Patrick Steinhardt
91848d22bf
user: allow setting multiple groups without user namespaces
...
When not using a user namespace, then we'll completely ignore
whether multiple groups have been specified by the user and only set
up the process's GID. With user namespaces, we in fact cannot set up
supplementary groups as we have set up "/proc/self/setgroups" to
deny any call to setgroups(2). But we can do better than that when
not using user namespaces, as we're free to use that syscall.
As nsjail(1) documents that "--group" can be specified multiple
times without mentioning that this won't work with
"--disable_clone_newuser", change the code to make that
constellation work.
2019-06-20 12:12:16 +02:00
Robert Swiecki
83a28cd0d3
use TEMP_FAILURE_RETRY with some restartable funcs
2019-04-17 23:10:18 +02:00
Robert Swiecki
c861be28a9
configs/image-magic: make convert be overridable
2019-04-01 23:32:06 +02:00
Robert Swiecki
8d9aaec7f0
cmdline: don't clear cmdline exec_file is arguments are provided on cmdline
2019-04-01 22:46:39 +02:00
Robert Swiecki
1f022a2187
config.proto: Exe.path is required
2019-04-01 22:43:17 +02:00
Robert Swiecki
7aa8916077
cmdline: make sure that argv[0] exists
2019-04-01 22:42:14 +02:00
Robert Swiecki
56b99003b4
user: function naming
2019-03-31 15:16:24 +02:00
Robert Swiecki
7b8da74e9f
configs/firefox-with-cloned-net: add fontconfig config envvars
2019-03-30 16:20:04 +01:00
Robert Swiecki
8b339db721
configs/firefox: add fontconfig config envvars
2019-03-30 16:19:30 +01:00
Robert Swiecki
2b1bad6b5b
cmdline: allow to override config cmdline with cmdline cmdline
2019-03-30 16:10:14 +01:00
Robert Swiecki
e3db427f0b
configs/conver: revert the last one to properly figure it out
2019-03-30 15:49:18 +01:00
robertswiecki
e9d380e21f
Merge pull request #114 from disconnect3d/patch-1
...
Fixes issue #113
2019-03-30 15:45:04 +01:00
Disconnect3d
e6abcae13b
Fixes issue #113
2019-03-29 23:48:56 +01:00
Robert Swiecki
3a69090a89
nsjail: remove warning about CLONE_NEWUSER
2019-03-29 21:42:05 +01:00
Robert Swiecki
a2dacef5d7
allow to use nsjail w/o namespaces
2019-03-29 21:38:14 +01:00
Robert Swiecki
331f2bcd74
mnt: try /run/user/<uid>/nsjail as a root mount dir first
2019-03-28 23:25:15 +01:00
Robert Swiecki
9fe225dbe2
mnt: use /run/usr/<uid> first when mounting dirs
2019-03-18 16:37:04 +01:00
Robert Swiecki
8059747016
subproc: save/restore errno when printing error message twice
2019-03-12 17:07:24 +01:00
Robert Swiecki
46f463a62c
flush stdin after nsjail ends
2019-03-10 15:00:45 +01:00
robertswiecki
f80318fe2c
Merge pull request #109 from disconnect3d/fix-cgroup-cpu-mount-option
...
Fix #108 - missing cgroup_cpu_mount option setting
2019-03-06 08:18:35 +01:00
disconnect3d
de872dc6b8
Fix #108 - missing cgroup_cpu_mount option setting
2019-03-05 16:41:38 -06:00
robertswiecki
86f0f088ae
Merge pull request #107 from adamcarheden/tomcat
...
Added example config for tomcat
2019-03-01 16:48:18 +01:00
Adam Carheden
6f7a3fb8e9
Added example config for tomcat
2019-02-27 14:11:49 -07:00
Robert Swiecki
9b8d91bd7f
incrase the default RLIMIT_AS limit to 4GiB. 512MiB is not enough for many payloas, and cgroups should be used for memory limiting anyway
2019-02-06 17:06:42 +01:00
robertswiecki
5b374bbf8c
Merge pull request #104 from adamcarheden/libnl-dep
...
Fixed missing dependency on libnl-route-3-dev
2019-01-29 21:04:25 +01:00
Adam Carheden
7969e2b2aa
Fixed missing dependency on libnl-route-3-dev
2019-01-29 09:48:35 -07:00
Robert Swiecki
9782f7bb39
util: call ::syscall for syscall()
2019-01-21 22:42:34 +01:00
Robert Swiecki
061e32839f
use util::syscall whenever possible
2019-01-21 22:37:30 +01:00
Robert Swiecki
681fce1cc4
util: introduce syscall to avoid vararg argument parsing
2019-01-21 22:25:37 +01:00
Robert Swiecki
d1151ea4bd
contain: log formatting
2019-01-21 20:03:17 +01:00
Robert Swiecki
fafef711ad
configs/xorg: add /dev/[u]random
2019-01-20 21:41:10 +01:00
Robert Swiecki
91b81f4e7a
cmdline: more bried debug output
2019-01-20 18:43:42 +01:00
Robert Swiecki
1619efd2a9
log: don't print description of level with HELP/HELP_BOLD
2019-01-20 18:41:44 +01:00
Robert Swiecki
83fc152d7c
Make netlink3-route mandatory
2019-01-20 18:37:47 +01:00
happyCoder92
c7a313123b
Merge pull request #103 from remexre/master
...
Fixes typo in manpage.
2019-01-09 14:01:16 +01:00
Nathan Ringo
d1d61fc837
Fixes typo in manpage.
2019-01-09 00:24:34 -10:00
happyCoder92
bc18f0ef0f
Merge pull request #102 from jvvv/master
...
README.md: update cgroup_cpu_ms_per_sec
2019-01-07 14:39:57 +01:00
Robert Swiecki
f2fc5a9406
open might return EINTR
2019-01-06 00:03:36 +01:00
Robert Swiecki
48f67f131a
subproc: PLOG -> LOG
2019-01-04 01:41:26 +01:00
Robert Swiecki
6a4315f318
More of RETURN_ON_FAILURE
2019-01-01 11:36:02 +01:00
John Vogel
a6e069f514
README.md: update cgroup_cpu_ms_per_sec
2018-12-22 01:03:34 -05:00
Robert Swiecki
6a4f5c110b
make indent
2018-12-17 08:46:31 +01:00
Robert Swiecki
28092c45ce
logs: va_end() used too early
2018-12-16 14:22:01 +01:00
Robert Swiecki
451f064851
logs: avoid multiple syscall(__NR_write) in logs
2018-12-16 11:55:33 +01:00
Robert Swiecki
40083ed115
logs: use anonymous struct
2018-12-16 07:47:22 +01:00
Robert Swiecki
432c38ad23
cmdline: clarify cgroup_cpu_ms_per_sec
2018-12-05 14:35:16 +01:00
Robert Swiecki
864aa72a2a
subproc: print more data on sigsys
2018-12-05 10:10:21 +01:00
Robert Swiecki
dfba744bfc
Merge branch 'master' of ssh://github.com/google/nsjail
2018-11-25 23:12:43 +01:00
robertswiecki
7a5cf69883
Merge pull request #99 from rutsky/writeToFd_return_type
...
fix writeToFD() return type in declaration
2018-11-25 23:12:23 +01:00
Vladimir Rutsky
ec0d4174f1
fix writeToFD() return type in declaration
...
In 25a7791d
return type of writeToFD() was changed from `ssize_t` to `bool`, but header wasn't updated.
2018-11-25 18:26:52 +01:00