175 Commits

Author SHA1 Message Date
Robert Swiecki
54a522326f caps: simplify capability operations 2017-07-05 15:57:07 +02:00
Robert Swiecki
7ba602a6ed caps: move capability-setting code to caps.* 2017-07-05 13:03:14 +02:00
Robert Swiecki
b36c4fb26c make indent 2017-07-01 22:23:11 +02:00
Robert Swiecki
ac2928d1c2 cmdlink: use different name while printing symlinks/mount points 2017-06-29 00:38:20 +02:00
Robert Swiecki
e4aba73385 Allow to create symlinks 2017-06-29 00:32:20 +02:00
Robert Swiecki
7e0a4cdba8 Get number of CPUs early, as it's read from /proc 2017-06-22 03:06:53 +02:00
Robert Swiecki
7917222486 mount: Use /tmp/nsjail.[tmp|root].<orig_euid> 2017-06-21 18:29:02 +02:00
Robert Swiecki
69783dc200 config: max_cpu_num -> max_cpus 2017-06-21 17:52:16 +02:00
Robert Swiecki
f0d80bf435 cmdline: cast pid_t to unsigned long when using *rintf 2017-06-20 23:11:35 +02:00
Robert Swiecki
73f1d44c92 Allow to use IPv4 addr with --bindhost 2017-06-19 22:35:57 +02:00
Robert Swiecki
ceaed43133 config: implement max_cpu_num in PB 2017-06-19 17:05:01 +02:00
Robert Swiecki
0e7393cccf cmdline: implement affinity setting, to limit jailed process to n max cpus 2017-06-19 17:01:50 +02:00
Robert Swiecki
1dd3223b74 iface -> iface_vs 2017-06-12 22:20:21 +02:00
Robert Swiecki
63e4059f7a Slight fixes to log_fd 2017-06-12 00:27:27 +02:00
Tony Young
c55dc8cb12 Add an extra log_fd argument to specify an FD to log to.
In some situations, setting --log to /proc/self/fd/# is not sufficient to log out to a different FD. For instance, if a master process passes its stderr to the child nsjail process as fd 3, the nsjail child may not always be able to log to /proc/self/fd/3, e.g. if the master process is running under systemd, whose /proc/self/fd/2 is actually a socket and not a pipe. However, having nsjail write to fd 3 directly is fine and there's no other good way to handle this situation.
2017-06-11 22:12:18 +00:00
Tony Young
d0261d281d Add an --exec_file argument to allow argv[0] to differ from the binary being exec'd. 2017-06-09 00:00:12 +00:00
Robert Swiecki
9519f1038b mount: introduce mountDescribeMountPt 2017-05-29 16:52:24 +02:00
Robert Swiecki
0271586e81 Get rid of pivot_root_only - achieve the same in different way 2017-05-29 03:11:32 +02:00
Robert Swiecki
7b2fc9cdac add configs/firefox-with-cloned-net.cfg 2017-05-28 16:56:16 +02:00
Robert Swiecki
d7ccf0c9d8 Simplify uids/gids maps 2017-05-28 01:05:27 +02:00
Robert Swiecki
ed72ce3762 cmdline: avoid using %s with nullptr 2017-05-27 17:40:30 +02:00
Robert Swiecki
ec50c1346d mount: nonmandatory mounts 2017-05-27 15:17:11 +02:00
Robert Swiecki
f0cb243a89 config: allow skipping arguments in mount points 2017-05-27 15:01:34 +02:00
Robert Swiecki
03e8578e79 config: executable in config 2017-05-27 02:24:41 +02:00
Robert Swiecki
53f825115f More work on uid mappings 2017-05-26 23:26:07 +02:00
Robert Swiecki
4eaa6cc9d3 Rewrite uid mapping system 2017-05-26 23:07:47 +02:00
Robert Swiecki
8e39afa25f config: more options in the config #5 2017-05-26 15:22:59 +02:00
Robert Swiecki
08de9db57c config: more options in the config #4 2017-05-26 14:08:09 +02:00
Robert Swiecki
92939c754e config: more options in the config #3 2017-05-26 05:12:01 +02:00
Robert Swiecki
1bf794f492 config: add basic config support 2017-05-26 01:44:16 +02:00
Robert Swiecki
591188910e cmdline/mount: use 'none' as src for tmpfs/proc 2017-05-24 17:09:24 +02:00
Robert Swiecki
c1165cf120 mount: simplify checking for whether source is dir or file 2017-05-24 14:46:44 +02:00
Robert Swiecki
054c4a3b4b Merge branch 'master' of github.com:google/nsjail 2017-05-24 14:32:45 +02:00
Robert Swiecki
9c4c278021 Warn about uid/gid 0 2017-05-24 14:32:39 +02:00
Robert Swiecki
0d5befbd6f TLS semantics for subprocCloneFlagsToStr and mountFlagsToStr 2017-05-22 01:10:49 +02:00
Robert Swiecki
525ba9e2dd Convert mount flags to str 2017-05-21 17:37:18 +02:00
Serge Bazanski
00f7944718 Merge branch 'master' of github.com:google/nsjail into deprecate-iface-flag-names 2017-05-11 16:18:07 +01:00
Serge Bazanski
3b05a70b6b Deprecate current iface/macvlan options.
