woj/nsjail
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

config: support for envvars

Browse Source
This commit is contained in:
Robert Swiecki 2017-05-27 04:06:28 +02:00
parent fc6680dda6
commit d7a805ec47
5 changed files with 201 additions and 149 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
config.c
View File

@ -104,6 +104,12 @@ static bool configParseInternal(struct nsjconf_t *nsjconf, Nsjail__NsJailConfig
}
nsjconf->keep_env = njc->keep_env;
for (size_t i = 0; i < njc->n_envar; i++) {
struct charptr_t *p = utilMalloc(sizeof(struct charptr_t));
p->val = utilStrDup(njc->envar[i]);
TAILQ_INSERT_TAIL(&nsjconf->envs, p, pointers);
}
nsjconf->is_silent = njc->silent;
nsjconf->skip_setsid = njc->skip_setsid;

244
config.pb-c.c
View File

@ -7,22 +7,26 @@
#endif
#include "config.pb-c.h"
void nsjail__id_map__init(Nsjail__IdMap * message) {
void nsjail__id_map__init(Nsjail__IdMap * message)
{
static Nsjail__IdMap init_value = NSJAIL__ID_MAP__INIT;
*message = init_value;
}
size_t nsjail__id_map__get_packed_size(const Nsjail__IdMap * message) {
size_t nsjail__id_map__get_packed_size(const Nsjail__IdMap * message)
{
assert(message->base.descriptor == &nsjail__id_map__descriptor);
return protobuf_c_message_get_packed_size((const ProtobufCMessage *)(message));
}
size_t nsjail__id_map__pack(const Nsjail__IdMap * message, uint8_t * out) {
size_t nsjail__id_map__pack(const Nsjail__IdMap * message, uint8_t * out)
{
assert(message->base.descriptor == &nsjail__id_map__descriptor);
return protobuf_c_message_pack((const ProtobufCMessage *)message, out);
}
size_t nsjail__id_map__pack_to_buffer(const Nsjail__IdMap * message, ProtobufCBuffer * buffer) {
size_t nsjail__id_map__pack_to_buffer(const Nsjail__IdMap * message, ProtobufCBuffer * buffer)
{
assert(message->base.descriptor == &nsjail__id_map__descriptor);
return protobuf_c_message_pack_to_buffer((const ProtobufCMessage *)message, buffer);
}
@ -33,27 +37,32 @@ Nsjail__IdMap *nsjail__id_map__unpack
protobuf_c_message_unpack(&nsjail__id_map__descriptor, allocator, len, data);
}
void nsjail__id_map__free_unpacked(Nsjail__IdMap * message, ProtobufCAllocator * allocator) {
void nsjail__id_map__free_unpacked(Nsjail__IdMap * message, ProtobufCAllocator * allocator)
{
assert(message->base.descriptor == &nsjail__id_map__descriptor);
protobuf_c_message_free_unpacked((ProtobufCMessage *) message, allocator);
}
void nsjail__mount_pt__init(Nsjail__MountPt * message) {
void nsjail__mount_pt__init(Nsjail__MountPt * message)
{
static Nsjail__MountPt init_value = NSJAIL__MOUNT_PT__INIT;
*message = init_value;
}
size_t nsjail__mount_pt__get_packed_size(const Nsjail__MountPt * message) {
size_t nsjail__mount_pt__get_packed_size(const Nsjail__MountPt * message)
{
assert(message->base.descriptor == &nsjail__mount_pt__descriptor);
return protobuf_c_message_get_packed_size((const ProtobufCMessage *)(message));
}
size_t nsjail__mount_pt__pack(const Nsjail__MountPt * message, uint8_t * out) {
size_t nsjail__mount_pt__pack(const Nsjail__MountPt * message, uint8_t * out)
{
assert(message->base.descriptor == &nsjail__mount_pt__descriptor);
return protobuf_c_message_pack((const ProtobufCMessage *)message, out);
}
size_t nsjail__mount_pt__pack_to_buffer(const Nsjail__MountPt * message, ProtobufCBuffer * buffer) {
size_t nsjail__mount_pt__pack_to_buffer(const Nsjail__MountPt * message, ProtobufCBuffer * buffer)
{
assert(message->base.descriptor == &nsjail__mount_pt__descriptor);
return protobuf_c_message_pack_to_buffer((const ProtobufCMessage *)message, buffer);
}
@ -64,52 +73,62 @@ Nsjail__MountPt *nsjail__mount_pt__unpack
