config: more options in the config #7

config.c

@@ -20,12 +20,14 @@
 */
 
 #include "common.h"
+
+#include <stdio.h>
+#include <sys/personality.h>
+
 #include "config.h"
 #include "log.h"
 #include "util.h"
 
-#include <stdio.h>
-
 #if !defined(NSJAIL_WITH_PROTOBUF)
 bool configParse(struct nsjconf_t * nsjconf UNUSED, const char *file UNUSED)
 {
@@ -56,8 +58,8 @@ static bool configParseInternal(struct nsjconf_t *nsjconf, Nsjail__NsJailConfig
 		LOG_E("Uknown running mode: %d", njc->mode);
 		return false;
 	}
-	if (njc->has_chroot) {
+	if (njc->has_chroot_dir) {
-		nsjconf->chroot = utilStrDupLen((char *)njc->chroot.data, njc->chroot.len);
+		nsjconf->chroot = utilStrDupLen((char *)njc->chroot_dir.data, njc->chroot_dir.len);
 	}
 	nsjconf->hostname = utilStrDupLen((char *)njc->hostname.data, njc->hostname.len);
 	nsjconf->cwd = utilStrDupLen((char *)njc->cwd.data, njc->cwd.len);
@@ -124,6 +126,36 @@ static bool configParseInternal(struct nsjconf_t *nsjconf, Nsjail__NsJailConfig
 		nsjconf->rl_stack = njc->rlimit_stack * 1024ULL * 1024ULL;
 	}
 
+	if (njc->persona_addr_compat_layout) {
+		nsjconf->personality |= ADDR_COMPAT_LAYOUT;
+	}
+	if (njc->persona_mmap_page_zero) {
+		nsjconf->personality |= MMAP_PAGE_ZERO;
+	}
+	if (njc->persona_read_implies_exec) {
+		nsjconf->personality |= READ_IMPLIES_EXEC;
+	}
+	if (njc->persona_addr_limit_3gb) {
+		nsjconf->personality |= ADDR_LIMIT_3GB;
+	}
+	if (njc->persona_addr_no_randomize) {
+		nsjconf->personality |= ADDR_NO_RANDOMIZE;
+	}
+
+	nsjconf->clone_newnet = njc->clone_newnet;
+	nsjconf->clone_newuser = njc->clone_newuser;
+	nsjconf->clone_newns = njc->clone_newns;
+	nsjconf->clone_newpid = njc->clone_newpid;
+	nsjconf->clone_newipc = njc->clone_newipc;
+	nsjconf->clone_newuts = njc->clone_newuts;
+	nsjconf->clone_newcgroup = njc->clone_newcgroup;
+
+	/* TODO
+	   for (size_t i = 0; i < njc->n_uid_mappings; i++) {
+	   struct mapping_t *p = utilMalloc(sizeof(struct mapping_t));
+	   }
+	 */
+
 	return true;
 }
 

config.example

@@ -1,10 +1,13 @@
 mode: ONCE
-chroot: "/"
+chroot_dir: "/"
 is_root_rw: false
 hostname: "TEST-NS"
 cwd: "/lib"
+
 bindhost: "::1"
 max_conns_per_ip: 10
+port: 31337
+
 time_limit: 100
 daemon: false
 keep_env: true
@@ -14,9 +17,24 @@ pass_fd: 100
 pass_fd: 3
 pivot_root_only: false
 disable_no_new_privs: false
+
 rlimit_as: 128
 rlimit_core: 0
 rlimit_cpu: 10
 rlimit_fsize: 0
 rlimit_nofile: 5
 rlimit_stack: 1
+
+persona_addr_compat_layout: false
+persona_mmap_page_zero: false
+persona_read_implies_exec: false
+persona_addr_limit_3gb: false
+persona_addr_no_randomize: false
+
+clone_newnet: true
+clone_newuser: true
+clone_newns: true
+clone_newpid: true
+clone_newipc: true
+clone_newuts: true
+clone_newcgroup: true

