diff --git a/cmdline.c b/cmdline.c
index 0bbf8f8..0720c39 100644
--- a/cmdline.c
+++ b/cmdline.c
@@ -338,9 +338,9 @@ bool cmdlineParse(int argc, char *argv[], struct nsjconf_t * nsjconf)
 {{"disable_clone_newpid", no_argument, NULL, 0x0404}, "Don't use CLONE_NEWPID"},
 {{"disable_clone_newipc", no_argument, NULL, 0x0405}, "Don't use CLONE_NEWIPC"},
 {{"disable_clone_newuts", no_argument, NULL, 0x0406}, "Don't use CLONE_NEWUTS"},
- {{"bindmount_ro", required_argument, NULL, 'R'}, "List of mountpoints to be mounted --bind (ro) inside the container. Can be specified multiple times. Supports 'source' syntax, or 'source:dest'. (default: none)"},
- {{"bindmount", required_argument, NULL, 'B'}, "List of mountpoints to be mounted --bind (rw) inside the container. Can be specified multiple times. Supports 'source' syntax, or 'source:dest'. (default: none)"},
- {{"tmpfsmount", required_argument, NULL, 'T'}, "List of mountpoints to be mounted as RW/tmpfs inside the container. Can be specified multiple times. Supports 'dest' syntax. (default: none)"},
+ {{"bindmount_ro", required_argument, NULL, 'R'}, "List of mountpoints to be mounted --bind (ro) inside the container. Can be specified multiple times. Supports 'source' syntax, or 'source:dest'"},
+ {{"bindmount", required_argument, NULL, 'B'}, "List of mountpoints to be mounted --bind (rw) inside the container. Can be specified multiple times. Supports 'source' syntax, or 'source:dest'"},
+ {{"tmpfsmount", required_argument, NULL, 'T'}, "List of mountpoints to be mounted as RW/tmpfs inside the container. Can be specified multiple times. Supports 'dest' syntax"},
 {{"iface", required_argument, NULL, 'I'}, "Interface which will be cloned (MACVTAP) and put inside the subprocess' namespace"},
 {{"tmpfs_size", required_argument, NULL, 0x0602}, "Number of bytes to allocate for tmpfsmounts (default: 4194304)"},
 {{"disable_proc", no_argument, NULL, 0x0603}, "Disable mounting /proc in the jail"},
diff --git a/contain.c b/contain.c
index d04ba89..e5a6501 100644
--- a/contain.c
+++ b/contain.c
@@ -68,6 +68,9 @@ static bool containUidGidMap(struct nsjconf_t *nsjconf)
 return true;
 }
+ sleep(10);
+ return true;
+
 int fd;
 char map[64];
 if ((fd = open("/proc/self/uid_map", O_WRONLY | O_CLOEXEC)) == -1) {
@@ -251,8 +254,8 @@ static bool containRemountRO(struct mounts_t *mpt)
 if (mpt->flags &= MS_RDONLY) {
 LOG_D("Re-mounting RO '%s'", mpt->dst);
 if (mount
- (mpt->dst, mpt->dst, NULL, MS_REC | MS_BIND | MS_PRIVATE | MS_REMOUNT | MS_RDONLY,
- 0) == -1) {
+ (mpt->dst, mpt->dst, NULL,
+ MS_REC | MS_BIND | MS_PRIVATE | MS_REMOUNT | MS_RDONLY, 0) == -1) {
 PLOG_E("mount('%s', MS_REC|MS_BIND|MS_REMOUNT|MS_RDONLY)", mpt->dst);
 return false;
 }
diff --git a/net.c b/net.c
index b6d8a9c..9fff3cc 100644
--- a/net.c
+++ b/net.c
@@ -77,7 +77,7 @@ bool netCloneMacVtapAndNS(struct nsjconf_t * nsjconf, int pid)
 return true;
 }
- char iface[512];
+ char iface[16];
 snprintf(iface, sizeof(iface), "%s.ns.%d", nsjconf->iface, pid);
 #define SBIN_IP_PATH "/sbin/ip"
@@ -88,7 +88,7 @@ bool netCloneMacVtapAndNS(struct nsjconf_t * nsjconf, int pid)
 return false;
 }
- char pid_str[512];
+ char pid_str[256];
 snprintf(pid_str, sizeof(pid_str), "%d", pid);
 char *const argv_netns[] = { SBIN_IP_PATH, "link", "set", "dev", iface, "netns", pid_str, NULL };
diff --git a/subproc.c b/subproc.c
index 0b73e2f..ac2e461 100644
--- a/subproc.c
+++ b/subproc.c
@@ -241,6 +241,7 @@ void subprocRunChild(struct nsjconf_t *nsjconf, int fd_in, int fd_out, int fd_er
 if (pid == 0) {
 subprocNewProc(nsjconf, fd_in, fd_out, fd_err, pipefd[1]);
 }
+
 if (pid == -1) {
 PLOG_E("clone(flags=%#x) failed. You probably need root privileges if your system "
 "doesn't support CLONE_NEWUSER. Alternatively, you might want to recompile your "
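Review bot: The added `sleep(10); return true;` at the top of the containUidGidMap hunk returns before the `open("/proc/self/uid_map", O_WRONLY | O_CLOEXEC)` that follows, so the uid (and presumably gid) mapping for the new user namespace is never written, every line after the return is unreachable, and the jail setup path now stalls for ten seconds; this reads like a debugging leftover rather than intended behaviour. Unless the early exit is deliberate, drop both added lines (`sleep(10);` and `return true;`) so the existing mapping code runs again. If it is deliberate, it needs a comment stating why and the dead code below it should be removed rather than left in place, since a jailed process running with an unmapped uid is a very different security posture from the one the option names promise. The enclosing function starts before this hunk and continues past it, and the `return true; }` context just above looks like the tail of an earlier early-exit branch whose condition is not visible here.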
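Review bot: Shrinking `iface` to 16 bytes makes the `snprintf(iface, sizeof(iface), "%s.ns.%d", nsjconf->iface, pid)` on the next line of the net.c hunk truncate silently whenever `nsjconf->iface` plus `.ns.` plus the pid digits exceeds 15 characters (a 7-character base name with a 5-digit pid already does), and the truncated name is then handed to /sbin/ip, which may fail or, worse, act on an unrelated interface that happens to carry the shortened name. 16 looks like IFNAMSIZ, so the bound itself is presumably right; what is missing is a check on the snprintf result that rejects oversized names instead of truncating, logged with the file's non-errno error macro (I have used LOG_E below; PLOG_E as seen in contain.c presumably appends a stale errno here). If the file includes `<net/if.h>` (not visible in this hunk) I would also write the size as `IFNAMSIZ` so the relationship is explicit. The enclosing function netCloneMacVtapAndNS starts before this hunk and continues past it.
```c
	char iface[16];
	int ret = snprintf(iface, sizeof(iface), "%s.ns.%d", nsjconf->iface, pid);
	if (ret < 0 || (size_t)ret >= sizeof(iface)) {
		LOG_E("Interface name '%s.ns.%d' is longer than %zu chars", nsjconf->iface, pid, sizeof(iface) - 1);
		return false;
	}
	/* … unchanged: /sbin/ip argv setup … */
```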