protobuf_c_message_unpack(&nsjail__mount_pt__descriptor, allocator, len, data);
}
void nsjail__mount_pt__free_unpacked(Nsjail__MountPt * message, ProtobufCAllocator * allocator) {
void nsjail__mount_pt__free_unpacked(Nsjail__MountPt * message, ProtobufCAllocator * allocator)
{
assert(message->base.descriptor == &nsjail__mount_pt__descriptor);
protobuf_c_message_free_unpacked((ProtobufCMessage *) message, allocator);
}
void nsjail__exe__init(Nsjail__Exe * message) {
void nsjail__exe__init(Nsjail__Exe * message)
{
static Nsjail__Exe init_value = NSJAIL__EXE__INIT;
*message = init_value;
}
size_t nsjail__exe__get_packed_size(const Nsjail__Exe * message) {
size_t nsjail__exe__get_packed_size(const Nsjail__Exe * message)
{
assert(message->base.descriptor == &nsjail__exe__descriptor);
return protobuf_c_message_get_packed_size((const ProtobufCMessage *)(message));
}
size_t nsjail__exe__pack(const Nsjail__Exe * message, uint8_t * out) {
size_t nsjail__exe__pack(const Nsjail__Exe * message, uint8_t * out)
{
assert(message->base.descriptor == &nsjail__exe__descriptor);
return protobuf_c_message_pack((const ProtobufCMessage *)message, out);
}
size_t nsjail__exe__pack_to_buffer(const Nsjail__Exe * message, ProtobufCBuffer * buffer) {
size_t nsjail__exe__pack_to_buffer(const Nsjail__Exe * message, ProtobufCBuffer * buffer)
{
assert(message->base.descriptor == &nsjail__exe__descriptor);
return protobuf_c_message_pack_to_buffer((const ProtobufCMessage *)message, buffer);
}
Nsjail__Exe *nsjail__exe__unpack(ProtobufCAllocator * allocator, size_t len, const uint8_t * data) {
Nsjail__Exe *nsjail__exe__unpack(ProtobufCAllocator * allocator, size_t len, const uint8_t * data)
{
return (Nsjail__Exe *)
protobuf_c_message_unpack(&nsjail__exe__descriptor, allocator, len, data);
}
void nsjail__exe__free_unpacked(Nsjail__Exe * message, ProtobufCAllocator * allocator) {
void nsjail__exe__free_unpacked(Nsjail__Exe * message, ProtobufCAllocator * allocator)
{
assert(message->base.descriptor == &nsjail__exe__descriptor);
protobuf_c_message_free_unpacked((ProtobufCMessage *) message, allocator);
}
void nsjail__ns_jail_config__init(Nsjail__NsJailConfig * message) {
void nsjail__ns_jail_config__init(Nsjail__NsJailConfig * message)
{
static Nsjail__NsJailConfig init_value = NSJAIL__NS_JAIL_CONFIG__INIT;
*message = init_value;
}
size_t nsjail__ns_jail_config__get_packed_size(const Nsjail__NsJailConfig * message) {
size_t nsjail__ns_jail_config__get_packed_size(const Nsjail__NsJailConfig * message)
{
assert(message->base.descriptor == &nsjail__ns_jail_config__descriptor);
return protobuf_c_message_get_packed_size((const ProtobufCMessage *)(message));
}
size_t nsjail__ns_jail_config__pack(const Nsjail__NsJailConfig * message, uint8_t * out) {
size_t nsjail__ns_jail_config__pack(const Nsjail__NsJailConfig * message, uint8_t * out)
{
assert(message->base.descriptor == &nsjail__ns_jail_config__descriptor);
return protobuf_c_message_pack((const ProtobufCMessage *)message, out);
}
@ -431,7 +450,7 @@ static const protobuf_c_boolean nsjail__ns_jail_config__mount_proc__default_valu
static const uint64_t nsjail__ns_jail_config__cgroup_mem_max__default_value = 0ull;
static const uint64_t nsjail__ns_jail_config__cgroup_pids_max__default_value = 0ull;
static const protobuf_c_boolean nsjail__ns_jail_config__iface_no_lo__default_value = 0;
static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[55] = {
static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[56] = {
{
"mode",
1,
@ -589,8 +608,20 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
0, NULL, NULL /* reserved1,reserved2, etc */
},
{
"silent",
"envar",
16,
PROTOBUF_C_LABEL_REPEATED,
