Use kafel unconditionally
parent
9414b1a635
commit
d9cb28b97d
20
Makefile
20
Makefile
@ -23,26 +23,20 @@ CFLAGS += -O2 -c -std=gnu11 \
|
||||
-D_GNU_SOURCE \
|
||||
-fstack-protector-all -Wformat -Wformat=2 -Wformat-security -fPIE \
|
||||
-Wno-format-nonliteral \
|
||||
-Wall -Wextra -Werror
|
||||
-Wall -Wextra -Werror \
|
||||
-Ikafel/include
|
||||
|
||||
LDFLAGS += -Wl,-z,now -Wl,-z,relro -pie -Wl,-z,noexecstack
|
||||
|
||||
SRCS = nsjail.c cmdline.c contain.c log.c cgroup.c mount.c net.c pid.c sandbox.c subproc.c user.c util.c uts.c
|
||||
OBJS = $(SRCS:.c=.o)
|
||||
BIN = nsjail
|
||||
LIBS = kafel/libkafel.a
|
||||
|
||||
ifdef DEBUG
|
||||
CFLAGS += -g -ggdb -gdwarf-4
|
||||
endif
|
||||
|
||||
USE_KAFEL ?= yes
|
||||
ifneq ("$(wildcard kafel/include/kafel.h)","")
|
||||
ifeq ($(USE_KAFEL), yes)
|
||||
CFLAGS += -I./kafel/include/ -DUSE_KAFEL
|
||||
LIBS += kafel/libkafel.a
|
||||
endif
|
||||
endif
|
||||
|
||||
USE_NL3 ?= yes
|
||||
ifeq ("$(wildcard /usr/include/libnl3/netlink/route/link/macvlan.h)","/usr/include/libnl3/netlink/route/link/macvlan.h")
|
||||
ifeq ($(USE_NL3), yes)
|
||||
@ -59,19 +53,15 @@ all: $(BIN)
|
||||
$(BIN): $(OBJS) $(LIBS)
|
||||
$(CC) -o $(BIN) $(OBJS) $(LIBS) $(LDFLAGS)
|
||||
|
||||
ifneq ("$(wildcard kafel/Makefile)","")
|
||||
kafel/libkafel.a:
|
||||
$(MAKE) -C kafel
|
||||
endif
|
||||
|
||||
clean:
|
||||
$(RM) core Makefile.bak $(OBJS) $(BIN)
|
||||
ifneq ("$(wildcard kafel/Makefile)","")
|
||||
$(MAKE) -C kafel clean
|
||||
endif
|
||||
|
||||
depend:
|
||||
makedepend -Y. -- -- $(SRCS)
|
||||
makedepend -Y -Ykafel/include -- -- $(SRCS)
|
||||
|
||||
indent:
|
||||
indent -linux -l100 -lc100 *.c *.h; rm -f *~
|
||||
@ -87,7 +77,7 @@ cgroup.o: cgroup.h common.h log.h util.h
|
||||
mount.o: mount.h common.h log.h subproc.h util.h
|
||||
net.o: net.h common.h log.h subproc.h
|
||||
pid.o: pid.h common.h log.h subproc.h
|
||||
sandbox.o: sandbox.h common.h log.h
|
||||
sandbox.o: sandbox.h common.h log.h kafel/include/kafel.h
|
||||
subproc.o: subproc.h common.h cgroup.h contain.h log.h net.h sandbox.h user.h
|
||||
subproc.o: util.h
|
||||
user.o: user.h common.h log.h subproc.h util.h
|
||||
|
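Review bot: With the `wildcard kafel/Makefile` guards apparently dropped, the `kafel/libkafel.a` rule and the `clean` recipe both run `$(MAKE) -C kafel` unconditionally, so a checkout where the kafel/ tree is not populated fails inside the sub-make with a directory error, and `make clean` fails as well. A top-level guard would turn that into a clear message, for example `ifeq ("$(wildcard kafel/Makefile)","")`, then `$(error kafel/ sources are missing)`, then `endif`. Separately, `kafel/libkafel.a:` has no prerequisites, so an existing archive is never rebuilt when the kafel sources change. Since the library is now always linked and compiles the seccomp policy, consider making the sub-make run on every build so a stale copy is not picked up.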
@ -764,11 +764,9 @@ bool cmdlineParse(int argc, char *argv[], struct nsjconf_t * nsjconf)
|
||||
p->outside_id = getgid();
|
||||
TAILQ_INSERT_HEAD(&nsjconf->gids, p, pointers);
|
||||
}
|
||||
#if !defined(USE_KAFEL)
|
||||
if (nsjconf->kafel_file != NULL || nsjconf->kafel_string != NULL) {
|
||||
LOG_F("Kafel policy specified but the kafel/ is not compiled in");
|
||||
}
|
||||
#endif /* !defined(USE_KAFEL) */
|
||||
|
||||
if (logInitLogFile(nsjconf, logfile, log_level) == false) {
|
||||
return false;
|
||||
|
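Review bot: The `-764,11 +764,9` header says only two lines leave this hunk, which fits removing just the `#if !defined(USE_KAFEL)` / `#endif` pair while keeping the three-line check between them. If that is what happened, `LOG_F("Kafel policy specified but the kafel/ is not compiled in")` now runs whenever `kafel_file` or `kafel_string` is set, so a seccomp policy could no longer be supplied at all (assuming LOG_F is fatal, as its use here suggests). The `if (nsjconf->kafel_file != NULL || nsjconf->kafel_string != NULL) { ... }` block should be deleted together with the preprocessor lines. cmdlineParse begins and ends outside the hunk, so this is worth confirming against the full file.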
@ -27,10 +27,7 @@
|
||||
|
||||
#include "common.h"
|
||||
#include "log.h"
|
||||
|
||||
#if defined(USE_KAFEL)
|
||||
#include "kafel.h"
|
||||
#endif // defined(USE_KAFEL)
|
||||
|
||||
#ifndef PR_SET_NO_NEW_PRIVS
|
||||
#define PR_SET_NO_NEW_PRIVS 38
|
||||
@ -38,7 +35,6 @@
|
||||
|
||||
static bool sandboxPrepareAndCommit(struct nsjconf_t *nsjconf __attribute__ ((unused)))
|
||||
{
|
||||
#if defined(USE_KAFEL)
|
||||
if (nsjconf->kafel_file == NULL && nsjconf->kafel_string == NULL) {
|
||||
return true;
|
||||
}
|
||||
@ -67,7 +63,6 @@ static bool sandboxPrepareAndCommit(struct nsjconf_t *nsjconf __attribute__ ((un
|
||||
PLOG_W("prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER) failed");
|
||||
return false;
|
||||
}
|
||||
#endif /* defined(USE_KAFEL) */
|
||||
return true;
|
||||
}
|
||||
|
||||
|
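Review bot: The parameter in `sandboxPrepareAndCommit(struct nsjconf_t *nsjconf __attribute__ ((unused)))` still carries `__attribute__ ((unused))`, although with the `#if defined(USE_KAFEL)` guard gone the body always dereferences `nsjconf`. The attribute is now misleading and can be dropped: `static bool sandboxPrepareAndCommit(struct nsjconf_t *nsjconf)`. The early `return true;` taken when both `kafel_file` and `kafel_string` are NULL exits before the `prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER)` call visible in the last hunk, so no filter is installed on that path. A comment such as `/* No policy given: no seccomp-bpf filter is installed */` would make that explicit. The middle of the function lies between the two hunks and is not visible here.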