config.pb-c.c

@@ -7,6 +7,42 @@
 #endif
 
 #include "config.pb-c.h"
+void nsjail__id_map__init(Nsjail__IdMap * message)
+{
+	static Nsjail__IdMap init_value = NSJAIL__ID_MAP__INIT;
+	*message = init_value;
+}
+
+size_t nsjail__id_map__get_packed_size(const Nsjail__IdMap * message)
+{
+	assert(message->base.descriptor == &nsjail__id_map__descriptor);
+	return protobuf_c_message_get_packed_size((const ProtobufCMessage *)(message));
+}
+
+size_t nsjail__id_map__pack(const Nsjail__IdMap * message, uint8_t * out)
+{
+	assert(message->base.descriptor == &nsjail__id_map__descriptor);
+	return protobuf_c_message_pack((const ProtobufCMessage *)message, out);
+}
+
+size_t nsjail__id_map__pack_to_buffer(const Nsjail__IdMap * message, ProtobufCBuffer * buffer)
+{
+	assert(message->base.descriptor == &nsjail__id_map__descriptor);
+	return protobuf_c_message_pack_to_buffer((const ProtobufCMessage *)message, buffer);
+}
+
+Nsjail__IdMap *nsjail__id_map__unpack
+    (ProtobufCAllocator * allocator, size_t len, const uint8_t * data) {
+	return (Nsjail__IdMap *)
+	    protobuf_c_message_unpack(&nsjail__id_map__descriptor, allocator, len, data);
+}
+
+void nsjail__id_map__free_unpacked(Nsjail__IdMap * message, ProtobufCAllocator * allocator)
+{
+	assert(message->base.descriptor == &nsjail__id_map__descriptor);
+	protobuf_c_message_free_unpacked((ProtobufCMessage *) message, allocator);
+}
+
 void nsjail__ns_jail_config__init(Nsjail__NsJailConfig * message)
 {
 	static Nsjail__NsJailConfig init_value = NSJAIL__NS_JAIL_CONFIG__INIT;
@@ -43,6 +79,73 @@ void nsjail__ns_jail_config__free_unpacked
 	protobuf_c_message_free_unpacked((ProtobufCMessage *) message, allocator);
 }
 