PROTOBUF_C_TYPE_STRING,
offsetof(Nsjail__NsJailConfig, n_envar),
offsetof(Nsjail__NsJailConfig, envar),
NULL,
NULL,
0, /* flags */
0, NULL, NULL /* reserved1,reserved2, etc */
},
{
"silent",
17,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_BOOL,
0, /* quantifier_offset */
@ -602,7 +633,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
},
{
"skip_setsid",
17,
18,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_BOOL,
0, /* quantifier_offset */
@ -614,7 +645,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
},
{
"pass_fd",
18,
19,
PROTOBUF_C_LABEL_REPEATED,
PROTOBUF_C_TYPE_INT32,
offsetof(Nsjail__NsJailConfig, n_pass_fd),
@ -626,7 +657,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
},
{
"pivot_root_only",
19,
20,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_BOOL,
0, /* quantifier_offset */
@ -638,7 +669,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
},
{
"disable_no_new_privs",
20,
21,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_BOOL,
0, /* quantifier_offset */
@ -650,7 +681,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
},
{
"rlimit_as",
21,
22,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_UINT64,
0, /* quantifier_offset */
@ -662,7 +693,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
},
{
"rlimit_core",
22,
23,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_UINT64,
0, /* quantifier_offset */
@ -674,7 +705,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
},
{
"rlimit_cpu",
23,
24,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_UINT64,
0, /* quantifier_offset */
@ -686,7 +717,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
},
{
"rlimit_fsize",
24,
25,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_UINT64,
0, /* quantifier_offset */
@ -698,7 +729,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
},
{
"rlimit_nofile",
25,
26,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_UINT64,
0, /* quantifier_offset */
@ -710,7 +741,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
},
{
"rlimit_nproc",
26,
27,
PROTOBUF_C_LABEL_OPTIONAL,
PROTOBUF_C_TYPE_UINT64,
offsetof(Nsjail__NsJailConfig, has_rlimit_nproc),
@ -722,7 +753,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
},
{
"rlimit_stack",
27,
28,
PROTOBUF_C_LABEL_OPTIONAL,
PROTOBUF_C_TYPE_UINT64,
offsetof(Nsjail__NsJailConfig, has_rlimit_stack),
@ -734,7 +765,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
},
{
"persona_addr_compat_layout",
28,
29,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_BOOL,
0, /* quantifier_offset */
@ -746,7 +777,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
},
{
"persona_mmap_page_zero",
29,
30,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_BOOL,
0, /* quantifier_offset */
@ -758,7 +789,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
},
{
"persona_read_implies_exec",
30,
31,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_BOOL,
0, /* quantifier_offset */
@ -770,7 +801,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
},
{
"persona_addr_limit_3gb",
31,
32,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_BOOL,
0, /* quantifier_offset */
@ -782,7 +813,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
},
{
"persona_addr_no_randomize",
32,
33,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_BOOL,
0, /* quantifier_offset */
@ -794,7 +825,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
},
{
"clone_newnet",
33,
34,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_BOOL,
0, /* quantifier_offset */
@ -806,7 +837,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
},
{
"clone_newuser",
34,
35,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_BOOL,
