Commit Graph

253 Commits

Author SHA1 Message Date
Robert Swiecki
9a3c53e9a9 Print time with INFO 2016-10-21 16:49:50 +02:00
Robert Swiecki
cf71ab14f6 Make it compile w/o libnl3 2016-10-18 13:54:27 +02:00
Robert Swiecki
4dd5c38f91 Use subprocClone instead of syscall(__NR_clone) 2016-10-18 09:47:15 +02:00
Robert Swiecki
37a5d15fa8 Comment type + make indent 2016-10-17 22:53:31 +02:00
Robert Swiecki
c9847562dd Less use of USE_KAFEL 2016-10-17 18:17:08 +02:00
Robert Swiecki
238df2ed87 Missing USE_KAFEL defines 2016-10-17 18:09:05 +02:00
Robert Swiecki
d0a3edd67f log: don't print function name with INFO logs 2016-10-17 15:49:20 +02:00
Robert Swiecki
b1ca8dd1b5 subproc: comments 2016-10-17 15:47:50 +02:00
Robert Swiecki
c3462e2529 Typo: subproccloneFunc -> subprocCloneFunc 2016-10-15 02:58:42 +02:00
Robert Swiecki
2a8faeba7a Make use of subprocClone, plus remove use of syscall(__NR_getpid) 2016-10-15 02:42:01 +02:00
Robert Swiecki
950c91e4dd Allow to use kafel_string 2016-10-12 03:52:08 +02:00
Robert Swiecki
df38185c6f Slight rework of kafel use 2016-10-12 03:15:33 +02:00
Robert Swiecki
fe7fe8591f Use common subprocSystem for executing commands 2016-10-12 02:01:12 +02:00
Robert Swiecki
a30e2f107c Make indent 2016-10-12 00:59:10 +02:00
robertswiecki
047c94e2d9 Merge pull request #10 from sroettger/pivot_root_only
Option to skip chroot (for nested user namespaces)
2016-09-30 16:41:25 +02:00
Stephen Röttger
cf4f197684 Don't mount over / if pivot_root_only is enabled
The intention behind pivot_root_only is to support nested user
namespaces. However, if we bind mount over /, which happens by default,
the kernel will deny CLONE_NEWUSER.
2016-09-30 16:30:59 +02:00
Stephen Röttger
c647ebb74f remove /old_root on --pivot_root_only 2016-09-30 16:30:59 +02:00
Stephen Röttger
f4d43e3336 New option pivot_root_only to support nested namespaces
If pivot_root_only is set the chroot in the job setup will be skipped.
2016-09-30 16:30:59 +02:00
robertswiecki
f995ff9475 Merge pull request #9 from sroettger/newuidmap
Support more complex uid and gid mappings
2016-09-30 16:03:33 +02:00
Stephen Röttger
1c950391a1 Support more complex uid and gid mappings
Introduces the new options uid_mapping and gid_mapping that specify
arbitrary custom mappings. If these options are used, nsjail will
use newuidmap/newgidmap to write the map files.
2016-09-30 15:30:15 +02:00
robertswiecki
8a63a24981 Merge pull request #8 from sroettger/no_no_new_privs
new flag to skip no_new_privs: --disable_no_new_privs
2016-09-30 15:27:07 +02:00
robertswiecki
484ae304e5 Merge pull request #7 from sroettger/proc_fd_2_fix
Don't try to open /proc/self/fd/2 as we might not have permission
2016-09-30 15:26:24 +02:00
Stephen Röttger
6501357f98 new flag to skip no_new_privs: --disable_no_new_privs 2016-09-30 15:23:04 +02:00
Jagger
06e353a8e1 seccomp_policy cmdline 2016-09-30 11:57:11 +02:00
robertswiecki
fd74e03ef6 Merge pull request #6 from happyCoder92/master
Kafel support
2016-09-29 18:13:06 +02:00
Wiktor Garbacz
551ed4ca05 Kafel support 2016-09-29 16:22:09 +02:00
Stephen Röttger
115c297958 Don't try to open /proc/self/fd/2 as we might not have permission
The terminal behind fd 2 might be owned by root and can't be opened by the user.
This happens e.g. if you ssh to a server as root and su to the user.
2016-09-24 12:04:40 +02:00
Jagger
ee7de33531 Use O_CLOEXEC when possible to avoid leaking FDs 2016-09-10 03:20:32 +02:00
Jagger
1d9b33b06b Make MODE_STANDALONE_ONCE the default mode 2016-08-18 21:31:07 +02:00
Jagger
0763611ad8 The dir must start with '/' 2016-08-18 21:04:25 +02:00
Robert Swiecki
d96f730631 Recursive dir creation 2016-08-18 18:59:06 +02:00
Jagger
a00f5a6424 Don't mount /proc as RO 2016-08-16 22:42:15 +02:00
Jagger
88ce7d240a Default chroot is empty now 2016-08-16 22:07:44 +02:00
Jagger
dba13a2aae Use old NULL mount semantics 2016-08-16 21:12:23 +02:00
Robert Swiecki
26e539884a Names in mount: 2016-08-16 19:59:51 +02:00
Robert Swiecki
4be7646379 Different way of mounting things 2016-08-16 19:54:50 +02:00
Robert Swiecki
1aa24fbeeb Remove -fblocks from Makefile 2016-07-29 15:49:35 +02:00
Robert Swiecki
1dc33c7bcf Remove defer{} calls 2016-07-29 15:38:22 +02:00
Robert Swiecki
f3b70cc314 Remove -lBlocksRuntime 2016-07-27 14:04:03 +02:00
Jagger
71ab2f563d Conflicting rlim types 2016-07-22 02:37:24 +02:00
Robert Swiecki
432c82bb34 Make it a bit more standards friendly 2016-07-21 15:48:47 +02:00
Robert Swiecki
8a501f4ad6 Conflicting enum types 2016-07-21 15:34:46 +02:00
Robert Swiecki
8a32eba177 Don't restart accept 2016-06-22 14:07:40 +02:00
Jagger
4bc5632af4 Report failure of setting fcntl(FD_CLOEXEC) as error 2016-06-20 22:59:29 +02:00
robertswiecki
e801dbb908 Merge pull request #5 from sandersdan/cgroup_doc_fixes
Minor cgroup documentation fixes
2016-06-20 22:47:10 +02:00
Dan Sanders
9f518957cf Minor cgroup documentation fixes. 2016-06-20 13:37:34 -07:00
Jagger
0fbbb95666 README 2016-06-19 19:43:10 +02:00
Jagger
1b940a6152 README 2016-06-19 19:41:11 +02:00
Jagger
e981cbc730 Init cgroups with -Me 2016-06-19 19:36:56 +02:00
Jagger
1a9de4ef91 cmdline help 2016-06-19 19:21:45 +02:00