Robert Swiecki
63e4059f7a
Slight fixes to log_fd
2017-06-12 00:27:27 +02:00
Tony Young
c55dc8cb12
Add an extra log_fd argument to specify an FD to log to.
...
In some situations, setting --log to /proc/self/fd/# is not sufficient to log out to a different FD. For instance, if a master process passes its stderr to the child nsjail process as fd 3, the nsjail child may not always be able to log to /proc/self/fd/3, e.g. if the master process is running under systemd, whose /proc/self/fd/2 is actually a socket and not a pipe. However, having nsjail write to fd 3 directly is fine and there's no other good way to handle this situation.
2017-06-11 22:12:18 +00:00
Tony Young
d0261d281d
Add an --exec_file argument to allow argv[0] to differ from the binary being exec'd.
2017-06-09 00:00:12 +00:00
Robert Swiecki
9519f1038b
mount: introduce mountDescribeMountPt
2017-05-29 16:52:24 +02:00
Robert Swiecki
0271586e81
Get rid of pivot_root_only - achieve the same in different way
2017-05-29 03:11:32 +02:00
Robert Swiecki
7b2fc9cdac
add configs/firefox-with-cloned-net.cfg
2017-05-28 16:56:16 +02:00
Robert Swiecki
d7ccf0c9d8
Simplify uids/gids maps
2017-05-28 01:05:27 +02:00
Robert Swiecki
ed72ce3762
cmdline: avoid using %s with nullptr
2017-05-27 17:40:30 +02:00
Robert Swiecki
ec50c1346d
mount: nonmandatory mounts
2017-05-27 15:17:11 +02:00
Robert Swiecki
f0cb243a89
config: allow skipping arguments in mount points
2017-05-27 15:01:34 +02:00
Robert Swiecki
03e8578e79
config: executable in config
2017-05-27 02:24:41 +02:00
Robert Swiecki
53f825115f
More work on uid mappings
2017-05-26 23:26:07 +02:00
Robert Swiecki
4eaa6cc9d3
Rewrite uid mapping system
2017-05-26 23:07:47 +02:00
Robert Swiecki
8e39afa25f
config: more options in the config #5
2017-05-26 15:22:59 +02:00
Robert Swiecki
08de9db57c
config: more options in the config #4
2017-05-26 14:08:09 +02:00
Robert Swiecki
92939c754e
config: more options in the config #3
2017-05-26 05:12:01 +02:00
Robert Swiecki
1bf794f492
config: add basic config support
2017-05-26 01:44:16 +02:00
Robert Swiecki
591188910e
cmdline/mount: use 'none' as src for tmpfs/proc
2017-05-24 17:09:24 +02:00
Robert Swiecki
c1165cf120
mount: simplify checking for whether source is dir or file
2017-05-24 14:46:44 +02:00
Robert Swiecki
054c4a3b4b
Merge branch 'master' of github.com:google/nsjail
2017-05-24 14:32:45 +02:00
Robert Swiecki
9c4c278021
Warn about uid/gid 0
2017-05-24 14:32:39 +02:00
Robert Swiecki
0d5befbd6f
TLS semantics for subprocCloneFlagsToStr and mountFlagsToStr
2017-05-22 01:10:49 +02:00
Robert Swiecki
525ba9e2dd
Convert mount flags to str
2017-05-21 17:37:18 +02:00
Serge Bazanski
00f7944718
Merge branch 'master' of github.com:google/nsjail into deprecate-iface-flag-names
2017-05-11 16:18:07 +01:00
Serge Bazanski
3b05a70b6b
Deprecate current iface/macvlan options.
...
This is in preparation for other networking models. The current option
names were very generic, and without namespacing them we could end up
with some very confusing naming.
Also some miscellaneous indentation fixes.