0, /* quantifier_offset */
@ -818,7 +849,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
},
{
"clone_newns",
35,
36,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_BOOL,
0, /* quantifier_offset */
@ -830,7 +861,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
},
{
"clone_newpid",
36,
37,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_BOOL,
0, /* quantifier_offset */
@ -842,7 +873,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
},
{
"clone_newipc",
37,
38,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_BOOL,
0, /* quantifier_offset */
@ -854,7 +885,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
},
{
"clone_newuts",
38,
39,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_BOOL,
0, /* quantifier_offset */
@ -866,7 +897,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
},
{
"clone_newcgroup",
39,
40,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_BOOL,
0, /* quantifier_offset */
@ -878,7 +909,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
},
{
"uidmap",
40,
41,
PROTOBUF_C_LABEL_REPEATED,
PROTOBUF_C_TYPE_MESSAGE,
offsetof(Nsjail__NsJailConfig, n_uidmap),
@ -890,7 +921,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
},
{
"gidmap",
41,
42,
PROTOBUF_C_LABEL_REPEATED,
PROTOBUF_C_TYPE_MESSAGE,
offsetof(Nsjail__NsJailConfig, n_gidmap),
@ -902,7 +933,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
},
{
"mount",
42,
43,
PROTOBUF_C_LABEL_REPEATED,
PROTOBUF_C_TYPE_MESSAGE,
offsetof(Nsjail__NsJailConfig, n_mount),
@ -914,7 +945,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
},
{
"mount_proc",
43,
44,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_BOOL,
0, /* quantifier_offset */
@ -926,7 +957,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
},
{
"seccomp_policy_file",
44,
45,
PROTOBUF_C_LABEL_OPTIONAL,
PROTOBUF_C_TYPE_STRING,
0, /* quantifier_offset */
@ -938,7 +969,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
},
{
"seccomp_string",
45,
46,
PROTOBUF_C_LABEL_OPTIONAL,
PROTOBUF_C_TYPE_STRING,
0, /* quantifier_offset */
@ -950,7 +981,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
},
{
"cgroup_mem_max",
46,
47,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_UINT64,
0, /* quantifier_offset */
@ -962,7 +993,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
},
{
"cgroup_mem_mount",
47,
48,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_STRING,
0, /* quantifier_offset */
@ -974,7 +1005,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
},
{
"cgroup_mem_parent",
48,
49,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_STRING,
0, /* quantifier_offset */
@ -986,7 +1017,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
},
{
"cgroup_pids_max",
49,
50,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_UINT64,
0, /* quantifier_offset */
@ -998,7 +1029,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
},
{
"cgroup_pids_mount",
50,
51,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_STRING,
0, /* quantifier_offset */
@ -1010,7 +1041,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
},
{
"cgroup_pids_parent",
51,
52,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_STRING,
0, /* quantifier_offset */
@ -1022,7 +1053,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
},
{
"iface_no_lo",
52,
53,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_BOOL,
0, /* quantifier_offset */
@ -1034,7 +1065,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
},
{
"macvlan_iface",
53,
54,
PROTOBUF_C_LABEL_OPTIONAL,
PROTOBUF_C_TYPE_STRING,
0, /* quantifier_offset */
@ -1046,7 +1077,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
},
{
"macvlan_vs_ip",