+static const int32_t nsjail__id_map__global_id__default_value = -1;
+static const uint32_t nsjail__id_map__count__default_value = 1u;
+static const ProtobufCFieldDescriptor nsjail__id_map__field_descriptors[3] = {
+	{
+	 "inside_id",
+	 1,
+	 PROTOBUF_C_LABEL_REQUIRED,
+	 PROTOBUF_C_TYPE_UINT32,
+	 0,			/* quantifier_offset */
+	 offsetof(Nsjail__IdMap, inside_id),
+	 NULL,
+	 NULL,
+	 0,			/* flags */
+	 0, NULL, NULL		/* reserved1,reserved2, etc */
+	 },
+	{
+	 "global_id",
+	 2,
+	 PROTOBUF_C_LABEL_REQUIRED,
+	 PROTOBUF_C_TYPE_INT32,
+	 0,			/* quantifier_offset */
+	 offsetof(Nsjail__IdMap, global_id),
+	 NULL,
+	 &nsjail__id_map__global_id__default_value,
+	 0,			/* flags */
+	 0, NULL, NULL		/* reserved1,reserved2, etc */
+	 },
+	{
+	 "count",
+	 3,
+	 PROTOBUF_C_LABEL_REQUIRED,
+	 PROTOBUF_C_TYPE_UINT32,
+	 0,			/* quantifier_offset */
+	 offsetof(Nsjail__IdMap, count),
+	 NULL,
+	 &nsjail__id_map__count__default_value,
+	 0,			/* flags */
+	 0, NULL, NULL		/* reserved1,reserved2, etc */
+	 },
+};
+
+static const unsigned nsjail__id_map__field_indices_by_name[] = {
+	2,			/* field[2] = count */
+	1,			/* field[1] = global_id */
+	0,			/* field[0] = inside_id */
+};
+
+static const ProtobufCIntRange nsjail__id_map__number_ranges[1 + 1] = {
+	{1, 0},
+	{0, 3}
+};
+
+const ProtobufCMessageDescriptor nsjail__id_map__descriptor = {
+	PROTOBUF_C__MESSAGE_DESCRIPTOR_MAGIC,
+	"nsjail.IdMap",
+	"IdMap",
+	"Nsjail__IdMap",
+	"nsjail",
+	sizeof(Nsjail__IdMap),
+	3,
+	nsjail__id_map__field_descriptors,
+	nsjail__id_map__field_indices_by_name,
+	1, nsjail__id_map__number_ranges,
+	(ProtobufCMessageInit) nsjail__id_map__init,
+	NULL, NULL, NULL	/* reserved[123] */
+};
+
 uint8_t nsjail__ns_jail_config__hostname__default_value_data[] = "NSJAIL";
 uint8_t nsjail__ns_jail_config__cwd__default_value_data[] = "/";
 uint8_t nsjail__ns_jail_config__bindhost__default_value_data[] = "::";
@@ -68,7 +171,22 @@ static const uint64_t nsjail__ns_jail_config__rlimit_core__default_value = 0ull;
 static const uint64_t nsjail__ns_jail_config__rlimit_cpu__default_value = 600ull;
 static const uint64_t nsjail__ns_jail_config__rlimit_fsize__default_value = 1ull;
 static const uint64_t nsjail__ns_jail_config__rlimit_nofile__default_value = 32ull;
-static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[25] = {
+static const protobuf_c_boolean nsjail__ns_jail_config__persona_addr_compat_layout__default_value =
+    0;
+static const protobuf_c_boolean nsjail__ns_jail_config__persona_mmap_page_zero__default_value = 0;
+static const protobuf_c_boolean nsjail__ns_jail_config__persona_read_implies_exec__default_value =
+    0;
+static const protobuf_c_boolean nsjail__ns_jail_config__persona_addr_limit_3gb__default_value = 0;
+static const protobuf_c_boolean nsjail__ns_jail_config__persona_addr_no_randomize__default_value =
+    0;
+static const protobuf_c_boolean nsjail__ns_jail_config__clone_newnet__default_value = 1;
+static const protobuf_c_boolean nsjail__ns_jail_config__clone_newuser__default_value = 1;
+static const protobuf_c_boolean nsjail__ns_jail_config__clone_newns__default_value = 1;
+static const protobuf_c_boolean nsjail__ns_jail_config__clone_newpid__default_value = 1;
+static const protobuf_c_boolean nsjail__ns_jail_config__clone_newipc__default_value = 1;
+static const protobuf_c_boolean nsjail__ns_jail_config__clone_newuts__default_value = 1;
+static const protobuf_c_boolean nsjail__ns_jail_config__clone_newcgroup__default_value = 0;
+static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[39] = {
 	{
 	 "mode",
 	 1,
@@ -82,12 +200,12 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
 	 0, NULL, NULL		/* reserved1,reserved2, etc */
 	 },
 	{
-	 "chroot",
+	 "chroot_dir",
 	 2,
 	 PROTOBUF_C_LABEL_OPTIONAL,
 	 PROTOBUF_C_TYPE_BYTES,
-	 offsetof(Nsjail__NsJailConfig, has_chroot),
+	 offsetof(Nsjail__NsJailConfig, has_chroot_dir),
-	 offsetof(Nsjail__NsJailConfig, chroot),
+	 offsetof(Nsjail__NsJailConfig, chroot_dir),
 	 NULL,
 	 NULL,
 	 0,			/* flags */
@@ -369,11 +487,186 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
 	 0,			/* flags */
 	 0, NULL, NULL		/* reserved1,reserved2, etc */
 	 },
+	{
+	 "persona_addr_compat_layout",
+	 28,
+	 PROTOBUF_C_LABEL_REQUIRED,
+	 PROTOBUF_C_TYPE_BOOL,
+	 0,			/* quantifier_offset */
