diff --git a/config.c b/config.c index 3028911..ce2e5bb 100644 --- a/config.c +++ b/config.c @@ -106,6 +106,7 @@ static bool configParseInternal(struct nsjconf_t *nsjconf, Nsjail__NsJailConfig TAILQ_INSERT_TAIL(&nsjconf->envs, p, pointers); } + nsjconf->keep_caps = njc->keep_caps; nsjconf->is_silent = njc->silent; nsjconf->skip_setsid = njc->skip_setsid; diff --git a/config.pb-c.c b/config.pb-c.c index c896cea..018b46c 100644 --- a/config.pb-c.c +++ b/config.pb-c.c @@ -7,26 +7,22 @@ #endif #include "config.pb-c.h" -void nsjail__id_map__init(Nsjail__IdMap * message) -{ +void nsjail__id_map__init(Nsjail__IdMap * message) { static Nsjail__IdMap init_value = NSJAIL__ID_MAP__INIT; *message = init_value; } -size_t nsjail__id_map__get_packed_size(const Nsjail__IdMap * message) -{ +size_t nsjail__id_map__get_packed_size(const Nsjail__IdMap * message) { assert(message->base.descriptor == &nsjail__id_map__descriptor); return protobuf_c_message_get_packed_size((const ProtobufCMessage *)(message)); } -size_t nsjail__id_map__pack(const Nsjail__IdMap * message, uint8_t * out) -{ +size_t nsjail__id_map__pack(const Nsjail__IdMap * message, uint8_t * out) { assert(message->base.descriptor == &nsjail__id_map__descriptor); return protobuf_c_message_pack((const ProtobufCMessage *)message, out); } -size_t nsjail__id_map__pack_to_buffer(const Nsjail__IdMap * message, ProtobufCBuffer * buffer) -{ +size_t nsjail__id_map__pack_to_buffer(const Nsjail__IdMap * message, ProtobufCBuffer * buffer) { assert(message->base.descriptor == &nsjail__id_map__descriptor); return protobuf_c_message_pack_to_buffer((const ProtobufCMessage *)message, buffer); } 
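Review bot: The new `nsjconf->keep_caps = njc->keep_caps;` copies a sandbox-weakening toggle straight into the runtime config with no trace of it having been enabled, unlike a policy a reviewer could audit from logs. Since keeping capabilities inside the jail relaxes the default posture, it is worth emitting a warning at parse time when the flag is set, e.g. `if (njc->keep_caps) { LOG_W("keep_caps is enabled: capabilities will be retained inside the jail"); }` using whatever warning logger this file already uses (not visible in the hunk). The body of configParseInternal starts and ends outside the hunk, so whether a later consistency check (for example against disable_no_new_privs or clone_newuser) already exists cannot be confirmed from here.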
@@ -37,32 +33,27 @@ Nsjail__IdMap *nsjail__id_map__unpack protobuf_c_message_unpack(&nsjail__id_map__descriptor, allocator, len, data); } -void nsjail__id_map__free_unpacked(Nsjail__IdMap * message, ProtobufCAllocator * allocator) -{ +void nsjail__id_map__free_unpacked(Nsjail__IdMap * message, ProtobufCAllocator * allocator) { assert(message->base.descriptor == &nsjail__id_map__descriptor); protobuf_c_message_free_unpacked((ProtobufCMessage *) message, allocator); } -void nsjail__mount_pt__init(Nsjail__MountPt * message) -{ +void nsjail__mount_pt__init(Nsjail__MountPt * message) { static Nsjail__MountPt init_value = NSJAIL__MOUNT_PT__INIT; *message = init_value; } -size_t nsjail__mount_pt__get_packed_size(const Nsjail__MountPt * message) -{ +size_t nsjail__mount_pt__get_packed_size(const Nsjail__MountPt * message) { assert(message->base.descriptor == &nsjail__mount_pt__descriptor); return protobuf_c_message_get_packed_size((const ProtobufCMessage *)(message)); } -size_t nsjail__mount_pt__pack(const Nsjail__MountPt * message, uint8_t * out) -{ +size_t nsjail__mount_pt__pack(const Nsjail__MountPt * message, uint8_t * out) { assert(message->base.descriptor == &nsjail__mount_pt__descriptor); return protobuf_c_message_pack((const ProtobufCMessage *)message, out); } -size_t nsjail__mount_pt__pack_to_buffer(const Nsjail__MountPt * message, ProtobufCBuffer * buffer) -{ +size_t nsjail__mount_pt__pack_to_buffer(const Nsjail__MountPt * message, ProtobufCBuffer * buffer) { assert(message->base.descriptor == &nsjail__mount_pt__descriptor); return protobuf_c_message_pack_to_buffer((const ProtobufCMessage *)message, buffer); } 
@@ -73,62 +64,52 @@ Nsjail__MountPt *nsjail__mount_pt__unpack protobuf_c_message_unpack(&nsjail__mount_pt__descriptor, allocator, len, data); } -void nsjail__mount_pt__free_unpacked(Nsjail__MountPt * message, ProtobufCAllocator * allocator) -{ +void nsjail__mount_pt__free_unpacked(Nsjail__MountPt * message, ProtobufCAllocator * allocator) { assert(message->base.descriptor == &nsjail__mount_pt__descriptor); protobuf_c_message_free_unpacked((ProtobufCMessage *) message, allocator); } -void nsjail__exe__init(Nsjail__Exe * message) -{ +void nsjail__exe__init(Nsjail__Exe * message) { static Nsjail__Exe init_value = NSJAIL__EXE__INIT; *message = init_value; } -size_t nsjail__exe__get_packed_size(const Nsjail__Exe * message) -{ +size_t nsjail__exe__get_packed_size(const Nsjail__Exe * message) { assert(message->base.descriptor == &nsjail__exe__descriptor); return protobuf_c_message_get_packed_size((const ProtobufCMessage *)(message)); } -size_t nsjail__exe__pack(const Nsjail__Exe * message, uint8_t * out) -{ +size_t nsjail__exe__pack(const Nsjail__Exe * message, uint8_t * out) { assert(message->base.descriptor == &nsjail__exe__descriptor); return protobuf_c_message_pack((const ProtobufCMessage *)message, out); } -size_t nsjail__exe__pack_to_buffer(const Nsjail__Exe * message, ProtobufCBuffer * buffer) -{ +size_t nsjail__exe__pack_to_buffer(const Nsjail__Exe * message, ProtobufCBuffer * buffer) { assert(message->base.descriptor == &nsjail__exe__descriptor); return protobuf_c_message_pack_to_buffer((const ProtobufCMessage *)message, buffer); } -Nsjail__Exe *nsjail__exe__unpack(ProtobufCAllocator * allocator, size_t len, const uint8_t * data) -{ +Nsjail__Exe *nsjail__exe__unpack(ProtobufCAllocator * allocator, size_t len, const uint8_t * data) { return (Nsjail__Exe *) protobuf_c_message_unpack(&nsjail__exe__descriptor, allocator, len, data); } -void nsjail__exe__free_unpacked(Nsjail__Exe * message, ProtobufCAllocator * allocator) -{ +void 
nsjail__exe__free_unpacked(Nsjail__Exe * message, ProtobufCAllocator * allocator) { assert(message->base.descriptor == &nsjail__exe__descriptor); protobuf_c_message_free_unpacked((ProtobufCMessage *) message, allocator); } -void nsjail__ns_jail_config__init(Nsjail__NsJailConfig * message) -{ +void nsjail__ns_jail_config__init(Nsjail__NsJailConfig * message) { static Nsjail__NsJailConfig init_value = NSJAIL__NS_JAIL_CONFIG__INIT; *message = init_value; } -size_t nsjail__ns_jail_config__get_packed_size(const Nsjail__NsJailConfig * message) -{ +size_t nsjail__ns_jail_config__get_packed_size(const Nsjail__NsJailConfig * message) { assert(message->base.descriptor == &nsjail__ns_jail_config__descriptor); return protobuf_c_message_get_packed_size((const ProtobufCMessage *)(message)); } -size_t nsjail__ns_jail_config__pack(const Nsjail__NsJailConfig * message, uint8_t * out) -{ +size_t nsjail__ns_jail_config__pack(const Nsjail__NsJailConfig * message, uint8_t * out) { assert(message->base.descriptor == &nsjail__ns_jail_config__descriptor); return protobuf_c_message_pack((const ProtobufCMessage *)message, out); } @@ -478,6 +459,7 @@ static const uint32_t nsjail__ns_jail_config__max_conns_per_ip__default_value = static const uint32_t nsjail__ns_jail_config__time_limit__default_value = 600u; static const protobuf_c_boolean nsjail__ns_jail_config__daemon__default_value = 0; static const protobuf_c_boolean nsjail__ns_jail_config__keep_env__default_value = 0; +static const protobuf_c_boolean nsjail__ns_jail_config__keep_caps__default_value = 0; static const protobuf_c_boolean nsjail__ns_jail_config__silent__default_value = 0; static const protobuf_c_boolean nsjail__ns_jail_config__skip_setsid__default_value = 0; static const protobuf_c_boolean nsjail__ns_jail_config__pivot_root_only__default_value = 0; 
@@ -506,7 +488,7 @@ static const protobuf_c_boolean nsjail__ns_jail_config__mount_proc__default_valu static const uint64_t nsjail__ns_jail_config__cgroup_mem_max__default_value = 0ull; static const uint64_t nsjail__ns_jail_config__cgroup_pids_max__default_value = 0ull; static const protobuf_c_boolean nsjail__ns_jail_config__iface_no_lo__default_value = 0; -static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[58] = { +static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[59] = { { "name", 1, @@ -700,11 +682,23 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[ 0, NULL, NULL /* reserved1,reserved2, etc */ }, { - "silent", + "keep_caps", 19, PROTOBUF_C_LABEL_REQUIRED, PROTOBUF_C_TYPE_BOOL, 0, /* quantifier_offset */ + offsetof(Nsjail__NsJailConfig, keep_caps), + NULL, + &nsjail__ns_jail_config__keep_caps__default_value, + 0, /* flags */ + 0, NULL, NULL /* reserved1,reserved2, etc */ + }, + { + "silent", + 20, + PROTOBUF_C_LABEL_REQUIRED, + PROTOBUF_C_TYPE_BOOL, + 0, /* quantifier_offset */ offsetof(Nsjail__NsJailConfig, silent), NULL, &nsjail__ns_jail_config__silent__default_value, @@ -713,7 +707,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[ }, { "skip_setsid", - 20, + 21, PROTOBUF_C_LABEL_REQUIRED, PROTOBUF_C_TYPE_BOOL, 0, /* quantifier_offset */ @@ -725,7 +719,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[ }, { "pass_fd", - 21, + 22, PROTOBUF_C_LABEL_REPEATED, PROTOBUF_C_TYPE_INT32, offsetof(Nsjail__NsJailConfig, n_pass_fd), @@ -737,7 +731,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[ }, { "pivot_root_only", - 22, + 23, PROTOBUF_C_LABEL_REQUIRED, PROTOBUF_C_TYPE_BOOL, 0, /* quantifier_offset */ 
@@ -749,7 +743,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[ }, { "disable_no_new_privs", - 23, + 24, PROTOBUF_C_LABEL_REQUIRED, PROTOBUF_C_TYPE_BOOL, 0, /* quantifier_offset */ @@ -761,7 +755,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[ }, { "rlimit_as", - 24, + 25, PROTOBUF_C_LABEL_REQUIRED, PROTOBUF_C_TYPE_UINT64, 0, /* quantifier_offset */ @@ -773,7 +767,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[ }, { "rlimit_core", - 25, + 26, PROTOBUF_C_LABEL_REQUIRED, PROTOBUF_C_TYPE_UINT64, 0, /* quantifier_offset */ @@ -785,7 +779,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[ }, { "rlimit_cpu", - 26, + 27, PROTOBUF_C_LABEL_REQUIRED, PROTOBUF_C_TYPE_UINT64, 0, /* quantifier_offset */ @@ -797,7 +791,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[ }, { "rlimit_fsize", - 27, + 28, PROTOBUF_C_LABEL_REQUIRED, PROTOBUF_C_TYPE_UINT64, 0, /* quantifier_offset */ @@ -809,7 +803,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[ }, { "rlimit_nofile", - 28, + 29, PROTOBUF_C_LABEL_REQUIRED, PROTOBUF_C_TYPE_UINT64, 0, /* quantifier_offset */ @@ -821,7 +815,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[ }, { "rlimit_nproc", - 29, + 30, PROTOBUF_C_LABEL_OPTIONAL, PROTOBUF_C_TYPE_UINT64, offsetof(Nsjail__NsJailConfig, has_rlimit_nproc), @@ -833,7 +827,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[ }, { "rlimit_stack", - 30, + 31, PROTOBUF_C_LABEL_OPTIONAL, PROTOBUF_C_TYPE_UINT64, offsetof(Nsjail__NsJailConfig, has_rlimit_stack), @@ -845,7 +839,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[ }, { "persona_addr_compat_layout", - 31, + 32, PROTOBUF_C_LABEL_REQUIRED, PROTOBUF_C_TYPE_BOOL, 0, /* quantifier_offset */ 
@@ -857,7 +851,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[ }, { "persona_mmap_page_zero", - 32, + 33, PROTOBUF_C_LABEL_REQUIRED, PROTOBUF_C_TYPE_BOOL, 0, /* quantifier_offset */ @@ -869,7 +863,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[ }, { "persona_read_implies_exec", - 33, + 34, PROTOBUF_C_LABEL_REQUIRED, PROTOBUF_C_TYPE_BOOL, 0, /* quantifier_offset */ @@ -881,7 +875,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[ }, { "persona_addr_limit_3gb", - 34, + 35, PROTOBUF_C_LABEL_REQUIRED, PROTOBUF_C_TYPE_BOOL, 0, /* quantifier_offset */ @@ -893,7 +887,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[ }, { "persona_addr_no_randomize", - 35, + 36, PROTOBUF_C_LABEL_REQUIRED, PROTOBUF_C_TYPE_BOOL, 0, /* quantifier_offset */ @@ -905,7 +899,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[ }, { "clone_newnet", - 36, + 37, PROTOBUF_C_LABEL_REQUIRED, PROTOBUF_C_TYPE_BOOL, 0, /* quantifier_offset */ @@ -917,7 +911,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[ }, { "clone_newuser", - 37, + 38, PROTOBUF_C_LABEL_REQUIRED, PROTOBUF_C_TYPE_BOOL, 0, /* quantifier_offset */ @@ -929,7 +923,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[ }, { "clone_newns", - 38, + 39, PROTOBUF_C_LABEL_REQUIRED, PROTOBUF_C_TYPE_BOOL, 0, /* quantifier_offset */ @@ -941,7 +935,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[ }, { "clone_newpid", - 39, + 40, PROTOBUF_C_LABEL_REQUIRED, PROTOBUF_C_TYPE_BOOL, 0, /* quantifier_offset */ @@ -953,7 +947,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[ }, { "clone_newipc", - 40, + 41, PROTOBUF_C_LABEL_REQUIRED, PROTOBUF_C_TYPE_BOOL, 0, /* quantifier_offset */ 
@@ -965,7 +959,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[ }, { "clone_newuts", - 41, + 42, PROTOBUF_C_LABEL_REQUIRED, PROTOBUF_C_TYPE_BOOL, 0, /* quantifier_offset */ @@ -977,7 +971,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[ }, { "clone_newcgroup", - 42, + 43, PROTOBUF_C_LABEL_REQUIRED, PROTOBUF_C_TYPE_BOOL, 0, /* quantifier_offset */ @@ -989,7 +983,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[ }, { "uidmap", - 43, + 44, PROTOBUF_C_LABEL_REPEATED, PROTOBUF_C_TYPE_MESSAGE, offsetof(Nsjail__NsJailConfig, n_uidmap), @@ -1001,7 +995,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[ }, { "gidmap", - 44, + 45, PROTOBUF_C_LABEL_REPEATED, PROTOBUF_C_TYPE_MESSAGE, offsetof(Nsjail__NsJailConfig, n_gidmap), @@ -1013,7 +1007,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[ }, { "mount_proc", - 45, + 46, PROTOBUF_C_LABEL_REQUIRED, PROTOBUF_C_TYPE_BOOL, 0, /* quantifier_offset */ @@ -1025,7 +1019,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[ }, { "mount", - 46, + 47, PROTOBUF_C_LABEL_REPEATED, PROTOBUF_C_TYPE_MESSAGE, offsetof(Nsjail__NsJailConfig, n_mount), @@ -1037,7 +1031,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[ }, { "seccomp_policy_file", - 47, + 48, PROTOBUF_C_LABEL_OPTIONAL, PROTOBUF_C_TYPE_STRING, 0, /* quantifier_offset */ @@ -1049,7 +1043,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[ }, { "seccomp_string", - 48, + 49, PROTOBUF_C_LABEL_OPTIONAL, PROTOBUF_C_TYPE_STRING, 0, /* quantifier_offset */ @@ -1061,7 +1055,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[ }, { "cgroup_mem_max", - 49, + 50, PROTOBUF_C_LABEL_REQUIRED, PROTOBUF_C_TYPE_UINT64, 0, /* quantifier_offset */ 
@@ -1073,7 +1067,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[ }, { "cgroup_mem_mount", - 50, + 51, PROTOBUF_C_LABEL_REQUIRED, PROTOBUF_C_TYPE_STRING, 0, /* quantifier_offset */ @@ -1085,7 +1079,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[ }, { "cgroup_mem_parent", - 51, + 52, PROTOBUF_C_LABEL_REQUIRED, PROTOBUF_C_TYPE_STRING, 0, /* quantifier_offset */ @@ -1097,7 +1091,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[ }, { "cgroup_pids_max", - 52, + 53, PROTOBUF_C_LABEL_REQUIRED, PROTOBUF_C_TYPE_UINT64, 0, /* quantifier_offset */ @@ -1109,7 +1103,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[ }, { "cgroup_pids_mount", - 53, + 54, PROTOBUF_C_LABEL_REQUIRED, PROTOBUF_C_TYPE_STRING, 0, /* quantifier_offset */ @@ -1121,7 +1115,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[ }, { "cgroup_pids_parent", - 54, + 55, PROTOBUF_C_LABEL_REQUIRED, PROTOBUF_C_TYPE_STRING, 0, /* quantifier_offset */ @@ -1133,7 +1127,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[ }, { "iface_no_lo", - 55, + 56, PROTOBUF_C_LABEL_REQUIRED, PROTOBUF_C_TYPE_BOOL, 0, /* quantifier_offset */ @@ -1145,7 +1139,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[ }, { "macvlan_iface", - 56, + 57, PROTOBUF_C_LABEL_OPTIONAL, PROTOBUF_C_TYPE_STRING, 0, /* quantifier_offset */ @@ -1157,7 +1151,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[ }, { "macvlan_vs_ip", - 57, + 58, PROTOBUF_C_LABEL_REQUIRED, PROTOBUF_C_TYPE_STRING, 0, /* quantifier_offset */ @@ -1169,7 +1163,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[ }, { "macvlan_vs_nm", - 58, + 59, PROTOBUF_C_LABEL_REQUIRED, PROTOBUF_C_TYPE_STRING, 0, /* quantifier_offset */ 
@@ -1181,7 +1175,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[ }, { "macvlan_vs_gw", - 59, + 60, PROTOBUF_C_LABEL_REQUIRED, PROTOBUF_C_TYPE_STRING, 0, /* quantifier_offset */ @@ -1193,7 +1187,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[ }, { "exec_bin", - 60, + 61, PROTOBUF_C_LABEL_OPTIONAL, PROTOBUF_C_TYPE_MESSAGE, 0, /* quantifier_offset */ 
@@ -1207,69 +1201,70 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[ static const unsigned nsjail__ns_jail_config__field_indices_by_name[] = { 8, /* field[8] = bindhost */ - 46, /* field[46] = cgroup_mem_max */ - 47, /* field[47] = cgroup_mem_mount */ - 48, /* field[48] = cgroup_mem_parent */ - 49, /* field[49] = cgroup_pids_max */ - 50, /* field[50] = cgroup_pids_mount */ - 51, /* field[51] = cgroup_pids_parent */ + 47, /* field[47] = cgroup_mem_max */ + 48, /* field[48] = cgroup_mem_mount */ + 49, /* field[49] = cgroup_mem_parent */ + 50, /* field[50] = cgroup_pids_max */ + 51, /* field[51] = cgroup_pids_mount */ + 52, /* field[52] = cgroup_pids_parent */ 3, /* field[3] = chroot_dir */ - 39, /* field[39] = clone_newcgroup */ - 37, /* field[37] = clone_newipc */ - 33, /* field[33] = clone_newnet */ - 35, /* field[35] = clone_newns */ - 36, /* field[36] = clone_newpid */ - 34, /* field[34] = clone_newuser */ - 38, /* field[38] = clone_newuts */ + 40, /* field[40] = clone_newcgroup */ + 38, /* field[38] = clone_newipc */ + 34, /* field[34] = clone_newnet */ + 36, /* field[36] = clone_newns */ + 37, /* field[37] = clone_newpid */ + 35, /* field[35] = clone_newuser */ + 39, /* field[39] = clone_newuts */ 6, /* field[6] = cwd */ 11, /* field[11] = daemon */ 1, /* field[1] = description */ - 20, /* field[20] = disable_no_new_privs */ + 21, /* field[21] = disable_no_new_privs */ 15, /* field[15] = envar */ - 57, /* field[57] = exec_bin */ - 41, /* field[41] = gidmap */ + 58, /* field[58] = exec_bin */ + 42, /* field[42] = gidmap */ 5, /* field[5] = hostname */ - 52, /* field[52] = iface_no_lo */ + 53, /* field[53] = iface_no_lo */ 4, /* field[4] = is_root_rw */ + 16, /* field[16] = keep_caps */ 14, /* field[14] = keep_env */ 12, /* field[12] = log_file */ 13, /* field[13] = log_level */ - 53, /* field[53] = macvlan_iface */ - 56, /* field[56] = macvlan_vs_gw */ - 54, /* field[54] = macvlan_vs_ip */ - 55, /* field[55] = macvlan_vs_nm */ 
+ 54, /* field[54] = macvlan_iface */ + 57, /* field[57] = macvlan_vs_gw */ + 55, /* field[55] = macvlan_vs_ip */ + 56, /* field[56] = macvlan_vs_nm */ 9, /* field[9] = max_conns_per_ip */ 2, /* field[2] = mode */ - 43, /* field[43] = mount */ - 42, /* field[42] = mount_proc */ + 44, /* field[44] = mount */ + 43, /* field[43] = mount_proc */ 0, /* field[0] = name */ - 18, /* field[18] = pass_fd */ - 28, /* field[28] = persona_addr_compat_layout */ - 31, /* field[31] = persona_addr_limit_3gb */ - 32, /* field[32] = persona_addr_no_randomize */ - 29, /* field[29] = persona_mmap_page_zero */ - 30, /* field[30] = persona_read_implies_exec */ - 19, /* field[19] = pivot_root_only */ + 19, /* field[19] = pass_fd */ + 29, /* field[29] = persona_addr_compat_layout */ + 32, /* field[32] = persona_addr_limit_3gb */ + 33, /* field[33] = persona_addr_no_randomize */ + 30, /* field[30] = persona_mmap_page_zero */ + 31, /* field[31] = persona_read_implies_exec */ + 20, /* field[20] = pivot_root_only */ 7, /* field[7] = port */ - 21, /* field[21] = rlimit_as */ - 22, /* field[22] = rlimit_core */ - 23, /* field[23] = rlimit_cpu */ - 24, /* field[24] = rlimit_fsize */ - 25, /* field[25] = rlimit_nofile */ - 26, /* field[26] = rlimit_nproc */ - 27, /* field[27] = rlimit_stack */ - 44, /* field[44] = seccomp_policy_file */ - 45, /* field[45] = seccomp_string */ - 16, /* field[16] = silent */ - 17, /* field[17] = skip_setsid */ + 22, /* field[22] = rlimit_as */ + 23, /* field[23] = rlimit_core */ + 24, /* field[24] = rlimit_cpu */ + 25, /* field[25] = rlimit_fsize */ + 26, /* field[26] = rlimit_nofile */ + 27, /* field[27] = rlimit_nproc */ + 28, /* field[28] = rlimit_stack */ + 45, /* field[45] = seccomp_policy_file */ + 46, /* field[46] = seccomp_string */ + 17, /* field[17] = silent */ + 18, /* field[18] = skip_setsid */ 10, /* field[10] = time_limit */ - 40, /* field[40] = uidmap */ + 41, /* field[41] = uidmap */ }; static const ProtobufCIntRange 
nsjail__ns_jail_config__number_ranges[2 + 1] = { {1, 0}, {8, 5}, - {0, 58} + {0, 59} }; const ProtobufCMessageDescriptor nsjail__ns_jail_config__descriptor = { @@ -1279,7 +1274,7 @@ const ProtobufCMessageDescriptor nsjail__ns_jail_config__descriptor = { "Nsjail__NsJailConfig", "nsjail", sizeof(Nsjail__NsJailConfig), - 58, + 59, nsjail__ns_jail_config__field_descriptors, nsjail__ns_jail_config__field_indices_by_name, 2, nsjail__ns_jail_config__number_ranges, diff --git a/config.pb-c.h b/config.pb-c.h index ef4ede2..ab56919 100644 --- a/config.pb-c.h +++ b/config.pb-c.h @@ -220,6 +220,10 @@ struct _Nsjail__NsJailConfig { */ size_t n_envar; char **envar; + /* + * Should capabilities be preserved or dropped + */ + protobuf_c_boolean keep_caps; /* * Should nsjail close FD=0,1,2 before executing the process */ 
@@ -380,7 +384,7 @@ extern char nsjail__ns_jail_config__macvlan_vs_nm__default_value[]; extern char nsjail__ns_jail_config__macvlan_vs_gw__default_value[]; #define NSJAIL__NS_JAIL_CONFIG__INIT \ { PROTOBUF_C_MESSAGE_INIT (&nsjail__ns_jail_config__descriptor) \ - , nsjail__ns_jail_config__name__default_value, nsjail__ns_jail_config__description__default_value, NSJAIL__MODE__ONCE, NULL, 0, nsjail__ns_jail_config__hostname__default_value, nsjail__ns_jail_config__cwd__default_value, 0u, nsjail__ns_jail_config__bindhost__default_value, 0u, 600u, 0, NULL, 0,0, 0, 0,NULL, 0, 0, 0,NULL, 0, 0, 512ull, 0ull, 600ull, 1ull, 32ull, 0,0, 0,0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1, 0, 0,NULL, 0,NULL, 0, 0,NULL, NULL, NULL, 0ull, nsjail__ns_jail_config__cgroup_mem_mount__default_value, nsjail__ns_jail_config__cgroup_mem_parent__default_value, 0ull, nsjail__ns_jail_config__cgroup_pids_mount__default_value, nsjail__ns_jail_config__cgroup_pids_parent__default_value, 0, NULL, nsjail__ns_jail_config__macvlan_vs_ip__default_value, nsjail__ns_jail_config__macvlan_vs_nm__default_value, nsjail__ns_jail_config__macvlan_vs_gw__default_value, NULL } + , nsjail__ns_jail_config__name__default_value, nsjail__ns_jail_config__description__default_value, NSJAIL__MODE__ONCE, NULL, 0, nsjail__ns_jail_config__hostname__default_value, nsjail__ns_jail_config__cwd__default_value, 0u, nsjail__ns_jail_config__bindhost__default_value, 0u, 600u, 0, NULL, 0,0, 0, 0,NULL, 0, 0, 0, 0,NULL, 0, 0, 512ull, 0ull, 600ull, 1ull, 32ull, 0,0, 0,0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1, 0, 0,NULL, 0,NULL, 0, 0,NULL, NULL, NULL, 0ull, nsjail__ns_jail_config__cgroup_mem_mount__default_value, nsjail__ns_jail_config__cgroup_mem_parent__default_value, 0ull, nsjail__ns_jail_config__cgroup_pids_mount__default_value, nsjail__ns_jail_config__cgroup_pids_parent__default_value, 0, NULL, nsjail__ns_jail_config__macvlan_vs_ip__default_value, nsjail__ns_jail_config__macvlan_vs_nm__default_value, 
nsjail__ns_jail_config__macvlan_vs_gw__default_value, NULL } /* Nsjail__IdMap methods */ void nsjail__id_map__init(Nsjail__IdMap * message); diff --git a/config.proto b/config.proto index e681e15..6c17017 100644 --- a/config.proto +++ b/config.proto 
@@ -100,88 +100,90 @@ message NsJailConfig /* EnvVars to be set before executing binaries */ repeated string envar = 18; + /* Should capabilities be preserved or dropped */ + required bool keep_caps = 19 [ default = false ]; /* Should nsjail close FD=0,1,2 before executing the process */ - required bool silent = 19 [ default = false ]; + required bool silent = 20 [ default = false ]; /* Should the child process have control over terminal? Can be useful to allow /bin/sh to provide job control / signals */ - required bool skip_setsid = 20 [ default = false ]; + required bool skip_setsid = 21 [ default = false ]; /* Which FDs should be passed to the newly executed process By default only FD=0,1,2 are passed */ - repeated int32 pass_fd = 21; + repeated int32 pass_fd = 22; /* Should pivot_root be used instead of chroot? Using pivot_root allows to have subnamespaces */ - required bool pivot_root_only = 22 [ default = false ]; + required bool pivot_root_only = 23 [ default = false ]; /* Setting it to true will allow to have set-uid binaries inside the jail */ - required bool disable_no_new_privs = 23 [ default = false ]; + required bool disable_no_new_privs = 24 [ default = false ]; - required uint64 rlimit_as = 24 [ default = 512 ]; /* In MiB */ - required uint64 rlimit_core = 25 [ default = 0 ]; /* In MiB */ - required uint64 rlimit_cpu = 26 [ default = 600 ]; /* In seconds */ - required uint64 rlimit_fsize = 27 [ default = 1 ]; /* In MiB */ - required uint64 rlimit_nofile = 28 [ default = 32 ]; - optional uint64 rlimit_nproc = 29; /* This is system-wide: tricky to use */ - optional uint64 rlimit_stack = 30; /* In MiB */ + required uint64 rlimit_as = 25 [ default = 512 ]; /* In MiB */ + required uint64 rlimit_core = 26 [ default = 0 ]; /* In MiB */ + required uint64 rlimit_cpu = 27 [ default = 600 ]; /* In seconds */ + required uint64 rlimit_fsize = 28 [ default = 1 ]; /* In MiB */ + required uint64 rlimit_nofile = 29 [ default = 32 ]; + optional uint64 rlimit_nproc = 
30; /* This is system-wide: tricky to use */ + optional uint64 rlimit_stack = 31; /* In MiB */ /* See 'man personality' for more */ - required bool persona_addr_compat_layout = 31 [ default = false ]; - required bool persona_mmap_page_zero = 32 [ default = false ]; - required bool persona_read_implies_exec = 33 [ default = false ]; - required bool persona_addr_limit_3gb = 34 [ default = false ]; - required bool persona_addr_no_randomize = 35 [ default = false ]; + required bool persona_addr_compat_layout = 32 [ default = false ]; + required bool persona_mmap_page_zero = 33 [ default = false ]; + required bool persona_read_implies_exec = 34 [ default = false ]; + required bool persona_addr_limit_3gb = 35 [ default = false ]; + required bool persona_addr_no_randomize = 36 [ default = false ]; /* Which name-spaces should be used? */ - required bool clone_newnet = 36 [ default = true ]; - required bool clone_newuser = 37 [ default = true ]; - required bool clone_newns = 38 [ default = true ]; - required bool clone_newpid = 39 [ default = true ]; - required bool clone_newipc = 40 [ default = true ]; - required bool clone_newuts = 41 [ default = true ]; + required bool clone_newnet = 37 [ default = true ]; + required bool clone_newuser = 38 [ default = true ]; + required bool clone_newns = 39 [ default = true ]; + required bool clone_newpid = 40 [ default = true ]; + required bool clone_newipc = 41 [ default = true ]; + required bool clone_newuts = 42 [ default = true ]; /* It's only supported in newer kernels, hence disabled by default */ - required bool clone_newcgroup = 42 [ default = false ]; + required bool clone_newcgroup = 43 [ default = false ]; /* Mappings for UIDs and GIDs. See the description for 'msg IdMap' for more */ - repeated IdMap uidmap = 43; - repeated IdMap gidmap = 44; + repeated IdMap uidmap = 44; + repeated IdMap gidmap = 45; /* Should /proc be mounted (R/O)? 
This can also be added in the 'mount' section below */ - required bool mount_proc = 45 [ default = false ]; + required bool mount_proc = 46 [ default = false ]; /* Mount points inside the jail. See the description for 'msg MountPt' for more */ - repeated MountPt mount = 46; + repeated MountPt mount = 47; /* Kafel seccomp-bpf policy file or a string: Homepage of the project: https://github.com/google/kafel */ - optional string seccomp_policy_file = 47; - optional string seccomp_string = 48; + optional string seccomp_policy_file = 48; + optional string seccomp_string = 49; /* If > 0, maximum cumulative size of RAM used inside any jail */ - required uint64 cgroup_mem_max = 49 [ default = 0 ]; /* In MiB */ + required uint64 cgroup_mem_max = 50 [ default = 0 ]; /* In MiB */ /* Mount point for cgroups-memory in your system */ - required string cgroup_mem_mount = 50 [ default = "/sys/fs/cgroup/memory" ]; + required string cgroup_mem_mount = 51 [ default = "/sys/fs/cgroup/memory" ]; /* Writeable directory (for the nsjail user) under cgroup_mem_mount */ - required string cgroup_mem_parent = 51 [ default = "NSJAIL" ]; + required string cgroup_mem_parent = 52 [ default = "NSJAIL" ]; /* If > 0, maximum number of PIDs (threads/processes) inside jail */ - required uint64 cgroup_pids_max = 52 [ default = 0 ]; + required uint64 cgroup_pids_max = 53 [ default = 0 ]; /* Mount point for cgroups-pids in your system */ - required string cgroup_pids_mount = 53 [ default = "/sys/fs/cgroup/pids" ]; + required string cgroup_pids_mount = 54 [ default = "/sys/fs/cgroup/pids" ]; /* Writeable directory (for the nsjail user) under cgroup_pids_mount */ - required string cgroup_pids_parent = 54 [ default = "NSJAIL" ]; + required string cgroup_pids_parent = 55 [ default = "NSJAIL" ]; /* Should the 'lo' interface be brought up (active) inside this jail? 
*/ - required bool iface_no_lo = 55 [ default = false ]; + required bool iface_no_lo = 56 [ default = false ]; /* Parameters for the cloned MACVLAN interface inside jail */ - optional string macvlan_iface = 56; /* Interface to be cloned, eg 'eth0' */ - required string macvlan_vs_ip = 57 [ default = "192.168.0.2" ]; - required string macvlan_vs_nm = 58 [ default = "255.255.255.0" ]; - required string macvlan_vs_gw = 59 [ default = "192.168.0.1" ]; + optional string macvlan_iface = 57; /* Interface to be cloned, eg 'eth0' */ + required string macvlan_vs_ip = 58 [ default = "192.168.0.2" ]; + required string macvlan_vs_nm = 59 [ default = "255.255.255.0" ]; + required string macvlan_vs_gw = 60 [ default = "192.168.0.1" ]; /* Binary path (with arguments) to be executed. If not specified here, it can be specified with cmd-line as "-- /path/to/command arg1 arg2" */ - optional Exe exec_bin = 60; + optional Exe exec_bin = 61; } diff --git a/configs/bash-with-fake-geteuid.cfg b/configs/bash-with-fake-geteuid.cfg index ea8c31d..44ff747 100644 --- a/configs/bash-with-fake-geteuid.cfg +++ b/configs/bash-with-fake-geteuid.cfg @@ -9,8 +9,8 @@ This is an example policy, hence it repeats many default values from the https://github.com/google/nsjail/blob/master/config.proto PB schema" mode: ONCE -hostname: "TEST-NS" -cwd: "/" +hostname: "JAILED-BASH" +cwd: "/tmp" bindhost: "::1" max_conns_per_ip: 10 @@ -23,8 +23,9 @@ keep_env: false envar: "ENVAR1=VALUE1" envar: "ENVAR2=VALUE2" envar: "TERM=linux" -envar: "PS1=[INSIDE-NSJAIL-SH]: " +envar: "PS1=[\\H:\\w]\\$ " +keep_caps: true silent: false skip_setsid: false pass_fd: 100 @@ -54,13 +55,13 @@ clone_newuts: true clone_newcgroup: true uidmap { - inside_id: "999999" + inside_id: "0" outside_id: "" count: 1 } gidmap { - inside_id: "999998" + inside_id: "0" outside_id: "" count: 1 }
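Review bot: Inserting `keep_caps = 19` and shifting every later field number (silent 19→20 through exec_bin 60→61) changes the wire format of NsJailConfig, so any config that was ever serialized in binary form, or any other tool compiled against the old numbering, will now decode fields into the wrong slots; appending the new field as `required bool keep_caps = 61 [ default = false ];` would have been backward compatible, and keeping field numbers stable is the usual rule for proto2 messages. This matters less if the only consumers are text-format .cfg files, which appears to be the case from this diff, but it is worth stating in the commit message. The field comment should also spell out the security consequence rather than just "preserved or dropped", e.g. `/* Should capabilities be preserved (true) or dropped (false, default)? Keeping them weakens the sandbox; only enable for a trusted workload */`.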
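Review bot: Changing `inside_id: "999999"` / `"999998"` to `inside_id: "0"` in both maps, in the same file that now sets `keep_caps: true`, turns this example from a jail that appears to be root (the file is named bash-with-fake-geteuid) into one where the process is really uid/gid 0 inside its user namespace and, if keep_caps does what its name suggests, retains capabilities there; that is a materially different threat model for an example people copy from. The hunk shows only clone_newuts/clone_newcgroup as context, so whether clone_newuser remains true in this file (which is what keeps uid 0 confined to the namespace) cannot be confirmed from the diff. Please add a comment next to the maps such as `# Maps to uid/gid 0 inside the user namespace; together with keep_caps: true this is a privileged-in-namespace shell, not a fake root` so the example documents the choice.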