54,
55,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_STRING,
0, /* quantifier_offset */
@ -1058,7 +1089,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
},
{
"macvlan_vs_nm",
55,
56,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_STRING,
0, /* quantifier_offset */
@ -1070,7 +1101,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
},
{
"macvlan_vs_gw",
56,
57,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_STRING,
0, /* quantifier_offset */
@ -1082,7 +1113,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
},
{
"exec_bin",
57,
58,
PROTOBUF_C_LABEL_OPTIONAL,
PROTOBUF_C_TYPE_MESSAGE,
0, /* quantifier_offset */
@ -1096,66 +1127,67 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
static const unsigned nsjail__ns_jail_config__field_indices_by_name[] = {
6, /* field[6] = bindhost */
43, /* field[43] = cgroup_mem_max */
44, /* field[44] = cgroup_mem_mount */
45, /* field[45] = cgroup_mem_parent */
46, /* field[46] = cgroup_pids_max */
47, /* field[47] = cgroup_pids_mount */
48, /* field[48] = cgroup_pids_parent */
44, /* field[44] = cgroup_mem_max */
45, /* field[45] = cgroup_mem_mount */
46, /* field[46] = cgroup_mem_parent */
47, /* field[47] = cgroup_pids_max */
48, /* field[48] = cgroup_pids_mount */
49, /* field[49] = cgroup_pids_parent */
1, /* field[1] = chroot_dir */
36, /* field[36] = clone_newcgroup */
34, /* field[34] = clone_newipc */
30, /* field[30] = clone_newnet */
32, /* field[32] = clone_newns */
33, /* field[33] = clone_newpid */
31, /* field[31] = clone_newuser */
35, /* field[35] = clone_newuts */
37, /* field[37] = clone_newcgroup */
35, /* field[35] = clone_newipc */
31, /* field[31] = clone_newnet */
33, /* field[33] = clone_newns */
34, /* field[34] = clone_newpid */
32, /* field[32] = clone_newuser */
36, /* field[36] = clone_newuts */
4, /* field[4] = cwd */
9, /* field[9] = daemon */
17, /* field[17] = disable_no_new_privs */
54, /* field[54] = exec_bin */
38, /* field[38] = gidmap */
18, /* field[18] = disable_no_new_privs */
13, /* field[13] = envar */
55, /* field[55] = exec_bin */
39, /* field[39] = gidmap */
3, /* field[3] = hostname */
49, /* field[49] = iface_no_lo */
50, /* field[50] = iface_no_lo */
2, /* field[2] = is_root_rw */
12, /* field[12] = keep_env */
10, /* field[10] = log_file */
11, /* field[11] = log_level */
50, /* field[50] = macvlan_iface */
53, /* field[53] = macvlan_vs_gw */
51, /* field[51] = macvlan_vs_ip */
52, /* field[52] = macvlan_vs_nm */
51, /* field[51] = macvlan_iface */
54, /* field[54] = macvlan_vs_gw */
52, /* field[52] = macvlan_vs_ip */
53, /* field[53] = macvlan_vs_nm */
7, /* field[7] = max_conns_per_ip */
0, /* field[0] = mode */
39, /* field[39] = mount */
40, /* field[40] = mount_proc */
15, /* field[15] = pass_fd */
25, /* field[25] = persona_addr_compat_layout */
28, /* field[28] = persona_addr_limit_3gb */
29, /* field[29] = persona_addr_no_randomize */
26, /* field[26] = persona_mmap_page_zero */
27, /* field[27] = persona_read_implies_exec */
16, /* field[16] = pivot_root_only */
40, /* field[40] = mount */
41, /* field[41] = mount_proc */
16, /* field[16] = pass_fd */
26, /* field[26] = persona_addr_compat_layout */
29, /* field[29] = persona_addr_limit_3gb */
30, /* field[30] = persona_addr_no_randomize */
27, /* field[27] = persona_mmap_page_zero */
28, /* field[28] = persona_read_implies_exec */
17, /* field[17] = pivot_root_only */
5, /* field[5] = port */
18, /* field[18] = rlimit_as */
19, /* field[19] = rlimit_core */
20, /* field[20] = rlimit_cpu */
21, /* field[21] = rlimit_fsize */
22, /* field[22] = rlimit_nofile */
23, /* field[23] = rlimit_nproc */
