Commit Graph

71 Commits

Author SHA1 Message Date
Andrew Haberlandt
12df56b9f1 Setup cgroup.subtree_control controllers when necessary in cgroupsv2
This commit adds extra setup when cgroupsv2 is enabled. In particular,
we make sure that the root namespace has set up cgroup.subtree_control
with the controllers we need.

If the necessary controllers are not listed, we have to move all
processes out of the root namespace before we can change this
(the 'no internal processes' rule:
https://unix.stackexchange.com/a/713343). Currently we only
handle the case where the nsjail process is the only process in
the cgroup. It seems like this would be relatively rare, but since
nsjail is frequently the root process in a Docker container (e.g.
for hosting CTF challenges), I think this case is common enough to
make it worth implementing.

This also adds `--detect_cgroupv2`, which will attempt to detect
whether `--cgroupv2_mount` is a valid cgroupv2 mount, and if so
it will set `use_cgroupv2`. This is useful in containerized
environments where you may not know the kernel version ahead of time.

References:
https://github.com/redpwn/jail/blob/master/internal/cgroup/cgroup2.go
2022-11-17 17:09:40 -05:00
Robert Swiecki
856cb0f2ec When setting CPU affinity, take into consideration the current CPU
affinity set. Use only CPU numbers, which exist in the current affinity
set. Maybe fixes https://github.com/google/nsjail/issues/200
2022-08-04 19:22:33 +02:00
Patrick Steinhardt
df21a972b6 nsjail: Optionally forward fatal signals
Currently, we always kill children by sending them a SIGKILL signal in
case we've got a fatal signal. This is rather inflexible and forbids
some use cases where e.g. child processes listen for specific signals to
shut down gracefully.

