Commit Graph

1192 Commits

Author SHA1 Message Date
robertswiecki
a303054b50
Merge pull request #128 from disconnect3d/patch-2
Update Dockerfile to use ubuntu:18.04 image
2020-02-14 17:08:07 +01:00
Wiktor Garbacz
273ce6bc84 pipe socket traffic in and out of sandboxee 2020-02-14 17:07:14 +01:00
Wiktor Garbacz
b3b28b7dbf Makefile: fix kafel submodule init for parallel build 2020-01-27 10:32:10 +01:00
Robert Swiecki
04e5fae0e3 subproc: recognize CLONE_PIDFD 2019-12-10 11:09:14 +01:00
robertswiecki
8407e0be46
Merge pull request #129 from disconnect3d/patch-3
Fix default rlimit_stack value
2019-12-07 17:24:29 +01:00
Disconnect3d
7f9ed1ba12
Fix default rlimit_stack value
The default `rlimit_stack` value was set to 1048576. However, this value is in MiB and so is later multiplied by 1024*1024 in b3d544d155/config.cc (L161-L162) and it ends up as a limit of 1 TB for the stack size.

This PR changes it to 8 MB, which is a saner default or, at least, I took it from my virtual machine's ulimits:
```
$ ulimit -a
core file size          (blocks, -c) 0
data seg size           (kbytes, -d) unlimited
scheduling priority             (-e) 0
file size               (blocks, -f) unlimited
pending signals                 (-i) 31175
max locked memory       (kbytes, -l) 16384
max memory size         (kbytes, -m) unlimited
open files                      (-n) 1024
pipe size            (512 bytes, -p) 8
POSIX message queues     (bytes, -q) 819200
real-time priority              (-r) 0
stack size              (kbytes, -s) 8192
cpu time               (seconds, -t) unlimited
max user processes              (-u) 31175
virtual memory          (kbytes, -v) unlimited
file locks                      (-x) unlimited
```
2019-12-07 17:05:45 +01:00
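The unit-scaling mistake described in that commit message is easy to reproduce and easy to guard against. The following is an added example, not nsjail's own code: it takes a stack limit entered in MiB, scales it to bytes the way the config code in the message does, shows why a default of 1048576 MiB lands at 1 TiB while 8 MiB is what `ulimit -s` reports, refuses values whose product would overflow, and clamps the soft limit to the hard limit before calling setrlimit(2). The "inf", "soft" and "hard" keywords and the function names are this example's own convention, not the project's parser.

```cpp
// Added example (not nsjail's own code): MiB-to-bytes scaling of a stack
// rlimit, the overflow check the scaling needs, and a safe setrlimit() path.
#include <cerrno>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <string>
#include <sys/resource.h>

// The two defaults discussed in the commit above, in MiB.
const unsigned long long kOldDefaultStackMiB = 1048576ULL;  // scales to 1 TiB
const unsigned long long kNewDefaultStackMiB = 8ULL;        // scales to 8 MiB
const unsigned long long kMiB = 1024ULL * 1024ULL;

// Parse a stack limit: a plain decimal number is MiB and is scaled to bytes;
// "inf" is RLIM_INFINITY; "soft"/"hard" reuse the current limits (keywords are
// this example's own convention). Returns false on malformed input or when
// MiB * 2^20 would not fit in 64 bits.
bool parseStackLimitMiB(const std::string& arg, const struct rlimit& current, rlim_t* out) {
    if (arg == "inf") { *out = RLIM_INFINITY; return true; }
    if (arg == "soft") { *out = current.rlim_cur; return true; }
    if (arg == "hard") { *out = current.rlim_max; return true; }
    if (arg.empty() || arg.find_first_not_of("0123456789") != std::string::npos) return false;
    errno = 0;
    char* end = nullptr;
    unsigned long long mib = std::strtoull(arg.c_str(), &end, 10);
    if (errno != 0 || end == arg.c_str() || *end != '\0') return false;
    if (mib > UINT64_MAX / kMiB) return false;  // the multiplication would overflow
    *out = static_cast<rlim_t>(mib * kMiB);
    return true;
}

// Convenience wrapper: bytes for a config string, or 0 when it is rejected
// (a literal "0" also yields 0).
unsigned long long stackLimitBytes(const std::string& arg) {
    struct rlimit cur {};
    if (getrlimit(RLIMIT_STACK, &cur) != 0) return 0;
    rlim_t v = 0;
    return parseStackLimitMiB(arg, cur, &v) ? static_cast<unsigned long long>(v) : 0;
}

// Apply a byte value to RLIMIT_STACK. The soft limit may not exceed the hard
// one and raising the hard limit needs CAP_SYS_RESOURCE, so clamp to rlim_max
// rather than let setrlimit() fail with EPERM. Returns 0 or the errno value.
int applyStackLimit(rlim_t bytes) {
    struct rlimit rl {};
    if (getrlimit(RLIMIT_STACK, &rl) != 0) return errno;
    if (rl.rlim_max != RLIM_INFINITY && bytes > rl.rlim_max) bytes = rl.rlim_max;
    rl.rlim_cur = bytes;
    if (setrlimit(RLIMIT_STACK, &rl) != 0) return errno;
    return 0;
}

int main() {
    std::printf("old default: %llu MiB -> %llu bytes (1 TiB)\n", kOldDefaultStackMiB,
                stackLimitBytes(std::to_string(kOldDefaultStackMiB)));
    std::printf("new default: %llu MiB -> %llu bytes (8 MiB)\n", kNewDefaultStackMiB,
                stackLimitBytes(std::to_string(kNewDefaultStackMiB)));
    int rc = applyStackLimit(static_cast<rlim_t>(kNewDefaultStackMiB * kMiB));
    std::printf("setrlimit(RLIMIT_STACK, 8 MiB): %s\n", rc == 0 ? "ok" : std::strerror(rc));
    return rc == 0 ? 0 : 1;
}
```

The overflow guard matters because the scaled product is stored in an unsigned `rlim_t`: a large MiB count would silently wrap into a small, permissive-looking limit rather than a huge one. Clamping to `rlim_max` keeps the call from failing when the sandbox is started by an unprivileged user whose hard stack limit is already below the requested value.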
Disconnect3d
7eeab969f9
Update Dockerfile to use ubuntu:18.04 image 2019-12-07 14:24:32 +01:00
Wiktor Garbacz
1111bb135a allow setgroups when using exclusively newgid 2019-11-01 13:42:16 +01:00
Robert Swiecki
2ca90bf208 configs/: indent 2019-10-29 01:40:52 +01:00
Robert Swiecki
a78019993f configs/znc: remove a problematic quote 2019-10-04 00:35:36 +02:00
Robert Swiecki
2c648d5879 nsjail: don't restore console if nsjail runs in background 2019-10-04 00:33:29 +02:00
Robert Swiecki
b3d544d155 config: simplify log/logfd setting 2019-10-02 19:43:58 +02:00
Robert Swiecki
0b12cedc01 configs: new config for znc - remove log_fd 2019-10-02 08:28:23 +02:00
Robert Swiecki
af9d4294d9 configs: new config for znc 2019-10-01 08:27:17 +02:00
Robert Swiecki
64275d1417 configs/xchat: daemonize by default 2019-09-28 23:00:21 +02:00
Robert Swiecki
8fd94f817a Merge branch 'master' of ssh://github.com/google/nsjail 2019-09-12 22:22:04 +02:00
Robert Swiecki
9f064737de user: better formatting directives for printf'like functions 2019-09-12 22:21:49 +02:00
robertswiecki
ba90b12234
Merge pull request #123 from LMMilewski/master
Fix typo in config.proto: s/lofs/logs/
2019-09-07 02:04:39 +02:00
Lukasz Milewski
0bc575063b Fix typo in config.proto: s/lofs/logs/ 2019-09-06 15:08:30 -07:00
Robert Swiecki
3612c2a0b8 Merge branch 'master' of github.com:google/nsjail 2019-09-02 16:10:28 +02:00
Robert Swiecki
0773b75900 subproc: fix invalid conversions from util::syscall to syscall 2019-09-02 16:10:19 +02:00
Robert Swiecki
41305fdc4d mnt: shorter description of mount points 2019-08-31 22:08:02 +02:00
Robert Swiecki
e2c5c59bd3 standardize on envar vs envvar 2019-08-28 22:18:58 +02:00
Robert Swiecki
c1e40e809c log: close previous log descriptor a bit later 2019-08-25 11:23:20 +02:00
Robert Swiecki
04f35c8848 mnt: use setcwd unconditionally with and w/o clone_newns 2019-08-25 11:17:12 +02:00
Robert Swiecki
d9efc0b3a7 mnt: use setcwd unconditionally with and w/o clone_newns 2019-08-25 11:16:12 +02:00
Robert Swiecki
b435292e9a log: a bit clearer calls to dup() 2019-08-22 13:59:15 +02:00
Robert Swiecki
c291b11ae6 Fix missing chdir in non-CLONE_NEWNS path 2019-08-21 14:29:35 +02:00
Robert Swiecki
5abfae7161 log: simplify logging code 2019-08-20 14:16:21 +02:00
Robert Swiecki
fe762a37b9 config.proto: move disable_rl higher 2019-08-19 14:28:45 +02:00
robertswiecki
a0cdc71ab2
Merge pull request #120 from jaylees14/disable-rlimits
Add flag to disable rlimits
2019-08-19 14:26:27 +02:00
Robert Swiecki
ac6e19d4ec Merge branch 'master' of github.com:google/nsjail 2019-08-19 11:35:17 +02:00
Robert Swiecki
f07c523543 net/cmdline: better checks for TCP port values 2019-08-19 11:34:34 +02:00
Jay Lees
86293b052e Add flag to disable rlimits 2019-08-05 03:25:22 -07:00
Robert Swiecki
0b1d5ac039 cgroup-code: remove some spaces to make code more consistent 2019-08-04 09:54:38 +02:00
Robert Swiecki
b120acd5b5 make indent depend 2019-08-04 09:50:34 +02:00
robertswiecki
5376996acc
Merge pull request #119 from jaylees14/cgroup-v2
[cgroup-v2] support cgroup v2 for mem, cpu and pids
2019-08-04 09:49:35 +02:00
Jay Lees
08f62b6f76 [cgroup-v2] support cgroup v2 for mem, cpu and pids 2019-07-26 07:02:17 -07:00
Robert Swiecki
2044488520 configs/imagemagick-convert: add madvise 2019-07-12 16:07:06 +02:00
Robert Swiecki
4628ded479 Merge branch 'master' of github.com:google/nsjail 2019-07-01 14:52:32 +02:00
Robert Swiecki
d10c9fb90d Disable securebits again to avoid spawned programs unexpectedly retaining capabilities after a UID/GID change 2019-07-01 14:51:32 +02:00
Robert Swiecki
28d2220b1e cmdline: no need to check for nice values 2019-06-30 22:03:57 +02:00
Robert Swiecki
494a5f63cd Add nice_level to cmd-line/config options 2019-06-30 21:50:56 +02:00
Robert Swiecki
21413c4157 user: typo 2019-06-28 19:08:21 +02:00
Robert Swiecki
317555b687 user: don't fail on setgroup() if no groups were specified 2019-06-28 13:31:43 +02:00
robertswiecki
d56adc39c9
Merge pull request #116 from pks-t/pks/setgroups-without-userns
user: allow setting multiple groups without user namespaces
2019-06-24 14:26:19 +02:00
Patrick Steinhardt
91848d22bf user: allow setting multiple groups without user namespaces
When not using a user namespace, we'll completely ignore
whether multiple groups have been specified by the user and only set
up the process's GID. With user namespaces, we in fact cannot set up
supplementary groups as we have set up "/proc/self/setgroups" to
deny any call to setgroups(2). But we can do better than that when
not using user namespaces, as we're free to use that syscall.

As nsjail(1) documents that "--group" can be specified multiple
times without mentioning that this won't work with
"--disable_clone_newuser", change the code to make that
constellation work.
2019-06-20 12:12:16 +02:00
Robert Swiecki
83a28cd0d3 use TEMP_FAILURE_RETRY with some restartable funcs 2019-04-17 23:10:18 +02:00
Robert Swiecki
c861be28a9 configs/image-magic: make convert be overridable 2019-04-01 23:32:06 +02:00
Robert Swiecki
8d9aaec7f0 cmdline: don't clear cmdline exec_file if arguments are provided on cmdline 2019-04-01 22:46:39 +02:00