Robert Swiecki
69783dc200
config: max_cpu_num -> max_cpus
2017-06-21 17:52:16 +02:00
Robert Swiecki
0e7393cccf
cmdline: implement affinity setting, to limit jailed process to n max cpus
2017-06-19 17:01:50 +02:00
Robert Swiecki
1dd3223b74
iface -> iface_vs
2017-06-12 22:20:21 +02:00
Tony Young
c55dc8cb12
Add an extra log_fd argument to specify an FD to log to.
In some situations, setting --log to /proc/self/fd/# is not sufficient to log out to a different FD. For instance, if a master process passes its stderr to the child nsjail process as fd 3, the nsjail child may not always be able to log to /proc/self/fd/3, e.g. if the master process is running under systemd, whose /proc/self/fd/2 is actually a socket and not a pipe. However, having nsjail write to fd 3 directly is fine and there's no other good way to handle this situation.
2017-06-11 22:12:18 +00:00
Tony Young
d0261d281d
Add an --exec_file argument to allow argv[0] to differ from the binary being exec'd.
2017-06-09 00:00:12 +00:00
Robert Swiecki
0271586e81
Get rid of pivot_root_only - achieve the same in different way
2017-05-29 03:11:32 +02:00
Robert Swiecki
7b2fc9cdac
add configs/firefox-with-cloned-net.cfg
2017-05-28 16:56:16 +02:00
Robert Swiecki
d7ccf0c9d8
Simplify uids/gids maps
2017-05-28 01:05:27 +02:00
Robert Swiecki
ec50c1346d
mount: nonmandatory mounts
2017-05-27 15:17:11 +02:00
Robert Swiecki
53f825115f
More work on uid mappings
2017-05-26 23:26:07 +02:00
Robert Swiecki
4eaa6cc9d3
Rewrite uid mapping system
2017-05-26 23:07:47 +02:00
Robert Swiecki
08de9db57c
config: more options in the config #4
2017-05-26 14:08:09 +02:00
Robert Swiecki
92939c754e
config: more options in the config #3
2017-05-26 05:12:01 +02:00
Robert Swiecki
c1165cf120
mount: simplify checking for whether source is dir or file
2017-05-24 14:46:44 +02:00
Robert Swiecki
cc5d4b65c9
cgroups: support for PIDs
2017-04-20 17:48:20 +02:00
Robert Swiecki
478d2b3789
cmdline: provide both -v/verbose and -q/quiet for logging
2017-02-14 21:54:02 +01:00
Robert Swiecki
719585ee5a
common: good types for uids
2017-02-08 23:21:03 +01:00
Robert Swiecki
4a154733e0
Allow to specify multiple uid/gid maps
2017-02-08 00:36:32 +01:00
Robert Swiecki
c9847562dd
Less use of USE_KAFEL
2016-10-17 18:17:08 +02:00
Robert Swiecki
950c91e4dd
Allow to use kafel_string
2016-10-12 03:52:08 +02:00
Robert Swiecki
df38185c6f
Slight rework of kafel use
2016-10-12 03:15:33 +02:00
Stephen Röttger
f4d43e3336
New option pivot_root_only to support nested namespaces
If pivot_root_only is set the chroot in the job setup will be skipped.
2016-09-30 16:30:59 +02:00
robertswiecki
f995ff9475
Merge pull request #9 from sroettger/newuidmap
Support more complex uid and gid mappings
2016-09-30 16:03:33 +02:00
Stephen Röttger
1c950391a1
Support more complex uid and gid mappings
Introduces the new options uid_mapping and gid_mapping that specify
arbitrary custom mappings. If these options are used, nsjail will
use newuidmap/newgidmap to write the map files.
2016-09-30 15:30:15 +02:00
robertswiecki
8a63a24981
Merge pull request #8 from sroettger/no_no_new_privs
new flag to skip no_new_privs: --disable_no_new_privs
2016-09-30 15:27:07 +02:00
Stephen Röttger
6501357f98
new flag to skip no_new_privs: --disable_no_new_privs
2016-09-30 15:23:04 +02:00
Wiktor Garbacz
551ed4ca05
Kafel support
2016-09-29 16:22:09 +02:00
Robert Swiecki
1dc33c7bcf
Remove defer{} calls
2016-07-29 15:38:22 +02:00
Robert Swiecki
432c82bb34
Make it a bit more standards friendly
2016-07-21 15:48:47 +02:00
Robert Swiecki
8a501f4ad6
Conflicting enum types
2016-07-21 15:34:46 +02:00
Jagger
c93d926189
Create sub-cgroups instead of using the parent one
2016-06-19 14:58:18 +02:00
Jagger
e3a351b335
More memory cgroup controls
2016-06-19 13:54:36 +02:00
Jagger
a1f0ec7925
Support for CLONE_NEWCGROUP
2016-06-19 11:55:55 +02:00
Jagger
86ddf16279
Implement --pass_fd
2016-06-18 00:46:57 +02:00
Jagger
73c847fc98
Print /proc/<pid>/syscall upon SIGSYS
2016-05-08 03:09:43 +02:00
Jagger
57a523dd08
Use defer {} instead of DEFER()
2016-04-23 04:22:31 +02:00
Jagger
eff4796c95
Correct (non-reserved) header guards
2016-03-11 02:45:43 +01:00
Jagger
5bd1bca6dd
Merge
2016-03-10 22:57:08 +01:00
Jagger
4ae2c027ac
Cleaner impl. of DEFER
2016-03-10 22:56:26 +01:00
Robert Swiecki
1d5cccdfce
Cleaner defer implementation
2016-03-10 16:01:16 +01:00
Jagger
410b0f1d51
Fix strmerge
2016-03-08 22:40:29 +01:00
Robert Swiecki
833cf5d2c8
Indent
2016-03-08 18:23:26 +01:00
Robert Swiecki
e561dc6bb1
Implement defer()
2016-03-08 18:22:50 +01:00
Robert Swiecki
4cb1c01938
Default values for 'vs' interface
2016-02-29 15:36:31 +01:00
Jagger
d2f47fff92
Add network configuration for the 'vs' interface
2016-02-29 02:51:55 +01:00
Jagger
43983cbb17
Add --iface_lo_up
2016-02-29 00:14:36 +01:00
Jagger
6218fe2336
Implementation of netSystemSbinIp
2016-02-28 23:40:34 +01:00
Robert Swiecki
9852028522
Implement --bindhost
2016-02-25 18:27:48 +01:00
Robert Swiecki
aebc3dba41
Env variables (setting/clearing)
2016-01-26 17:42:10 +01:00
Robert Swiecki
87829e3f6e
Implement --skip_setsid
2016-01-25 18:09:32 +01:00