+	 offsetof(Nsjail__NsJailConfig, persona_addr_compat_layout),
+	 NULL,
+	 &nsjail__ns_jail_config__persona_addr_compat_layout__default_value,
+	 0,			/* flags */
+	 0, NULL, NULL		/* reserved1,reserved2, etc */
+	 },
+	{
+	 "persona_mmap_page_zero",
+	 29,
+	 PROTOBUF_C_LABEL_REQUIRED,
+	 PROTOBUF_C_TYPE_BOOL,
+	 0,			/* quantifier_offset */
+	 offsetof(Nsjail__NsJailConfig, persona_mmap_page_zero),
+	 NULL,
+	 &nsjail__ns_jail_config__persona_mmap_page_zero__default_value,
+	 0,			/* flags */
+	 0, NULL, NULL		/* reserved1,reserved2, etc */
+	 },
+	{
+	 "persona_read_implies_exec",
+	 30,
+	 PROTOBUF_C_LABEL_REQUIRED,
+	 PROTOBUF_C_TYPE_BOOL,
+	 0,			/* quantifier_offset */
+	 offsetof(Nsjail__NsJailConfig, persona_read_implies_exec),
+	 NULL,
+	 &nsjail__ns_jail_config__persona_read_implies_exec__default_value,
+	 0,			/* flags */
+	 0, NULL, NULL		/* reserved1,reserved2, etc */
+	 },
+	{
+	 "persona_addr_limit_3gb",
+	 31,
+	 PROTOBUF_C_LABEL_REQUIRED,
+	 PROTOBUF_C_TYPE_BOOL,
+	 0,			/* quantifier_offset */
+	 offsetof(Nsjail__NsJailConfig, persona_addr_limit_3gb),
+	 NULL,
+	 &nsjail__ns_jail_config__persona_addr_limit_3gb__default_value,
+	 0,			/* flags */
+	 0, NULL, NULL		/* reserved1,reserved2, etc */
+	 },
+	{
+	 "persona_addr_no_randomize",
+	 32,
+	 PROTOBUF_C_LABEL_REQUIRED,
+	 PROTOBUF_C_TYPE_BOOL,
+	 0,			/* quantifier_offset */
+	 offsetof(Nsjail__NsJailConfig, persona_addr_no_randomize),
+	 NULL,
+	 &nsjail__ns_jail_config__persona_addr_no_randomize__default_value,
+	 0,			/* flags */
+	 0, NULL, NULL		/* reserved1,reserved2, etc */
+	 },
+	{
+	 "clone_newnet",
+	 33,
+	 PROTOBUF_C_LABEL_REQUIRED,
+	 PROTOBUF_C_TYPE_BOOL,
+	 0,			/* quantifier_offset */
+	 offsetof(Nsjail__NsJailConfig, clone_newnet),
+	 NULL,
+	 &nsjail__ns_jail_config__clone_newnet__default_value,
+	 0,			/* flags */
+	 0, NULL, NULL		/* reserved1,reserved2, etc */
+	 },
+	{
+	 "clone_newuser",
+	 34,
+	 PROTOBUF_C_LABEL_REQUIRED,
+	 PROTOBUF_C_TYPE_BOOL,
+	 0,			/* quantifier_offset */
+	 offsetof(Nsjail__NsJailConfig, clone_newuser),
+	 NULL,
+	 &nsjail__ns_jail_config__clone_newuser__default_value,
+	 0,			/* flags */
+	 0, NULL, NULL		/* reserved1,reserved2, etc */
+	 },
+	{
+	 "clone_newns",
+	 35,
+	 PROTOBUF_C_LABEL_REQUIRED,
+	 PROTOBUF_C_TYPE_BOOL,
+	 0,			/* quantifier_offset */
+	 offsetof(Nsjail__NsJailConfig, clone_newns),
+	 NULL,
+	 &nsjail__ns_jail_config__clone_newns__default_value,
+	 0,			/* flags */
+	 0, NULL, NULL		/* reserved1,reserved2, etc */
+	 },
+	{
+	 "clone_newpid",
+	 36,
+	 PROTOBUF_C_LABEL_REQUIRED,
+	 PROTOBUF_C_TYPE_BOOL,
+	 0,			/* quantifier_offset */
+	 offsetof(Nsjail__NsJailConfig, clone_newpid),
+	 NULL,
+	 &nsjail__ns_jail_config__clone_newpid__default_value,
+	 0,			/* flags */
+	 0, NULL, NULL		/* reserved1,reserved2, etc */
+	 },
+	{
+	 "clone_newipc",
+	 37,
+	 PROTOBUF_C_LABEL_REQUIRED,
+	 PROTOBUF_C_TYPE_BOOL,
+	 0,			/* quantifier_offset */
+	 offsetof(Nsjail__NsJailConfig, clone_newipc),
+	 NULL,
+	 &nsjail__ns_jail_config__clone_newipc__default_value,
+	 0,			/* flags */
+	 0, NULL, NULL		/* reserved1,reserved2, etc */
+	 },
+	{
+	 "clone_newuts",
+	 38,
+	 PROTOBUF_C_LABEL_REQUIRED,
+	 PROTOBUF_C_TYPE_BOOL,
+	 0,			/* quantifier_offset */
+	 offsetof(Nsjail__NsJailConfig, clone_newuts),
+	 NULL,
+	 &nsjail__ns_jail_config__clone_newuts__default_value,
+	 0,			/* flags */
+	 0, NULL, NULL		/* reserved1,reserved2, etc */
+	 },
+	{
+	 "clone_newcgroup",
+	 39,
+	 PROTOBUF_C_LABEL_REQUIRED,
+	 PROTOBUF_C_TYPE_BOOL,
+	 0,			/* quantifier_offset */
+	 offsetof(Nsjail__NsJailConfig, clone_newcgroup),
+	 NULL,
+	 &nsjail__ns_jail_config__clone_newcgroup__default_value,
+	 0,			/* flags */
+	 0, NULL, NULL		/* reserved1,reserved2, etc */
+	 },
+	{
+	 "newuidmap",
+	 40,
+	 PROTOBUF_C_LABEL_REPEATED,
+	 PROTOBUF_C_TYPE_MESSAGE,
+	 offsetof(Nsjail__NsJailConfig, n_newuidmap),
+	 offsetof(Nsjail__NsJailConfig, newuidmap),
+	 &nsjail__id_map__descriptor,
+	 NULL,
+	 0,			/* flags */
+	 0, NULL, NULL		/* reserved1,reserved2, etc */
+	 },
+	{
+	 "newgidmap",
+	 41,
+	 PROTOBUF_C_LABEL_REPEATED,
+	 PROTOBUF_C_TYPE_MESSAGE,
+	 offsetof(Nsjail__NsJailConfig, n_newgidmap),
+	 offsetof(Nsjail__NsJailConfig, newgidmap),
+	 &nsjail__id_map__descriptor,
+	 NULL,
+	 0,			/* flags */
+	 0, NULL, NULL		/* reserved1,reserved2, etc */
+	 },
 };
 
