woj/nsjail
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
1,230 Commits 2 Branches 0 Tags 1.5 MiB
98ec95ca85
Commit Graph

39 Commits

Author SHA1 Message Date
Robert Swiecki
94b022fece util: implement rLimName() to use in cmdline/config 2023-10-10 01:23:52 +02:00
Robert Swiecki
f388cad3e0 contain: use prlimit64 instead of setrlimit64 which seems to be glibc-specific, so it compiles with musl too 2023-09-29 18:11:40 +02:00
Robert Swiecki
275de833ba indent: use 'AlignEscapedNewlines: Right' to put backslashed in macros at ends of lines 2023-09-22 16:43:40 +02:00
Robert Swiecki
d1b74c2238 util: put QC() in () 2023-09-22 16:40:56 +02:00
Robert Swiecki
cc4245d23a make indent depend + style of comments 2022-11-22 22:15:01 +01:00
Andrew Haberlandt
12df56b9f1 Setup cgroup.subtree_control controllers when necessary in cgroupsv2 
This commit adds extra setup when cgroupsv2 is enabled. In particular,
we make sure that the root namespace has setup cgroup.subtree_control
with the controllers we need.

If the necessary controller are not listed, we have to move all
processes out of the root namespace before we can change this
(the 'no internal processes' rule:
https://unix.stackexchange.com/a/713343). Currently we only
handle the case where the nsjail process is the only process in
the cgroup. It seems like this would be relatively rare, but since
nsjail is frequently the root process in a Docker container (e.g.
for hosting CTF challenges), I think this case is common enough to
make it worth implementing.

This also adds `--detect_cgroupv2`, which will attempt to detect
whether `--cgroupv2_mount` is a valid cgroupv2 mount, and if so
it will set `use_cgroupv2`. This is useful in containerized
environments where you may not know the kernel version ahead of time.

References:
https://github.com/redpwn/jail/blob/master/internal/cgroup/cgroup2.go
 2022-11-17 17:09:40 -05:00
Robert Swiecki
c63e5b39e8 use QC() across the code 2022-08-10 15:23:53 +02:00
Robert Swiecki
f628f74b00 mnt: quote paths in log messages 2022-08-09 12:06:42 +02:00
Robert Swiecki
681fce1cc4 util: introduce syscall to avoid vararg argument parsing 2019-01-21 22:25:37 +01:00
Vladimir Rutsky
ec0d4174f1 fix writeToFD() return type in declaration 
In 25a7791d return type of writeToFD() was changed from `ssize_t` to `bool`, but header wasn't updated.
 2018-11-25 18:26:52 +01:00
Wiktor Garbacz
26d086f986 cgroup: refactor cgroup code 
Extract common functions, use c++ strings.

Fixes #83
 2018-07-26 14:46:36 +02:00
Robert Swiecki
d6e825ddb3 util: c++ version of sprintf 2018-06-16 02:16:24 +02:00
Robert Swiecki
86b36088cf util: remove unused sSnPrintf 2018-05-24 18:32:01 +02:00
Robert Swiecki
2b6955e48c A few c++isms more 2018-05-23 18:19:17 +02:00
Robert Swiecki
c4a7af980f util: simplify string splitting 2018-02-20 14:16:28 +01:00
Robert Swiecki
f1a6b08962 cmdline: simplify string splitting 2018-02-11 14:56:30 +01:00
Robert Swiecki
b7f0acb021 util: remove unused functions 2018-02-10 23:54:36 +01:00
Robert Swiecki
f2a52533be convert some funcs returning pointers to to TLS to std::string 2018-02-10 21:19:47 +01:00
Robert Swiecki
a6c34999f2 util: move to C++ 2018-02-09 18:45:50 +01:00
Robert Swiecki
0a311af2ad nsjail: make nsjail.c nsjail.cc 2018-02-08 15:24:17 +01:00
Robert Swiecki
152d6d68ae simplify includes, remove unneeded, add needed 2017-10-18 14:46:17 +02:00
Robert Swiecki
74b43346bd make indent 2017-10-08 23:00:45 +02:00
Robert Swiecki
86b71f3d1a util: implement utilTimeToStr 2017-06-21 18:46:19 +02:00
Robert Swiecki
fa2796fe65 util: Implement utilSigName() 2017-06-20 00:16:38 +02:00
Robert Swiecki
0e7393cccf cmdline: implement affinity setting, to limit jailed process to n max cpus 2017-06-19 17:01:50 +02:00
Robert Swiecki
7b2fc9cdac add configs/firefox-with-cloned-net.cfg 2017-05-28 16:56:16 +02:00
Robert Swiecki
f0cb243a89 config: allow skipping arguments in mount points 2017-05-27 15:01:34 +02:00
Robert Swiecki
b5e37a6c4a config: support mounts 2017-05-27 01:16:12 +02:00
Robert Swiecki
4eaa6cc9d3 Rewrite uid mapping system 2017-05-26 23:07:47 +02:00
Robert Swiecki
46526d0873 config: basic parsing 2017-05-26 02:24:36 +02:00
Robert Swiecki
4a154733e0 Allow to specify multiple uid/gid maps 2017-02-08 00:36:32 +01:00
Robert Swiecki
d96f730631 Recursive dir creation 2016-08-18 18:59:06 +02:00
Jagger
73c847fc98 Print /proc/<pid>/syscall upon SIGSYS 2016-05-08 03:09:43 +02:00
Jagger
eff4796c95 Correct (non-resrved) header guards 2016-03-11 02:45:43 +01:00
Robert Swiecki
b89b8cfbc7 Fix common.h includes 2016-03-01 17:03:11 +01:00
Jagger
8d641169e3 Initialize user/group maps from the parent process 2016-02-28 02:34:43 +01:00
Robert Swiecki
0ac43cddf0 No need to include log.h in util.h 2016-01-20 18:05:42 +01:00
Robert Swiecki
4f90b612d0 correct guard macro comment 2016-01-20 18:00:13 +01:00
Robert Swiecki
19de49b375 Missing util.* 2016-01-20 17:55:40 +01:00