Use kafel unconditionally
This commit is contained in:
Robert Swiecki
parent
9414b1a635
commit
d9cb28b97d
20
Makefile
20
Makefile
@ -23,26 +23,20 @@ CFLAGS += -O2 -c -std=gnu11 \
|
|||||||
-D_GNU_SOURCE \
|
-D_GNU_SOURCE \
|
||||||
-fstack-protector-all -Wformat -Wformat=2 -Wformat-security -fPIE \
|
-fstack-protector-all -Wformat -Wformat=2 -Wformat-security -fPIE \
|
||||||
-Wno-format-nonliteral \
|
-Wno-format-nonliteral \
|
||||||
-Wall -Wextra -Werror
|
-Wall -Wextra -Werror \
|
||||||
|
-Ikafel/include
|
||||||
|
|
||||||
LDFLAGS += -Wl,-z,now -Wl,-z,relro -pie -Wl,-z,noexecstack
|
LDFLAGS += -Wl,-z,now -Wl,-z,relro -pie -Wl,-z,noexecstack
|
||||||
|
|
||||||
SRCS = nsjail.c cmdline.c contain.c log.c cgroup.c mount.c net.c pid.c sandbox.c subproc.c user.c util.c uts.c
|
SRCS = nsjail.c cmdline.c contain.c log.c cgroup.c mount.c net.c pid.c sandbox.c subproc.c user.c util.c uts.c
|
||||||
OBJS = $(SRCS:.c=.o)
|
OBJS = $(SRCS:.c=.o)
|
||||||
BIN = nsjail
|
BIN = nsjail
|
||||||
|
LIBS = kafel/libkafel.a
|
||||||
|
|
||||||
ifdef DEBUG
|
ifdef DEBUG
|
||||||
CFLAGS += -g -ggdb -gdwarf-4
|
CFLAGS += -g -ggdb -gdwarf-4
|
||||||
endif
|
endif
|
||||||
|
|
||||||
USE_KAFEL ?= yes
|
|
||||||
ifneq ("$(wildcard kafel/include/kafel.h)","")
|
|
||||||
ifeq ($(USE_KAFEL), yes)
|
|
||||||
CFLAGS += -I./kafel/include/ -DUSE_KAFEL
|
|
||||||
LIBS += kafel/libkafel.a
|
|
||||||
endif
|
|
||||||
endif
|
|
||||||
|
|
||||||
USE_NL3 ?= yes
|
USE_NL3 ?= yes
|
||||||
ifeq ("$(wildcard /usr/include/libnl3/netlink/route/link/macvlan.h)","/usr/include/libnl3/netlink/route/link/macvlan.h")
|
ifeq ("$(wildcard /usr/include/libnl3/netlink/route/link/macvlan.h)","/usr/include/libnl3/netlink/route/link/macvlan.h")
|
||||||
ifeq ($(USE_NL3), yes)
|
ifeq ($(USE_NL3), yes)
|
||||||
@ -59,19 +53,15 @@ all: $(BIN)
|
|||||||
$(BIN): $(OBJS) $(LIBS)
|
$(BIN): $(OBJS) $(LIBS)
|
||||||
$(CC) -o $(BIN) $(OBJS) $(LIBS) $(LDFLAGS)
|
$(CC) -o $(BIN) $(OBJS) $(LIBS) $(LDFLAGS)
|
||||||
|
|
||||||
ifneq ("$(wildcard kafel/Makefile)","")
|
|
||||||
kafel/libkafel.a:
|
kafel/libkafel.a:
|
||||||
$(MAKE) -C kafel
|
$(MAKE) -C kafel
|
||||||
endif
|
|
||||||
|
|
||||||
clean:
|
clean:
|
||||||
$(RM) core Makefile.bak $(OBJS) $(BIN)
|
$(RM) core Makefile.bak $(OBJS) $(BIN)
|
||||||
ifneq ("$(wildcard kafel/Makefile)","")
|
|
||||||
$(MAKE) -C kafel clean
|
$(MAKE) -C kafel clean
|
||||||
endif
|
|
||||||
|
|
||||||
depend:
|
depend:
|
||||||
makedepend -Y. -- -- $(SRCS)
|
makedepend -Y -Ykafel/include -- -- $(SRCS)
|
||||||
|
|
||||||
indent:
|
indent:
|
||||||
indent -linux -l100 -lc100 *.c *.h; rm -f *~
|
indent -linux -l100 -lc100 *.c *.h; rm -f *~
|
||||||
@ -87,7 +77,7 @@ cgroup.o: cgroup.h common.h log.h util.h
|
|||||||
mount.o: mount.h common.h log.h subproc.h util.h
|
