No need to add (default:none) in cmdline

Jagger 2016-02-28 01:52:09 +01:00
parent be639261b5
commit ad4b0105a7
4 changed files with 11 additions and 7 deletions


@ -338,9 +338,9 @@ bool cmdlineParse(int argc, char *argv[], struct nsjconf_t * nsjconf)
{{"disable_clone_newpid", no_argument, NULL, 0x0404}, "Don't use CLONE_NEWPID"},
{{"disable_clone_newipc", no_argument, NULL, 0x0405}, "Don't use CLONE_NEWIPC"},
{{"disable_clone_newuts", no_argument, NULL, 0x0406}, "Don't use CLONE_NEWUTS"},
{{"bindmount_ro", required_argument, NULL, 'R'}, "List of mountpoints to be mounted --bind (ro) inside the container. Can be specified multiple times. Supports 'source' syntax, or 'source:dest'. (default: none)"},
{{"bindmount", required_argument, NULL, 'B'}, "List of mountpoints to be mounted --bind (rw) inside the container. Can be specified multiple times. Supports 'source' syntax, or 'source:dest'. (default: none)"},
{{"tmpfsmount", required_argument, NULL, 'T'}, "List of mountpoints to be mounted as RW/tmpfs inside the container. Can be specified multiple times. Supports 'dest' syntax. (default: none)"},
{{"bindmount_ro", required_argument, NULL, 'R'}, "List of mountpoints to be mounted --bind (ro) inside the container. Can be specified multiple times. Supports 'source' syntax, or 'source:dest'"},
{{"bindmount", required_argument, NULL, 'B'}, "List of mountpoints to be mounted --bind (rw) inside the container. Can be specified multiple times. Supports 'source' syntax, or 'source:dest'"},
{{"tmpfsmount", required_argument, NULL, 'T'}, "List of mountpoints to be mounted as RW/tmpfs inside the container. Can be specified multiple times. Supports 'dest' syntax"},
{{"iface", required_argument, NULL, 'I'}, "Interface which will be cloned (MACVTAP) and put inside the subprocess' namespace"},
{{"tmpfs_size", required_argument, NULL, 0x0602}, "Number of bytes to allocate for tmpfsmounts (default: 4194304)"},
{{"disable_proc", no_argument, NULL, 0x0603}, "Disable mounting /proc in the jail"},


@ -68,6 +68,9 @@ static bool containUidGidMap(struct nsjconf_t *nsjconf)
return true;
}
sleep(10);
return true;
int fd;
char map[64];
if ((fd = open("/proc/self/uid_map", O_WRONLY | O_CLOEXEC)) == -1) {
@ -251,8 +254,8 @@ static bool containRemountRO(struct mounts_t *mpt)
if (mpt->flags &= MS_RDONLY) {
LOG_D("Re-mounting RO '%s'", mpt->dst);
if (mount
(mpt->dst, mpt->dst, NULL, MS_REC | MS_BIND | MS_PRIVATE | MS_REMOUNT | MS_RDONLY,
0) == -1) {
(mpt->dst, mpt->dst, NULL,
MS_REC | MS_BIND | MS_PRIVATE | MS_REMOUNT | MS_RDONLY, 0) == -1) {
PLOG_E("mount('%s', MS_REC|MS_BIND|MS_REMOUNT|MS_RDONLY)", mpt->dst);
return false;
}
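Review bot: The `sleep(10); return true;` pair in containUidGidMap, which the first hunk's header (6 lines growing to 9) suggests is newly added, returns before the `open("/proc/self/uid_map", ...)` call below it, so the uid/gid map write becomes unreachable and every call stalls for ten seconds. The commit title only mentions help-text wording, so this looks like leftover debugging that was committed by accident; both lines should be dropped so the mapping is written again. If skipping the map is intentional, the early return needs a comment stating why, and the dead `int fd; char map[64];` code after it should be removed rather than left behind. The function body continues outside the hunk, so the rest of the map-writing path is not visible here.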

4
net.c

@ -77,7 +77,7 @@ bool netCloneMacVtapAndNS(struct nsjconf_t * nsjconf, int pid)
return true;
}
char iface[512];
char iface[16];
snprintf(iface, sizeof(iface), "%s.ns.%d", nsjconf->iface, pid);
#define SBIN_IP_PATH "/sbin/ip"
@ -88,7 +88,7 @@ bool netCloneMacVtapAndNS(struct nsjconf_t * nsjconf, int pid)
return false;
}
char pid_str[512];
char pid_str[256];
snprintf(pid_str, sizeof(pid_str), "%d", pid);
char *const argv_netns[] =
{ SBIN_IP_PATH, "link", "set", "dev", iface, "netns", pid_str, NULL };
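Review bot: The unchecked `snprintf(iface, sizeof(iface), "%s.ns.%d", nsjconf->iface, pid)` can now truncate silently, assuming `char iface[16];` is the new side of the replaced declaration in the first hunk. A longer `nsjconf->iface` would lose part or all of the `.ns.<pid>` suffix, and the shortened name is still passed to `/sbin/ip` in `argv_netns`, so two jails could end up deriving the same device name. Sixteen bytes matches the kernel's interface-name limit, so the size is reasonable, but the result should be checked: `int n = snprintf(iface, sizeof(iface), "%s.ns.%d", nsjconf->iface, pid);` followed by `if (n < 0 || (size_t)n >= sizeof(iface)) return false;`, ideally with a log line naming the over-long interface. The function body starts and ends outside these hunks.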


@ -241,6 +241,7 @@ void subprocRunChild(struct nsjconf_t *nsjconf, int fd_in, int fd_out, int fd_er
if (pid == 0) {
subprocNewProc(nsjconf, fd_in, fd_out, fd_err, pipefd[1]);
}
if (pid == -1) {
PLOG_E("clone(flags=%#x) failed. You probably need root privileges if your system "
"doesn't support CLONE_NEWUSER. Alternatively, you might want to recompile your "