woj/nsjail
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
1,051 Commits 2 Branches 0 Tags 1.5 MiB
66fa45364c
Commit Graph

1051 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Robert Swiecki
28d2220b1e cmdline: no need to check for nice values 2019-06-30 22:03:57 +02:00
Robert Swiecki
494a5f63cd Add nice_level to cmd-line/config options 2019-06-30 21:50:56 +02:00
Robert Swiecki
21413c4157 user: typo 2019-06-28 19:08:21 +02:00
Robert Swiecki
317555b687 user: don't fail on setgroup() if not groups were specified 2019-06-28 13:31:43 +02:00
robertswiecki
d56adc39c9
Merge pull request #116 from pks-t/pks/setgroups-without-userns 
user: allow setting multiple groups without user namespaces
 2019-06-24 14:26:19 +02:00
Patrick Steinhardt
91848d22bf user: allow setting multiple groups without user namespaces 
When not using a user namespace, then we'll completely ignore
whether multiple groups have been specified by the user and only set
up the process's GID. With user namespaces, we in fact cannot set up
supplementary groups as we have set up "/proc/self/setgroups" to
deny any call to setgroups(2). But we can do better than that when
not using user namespaces, as we're free to use that syscall.

As nsjail(1) documents that "--group" can be specified multiple
times without mentioning that this won't work with
"--disable_clone_newuser", change the code to make that
constellation work.
 2019-06-20 12:12:16 +02:00
Robert Swiecki
83a28cd0d3 use TEMP_FAILURE_RETRY with some restartable funcs 2019-04-17 23:10:18 +02:00
Robert Swiecki
c861be28a9 configs/image-magic: make convert be overridable 2019-04-01 23:32:06 +02:00
Robert Swiecki
8d9aaec7f0 cmdline: don't clear cmdline exec_file is arguments are provided on cmdline 2019-04-01 22:46:39 +02:00
Robert Swiecki
1f022a2187 config.proto: Exe.path is required 2019-04-01 22:43:17 +02:00
Robert Swiecki
7aa8916077 cmdline: make sure that argv[0] exists 2019-04-01 22:42:14 +02:00
Robert Swiecki
56b99003b4 user: function naming 2019-03-31 15:16:24 +02:00
Robert Swiecki
7b8da74e9f configs/firefox-with-cloned-net: add fontconfig config envvars 2019-03-30 16:20:04 +01:00
Robert Swiecki
8b339db721 configs/firefox: add fontconfig config envvars 2019-03-30 16:19:30 +01:00
Robert Swiecki
2b1bad6b5b cmdline: allow to override config cmdline with cmdline cmdline 2019-03-30 16:10:14 +01:00
Robert Swiecki
e3db427f0b configs/conver: revert the last one to properly figure it out 2019-03-30 15:49:18 +01:00
robertswiecki
e9d380e21f
Merge pull request #114 from disconnect3d/patch-1 
Fixes issue #113
 2019-03-30 15:45:04 +01:00
Disconnect3d
e6abcae13b
Fixes issue #113 2019-03-29 23:48:56 +01:00
Robert Swiecki
3a69090a89 nsjail: remove warning about CLONE_NEWUSER 2019-03-29 21:42:05 +01:00
Robert Swiecki
a2dacef5d7 allow to use nsjail w/o namespaces 2019-03-29 21:38:14 +01:00
Robert Swiecki
331f2bcd74 mnt: try /run/user/<uid>/nsjail as a root mount dir first 2019-03-28 23:25:15 +01:00
Robert Swiecki
9fe225dbe2 mnt: use /run/usr/<uid> first when mounting dirs 2019-03-18 16:37:04 +01:00
Robert Swiecki
8059747016 subproc: save/restore errno when printing error message twice 2019-03-12 17:07:24 +01:00
Robert Swiecki
46f463a62c flush stdin after nsjail ends 2019-03-10 15:00:45 +01:00
robertswiecki
f80318fe2c
Merge pull request #109 from disconnect3d/fix-cgroup-cpu-mount-option 
Fix #108 - missing cgroup_cpu_mount option setting
 2019-03-06 08:18:35 +01:00
disconnect3d
de872dc6b8 Fix #108 - missing cgroup_cpu_mount option setting 2019-03-05 16:41:38 -06:00
robertswiecki
86f0f088ae
Merge pull request #107 from adamcarheden/tomcat 
Added example config for tomcat
 2019-03-01 16:48:18 +01:00
Adam Carheden
6f7a3fb8e9 Added example config for tomcat 2019-02-27 14:11:49 -07:00
Robert Swiecki
9b8d91bd7f incrase the default RLIMIT_AS limit to 4GiB. 512MiB is not enough for many payloas, and cgroups should be used for memory limiting anyway 2019-02-06 17:06:42 +01:00
robertswiecki
5b374bbf8c
Merge pull request #104 from adamcarheden/libnl-dep 
Fixed missing dependency on libnl-route-3-dev
 2019-01-29 21:04:25 +01:00
Adam Carheden
7969e2b2aa Fixed missing dependency on libnl-route-3-dev 2019-01-29 09:48:35 -07:00
Robert Swiecki
9782f7bb39 util: call ::syscall for syscall() 2019-01-21 22:42:34 +01:00
Robert Swiecki
061e32839f use util::syscall whenever possible 2019-01-21 22:37:30 +01:00
Robert Swiecki
681fce1cc4 util: introduce syscall to avoid vararg argument parsing 2019-01-21 22:25:37 +01:00
Robert Swiecki
d1151ea4bd contain: log formatting 2019-01-21 20:03:17 +01:00
Robert Swiecki
fafef711ad configs/xorg: add /dev/[u]random 2019-01-20 21:41:10 +01:00
Robert Swiecki
91b81f4e7a cmdline: more bried debug output 2019-01-20 18:43:42 +01:00
Robert Swiecki
1619efd2a9 log: don't print description of level with HELP/HELP_BOLD 2019-01-20 18:41:44 +01:00
Robert Swiecki
83fc152d7c Make netlink3-route mandatory 2019-01-20 18:37:47 +01:00
happyCoder92
c7a313123b
Merge pull request #103 from remexre/master 
Fixes typo in manpage.
 2019-01-09 14:01:16 +01:00
Nathan Ringo
d1d61fc837
Fixes typo in manpage. 2019-01-09 00:24:34 -10:00
happyCoder92
bc18f0ef0f
Merge pull request #102 from jvvv/master 
README.md: update cgroup_cpu_ms_per_sec
 2019-01-07 14:39:57 +01:00
Robert Swiecki
f2fc5a9406 open might return EINTR 2019-01-06 00:03:36 +01:00
Robert Swiecki
48f67f131a subproc: PLOG -> LOG 2019-01-04 01:41:26 +01:00
Robert Swiecki
6a4315f318 More of RETURN_ON_FAILURE 2019-01-01 11:36:02 +01:00
John Vogel
a6e069f514 README.md: update cgroup_cpu_ms_per_sec 2018-12-22 01:03:34 -05:00
Robert Swiecki
6a4f5c110b make indent 2018-12-17 08:46:31 +01:00
Robert Swiecki
28092c45ce logs: va_end() used too early 2018-12-16 14:22:01 +01:00
Robert Swiecki
451f064851 logs: avoid multiple syscall(__NR_write) in logs 2018-12-16 11:55:33 +01:00
Robert Swiecki
40083ed115 logs: use anonymous struct 2018-12-16 07:47:22 +01:00