Commit Graph

338 Commits

Author SHA1 Message Date
Stephen Röttger
cf4f197684 Don't mount over / if pivot_root_only is enabled
The intention behind pivot_root_only is to support nested user
namespaces. However, if we bind mount over /, which happens by default,
the kernel will deny CLONE_NEWUSER.
2016-09-30 16:30:59 +02:00
Stephen Röttger
c647ebb74f remove /old_root on --pivot_root_only 2016-09-30 16:30:59 +02:00
Stephen Röttger
f4d43e3336 New option pivot_root_only to support nested namespaces
If pivot_root_only is set, the chroot in the job setup will be skipped.
2016-09-30 16:30:59 +02:00
robertswiecki
f995ff9475 Merge pull request #9 from sroettger/newuidmap
Support more complex uid and gid mappings
2016-09-30 16:03:33 +02:00
Stephen Röttger
1c950391a1 Support more complex uid and gid mappings
Introduces the new options uid_mapping and gid_mapping that specify
arbitrary custom mappings. If these options are used, nsjail will
use newuidmap/newgidmap to write the map files.
2016-09-30 15:30:15 +02:00
robertswiecki
8a63a24981 Merge pull request #8 from sroettger/no_no_new_privs
new flag to skip no_new_privs: --disable_no_new_privs
2016-09-30 15:27:07 +02:00
robertswiecki
484ae304e5 Merge pull request #7 from sroettger/proc_fd_2_fix
Don't try to open /proc/self/fd/2 as we might not have permission
2016-09-30 15:26:24 +02:00
Stephen Röttger
6501357f98 new flag to skip no_new_privs: --disable_no_new_privs 2016-09-30 15:23:04 +02:00
Jagger
06e353a8e1 seccomp_policy cmdline 2016-09-30 11:57:11 +02:00
robertswiecki
fd74e03ef6 Merge pull request #6 from happyCoder92/master
Kafel support
2016-09-29 18:13:06 +02:00
Wiktor Garbacz
551ed4ca05 Kafel support 2016-09-29 16:22:09 +02:00
Stephen Röttger
115c297958 Don't try to open /proc/self/fd/2 as we might not have permission
The terminal behind fd 2 might be owned by root and can't be opened by the user.
This happens e.g. if you ssh to a server as root and su to the user.
2016-09-24 12:04:40 +02:00
Jagger
ee7de33531 Use O_CLOEXEC when possible to avoid leaking FDs 2016-09-10 03:20:32 +02:00
Jagger
1d9b33b06b Make MODE_STANDALONE_ONCE the default mode 2016-08-18 21:31:07 +02:00
Jagger
0763611ad8 The dir must start with '/' 2016-08-18 21:04:25 +02:00
Robert Swiecki
d96f730631 Recursive dir creation 2016-08-18 18:59:06 +02:00
Jagger
a00f5a6424 Don't mount /proc as RO 2016-08-16 22:42:15 +02:00
Jagger
88ce7d240a Default chroot is empty now 2016-08-16 22:07:44 +02:00
Jagger
dba13a2aae Use old NULL mount semantics 2016-08-16 21:12:23 +02:00
Robert Swiecki
26e539884a Names in mount: 2016-08-16 19:59:51 +02:00
Robert Swiecki
4be7646379 Different way of mounting things 2016-08-16 19:54:50 +02:00
Robert Swiecki
1aa24fbeeb Remove -fblocks from Makefile 2016-07-29 15:49:35 +02:00
Robert Swiecki
1dc33c7bcf Remove defer{} calls 2016-07-29 15:38:22 +02:00
Robert Swiecki
f3b70cc314 Remove -lBlocksRuntime 2016-07-27 14:04:03 +02:00
Jagger
71ab2f563d Conflicting rlim types 2016-07-22 02:37:24 +02:00
Robert Swiecki
432c82bb34 Make it a bit more standards friendly 2016-07-21 15:48:47 +02:00
Robert Swiecki
8a501f4ad6 Conflicting enum types 2016-07-21 15:34:46 +02:00
Robert Swiecki
8a32eba177 Don't restart accept 2016-06-22 14:07:40 +02:00
Jagger
4bc5632af4 Report failure of setting fcntl(FD_CLOEXEC) as error 2016-06-20 22:59:29 +02:00
robertswiecki
e801dbb908 Merge pull request #5 from sandersdan/cgroup_doc_fixes
Minor cgroup documentation fixes
2016-06-20 22:47:10 +02:00
Dan Sanders
9f518957cf Minor cgroup documentation fixes. 2016-06-20 13:37:34 -07:00
Jagger
0fbbb95666 README 2016-06-19 19:43:10 +02:00
Jagger
1b940a6152 README 2016-06-19 19:41:11 +02:00
Jagger
e981cbc730 Init cgroups with -Me 2016-06-19 19:36:56 +02:00
Jagger
1a9de4ef91 cmdline help 2016-06-19 19:21:45 +02:00
Jagger
8907d06693 Enable OOM-killer for cgroups 2016-06-19 18:40:16 +02:00
Jagger
3e91d44145 Use cgroups_mem_max to enable memory limits 2016-06-19 18:12:15 +02:00
Jagger
1798b0de21 Use fname in cgroups 2016-06-19 16:41:26 +02:00
Jagger
51797dd270 Disable oom_killer 2016-06-19 16:39:41 +02:00
Jagger
ac06ff56c9 Remove cgroup before reporting process being finished 2016-06-19 16:02:00 +02:00
Jagger
827e1a4e7d Init cgroups from parent 2016-06-19 15:50:25 +02:00
Jagger
c93d926189 Create sub-cgroups instead of using the parent one 2016-06-19 14:58:18 +02:00
Jagger
640ae23a71 More use examples 2016-06-19 14:32:27 +02:00
Jagger
0498920fce Unmount cgroup FS after use 2016-06-19 14:25:41 +02:00
Jagger
edab0fe9e4 More debug for cgroups 2016-06-19 14:05:19 +02:00
Jagger
e3a351b335 More memory cgroup controls 2016-06-19 13:54:36 +02:00
Jagger
6223ccebf1 Rudimentary cgroup support 2016-06-19 12:47:28 +02:00
Jagger
a1f0ec7925 Support for CLONE_NEWCGROUP 2016-06-19 11:55:55 +02:00
Jagger
df97c0fe74 Use NULL as src for mounting proc and tmpfs 2016-06-19 01:35:06 +02:00
Jagger
2e523ae4b8 /proc is ro by default 2016-06-19 01:05:31 +02:00