24, /* field[24] = rlimit_stack */
41, /* field[41] = seccomp_policy_file */
42, /* field[42] = seccomp_string */
13, /* field[13] = silent */
14, /* field[14] = skip_setsid */
19, /* field[19] = rlimit_as */
20, /* field[20] = rlimit_core */
21, /* field[21] = rlimit_cpu */
22, /* field[22] = rlimit_fsize */
23, /* field[23] = rlimit_nofile */
24, /* field[24] = rlimit_nproc */
25, /* field[25] = rlimit_stack */
42, /* field[42] = seccomp_policy_file */
43, /* field[43] = seccomp_string */
14, /* field[14] = silent */
15, /* field[15] = skip_setsid */
8, /* field[8] = time_limit */
37, /* field[37] = uidmap */
38, /* field[38] = uidmap */
};
static const ProtobufCIntRange nsjail__ns_jail_config__number_ranges[2 + 1] = {
{1, 0},
{6, 3},
{0, 55}
{0, 56}
};
const ProtobufCMessageDescriptor nsjail__ns_jail_config__descriptor = {
@ -1165,7 +1197,7 @@ const ProtobufCMessageDescriptor nsjail__ns_jail_config__descriptor = {
"Nsjail__NsJailConfig",
"nsjail",
sizeof(Nsjail__NsJailConfig),
55,
56,
nsjail__ns_jail_config__field_descriptors,
nsjail__ns_jail_config__field_indices_by_name,
2, nsjail__ns_jail_config__number_ranges,

7
config.pb-c.h
View File

@ -180,6 +180,11 @@ struct _Nsjail__NsJailConfig {
*when executing the binary
*/
protobuf_c_boolean keep_env;
/*
* EnvVars to be set before executing binaries
*/
size_t n_envar;
char **envar;
/*
* Should nsjail close FD=0,1,2 before executing the process
*/
@ -334,7 +339,7 @@ extern char nsjail__ns_jail_config__macvlan_vs_nm__default_value[];
extern char nsjail__ns_jail_config__macvlan_vs_gw__default_value[];
#define NSJAIL__NS_JAIL_CONFIG__INIT \
{ PROTOBUF_C_MESSAGE_INIT (&nsjail__ns_jail_config__descriptor) \
, NSJAIL__MODE__ONCE, NULL, 0, nsjail__ns_jail_config__hostname__default_value, nsjail__ns_jail_config__cwd__default_value, 0u, nsjail__ns_jail_config__bindhost__default_value, 0u, 600u, 0, NULL, 0,0, 0, 0, 0, 0,NULL, 0, 0, 512ull, 0ull, 600ull, 1ull, 32ull, 0,0, 0,0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1, 0, 0,NULL, 0,NULL, 0,NULL, 1, NULL, NULL, 0ull, nsjail__ns_jail_config__cgroup_mem_mount__default_value, nsjail__ns_jail_config__cgroup_mem_parent__default_value, 0ull, nsjail__ns_jail_config__cgroup_pids_mount__default_value, nsjail__ns_jail_config__cgroup_pids_parent__default_value, 0, NULL, nsjail__ns_jail_config__macvlan_vs_ip__default_value, nsjail__ns_jail_config__macvlan_vs_nm__default_value, nsjail__ns_jail_config__macvlan_vs_gw__default_value, NULL }
, NSJAIL__MODE__ONCE, NULL, 0, nsjail__ns_jail_config__hostname__default_value, nsjail__ns_jail_config__cwd__default_value, 0u, nsjail__ns_jail_config__bindhost__default_value, 0u, 600u, 0, NULL, 0,0, 0, 0,NULL, 0, 0, 0,NULL, 0, 0, 512ull, 0ull, 600ull, 1ull, 32ull, 0,0, 0,0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1, 0, 0,NULL, 0,NULL, 0,NULL, 1, NULL, NULL, 0ull, nsjail__ns_jail_config__cgroup_mem_mount__default_value, nsjail__ns_jail_config__cgroup_mem_parent__default_value, 0ull, nsjail__ns_jail_config__cgroup_pids_mount__default_value, nsjail__ns_jail_config__cgroup_pids_parent__default_value, 0, NULL, nsjail__ns_jail_config__macvlan_vs_ip__default_value, nsjail__ns_jail_config__macvlan_vs_nm__default_value, nsjail__ns_jail_config__macvlan_vs_gw__default_value, NULL }
/* Nsjail__IdMap methods */
void nsjail__id_map__init(Nsjail__IdMap * message);

89
config.proto
View File

@ -73,95 +73,100 @@ message NsJailConfig
required uint32 time_limit = 11 [ default = 600 ];
/* Should nsjail go into background? */
required bool daemon = 12 [ default = false ];
/* File to save lofs to */
optional string log_file = 13;
/* Minimum log level displayed.