This is in preparation for other networking models. The current option
names were very generic, and without namespacing them we could end up
with some very confusing naming.

Also some miscellaneous indentation fixes.
2017-05-11 15:17:54 +01:00
Robert Swiecki
e0ffb55b04 cmdline: examples for --iface_cs 2017-05-11 15:33:15 +02:00
Robert Swiecki
cf163807db Kafel: wrong check 2017-05-08 15:53:43 +02:00
Robert Swiecki
d9cb28b97d Use kafel unconditionally 2017-05-08 15:50:29 +02:00
Robert Swiecki
6596adb5e2 cmdline: 'i' 2017-05-07 21:10:39 +02:00
Robert Swiecki
ec765851f4 apply --rw to /proc as well 2017-04-22 23:54:33 +02:00
Robert Swiecki
cc5d4b65c9 cgroups: support for PIDs 2017-04-20 17:48:20 +02:00
Sam Clegg
74010d0c45 Exit with non-zero status on bad command line option 2017-02-15 17:23:55 -08:00
Robert Swiecki
478d2b3789 cmdline: provide both -v/verbose and -q/quiet for logging 2017-02-14 21:54:02 +01:00
Robert Swiecki
9f832aa35a Uid/Gid fix 2017-02-08 00:42:23 +01:00
Robert Swiecki
4a154733e0 Allow to specify multiple uid/gid maps 2017-02-08 00:36:32 +01:00
Robert Swiecki
a0cc72aa5c cmdline: typo 2017-01-28 14:25:09 +01:00
Robert Swiecki
c9847562dd Less use of USE_KAFEL 2016-10-17 18:17:08 +02:00
Robert Swiecki
238df2ed87 Missing USE_KAFEL defines 2016-10-17 18:09:05 +02:00
Robert Swiecki
950c91e4dd Allow to use kafel_string 2016-10-12 03:52:08 +02:00
Robert Swiecki
df38185c6f Slight rework of kafel use 2016-10-12 03:15:33 +02:00
Robert Swiecki
a30e2f107c Make indent 2016-10-12 00:59:10 +02:00
Stephen Röttger
f4d43e3336 New option pivot_root_only to support nested namespaces
If pivot_root_only is set, the chroot in the job setup will be skipped.
2016-09-30 16:30:59 +02:00
robertswiecki
f995ff9475 Merge pull request #9 from sroettger/newuidmap
Support more complex uid and gid mappings
2016-09-30 16:03:33 +02:00
Stephen Röttger
1c950391a1 Support more complex uid and gid mappings
Introduces the new options uid_mapping and gid_mapping that specify
arbitrary custom mappings. If these options are used, nsjail will
use newuidmap/newgidmap to write the map files.