 static const unsigned nsjail__ns_jail_config__field_indices_by_name[] = {
 	6,			/* field[6] = bindhost */
-	1,			/* field[1] = chroot */
+	1,			/* field[1] = chroot_dir */
+	36,			/* field[36] = clone_newcgroup */
+	34,			/* field[34] = clone_newipc */
+	30,			/* field[30] = clone_newnet */
+	32,			/* field[32] = clone_newns */
+	33,			/* field[33] = clone_newpid */
+	31,			/* field[31] = clone_newuser */
+	35,			/* field[35] = clone_newuts */
 	4,			/* field[4] = cwd */
 	9,			/* field[9] = daemon */
 	17,			/* field[17] = disable_no_new_privs */
@@ -384,7 +677,14 @@ static const unsigned nsjail__ns_jail_config__field_indices_by_name[] = {
 	11,			/* field[11] = log_level */
 	7,			/* field[7] = max_conns_per_ip */
 	0,			/* field[0] = mode */
+	38,			/* field[38] = newgidmap */
+	37,			/* field[37] = newuidmap */
 	15,			/* field[15] = pass_fd */
+	25,			/* field[25] = persona_addr_compat_layout */
+	28,			/* field[28] = persona_addr_limit_3gb */
+	29,			/* field[29] = persona_addr_no_randomize */
+	26,			/* field[26] = persona_mmap_page_zero */
+	27,			/* field[27] = persona_read_implies_exec */
 	16,			/* field[16] = pivot_root_only */
 	5,			/* field[5] = port */
 	18,			/* field[18] = rlimit_as */
@@ -402,7 +702,7 @@ static const unsigned nsjail__ns_jail_config__field_indices_by_name[] = {
 static const ProtobufCIntRange nsjail__ns_jail_config__number_ranges[2 + 1] = {
 	{1, 0},
 	{6, 3},
-	{0, 25}
+	{0, 39}
 };
 