See 'msg LogLevel' description for more */
optional LogLevel log_level = 14;
/* Should the current environment variables be kept
when executing the binary */
required bool keep_env = 15 [ default = false ];
/* EnvVars to be set before executing binaries */
repeated string envar = 16;
/* Should nsjail close FD=0,1,2 before executing the process */
required bool silent = 16 [ default = false ];
required bool silent = 17 [ default = false ];
/* Should the child process have control over terminal?
Can be useful to allow /bin/sh to provide
job control / signals */
required bool skip_setsid = 17 [ default = false ];
required bool skip_setsid = 18 [ default = false ];
/* Which FDs should be passed to the newly executed process
By default only FD=0,1,2 are passed */
repeated int32 pass_fd = 18;
repeated int32 pass_fd = 19;
/* Should pivot_root be used instead of chroot?
Using pivot_root allows to have subnamespaces */
required bool pivot_root_only = 19 [ default = false ];
required bool pivot_root_only = 20 [ default = false ];
/* Setting it to true will allow to have set-uid binaries
inside the jail */
required bool disable_no_new_privs = 20 [ default = false ];
required bool disable_no_new_privs = 21 [ default = false ];
required uint64 rlimit_as = 21 [ default = 512 ]; /* In MiB */
required uint64 rlimit_core = 22 [ default = 0 ]; /* In MiB */
required uint64 rlimit_cpu = 23 [ default = 600 ]; /* In seconds */
required uint64 rlimit_fsize = 24 [ default = 1 ]; /* In MiB */
required uint64 rlimit_nofile = 25 [ default = 32 ];
optional uint64 rlimit_nproc = 26;
optional uint64 rlimit_stack = 27; /* In MiB */
required uint64 rlimit_as = 22 [ default = 512 ]; /* In MiB */
required uint64 rlimit_core = 23 [ default = 0 ]; /* In MiB */
required uint64 rlimit_cpu = 24 [ default = 600 ]; /* In seconds */
required uint64 rlimit_fsize = 25 [ default = 1 ]; /* In MiB */
required uint64 rlimit_nofile = 26 [ default = 32 ];
optional uint64 rlimit_nproc = 27;
optional uint64 rlimit_stack = 28; /* In MiB */
/* See 'man personality' for more */
required bool persona_addr_compat_layout = 28 [ default = false ];
required bool persona_mmap_page_zero = 29 [ default = false ];
required bool persona_read_implies_exec = 30 [ default = false ];
required bool persona_addr_limit_3gb = 31 [ default = false ];
required bool persona_addr_no_randomize = 32 [ default = false ];
required bool persona_addr_compat_layout = 29 [ default = false ];
required bool persona_mmap_page_zero = 30 [ default = false ];
required bool persona_read_implies_exec = 31 [ default = false ];
required bool persona_addr_limit_3gb = 32 [ default = false ];
required bool persona_addr_no_randomize = 33 [ default = false ];
/* Which name-spaces should be used? */
required bool clone_newnet = 33 [ default = true ];
required bool clone_newuser = 34 [ default = true ];
required bool clone_newns = 35 [ default = true ];
required bool clone_newpid = 36 [ default = true ];
required bool clone_newipc = 37 [ default = true ];
required bool clone_newuts = 38 [ default = true ];
required bool clone_newnet = 34 [ default = true ];
required bool clone_newuser = 35 [ default = true ];
required bool clone_newns = 36 [ default = true ];
required bool clone_newpid = 37 [ default = true ];
required bool clone_newipc = 38 [ default = true ];
required bool clone_newuts = 39 [ default = true ];
/* It's only supported in newer kernels, hence disabled by default */
required bool clone_newcgroup = 39 [ default = false ];
required bool clone_newcgroup = 40 [ default = false ];
/* Mappings for UIDs and GIDs. See the description for 'msg IdMap'
for more */
repeated IdMap uidmap = 40;
repeated IdMap gidmap = 41;
repeated IdMap uidmap = 41;
repeated IdMap gidmap = 42;
/* Mount points inside the jail. See the description for 'msg MountPt'
for more */
repeated MountPt mount = 42;
repeated MountPt mount = 43;
/* Should /proc be mounted? One can also force this in the 'mount' */
required bool mount_proc = 43 [ default = true ];
required bool mount_proc = 44 [ default = true ];
/* Kafel seccomp policy file or string.