2016-09-30 15:30:15 +02:00
robertswiecki
8a63a24981 Merge pull request #8 from sroettger/no_no_new_privs
new flag to skip no_new_privs: --disable_no_new_privs
2016-09-30 15:27:07 +02:00
Stephen Röttger
6501357f98 new flag to skip no_new_privs: --disable_no_new_privs 2016-09-30 15:23:04 +02:00
Jagger
06e353a8e1 seccomp_policy cmdline 2016-09-30 11:57:11 +02:00
Wiktor Garbacz
551ed4ca05 Kafel support 2016-09-29 16:22:09 +02:00
Jagger
1d9b33b06b Make MODE_STANDALONE_ONCE the default mode 2016-08-18 21:31:07 +02:00
Jagger
a00f5a6424 Don't mount /proc as RO 2016-08-16 22:42:15 +02:00
Jagger
88ce7d240a Default chroot is empty now 2016-08-16 22:07:44 +02:00
Robert Swiecki
432c82bb34 Make it a bit more standards friendly 2016-07-21 15:48:47 +02:00
Jagger
1a9de4ef91 cmdline help 2016-06-19 19:21:45 +02:00
Jagger
3e91d44145 Use cgroups_mem_max to enable memory limits 2016-06-19 18:12:15 +02:00
Jagger
827e1a4e7d Init cgroups from parent 2016-06-19 15:50:25 +02:00
Jagger
c93d926189 Create sub-cgroups instead of using the parent one 2016-06-19 14:58:18 +02:00
Jagger
e3a351b335 More memory cgroup controls 2016-06-19 13:54:36 +02:00
Jagger
a1f0ec7925 Support for CLONE_NEWCGROUP 2016-06-19 11:55:55 +02:00
Jagger
df97c0fe74 Use NULL as src for mounting proc and tmpfs 2016-06-19 01:35:06 +02:00
Jagger
2e523ae4b8 /proc is ro by default 2016-06-19 01:05:31 +02:00
Jagger
53d8e16a01 cmdline typos 2016-06-18 01:24:57 +02:00
Jagger
86ddf16279 Implement --pass_fd 2016-06-18 00:46:57 +02:00
Robert Swiecki
0339d0497f Description for -Me 2016-05-10 15:54:10 +02:00
Jagger
19c9598631 Use examples 2016-05-10 00:54:25 +02:00
Jagger
99ca4c5df2 isprint misbehaves with some glibc versions 2016-05-05 03:53:53 +02:00
Jagger
8f68fab29c --bindhost help 2016-03-11 02:57:02 +01:00
Jagger
75f96e4ca8 cmdline: [val] -> VALUE 2016-03-10 01:33:58 +01:00
Jagger
a71371e327 Check for gcc in Makefile 2016-03-09 00:56:20 +01:00
Jagger
22f6e31e89 Make nsjconf initialization from const struct 2016-03-02 02:35:38 +01:00
Jagger
e35b345163 Support for --chroot "" 2016-03-02 02:30:30 +01:00
Robert Swiecki
b89b8cfbc7 Fix common.h includes 2016-03-01 17:03:11 +01:00
Robert Swiecki
cc987ec775 Add locked mount flags during remounting 2016-03-01 15:36:32 +01:00
Jagger
6c5c80256d Make valgrind silent 2016-02-29 22:22:03 +01:00
Robert Swiecki
296ef302e4 Better cmdline descriptions 2016-02-29 20:20:38 +01:00
Robert Swiecki
af6a6bb2dc Don't initialize the 'vs' interface by default 2016-02-29 17:50:25 +01:00
Robert Swiecki
872a561b4c Better description for --user / --group 2016-02-29 15:47:33 +01:00
Robert Swiecki
4cb1c01938 Default values for 'vs' interface 2016-02-29 15:36:31 +01:00
Jagger
e4ac7f411c Default net values for 'vs' 2016-02-29 02:59:59 +01:00
Jagger
d2f47fff92 Add network configuration for the 'vs' interface 2016-02-29 02:51:55 +01:00
Jagger
43983cbb17 Add --iface_lo_up 2016-02-29 00:14:36 +01:00
Jagger
6218fe2336 Implementation of netSystemSbinIp 2016-02-28 23:40:34 +01:00
Jagger
8d641169e3 Initialize user/group maps from the parent process 2016-02-28 02:34:43 +01:00
Jagger
ad4b0105a7 No need to add (default:none) in cmdline 2016-02-28 01:52:09 +01:00
Robert Swiecki
be639261b5 Automatically create destination dir for 'proc' and 'tmpfs' mounts 2016-02-25 18:45:23 +01:00
Robert Swiecki
9852028522 Implement --bindhost 2016-02-25 18:27:48 +01:00
Robert Swiecki
5b78d31f3f Remove (disable: false) from cmdline.c as it's obvious 2016-02-16 18:56:52 +01:00
Robert Swiecki
aebc3dba41 Env variables (setting/clearing) 2016-01-26 17:42:10 +01:00