woj/nsjail
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
504 Commits 2 Branches 0 Tags 1.5 MiB
69783dc200
Commit Graph

64 Commits

Author SHA1 Message Date
Robert Swiecki
69783dc200 config: max_cpu_num -> max_cpus 2017-06-21 17:52:16 +02:00
Robert Swiecki
0e7393cccf cmdline: implement affinity setting, to limit jailed process to n max cpus 2017-06-19 17:01:50 +02:00
Robert Swiecki
1dd3223b74 iface -> iface_vs 2017-06-12 22:20:21 +02:00
Tony Young
c55dc8cb12 Add an extra log_fd argument to specify an FD to log to. 
In some situations, setting --log to /proc/self/fd/# is not sufficient to log out to a different FD. For instance, if a master process passes its stderr to the child nsjail process as fd 3, the nsjail child may not always be able to log to /proc/self/fd/3, e.g. if the master process is running under systemd, whose /proc/self/fd/2 is actually a socket and not a pipe. However, having nsjail write to fd 3 directly is fine and there's no other good way to handle this situation.
 2017-06-11 22:12:18 +00:00
Tony Young
d0261d281d Add an --exec_file argument to allow argv[0] to differ from the binary being exec'd. 2017-06-09 00:00:12 +00:00
Robert Swiecki
0271586e81 Get rid of pivot_root_only - achieve the same in different way 2017-05-29 03:11:32 +02:00
Robert Swiecki
7b2fc9cdac add configs/firefox-with-cloned-net.cfg 2017-05-28 16:56:16 +02:00
Robert Swiecki
d7ccf0c9d8 Simplify uids/gids maps 2017-05-28 01:05:27 +02:00
Robert Swiecki
ec50c1346d mount: nonmandatory mounts 2017-05-27 15:17:11 +02:00
Robert Swiecki
53f825115f More work on uid mappings 2017-05-26 23:26:07 +02:00
Robert Swiecki
4eaa6cc9d3 Rewrite uid mapping system 2017-05-26 23:07:47 +02:00
Robert Swiecki
08de9db57c config: more options in the config #4 2017-05-26 14:08:09 +02:00
Robert Swiecki
92939c754e config: more options in the config #3 2017-05-26 05:12:01 +02:00
Robert Swiecki
c1165cf120 mount: simplify checking for whether source is dir or file 2017-05-24 14:46:44 +02:00
Robert Swiecki
cc5d4b65c9 cgroups: support for PIDs 2017-04-20 17:48:20 +02:00
Robert Swiecki
478d2b3789 cmdline: provide both -v/verbose and -q/quiet for logging 2017-02-14 21:54:02 +01:00
Robert Swiecki
719585ee5a common: good types for uids 2017-02-08 23:21:03 +01:00
Robert Swiecki
4a154733e0 Allow to specify multiple uid/gid maps 2017-02-08 00:36:32 +01:00
Robert Swiecki
c9847562dd Less use of USE_KAFEL 2016-10-17 18:17:08 +02:00
Robert Swiecki
950c91e4dd Allow to use kafel_string 2016-10-12 03:52:08 +02:00
Robert Swiecki
df38185c6f Slight rework of kafel use 2016-10-12 03:15:33 +02:00
Stephen Röttger
f4d43e3336 New option pivot_root_only to support nested namespaces 
If pivot_root_only is setthe chroot in the job setup will be skipped.
 2016-09-30 16:30:59 +02:00
robertswiecki
f995ff9475 Merge pull request #9 from sroettger/newuidmap 
Support more complex uid and gid mappings
 2016-09-30 16:03:33 +02:00
Stephen Röttger
1c950391a1 Support more complex uid and gid mappings 
Introduces the new options uid_mapping and gid_mapping that specify
arbitrary custom mappings. If these options are used, nsjail will
use newuidmap/newgidmap to write the map files.
 2016-09-30 15:30:15 +02:00
robertswiecki
8a63a24981 Merge pull request #8 from sroettger/no_no_new_privs 
new flag to skip no_new_privs: --disable_no_new_privs
 2016-09-30 15:27:07 +02:00
Stephen Röttger
6501357f98 new flag to skip no_new_privs: --disable_no_new_privs 2016-09-30 15:23:04 +02:00
Wiktor Garbacz
551ed4ca05 Kafel support 2016-09-29 16:22:09 +02:00
Robert Swiecki
1dc33c7bcf Remove defer{} calls 2016-07-29 15:38:22 +02:00
Robert Swiecki
432c82bb34 Make it a bit more standards friendly 2016-07-21 15:48:47 +02:00
Robert Swiecki
8a501f4ad6 Conflicting enum types 2016-07-21 15:34:46 +02:00
Jagger
c93d926189 Create sub-cgroups instead of using the parent one 2016-06-19 14:58:18 +02:00
Jagger
e3a351b335 More memory cgroup controls 2016-06-19 13:54:36 +02:00
Jagger
a1f0ec7925 Support for CLONE_NEWCGROUP 2016-06-19 11:55:55 +02:00
Jagger
86ddf16279 Implement --pass_fd 2016-06-18 00:46:57 +02:00
Jagger
73c847fc98 Print /proc/<pid>/syscall upon SIGSYS 2016-05-08 03:09:43 +02:00
Jagger
57a523dd08 Use defer {} instead of DEFER() 2016-04-23 04:22:31 +02:00
Jagger
eff4796c95 Correct (non-resrved) header guards 2016-03-11 02:45:43 +01:00
Jagger
5bd1bca6dd Merge 2016-03-10 22:57:08 +01:00
Jagger
4ae2c027ac Cleaner impl. of DEFER 2016-03-10 22:56:26 +01:00
Robert Swiecki
1d5cccdfce Cleaner defer implementation 2016-03-10 16:01:16 +01:00
Jagger
410b0f1d51 Fix strmerge 2016-03-08 22:40:29 +01:00
Robert Swiecki
833cf5d2c8 Indent 2016-03-08 18:23:26 +01:00
Robert Swiecki
e561dc6bb1 Implement defer() 2016-03-08 18:22:50 +01:00
Robert Swiecki
4cb1c01938 Default values for 'vs' interface 2016-02-29 15:36:31 +01:00
Jagger
d2f47fff92 Add network configuration for the 'vs' interface 2016-02-29 02:51:55 +01:00
Jagger
43983cbb17 Add --iface_lo_up 2016-02-29 00:14:36 +01:00
Jagger
6218fe2336 Implementation of netSystemSbinIp 2016-02-28 23:40:34 +01:00
Robert Swiecki
9852028522 Implement --bindhost 2016-02-25 18:27:48 +01:00
Robert Swiecki
aebc3dba41 Env variables (setting/clearing) 2016-01-26 17:42:10 +01:00
Robert Swiecki
87829e3f6e Implement --skip_setsid 2016-01-25 18:09:32 +01:00