2017-05-11 15:17:54 +01:00
Robert Swiecki
e0ffb55b04
cmdline: examples for --iface_cs
2017-05-11 15:33:15 +02:00
Robert Swiecki
cf163807db
Kafel: wrong check
2017-05-08 15:53:43 +02:00
Robert Swiecki
d9cb28b97d
Use kafel unconditionally
2017-05-08 15:50:29 +02:00
Robert Swiecki
6596adb5e2
cmdline: 'i'
2017-05-07 21:10:39 +02:00
Robert Swiecki
ec765851f4
apply --rw to /proc as well
2017-04-22 23:54:33 +02:00
Robert Swiecki
cc5d4b65c9
cgroups: support for PIDs
2017-04-20 17:48:20 +02:00
Sam Clegg
74010d0c45
Exit with non-zero status on bad command line option
2017-02-15 17:23:55 -08:00
Robert Swiecki
478d2b3789
cmdline: provide both -v/verbose and -q/quiet for logging
2017-02-14 21:54:02 +01:00
Robert Swiecki
9f832aa35a
Uid/Gid fix
2017-02-08 00:42:23 +01:00
Robert Swiecki
4a154733e0
Allow to specify multiple uid/gid maps
2017-02-08 00:36:32 +01:00
Robert Swiecki
a0cc72aa5c
cmdline: typo
2017-01-28 14:25:09 +01:00
Robert Swiecki
c9847562dd
Less use of USE_KAFEL
2016-10-17 18:17:08 +02:00
Robert Swiecki
238df2ed87
Missing USE_KAFEL defines
2016-10-17 18:09:05 +02:00
Robert Swiecki
950c91e4dd
Allow to use kafel_string
2016-10-12 03:52:08 +02:00
Robert Swiecki
df38185c6f
Slight rework of kafel use
2016-10-12 03:15:33 +02:00
Robert Swiecki
a30e2f107c
Make indent
2016-10-12 00:59:10 +02:00
Stephen Röttger
f4d43e3336
New option pivot_root_only to support nested namespaces
...
If pivot_root_only is setthe chroot in the job setup will be skipped.
2016-09-30 16:30:59 +02:00
robertswiecki
f995ff9475
Merge pull request #9 from sroettger/newuidmap
...
Support more complex uid and gid mappings
2016-09-30 16:03:33 +02:00
Stephen Röttger
1c950391a1
Support more complex uid and gid mappings
...
Introduces the new options uid_mapping and gid_mapping that specify
arbitrary custom mappings. If these options are used, nsjail will
use newuidmap/newgidmap to write the map files.
2016-09-30 15:30:15 +02:00
robertswiecki
8a63a24981
Merge pull request #8 from sroettger/no_no_new_privs
...
new flag to skip no_new_privs: --disable_no_new_privs
2016-09-30 15:27:07 +02:00
Stephen Röttger
6501357f98
new flag to skip no_new_privs: --disable_no_new_privs
2016-09-30 15:23:04 +02:00
Jagger
06e353a8e1
seccomp_policy cmdline
2016-09-30 11:57:11 +02:00
Wiktor Garbacz
551ed4ca05
Kafel support
2016-09-29 16:22:09 +02:00
Jagger
1d9b33b06b
Make MODE_STANDALONE_ONCE the default mode
2016-08-18 21:31:07 +02:00
Jagger
a00f5a6424
Dont mount /proc as RO
2016-08-16 22:42:15 +02:00
Jagger
88ce7d240a
Default chroot is empty now
2016-08-16 22:07:44 +02:00
Robert Swiecki
432c82bb34
Make it a bit more standards friendly
2016-07-21 15:48:47 +02:00
Jagger
1a9de4ef91
cmdline help
2016-06-19 19:21:45 +02:00
Jagger
3e91d44145
Use cgroups_mem_max to enable memory limits
2016-06-19 18:12:15 +02:00
Jagger
827e1a4e7d
Init cgroups from parent
2016-06-19 15:50:25 +02:00
Jagger
c93d926189
Create sub-cgroups instead of using the parent one
2016-06-19 14:58:18 +02:00
Jagger
e3a351b335
More memory cgroup controls
2016-06-19 13:54:36 +02:00
Jagger
a1f0ec7925
Support for CLONE_NEWCGROUP
2016-06-19 11:55:55 +02:00
Jagger
df97c0fe74
Use NULL as src for mounting proc and tmpfs
2016-06-19 01:35:06 +02:00
Jagger
2e523ae4b8
/proc is ro by defauly
2016-06-19 01:05:31 +02:00
Jagger
53d8e16a01
cmdline typos