Add a new command configuration `--forward_signals` that allows the user
to opt-in to forwarding fatal signals to the child process.
2022-06-05 19:38:32 +02:00
Michał Kowalczyk
16b4416d75 Add disable_tsc option
Implemented via prctl(PR_SET_TSC, PR_TSC_SIGSEGV, ...).
2022-02-17 23:53:13 +01:00
Philip
bf93e8a25d cgroup2: use cgroup_mem_swap_max and cgroup_mem_memsw_max 2021-11-01 10:28:41 +01:00
Johan Kartiwa
29a556068a Add support for setting cgroup memory.memsw.limit_in_bytes 2021-10-11 15:46:36 +02:00
Wiktor Garbacz
4136dd50d8 Merge branch 'use_switchroot' 2021-08-03 17:44:57 +02:00
Eli Zrihen
b83d6f7421 Renaming use_switchroot option with no_pivotroot 2021-07-20 15:45:58 +03:00
Eli Zrihen
0f903ba9a0 Added rt, memlock & msgq limits 2021-07-19 17:21:34 +03:00
Eli Zrihen
dab1713ac9 Added use_switchroot option 2021-06-17 14:57:01 +03:00
Eli Zrihen
5c8b3835b7 MACVLAN modes support 2021-06-16 16:59:12 +03:00
Robert Swiecki
056809ed3b Initial support for CLONE_NEWTIME 2021-05-11 14:48:45 +02:00
Philip Papurt
32f2287fbb net: add support for max_conns 2021-02-09 17:13:35 -05:00
Robert Swiecki
608618ea7b subproc: kill a process once in the -Ml mode once the TCP connection has ended 2020-08-30 22:02:08 +02:00
Wiktor Garbacz
a47123b8a7 fix POLLNVAL in pipeTraffic 2020-02-17 15:57:13 +01:00
Robert Swiecki
2cf562160d nsjail/pid/subproc: a). keep children's PIDs in a map indexed by pid b). correctly fetch remote IPv6 address text 2020-02-16 22:34:19 +01:00
Wiktor Garbacz
273ce6bc84 pipe socket traffic in and out of sandboxee 2020-02-14 17:07:14 +01:00
Jay Lees
86293b052e Add flag to disable rlimits 2019-08-05 03:25:22 -07:00
Jay Lees
08f62b6f76 [cgroup-v2] support cgroup v2 for mem, cpu and pids 2019-07-26 07:02:17 -07:00
Robert Swiecki
494a5f63cd Add nice_level to cmd-line/config options 2019-06-30 21:50:56 +02:00
Robert Swiecki
a2dacef5d7 allow to use nsjail w/o namespaces 2019-03-29 21:38:14 +01:00
Wiktor Garbacz
7fe87b41c7 code formatting 2018-10-24 10:31:14 +02:00
Micky Del Favero
233a7296fe Added --macvlan_vs_ma switch to be able to set macvlan's mac-address.
Signed-off-by: Micky Del Favero <micky@BeeCloudy.net>
2018-10-23 15:05:50 +02:00
Robert Swiecki
5bf23a0e58 cmdline: more stderr_to_null closer to is_silent 2018-06-25 04:10:42 +02:00
Robert Swiecki
272a85477a config: Implement --stderr_to_null 2018-06-25 03:12:27 +02:00
Robert Swiecki
04627982d0 logs: use log file/level immediately 2018-06-07 16:51:50 +02:00
Robert Swiecki
7d57fc81be cmdline: add iface_own to take ownership of one of the global interfaces 2018-05-30 15:26:09 +02:00
Robert Swiecki
b8798fc9a7 use strtoimax when needed 2018-05-26 13:54:17 +02:00
Robert Swiecki
4394fa725e sandbox: add support for SECCOMP_FILTER_FLAG_LOG 2018-05-23 15:32:45 +02:00
Robert Swiecki
864b7fc718 cmdline: remove tmpfs_size from nsjconf_t 2018-02-18 02:47:46 +01:00
Robert Swiecki
dc5e6676a7 nsjail: ignore SIGTTIN/SIGTTOU 2018-02-15 01:33:33 +01:00
Robert Swiecki
8a22a4abb6 convert exec file and argv to string/vector 2018-02-12 16:52:05 +01:00
Robert Swiecki
5a35f00e28 mnt: move mnt_t to std::string 2018-02-11 23:44:43 +01:00
Robert Swiecki
7b9178f5d7 make indent depend 2018-02-11 04:02:43 +01:00
Robert Swiecki
d875f23ae0 cgroup: switch const char* to std::string 2018-02-11 03:39:07 +01:00
Robert Swiecki
55e8e09c4a net: convert net::connToText to std::string 2018-02-11 00:17:44 +01:00
Robert Swiecki
7a55ffb3a6 sandbox: convert kafel file/string as std::string 2018-02-10 23:46:15 +01:00
Robert Swiecki
de3f1371f0 convert proc_path to std::string 2018-02-10 20:16:17 +01:00
Robert Swiecki
b691b8796c nsjail: iface_no_lo -> iface_lo 2018-02-10 18:22:51 +01:00
Robert Swiecki
7bddb40d87 net: move all iface_vs* options from char* to std::string 2018-02-10 18:18:40 +01:00
Robert Swiecki
97278f191b log: rename log to logs due to clash with glibc's log 2018-02-10 17:49:15 +01:00
Robert Swiecki
ecd4c32d9a mnt: replace sys/queue with std::vector 2018-02-10 14:38:01 +01:00
Robert Swiecki
1761ed4fdc move common.h to macros.h 2018-02-10 05:25:55 +01:00
Robert Swiecki
381e6a1af7 nsjail: move pids queue to a vector 2018-02-10 05:13:25 +01:00
Robert Swiecki
c34b52ab78 nsjail: convert a couple of struct fields to std::string 2018-02-10 04:10:18 +01:00
Robert Swiecki
93005ef03d nsjail: convert gids/uids to vector of structs 2018-02-10 00:37:23 +01:00
Robert Swiecki
9399373ee7 nsjail: envs to vector of strings 2018-02-09 23:04:57 +01:00
Robert Swiecki
63eb13ecde nsjail: move openfd from queue to vector 2018-02-09 22:47:00 +01:00
Robert Swiecki
d1d310e70f nsjail: convert caps from queue to vector 2018-02-09 22:35:33 +01:00
Robert Swiecki
7f72cbd497 all: move to C++ 2018-02-09 18:55:42 +01:00