mount.o: mount.h common.h log.h subproc.h util.h
|
||||||
net.o: net.h common.h log.h subproc.h
|
net.o: net.h common.h log.h subproc.h
|
||||||
pid.o: pid.h common.h log.h subproc.h
|
pid.o: pid.h common.h log.h subproc.h
|
||||||
sandbox.o: sandbox.h common.h log.h
|
sandbox.o: sandbox.h common.h log.h kafel/include/kafel.h
|
||||||
subproc.o: subproc.h common.h cgroup.h contain.h log.h net.h sandbox.h user.h
|
subproc.o: subproc.h common.h cgroup.h contain.h log.h net.h sandbox.h user.h
|
||||||
subproc.o: util.h
|
subproc.o: util.h
|
||||||
user.o: user.h common.h log.h subproc.h util.h
|
user.o: user.h common.h log.h subproc.h util.h
|
||||||
|
|||||||
@ -764,11 +764,9 @@ bool cmdlineParse(int argc, char *argv[], struct nsjconf_t * nsjconf)
|
|||||||
p->outside_id = getgid();
|
p->outside_id = getgid();
|
||||||
TAILQ_INSERT_HEAD(&nsjconf->gids, p, pointers);
|
TAILQ_INSERT_HEAD(&nsjconf->gids, p, pointers);
|
||||||
}
|
}
|
||||||
#if !defined(USE_KAFEL)
|
|
||||||
if (nsjconf->kafel_file != NULL || nsjconf->kafel_string != NULL) {
|
if (nsjconf->kafel_file != NULL || nsjconf->kafel_string != NULL) {
|
||||||
LOG_F("Kafel policy specified but the kafel/ is not compiled in");
|
LOG_F("Kafel policy specified but the kafel/ is not compiled in");
|
||||||
}
|
}
|
||||||
#endif /* !defined(USE_KAFEL) */
|
|
||||||
|
|
||||||
if (logInitLogFile(nsjconf, logfile, log_level) == false) {
|
if (logInitLogFile(nsjconf, logfile, log_level) == false) {
|
||||||
return false;
|
return false;
|
||||||
|
|||||||
@ -27,10 +27,7 @@
|
|||||||
|
|
||||||
#include "common.h"
|
#include "common.h"
|
||||||
#include "log.h"
|
#include "log.h"
|
||||||
|
|
||||||
#if defined(USE_KAFEL)
|
|
||||||
#include "kafel.h"
|
#include "kafel.h"
|
||||||
#endif // defined(USE_KAFEL)
|
|
||||||
|
|
||||||
#ifndef PR_SET_NO_NEW_PRIVS
|
#ifndef PR_SET_NO_NEW_PRIVS
|
||||||
#define PR_SET_NO_NEW_PRIVS 38
|
#define PR_SET_NO_NEW_PRIVS 38
|
||||||
@ -38,7 +35,6 @@
|
|||||||
|
|
||||||
static bool sandboxPrepareAndCommit(struct nsjconf_t *nsjconf __attribute__ ((unused)))
|
static bool sandboxPrepareAndCommit(struct nsjconf_t *nsjconf __attribute__ ((unused)))
|
||||||
{
|
{
|
||||||
#if defined(USE_KAFEL)
|
|
||||||
if (nsjconf->kafel_file == NULL && nsjconf->kafel_string == NULL) {
|
if (nsjconf->kafel_file == NULL && nsjconf->kafel_string == NULL) {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
@ -67,7 +63,6 @@ static bool sandboxPrepareAndCommit(struct nsjconf_t *nsjconf __attribute__ ((un
|
|||||||
PLOG_W("prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER) failed");
|
PLOG_W("prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER) failed");
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
#endif /* defined(USE_KAFEL) */
|
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user