 const ProtobufCMessageDescriptor nsjail__ns_jail_config__descriptor = {
@@ -412,7 +712,7 @@ const ProtobufCMessageDescriptor nsjail__ns_jail_config__descriptor = {
 	"Nsjail__NsJailConfig",
 	"nsjail",
 	sizeof(Nsjail__NsJailConfig),
-	25,
+	39,
 	nsjail__ns_jail_config__field_descriptors,
 	nsjail__ns_jail_config__field_indices_by_name,
 	2, nsjail__ns_jail_config__number_ranges,

config.pb-c.h

@@ -12,6 +12,7 @@ PROTOBUF_C__BEGIN_DECLS
 #elif 1002001 < PROTOBUF_C_MIN_COMPILER_VERSION
 #error This file was generated by an older version of protoc-c which is incompatible with your libprotobuf-c headers. Please regenerate this file with a newer version of protoc-c.
 #endif
+typedef struct _Nsjail__IdMap Nsjail__IdMap;
 typedef struct _Nsjail__NsJailConfig Nsjail__NsJailConfig;
 
 /* --- enums --- */
@@ -32,11 +33,21 @@ typedef enum _Nsjail__LogLevel {
 
 /* --- messages --- */
 
+struct _Nsjail__IdMap {
+	ProtobufCMessage base;
+	uint32_t inside_id;
+	int32_t global_id;
+	uint32_t count;
+};
+#define NSJAIL__ID_MAP__INIT \
+ { PROTOBUF_C_MESSAGE_INIT (&nsjail__id_map__descriptor) \
+    , 0, -1, 1u }
+
 struct _Nsjail__NsJailConfig {
 	ProtobufCMessage base;
 	Nsjail__Mode mode;
-	protobuf_c_boolean has_chroot;
+	protobuf_c_boolean has_chroot_dir;
-	ProtobufCBinaryData chroot;
+	ProtobufCBinaryData chroot_dir;
 	protobuf_c_boolean is_root_rw;
 	ProtobufCBinaryData hostname;
 	ProtobufCBinaryData cwd;
@@ -65,14 +76,38 @@ struct _Nsjail__NsJailConfig {
 	uint64_t rlimit_nproc;
 	protobuf_c_boolean has_rlimit_stack;
 	uint64_t rlimit_stack;
+	protobuf_c_boolean persona_addr_compat_layout;
+	protobuf_c_boolean persona_mmap_page_zero;
+	protobuf_c_boolean persona_read_implies_exec;
+	protobuf_c_boolean persona_addr_limit_3gb;
+	protobuf_c_boolean persona_addr_no_randomize;
+	protobuf_c_boolean clone_newnet;
+	protobuf_c_boolean clone_newuser;
+	protobuf_c_boolean clone_newns;
+	protobuf_c_boolean clone_newpid;
+	protobuf_c_boolean clone_newipc;
+	protobuf_c_boolean clone_newuts;
+	protobuf_c_boolean clone_newcgroup;
+	size_t n_newuidmap;
+	Nsjail__IdMap **newuidmap;
+	size_t n_newgidmap;
+	Nsjail__IdMap **newgidmap;
 };
 extern uint8_t nsjail__ns_jail_config__hostname__default_value_data[];
 extern uint8_t nsjail__ns_jail_config__cwd__default_value_data[];
 extern uint8_t nsjail__ns_jail_config__bindhost__default_value_data[];
 #define NSJAIL__NS_JAIL_CONFIG__INIT \
  { PROTOBUF_C_MESSAGE_INIT (&nsjail__ns_jail_config__descriptor) \
-    , NSJAIL__MODE__ONCE, 0,{0,NULL}, 0, { 6, nsjail__ns_jail_config__hostname__default_value_data }, { 1, nsjail__ns_jail_config__cwd__default_value_data }, 0u, { 2, nsjail__ns_jail_config__bindhost__default_value_data }, 0u, 600u, 0, 0,{0,NULL}, 0,0, 0, 0, 0, 0,NULL, 0, 0, 512ull, 0ull, 600ull, 1ull, 32ull, 0,0, 0,0 }
+    , NSJAIL__MODE__ONCE, 0,{0,NULL}, 0, { 6, nsjail__ns_jail_config__hostname__default_value_data }, { 1, nsjail__ns_jail_config__cwd__default_value_data }, 0u, { 2, nsjail__ns_jail_config__bindhost__default_value_data }, 0u, 600u, 0, 0,{0,NULL}, 0,0, 0, 0, 0, 0,NULL, 0, 0, 512ull, 0ull, 600ull, 1ull, 32ull, 0,0, 0,0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1, 0, 0,NULL, 0,NULL }
 
