Robert Swiecki
|
bd0c3fea69
|
sandbox: move to C++
|
2018-02-09 17:16:41 +01:00 |
|
Robert Swiecki
|
21e1495c24
|
contain: move to C++
|
2018-02-09 17:09:58 +01:00 |
|
Robert Swiecki
|
a2daa94722
|
subproc: move to C++
|
2018-02-09 17:03:02 +01:00 |
|
Robert Swiecki
|
840b75025c
|
cmdline: move to C++
|
2018-02-09 15:44:29 +01:00 |
|
Robert Swiecki
|
0a311af2ad
|
nsjail: make nsjail.c nsjail.cc
|
2018-02-08 15:24:17 +01:00 |
|
Robert Swiecki
|
750cf04916
|
Merge branch 'master' of github.com:google/nsjail
|
2018-02-08 15:23:26 +01:00 |
|
Robert Swiecki
|
d7cb58e280
|
Add missing O_RDONLY here and there
|
2018-02-08 15:23:15 +01:00 |
|
Robert Swiecki
|
30e84f7add
|
cgroup: set cpu period as well
|
2018-02-04 04:23:45 +01:00 |
|
Robert Swiecki
|
3ee825c4aa
|
cgroups: add support for CPU cgroup
|
2018-02-04 04:15:19 +01:00 |
|
Robert Swiecki
|
19ea0703f2
|
sandbox: compile seccomp-bpf policy once only
|
2018-02-01 14:19:01 +01:00 |
|
Robert Swiecki
|
354c5ae47b
|
open kafel file in each kafel subproc individually to avoid file pos sharing
|
2018-01-31 16:04:39 +01:00 |
|
Robert Swiecki
|
6e63fd4115
|
rewind kafel file before using
|
2018-01-31 14:40:23 +01:00 |
|
robertswiecki
|
b60d38557d
|
Merge pull request #72 from rutsky/fix_tmpfs_size
fix tmpfs size setting
|
2018-01-08 02:50:30 +01:00 |
|
Vladimir Rutsky
|
f8a8506996
|
fix tmpfs size setting
Broken since c35857cff2 commit.
Signed-off-by: Vladimir Rutsky <rutsky@google.com>
|
2018-01-08 02:02:19 +01:00 |
|
robertswiecki
|
6e3993b9ca
|
Merge pull request #68 from rutsky/fix_mode_in_error_messages
fix permission values in error messages
|
2018-01-02 22:55:42 +01:00 |
|
Vladimir Rutsky
|
87c19b803f
|
fix permission values in error messages
Signed-off-by: Vladimir Rutsky <rutsky@google.com>
|
2018-01-02 22:43:45 +01:00 |
|
robertswiecki
|
f7c4e4b13d
|
Merge pull request #67 from maxmati/master
Remove redundant check if UTS namespace is enabled
|
2017-12-20 22:32:47 +01:00 |
|
Mateusz Nowotyński
|
600f7fcc89
|
Remove redundant check if UTS namespace is enabled
|
2017-12-20 19:56:44 +01:00 |
|
Robert Swiecki
|
b7b6faf5df
|
new kafel
|
2017-12-18 02:04:44 +01:00 |
|
robertswiecki
|
a92461042c
|
Merge pull request #66 from kant/patch-1
Minor fixes (proposal)
|
2017-12-09 14:13:11 +01:00 |
|
Darío Hereñú
|
2eaa979b5a
|
Minor fixes (proposal)
|
2017-12-09 09:05:37 -03:00 |
|
Robert Swiecki
|
e55ab672c2
|
configs: use rlimit_cpu_type instead of rlimit_cpu: 18446744073709551615
|
2017-12-07 15:35:52 +01:00 |
|
Robert Swiecki
|
f31d539e72
|
configs/ #typos
|
2017-12-07 15:06:31 +01:00 |
|
Robert Swiecki
|
928e5344f1
|
New config for xchat2 #typos
|
2017-12-07 15:03:23 +01:00 |
|
Robert Swiecki
|
86b6789bed
|
New config for xchat2
|
2017-12-07 14:39:19 +01:00 |
|
Robert Swiecki
|
750d37aefd
|
configs/firefox*: add fontconfig
|
2017-12-05 22:23:48 +01:00 |
|
Robert Swiecki
|
8fe58806f2
|
configs/imagemagick: more syscalls allowed