Homepage of the project: https://github.com/google/kafel */
optional string seccomp_policy_file = 44;
optional string seccomp_string = 45;
optional string seccomp_policy_file = 45;
optional string seccomp_string = 46;
/* If > 0, maximum cumulative size of RAM used inside jail */
required uint64 cgroup_mem_max = 46 [ default = 0 ]; /* In MiB */
required uint64 cgroup_mem_max = 47 [ default = 0 ]; /* In MiB */
/* Mount point for cgroups-memory */
required string cgroup_mem_mount = 47 [ default = "/sys/fs/cgroup/memory" ];
required string cgroup_mem_mount = 48 [ default = "/sys/fs/cgroup/memory" ];
/* Writeable directory (for the nsjail user) under cgroup_mem_mount */
required string cgroup_mem_parent = 48 [ default = "NSJAIL" ];
required string cgroup_mem_parent = 49 [ default = "NSJAIL" ];
/* If > 0, maximum number of PIDs (threads/processes) inside jail */
required uint64 cgroup_pids_max = 49 [ default = 0 ];
required uint64 cgroup_pids_max = 50 [ default = 0 ];
/* Mount point for cgroups-memory */
required string cgroup_pids_mount = 50 [ default = "/sys/fs/cgroup/pids" ];
required string cgroup_pids_mount = 51 [ default = "/sys/fs/cgroup/pids" ];
/* Writeable directory (for the nsjail user) under cgroup_pids_mount */
required string cgroup_pids_parent = 51 [ default = "NSJAIL" ];
required string cgroup_pids_parent = 52 [ default = "NSJAIL" ];
/* Should the 'lo' interface be brought up inside jail? */
required bool iface_no_lo = 52 [ default = false ];
required bool iface_no_lo = 53 [ default = false ];
/* Parameters for the cloned MACVLAN interface inside jail */
optional string macvlan_iface = 53; /* Interface to be cloned, eg 'eth0' */
required string macvlan_vs_ip = 54 [ default = "192.168.0.2" ];
required string macvlan_vs_nm = 55 [ default = "255.255.255.0" ];
required string macvlan_vs_gw = 56 [ default = "192.168.0.1" ];
optional string macvlan_iface = 54; /* Interface to be cloned, eg 'eth0' */
required string macvlan_vs_ip = 55 [ default = "192.168.0.2" ];
required string macvlan_vs_nm = 56 [ default = "255.255.255.0" ];
required string macvlan_vs_gw = 57 [ default = "192.168.0.1" ];
/* Binary with arguments to be executed. If not specified here, it can be
specified with the command-line as "-- /path/to/command arg1 arg2" */
optional Exe exec_bin = 57;
optional Exe exec_bin = 58;
}

4
configs/config1.example
View File

@ -10,7 +10,11 @@ port: 31337
time_limit: 100
daemon: false
keep_env: false
envar: "ENVAR1=VALUE1"
envar: "ENVAR2=VALUE2"
silent: false
skip_setsid: false
pass_fd: 100