 }, "RLIMIT_STACK in MB, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 'soft')" },
|
{ { "rlimit_stack", required_argument, nullptr, 0x0207 }, "RLIMIT_STACK in MB, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 'soft')" },
|
||||||
{ { "rlimit_memlock", required_argument, NULL, 0x0209 }, "RLIMIT_MEMLOCK in KB, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 'soft')" },
|
{ { "rlimit_memlock", required_argument, nullptr, 0x0209 }, "RLIMIT_MEMLOCK in KB, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 'soft')" },
|
||||||
{ { "rlimit_rtprio", required_argument, NULL, 0x0210 }, "RLIMIT_RTPRIO, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 'soft')" },
|
{ { "rlimit_rtprio", required_argument, nullptr, 0x0210 }, "RLIMIT_RTPRIO, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 'soft')" },
|
||||||
{ { "rlimit_msgqueue", required_argument, NULL, 0x0211 }, "RLIMIT_MSGQUEUE in bytes, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 'soft')" },
|
{ { "rlimit_msgqueue", required_argument, nullptr, 0x0211 }, "RLIMIT_MSGQUEUE in bytes, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 'soft')" },
|
||||||
{ { "disable_rlimits", no_argument, NULL, 0x0208 }, "Disable all rlimits, default to limits set by parent" },
|
{ { "disable_rlimits", no_argument, nullptr, 0x0208 }, "Disable all rlimits, default to limits set by parent" },
|
||||||
{ { "persona_addr_compat_layout", no_argument, NULL, 0x0301 }, "personality(ADDR_COMPAT_LAYOUT)" },
|
{ { "persona_addr_compat_layout", no_argument, nullptr, 0x0301 }, "personality(ADDR_COMPAT_LAYOUT)" },
|
||||||
{ { "persona_mmap_page_zero", no_argument, NULL, 0x0302 }, "personality(MMAP_PAGE_ZERO)" },
|
{ { "persona_mmap_page_zero", no_argument, nullptr, 0x0302 }, "personality(MMAP_PAGE_ZERO)" },
|
||||||
{ { "persona_read_implies_exec", no_argument, NULL, 0x0303 }, "personality(READ_IMPLIES_EXEC)" },
|
{ { "persona_read_implies_exec", no_argument, nullptr, 0x0303 }, "personality(READ_IMPLIES_EXEC)" },
|
||||||
{ { "persona_addr_limit_3gb", no_argument, NULL, 0x0304 }, "personality(ADDR_LIMIT_3GB)" },
|
{ { "persona_addr_limit_3gb", no_argument, nullptr, 0x0304 }, "personality(ADDR_LIMIT_3GB)" },
|
||||||
{ { "persona_addr_no_randomize", no_argument, NULL, 0x0305 }, "personality(ADDR_NO_RANDOMIZE)" },
|
{ { "persona_addr_no_randomize", no_argument, nullptr, 0x0305 }, "personality(ADDR_NO_RANDOMIZE)" },
|
||||||
{ { "disable_clone_newnet", no_argument, NULL, 'N' }, "Don't use CLONE_NEWNET. Enable global networking inside the jail" },
|
{ { "disable_clone_newnet", no_argument, nullptr, 'N' }, "Don't use CLONE_NEWNET. Enable global networking inside the jail" },
|
||||||
{ { "disable_clone_newuser", no_argument, NULL, 0x0402 }, "Don't use CLONE_NEWUSER. Requires euid==0" },
|
{ { "disable_clone_newuser", no_argument, nullptr, 0x0402 }, "Don't use CLONE_NEWUSER. Requires euid==0" },
|
||||||
{ { "disable_clone_newns", no_argument, NULL, 0x0403 }, "Don't use CLONE_NEWNS" },
|
{ { "disable_clone_newns", no_argument, nullptr, 0x0403 }, "Don't use CLONE_NEWNS" },
|
||||||
{ { "disable_clone_newpid", no_argument, NULL, 0x0404 }, "Don't use CLONE_NEWPID" },
|
{ { "disable_clone_newpid", no_argument, nullptr, 0x0404 }, "Don't use CLONE_NEWPID" },
|
||||||
{ { "disable_clone_newipc", no_argument, NULL, 0x0405 }, "Don't use CLONE_NEWIPC" },
|
{ { "disable_clone_newipc", no_argument, nullptr, 0x0405 }, "Don't use CLONE_NEWIPC" },
|
||||||
{ { "disable_clone_newuts", no_argument, NULL, 0x0406 }, "Don't use CLONE_NEWUTS" },
|
{ { "disable_clone_newuts", no_argument, nullptr, 0x0406 }, "Don't use CLONE_NEWUTS" },
|
||||||
{ { "disable_clone_newcgroup", no_argument, NULL, 0x0407 }, "Don't use CLONE_NEWCGROUP. Might be required for kernel versions < 4.6" },
|
{ { "disable_clone_newcgroup", no_argument, nullptr, 0x0407 }, "Don't use CLONE_NEWCGROUP. Might be required for kernel versions < 4.6" },
|
||||||
{ { "enable_clone_newtime", no_argument, NULL, 0x0408 }, "Use CLONE_NEWTIME. Supported with kernel versions >= 5.3" },
|
{ { "enable_clone_newtime", no_argument, nullptr, 0x0408 }, "Use CLONE_NEWTIME. Supported with kernel versions >= 5.3" },
|
||||||
{ { "uid_mapping", required_argument, NULL, 'U' }, "Add a custom uid mapping of the form inside_uid:outside_uid:count. Setting this requires newuidmap (set-uid) to be present" },
|
{ { "uid_mapping", required_argument, nullptr, 'U' }, "Add a custom uid mapping of the form inside_uid:outside_uid:count. Setting this requires newuidmap (set-uid) to be present" },
|
||||||
{ { "gid_mapping", required_argument, NULL, 'G' }, "Add a custom gid mapping of the form inside_gid:outside_gid:count. Setting this requires newgidmap (set-uid) to be present" },
|
{ { "gid_mapping", required_argument, nullptr, 'G' }, "Add a custom gid mapping of the form inside_gid:outside_gid:count. Setting this requires newgidmap (set-uid) to be present" },
|
||||||
{ { "bindmount_ro", required_argument, NULL, 'R' }, "List of mountpoints to be mounted --bind (ro) inside the container. Can be specified multiple times. Supports 'source' syntax, or 'source:dest'" },
|
{ { "bindmount_ro", required_argument, nullptr, 'R' }, "List of mountpoints to be mounted --bind (ro) inside the container. Can be specified multiple times. Supports 'source' syntax, or 'source:dest'" },
|
||||||
{ { "bindmount", required_argument, NULL, 'B' }, "List of mountpoints to be mounted --bind (rw) inside the container. Can be specified multiple times. Supports 'source' syntax, or 'source:dest'" },
|
{ { "bindmount", required_argument, nullptr, 'B' }, "List of mountpoints to be mounted --bind (rw) inside the container. Can be specified multiple times. Supports 'source' syntax, or 'source:dest'" },
|
||||||
{ { "tmpfsmount", required_argument, NULL, 'T' }, "List of mountpoints to be mounted as tmpfs (R/W) inside the container. Can be specified multiple times. Supports 'dest' syntax. Alternatively, use '-m none:dest:tmpfs:size=8388608'" },
|
{ { "tmpfsmount", required_argument, nullptr, 'T' }, "List of mountpoints to be mounted as tmpfs (R/W) inside the container. Can be specified multiple times. Supports 'dest' syntax. Alternatively, use '-m none:dest:tmpfs:size=8388608'" },
|
||||||
{ { "mount", required_argument, NULL, 'm' }, "Arbitrary mount, format src:dst:fs_type:options" },
|
{ { "mount", required_argument, nullptr, 'm' }, "Arbitrary mount, format src:dst:fs_type:options" },
|
||||||
{ { "symlink", required_argument, NULL, 's' }, "Symlink, format src:dst" },
|
{ { "symlink", required_argument, nullptr, 's' }, "Symlink, format src:dst" },
|
||||||
{ { "disable_proc", no_argument, NULL, 0x0603 }, "Disable mounting procfs in the jail" },
|
{ { "disable_proc", no_argument, nullptr, 0x0603 }, "Disable mounting procfs in the jail" },
|
||||||
{ { "proc_path", required_argument, NULL, 0x0605 }, "Path used to mount procfs (default: '/proc')" },
|
{ { "proc_path", required_argument, nullptr, 0x0605 }, "Path used to mount procfs (default: '/proc')" },
|
||||||
{ { "proc_rw", no_argument, NULL, 0x0606 }, "Is procfs mounted as R/W (default: R/O)" },
|
{ { "proc_rw", no_argument, nullptr, 0x0606 }, "Is procfs mounted as R/W (default: R/O)" },
|
||||||
{ { "seccomp_policy", required_argument, NULL, 'P' }, "Path to file containing seccomp-bpf policy (see kafel/)" },
|
{ { "seccomp_policy", required_argument, nullptr, 'P' }, "Path to file containing seccomp-bpf policy (see kafel/)" },
|
||||||
{ { "seccomp_string", required_argument, NULL, 0x0901 }, "String with kafel seccomp-bpf policy (see kafel/)" },
|
{ { "seccomp_string", required_argument, nullptr, 0x0901 }, "String with kafel seccomp-bpf policy (see kafel/)" },
|
||||||
{ { "seccomp_log", no_argument, NULL, 0x0902 }, "Use SECCOMP_FILTER_FLAG_LOG. Log all actions except SECCOMP_RET_ALLOW). Supported since kernel version 4.14" },
|
{ { "seccomp_log", no_argument, nullptr, 0x0902 }, "Use SECCOMP_FILTER_FLAG_LOG. Log all actions except SECCOMP_RET_ALLOW). Supported since kernel version 4.14" },
|
||||||
{ { "nice_level", required_argument, NULL, 0x0903 }, "Set jailed process niceness (-20 is highest -priority, 19 is lowest). By default, set to 19" },
|
{ { "nice_level", required_argument, nullptr, 0x0903 }, "Set jailed process niceness (-20 is highest -priority, 19 is lowest). By default, set to 19" },
|
||||||
{ { "cgroup_mem_max", required_argument, NULL, 0x0801 }, "Maximum number of bytes to use in the group (default: '0' - disabled)" },
|
{ { "cgroup_mem_max", required_argument, nullptr, 0x0801 }, "Maximum number of bytes to use in the group (default: '0' - disabled)" },
|
||||||
{ { "cgroup_mem_memsw_max", required_argument, NULL, 0x0804 }, "Maximum number of memory+swap bytes to use (default: '0' - disabled)" },
|
{ { "cgroup_mem_memsw_max", required_argument, nullptr, 0x0804 }, "Maximum number of memory+swap bytes to use (default: '0' - disabled)" },
|
||||||
{ { "cgroup_mem_swap_max", required_argument, NULL, 0x0805 }, "Maximum number of swap bytes to use (default: '-1' - disabled)" },
|
{ { "cgroup_mem_swap_max", required_argument, nullptr, 0x0805 }, "Maximum number of swap bytes to use (default: '-1' - disabled)" },
|
||||||
{ { "cgroup_mem_mount", required_argument, NULL, 0x0802 }, "Location of memory cgroup FS (default: '/sys/fs/cgroup/memory')" },
|
{ { "cgroup_mem_mount", required_argument, nullptr, 0x0802 }, "Location of memory cgroup FS (default: '/sys/fs/cgroup/memory')" },
|
||||||
{ { "cgroup_mem_parent", required_argument, NULL, 0x0803 }, "Which pre-existing memory cgroup to use as a parent (default: 'NSJAIL')" },
|
{ { "cgroup_mem_parent", required_argument, nullptr, 0x0803 }, "Which pre-existing memory cgroup to use as a parent (default: 'NSJAIL')" },
|
||||||
{ { "cgroup_pids_max", required_argument, NULL, 0x0811 }, "Maximum number of pids in a cgroup (default: '0' - disabled)" },
|
{ { "cgroup_pids_max", required_argument, nullptr, 0x0811 }, "Maximum number of pids in a cgroup (default: '0' - disabled)" },
|
||||||
{ { "cgroup_pids_mount", required_argument, NULL, 0x0812 }, "Location of pids cgroup FS (default: '/sys/fs/cgroup/pids')" },
|
{ { "cgroup_pids_mount", required_argument, nullptr, 0x0812 }, "Location of pids cgroup FS (default: '/sys/fs/cgroup/pids')" },
|
||||||
{ { "cgroup_pids_parent", required_argument, NULL, 0x0813 }, "Which pre-existing pids cgroup to use as a parent (default: 'NSJAIL')" },
|
{ { "cgroup_pids_parent", required_argument, nullptr, 0x0813 }, "Which pre-existing pids cgroup to use as a parent (default: 'NSJAIL')" },
|
||||||
{ { "cgroup_net_cls_classid", required_argument, NULL, 0x0821 }, "Class identifier of network packets in the group (default: '0' - disabled)" },
|
{ { "cgroup_net_cls_classid", required_argument, nullptr, 0x0821 }, "Class identifier of network packets in the group (default: '0' - disabled)" },
|
||||||
{ { "cgroup_net_cls_mount", required_argument, NULL, 0x0822 }, "Location of net_cls cgroup FS (default: '/sys/fs/cgroup/net_cls')" },
|
{ { "cgroup_net_cls_mount", required_argument, nullptr, 0x0822 }, "Location of net_cls cgroup FS (default: '/sys/fs/cgroup/net_cls')" },
|
||||||
{ { "cgroup_net_cls_parent", required_argument, NULL, 0x0823 }, "Which pre-existing net_cls cgroup to use as a parent (default: 'NSJAIL')" },
|
{ { "cgroup_net_cls_parent", required_argument, nullptr, 0x0823 }, "Which pre-existing net_cls cgroup to use as a parent (default: 'NSJAIL')" },
|
||||||
{ { "cgroup_cpu_ms_per_sec", required_argument, NULL, 0x0831 }, "Number of milliseconds of CPU time per second that the process group can use (default: '0' - no limit)" },
|
{ { "cgroup_cpu_ms_per_sec", required_argument, nullptr, 0x0831 }, "Number of milliseconds of CPU time per second that the process group can use (default: '0' - no limit)" },
|
||||||
{ { "cgroup_cpu_mount", required_argument, NULL, 0x0832 }, "Location of cpu cgroup FS (default: '/sys/fs/cgroup/cpu')" },
|
{ { "cgroup_cpu_mount", required_argument, nullptr, 0x0832 }, "Location of cpu cgroup FS (default: '/sys/fs/cgroup/cpu')" },
|
||||||
{ { "cgroup_cpu_parent", required_argument, NULL, 0x0833 }, "Which pre-existing cpu cgroup to use as a parent (default: 'NSJAIL')" },
|
{ { "cgroup_cpu_parent", required_argument, nullptr, 0x0833 }, "Which pre-existing cpu cgroup to use as a parent (default: 'NSJAIL')" },
|
||||||
{ { "cgroupv2_mount", required_argument, NULL, 0x0834}, "Location of cgroupv2 directory (default: '/sys/fs/cgroup')"},
|
{ { "cgroupv2_mount", required_argument, nullptr, 0x0834}, "Location of cgroupv2 directory (default: '/sys/fs/cgroup')"},
|
||||||
{ { "use_cgroupv2", no_argument, NULL, 0x0835}, "Use cgroup v2"},
|
{ { "use_cgroupv2", no_argument, nullptr, 0x0835}, "Use cgroup v2"},
|
||||||
{ { "detect_cgroupv2", no_argument, NULL, 0x0836}, "Use cgroupv2, if it is available. (Specify instead of use_cgroupv2)"},
|
{ { "detect_cgroupv2", no_argument, nullptr, 0x0836}, "Use cgroupv2, if it is available. (Specify instead of use_cgroupv2)"},
|
||||||
{ { "iface_no_lo", no_argument, NULL, 0x700 }, "Don't bring the 'lo' interface up" },
|
{ { "iface_no_lo", no_argument, nullptr, 0x700 }, "Don't bring the 'lo' interface up" },
|
||||||
{ { "iface_own", required_argument, NULL, 0x704 }, "Move this existing network interface into the new NET namespace. Can be specified multiple times" },
|
{ { "iface_own", required_argument, nullptr, 0x704 }, "Move this existing network interface into the new NET namespace. Can be specified multiple times" },
|
||||||
{ { "macvlan_iface", required_argument, NULL, 'I' }, "Interface which will be cloned (MACVLAN) and put inside the subprocess' namespace as 'vs'" },
|
{ { "macvlan_iface", required_argument, nullptr, 'I' }, "Interface which will be cloned (MACVLAN) and put inside the subprocess' namespace as 'vs'" },
|
||||||
{ { "macvlan_vs_ip", required_argument, NULL, 0x701 }, "IP of the 'vs' interface (e.g. \"192.168.0.1\")" },
|
{ { "macvlan_vs_ip", required_argument, nullptr, 0x701 }, "IP of the 'vs' interface (e.g. \"192.168.0.1\")" },
|
||||||
{ { "macvlan_vs_nm", required_argument, NULL, 0x702 }, "Netmask of the 'vs' interface (e.g. \"255.255.255.0\")" },
|
{ { "macvlan_vs_nm", required_argument, nullptr, 0x702 }, "Netmask of the 'vs' interface (e.g. \"255.255.255.0\")" },
|
||||||
{ { "macvlan_vs_gw", required_argument, NULL, 0x703 }, "Default GW for the 'vs' interface (e.g. \"192.168.0.1\")" },
|
{ { "macvlan_vs_gw", required_argument, nullptr, 0x703 }, "Default GW for the 'vs' interface (e.g. \"192.168.0.1\")" },
|
||||||
{ { "macvlan_vs_ma", required_argument, NULL, 0x705 }, "MAC-address of the 'vs' interface (e.g. \"ba:ad:ba:be:45:00\")" },
|
{ { "macvlan_vs_ma", required_argument, nullptr, 0x705 }, "MAC-address of the 'vs' interface (e.g. \"ba:ad:ba:be:45:00\")" },
|
||||||
{ { "macvlan_vs_mo", required_argument, NULL, 0x706 }, "Mode of the 'vs' interface. Can be either 'private', 'vepa', 'bridge' or 'passthru' (default: 'private')" },
|
{ { "macvlan_vs_mo", required_argument, nullptr, 0x706 }, "Mode of the 'vs' interface. Can be either 'private', 'vepa', 'bridge' or 'passthru' (default: 'private')" },
|
||||||
{ { "disable_tsc", no_argument, NULL, 0x707 }, "Disable rdtsc and rdtscp instructions. WARNING: To make it effective, you also need to forbid `prctl(PR_SET_TSC, PR_TSC_ENABLE, ...)` in seccomp rules! (x86 and x86_64 only). Dynamic binaries produced by GCC seem to rely on RDTSC, but static ones should work." },
|
{ { "disable_tsc", no_argument, nullptr, 0x707 }, "Disable rdtsc and rdtscp instructions. WARNING: To make it effective, you also need to forbid `prctl(PR_SET_TSC, PR_TSC_ENABLE, ...)` in seccomp rules! (x86 and x86_64 only). Dynamic binaries produced by GCC seem to rely on RDTSC, but static ones should work." },
|
||||||
{ { "forward_signals", no_argument, NULL, 0x708 }, "Forward fatal signals to the child process instead of always using SIKGILL." },
|
{ { "forward_signals", no_argument, nullptr, 0x708 }, "Forward fatal signals to the child process instead of always using SIKGILL." },
|
||||||
};
|
};
|
||||||
// clang-format on
|
// clang-format on
|
||||||
|
|
||||||
|
@ -236,7 +236,7 @@ static bool containMakeFdsCOEProc(nsjconf_t* nsjconf) {
|
|||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
DIR* dir = fdopendir(dirfd);
|
DIR* dir = fdopendir(dirfd);
|
||||||
if (dir == NULL) {
|
if (dir == nullptr) {
|
||||||
PLOG_W("fdopendir(fd=%d)", dirfd);
|
PLOG_W("fdopendir(fd=%d)", dirfd);
|
||||||
close(dirfd);
|
close(dirfd);
|
||||||
return false;
|
return false;
|
||||||
@ -245,12 +245,12 @@ static bool containMakeFdsCOEProc(nsjconf_t* nsjconf) {
|
|||||||
for (;;) {
|
for (;;) {
|
||||||
errno = 0;
|
errno = 0;
|
||||||
struct dirent* entry = readdir(dir);
|
struct dirent* entry = readdir(dir);
|
||||||
if (entry == NULL && errno != 0) {
|
if (entry == nullptr && errno != 0) {
|
||||||
PLOG_D("readdir('/proc/self/fd')");
|
PLOG_D("readdir('/proc/self/fd')");
|
||||||
closedir(dir);
|
closedir(dir);
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
if (entry == NULL) {
|
if (entry == nullptr) {
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
if (strcmp(".", entry->d_name) == 0) {
|
if (strcmp(".", entry->d_name) == 0) {
|
||||||
|
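Review bot: Several help strings in the `custom_opts` table (first hunk of this section) still carry typos on lines this commit rewrote: `SIKGILL` in `forward_signals` should read `SIGKILL`, `Usefull` in `no_pivotroot` should read `Useful`, and the same entry's `Note: escapable is some configuration` should read `Note: escapable in some configurations`. That last sentence is the only in-tool warning that `--no_pivotroot` weakens mount-namespace containment, so it should be unambiguous. For consistency with `skip_setsid` and `disable_no_new_privs`, which are marked dangerous, `keep_caps` (`"Don't drop any capabilities"`) would benefit from the same marker.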
6
mnt.cc
6
mnt.cc
@ -114,7 +114,7 @@ static bool isDir(const char* path) {
|
|||||||
/*
|
/*
|
||||||
* If the source dir is NULL, we assume it's a dir (for /proc and tmpfs)
|
* If the source dir is NULL, we assume it's a dir (for /proc and tmpfs)
|
||||||
*/
|
*/
|
||||||
if (path == NULL) {
|
if (path == nullptr) {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
struct stat st;
|
struct stat st;
|
||||||
@ -535,7 +535,7 @@ static bool addMountPt(mount_t* mnt, const std::string& src, const std::string&
|
|||||||
const std::string& src_content, bool is_symlink) {
|
const std::string& src_content, bool is_symlink) {
|
||||||
if (!src_env.empty()) {
|
if (!src_env.empty()) {
|
||||||
const char* e = getenv(src_env.c_str());
|
const char* e = getenv(src_env.c_str());
|
||||||
if (e == NULL) {
|
if (e == nullptr) {
|
||||||
LOG_W("No such envar:%s", QC(src_env));
|
LOG_W("No such envar:%s", QC(src_env));
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
@ -545,7 +545,7 @@ static bool addMountPt(mount_t* mnt, const std::string& src, const std::string&
|
|||||||
|
|
||||||
if (!dst_env.empty()) {
|
if (!dst_env.empty()) {
|
||||||
const char* e = getenv(dst_env.c_str());
|
const char* e = getenv(dst_env.c_str());
|
||||||
if (e == NULL) {
|
if (e == nullptr) {
|
||||||
LOG_W("No such envar:%s", QC(dst_env));
|
LOG_W("No such envar:%s", QC(dst_env));
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
8
net.cc
8
net.cc
@ -57,7 +57,7 @@ namespace net {
|
|||||||
static bool cloneIface(
|
static bool cloneIface(
|
||||||
nsjconf_t* nsjconf, struct nl_sock* sk, struct nl_cache* link_cache, int pid) {
|
nsjconf_t* nsjconf, struct nl_sock* sk, struct nl_cache* link_cache, int pid) {
|
||||||
struct rtnl_link* rmv = rtnl_link_macvlan_alloc();
|
struct rtnl_link* rmv = rtnl_link_macvlan_alloc();
|
||||||
if (rmv == NULL) {
|
if (rmv == nullptr) {
|
||||||
LOG_E("rtnl_link_macvlan_alloc()");
|
LOG_E("rtnl_link_macvlan_alloc()");
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
@ -271,7 +271,7 @@ int getRecvSocket(const char* bindhost, int port) {
|
|||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
auto connstr = connToText(sockfd, false /* remote */, NULL);
|
auto connstr = connToText(sockfd, false /* remote */, nullptr);
|
||||||
LOG_I("Listening on %s", connstr.c_str());
|
LOG_I("Listening on %s", connstr.c_str());
|
||||||
|
|
||||||
return sockfd;
|
return sockfd;
|
||||||
@ -288,8 +288,8 @@ int acceptConn(int listenfd) {
|
|||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
auto connremotestr = connToText(connfd, true /* remote */, NULL);
|
auto connremotestr = connToText(connfd, true /* remote */, nullptr);
|
||||||
auto connlocalstr = connToText(connfd, false /* remote */, NULL);
|
auto connlocalstr = connToText(connfd, false /* remote */, nullptr);
|
||||||
LOG_I("New connection from: %s on: %s", connremotestr.c_str(), connlocalstr.c_str());
|
LOG_I("New connection from: %s on: %s", connremotestr.c_str(), connlocalstr.c_str());
|
||||||
|
|
||||||
return connfd;
|
return connfd;
|
||||||
|
4
user.cc
4
user.cc
@ -319,7 +319,7 @@ static uid_t parseUid(const std::string& id) {
|
|||||||
return getuid();
|
return getuid();
|
||||||
}
|
}
|
||||||
struct passwd* pw = getpwnam(id.c_str());
|
struct passwd* pw = getpwnam(id.c_str());
|
||||||
if (pw != NULL) {
|
if (pw != nullptr) {
|
||||||
return pw->pw_uid;
|
return pw->pw_uid;
|
||||||
}
|
}
|
||||||
if (util::isANumber(id.c_str())) {
|
if (util::isANumber(id.c_str())) {
|
||||||
@ -333,7 +333,7 @@ static gid_t parseGid(const std::string& id) {
|
|||||||
return getgid();
|
return getgid();
|
||||||
}
|
}
|
||||||
struct group* gr = getgrnam(id.c_str());
|
struct group* gr = getgrnam(id.c_str());
|
||||||
if (gr != NULL) {
|
if (gr != nullptr) {
|
||||||
return gr->gr_gid;
|
return gr->gr_gid;
|
||||||
}
|
}
|
||||||
if (util::isANumber(id.c_str())) {
|
if (util::isANumber(id.c_str())) {
|
||||||
|
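Review bot: In `parseUid`, a nullptr from `getpwnam()` is handled only as "no such user", but the call also returns nullptr when the lookup itself fails, and the code then falls through to the `util::isANumber` branch without recording why. Clearing `errno` before the call and logging when it is set afterwards would make a failed name-service lookup visible instead of silently changing how the id is resolved: `errno = 0;` before the lookup, then `if (pw == nullptr && errno != 0) { PLOG_W("getpwnam('%s')", id.c_str()); }`. `parseGid` has the same pattern with `getgrnam()`. Both function bodies continue outside the hunks, so what happens when neither branch matches is not visible here.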