|
2017-12-05 22:13:00 +01:00 |
|
Robert Swiecki
|
af7bfc16aa
|
config.cc: set exec_file only if arg0 is set
|
2017-12-05 15:44:53 +01:00 |
|
Robert Swiecki
|
5c8397860c
|
configs: some fixes thanks to the write-up at https://offbyinfinity.com/2017/12/sandboxing-imagemagick-with-nsjail/
|
2017-12-05 15:01:27 +01:00 |
|
Robert Swiecki
|
e8e2f4b011
|
user: correct check for getpwnam/gegrpnam failures
|
2017-12-02 02:53:32 +01:00 |
|
Robert Swiecki
|
dd0b51eded
|
remove _NSConcreteStackBlock as we don't use defer{} any more
|
2017-11-20 17:03:06 +01:00 |
|
Robert Swiecki
|
d7bcad2076
|
nsjail.h: different if guards for TEMP_FAILURE_RETRY
|
2017-11-08 17:20:57 +01:00 |
|
robertswiecki
|
26d0a278c6
|
Merge pull request #64 from ebadi/master
Minor fixes
|
2017-11-08 17:16:53 +01:00 |
|
Hamid Ebadi
|
be8fb2ad73
|
Minor fixes
|
2017-11-08 16:45:02 +01:00 |
|
robertswiecki
|
9b6759f1a1
|
Merge pull request #63 from ShikChen/master
Fix max_conns_per_ip
|
2017-11-04 17:52:59 +01:00 |
|
shik
|
9e355cbcfc
|
fix max_conns_per_ip
|
2017-11-04 22:15:31 +08:00 |
|
Robert Swiecki
|
a07ee95595
|
cmdline: comment on skip_setsid
|
2017-11-02 13:13:07 +01:00 |
|
Robert Swiecki
|
e2f96f6019
|
config.proto: comment on skip_setsid
|
2017-11-02 13:08:08 +01:00 |
|
Robert Swiecki
|
6dec393fb2
|
subproc: actually si_syscall don't show syscalls
|
2017-11-01 14:21:50 +01:00 |
|
robertswiecki
|
27c05b367f
|
Merge pull request #61 from jvvv/master
Adjust documents for clone_newcgroup change.
|
2017-10-28 23:36:02 +02:00 |
|
John Vogel
|
8f39ec5436
|
Adjust documents for clone_newcgroup change.
Change --enable_clone_newcgroup to --disable_clone_newcgroup.
Add comment about kernel version for clone_newcgroup option.
|
2017-10-27 00:33:07 -04:00 |
|
Robert Swiecki
|
ca705b4fea
|
Makefile: remove relro,now as it doesn't allow to compile under some archs
|
2017-10-27 01:53:05 +02:00 |
|
Robert Swiecki
|
55c35f380f
|
mount: add info about mounting /proc
|
2017-10-26 23:00:15 +02:00 |
|
Robert Swiecki
|
a3c00c7321
|
subproc: reflow comments
|
2017-10-26 22:57:14 +02:00 |
|
Robert Swiecki
|
a87cd58bee
|
cmdline/config: make --enable_clone_newcgroup obsolete by enabling CLONE_NEWCGROUP by default. This can be disabled by flags/config #2
|
2017-10-26 16:19:30 +02:00 |
|
Robert Swiecki
|
3734b8801f
|
cmdline/config: make --enable_clone_newcgroup obsolete by enabling CLONE_NEWCGROUP by default. This can be disabled by flags/config
|
2017-10-26 16:16:05 +02:00 |
|
Robert Swiecki
|
805ceb4363
|
configs/ increas rlimit_nofile for firefox
|
2017-10-26 02:43:40 +02:00 |
|
Robert Swiecki
|
c04ca63190
|
mount: const'antize the mountPair struct
|
2017-10-26 02:29:15 +02:00 |
|
Robert Swiecki
|
2ab64972fd
|
mount: an array of known mount/vfsmount flag pairs
|
2017-10-26 02:27:18 +02:00 |
|
Robert Swiecki
|
91991fc75e
|
mount: don't reuse flags from statvfs directly for remounting
|
2017-10-26 02:17:52 +02:00 |
|