+/* Nsjail__IdMap methods */
+void nsjail__id_map__init(Nsjail__IdMap * message);
+size_t nsjail__id_map__get_packed_size(const Nsjail__IdMap * message);
+size_t nsjail__id_map__pack(const Nsjail__IdMap * message, uint8_t * out);
+size_t nsjail__id_map__pack_to_buffer(const Nsjail__IdMap * message, ProtobufCBuffer * buffer);
+Nsjail__IdMap *nsjail__id_map__unpack
+    (ProtobufCAllocator * allocator, size_t len, const uint8_t * data);
+void nsjail__id_map__free_unpacked(Nsjail__IdMap * message, ProtobufCAllocator * allocator);
 /* Nsjail__NsJailConfig methods */
 void nsjail__ns_jail_config__init(Nsjail__NsJailConfig * message);
 size_t nsjail__ns_jail_config__get_packed_size(const Nsjail__NsJailConfig * message);
@@ -85,6 +120,8 @@ void nsjail__ns_jail_config__free_unpacked
     (Nsjail__NsJailConfig * message, ProtobufCAllocator * allocator);
 /* --- per-message closures --- */
 
+typedef void (*Nsjail__IdMap_Closure)
+ (const Nsjail__IdMap * message, void *closure_data);
 typedef void (*Nsjail__NsJailConfig_Closure)
  (const Nsjail__NsJailConfig * message, void *closure_data);
 
@@ -94,6 +131,7 @@ typedef void (*Nsjail__NsJailConfig_Closure)
 
 extern const ProtobufCEnumDescriptor nsjail__mode__descriptor;
 extern const ProtobufCEnumDescriptor nsjail__log_level__descriptor;
+extern const ProtobufCMessageDescriptor nsjail__id_map__descriptor;
 extern const ProtobufCMessageDescriptor nsjail__ns_jail_config__descriptor;
 
 PROTOBUF_C__END_DECLS

config.proto

@@ -17,15 +17,23 @@ enum LogLevel {
 	FATAL = 4;
 }
 
+message IdMap {
+	required uint32 inside_id = 1;
+	required int32 global_id = 2 [default = -1];
+	required uint32 count = 3 [default = 1];
+}
+
 message NsJailConfig {
 	required Mode mode = 1 [default = ONCE];
-	optional bytes chroot = 2;
+	optional bytes chroot_dir = 2;
 	required bool is_root_rw = 3 [default = false];
 	required bytes hostname = 6 [default = "NSJAIL"];
 	required bytes cwd = 7 [default = "/"];
+
 	required uint32 port = 8 [default = 0];
 	required bytes bindhost = 9 [default = "::"];
 	required uint32 max_conns_per_ip = 10 [default = 0];
+
 	required uint32 time_limit = 11 [default = 600];
 	required bool daemon = 12 [default = false];
 	optional bytes log_file = 13;
@@ -36,6 +44,7 @@ message NsJailConfig {
 	repeated int32 pass_fd = 18;
 	required bool pivot_root_only = 19 [ default = false];
 	required bool disable_no_new_privs = 20 [default = false];
+
 	required uint64 rlimit_as = 21 [default = 512];
 	required uint64 rlimit_core = 22 [default = 0];
 	required uint64 rlimit_cpu = 23 [default = 600];
@@ -43,5 +52,21 @@ message NsJailConfig {
 	required uint64 rlimit_nofile = 25 [default = 32];
 	optional uint64 rlimit_nproc = 26;
 	optional uint64 rlimit_stack = 27;
-	
+
+	required bool persona_addr_compat_layout = 28 [default = false];
+	required bool persona_mmap_page_zero = 29 [default = false];
+	required bool persona_read_implies_exec = 30 [default = false];
+	required bool persona_addr_limit_3gb = 31 [default = false];
+	required bool persona_addr_no_randomize = 32 [default = false];
+
+	required bool clone_newnet = 33 [default = true];
+	required bool clone_newuser = 34 [default = true];
+	required bool clone_newns = 35 [default = true];
+	required bool clone_newpid = 36 [default = true];
+	required bool clone_newipc = 37 [default = true];
+	required bool clone_newuts = 38 [default = true];
+	required bool clone_newcgroup = 39 [default = false];
+
+	repeated IdMap newuidmap = 40;
+	repeated IdMap newgidmap = 41;
 }