2016-06-18 01:24:57 +02:00
Jagger
86ddf16279
Implement --pass_fd
2016-06-18 00:46:57 +02:00
Robert Swiecki
0339d0497f
Description for -Me
2016-05-10 15:54:10 +02:00
Jagger
19c9598631
Use examples
2016-05-10 00:54:25 +02:00
Jagger
99ca4c5df2
isprint misbehaves with some glibc versions
2016-05-05 03:53:53 +02:00
Jagger
8f68fab29c
--bindhost help
2016-03-11 02:57:02 +01:00
Jagger
75f96e4ca8
cmdline: [val] -> VALUE
2016-03-10 01:33:58 +01:00
Jagger
a71371e327
Check for gcc in Makefile
2016-03-09 00:56:20 +01:00
Jagger
22f6e31e89
Make nsjconf initialization from const struct
2016-03-02 02:35:38 +01:00
Jagger
e35b345163
Support for --chroot ""
2016-03-02 02:30:30 +01:00
Robert Swiecki
b89b8cfbc7
Fix common.h includes
2016-03-01 17:03:11 +01:00
Robert Swiecki
cc987ec775
Add locked mount flags during remounting
2016-03-01 15:36:32 +01:00
Jagger
6c5c80256d
Make valgrind silent
2016-02-29 22:22:03 +01:00
Robert Swiecki
296ef302e4
Better cmdline descriptions
2016-02-29 20:20:38 +01:00
Robert Swiecki
af6a6bb2dc
Don't initialize the 'vs' interface by default
2016-02-29 17:50:25 +01:00
Robert Swiecki
872a561b4c
Better description for --user / --group
2016-02-29 15:47:33 +01:00
Robert Swiecki
4cb1c01938
Default values for 'vs' interface
2016-02-29 15:36:31 +01:00
Jagger
e4ac7f411c
Default net values for 'vs'
2016-02-29 02:59:59 +01:00
Jagger
d2f47fff92
Add network configuration for the 'vs' interface
2016-02-29 02:51:55 +01:00
Jagger
43983cbb17
Add --iface_lo_up
2016-02-29 00:14:36 +01:00
Jagger
6218fe2336
Implementation of netSystemSbinIp
2016-02-28 23:40:34 +01:00
Jagger
8d641169e3
Initialize user/group maps from the parent process
2016-02-28 02:34:43 +01:00
Jagger
ad4b0105a7
No need to add (default:none) in cmdline
2016-02-28 01:52:09 +01:00
Robert Swiecki
be639261b5
Automatically create destination dir for 'proc' and 'tmpfs' mounts
2016-02-25 18:45:23 +01:00
Robert Swiecki
9852028522
Implement --bindhost
2016-02-25 18:27:48 +01:00
Robert Swiecki
5b78d31f3f
Remove (disable: false) from cmdline.c as it's obvious
2016-02-16 18:56:52 +01:00
Robert Swiecki
aebc3dba41
Env variables (setting/clearing)
2016-01-26 17:42:10 +01:00
Jagger
fd98f4009e
Default re-chroot to '/'
2016-01-25 22:27:06 +01:00
Robert Swiecki
87829e3f6e
Implement --skip_setsid
2016-01-25 18:09:32 +01:00
Jagger
d36deb5d0d
Use --user x:y notation (not working yet)
2016-01-23 07:05:24 +01:00
Jagger
24af1c6d98
Introduce util.c
2016-01-17 04:14:09 +01:00
Robert Swiecki
307a6f0257
Create a file/dir inside jail beforemounting
2016-01-14 15:44:29 +01:00
Robert Swiecki
42efeb6073
Add --cmd
2016-01-14 15:26:18 +01:00
Jagger
dcd80af9bc
Revert of .chroot = NULL
2016-01-09 16:11:31 +01:00
Jagger
2765e58c4e
Use TAILQ instead of LIST to insert new mount entries at the end
2016-01-09 16:09:05 +01:00
Jamy Timmermans
93abc40dde
Add a cwd
option
...
This way the process being spawned can be in a directory if the
spawner’s choosing (as ling as it’s available in the chroot)
2015-11-07 13:01:44 +01:00
Jagger
5f5e496179
Make it compile with -m32
2015-10-18 20:47:44 +02:00
Jagger
49faea78b0
Use 0x%tx for uintptr_t
2015-10-17 19:14:57 +02:00
Jagger
59cedfe10f
Use just a single list for mount-points (RO, RW, chroot)
2015-10-17 16:48:30 +02:00
Robert Swiecki
5202a7fc07
Use rlimit64
2015-10-13 19:06:59 +02:00