Robert Swiecki
bbf743791f
Remove bpf-helper as it's not needed since kafel/
2017-01-09 12:49:30 +01:00
Robert Swiecki
4b988e4f21
cmdline: usage
2016-12-10 20:47:20 +01:00
Robert Swiecki
049eab950e
cmdline: usage
2016-12-10 17:17:01 +01:00
Robert Swiecki
8bd093df2f
cmdline: use of --chroot
2016-12-10 17:11:55 +01:00
Robert Swiecki
ae9c1bad9a
subproc: logging
2016-11-20 23:55:44 +01:00
Robert Swiecki
abe290431e
net: log msg
2016-11-20 23:41:05 +01:00
Robert Swiecki
364273afd7
Makefile: Make it possible to disable kafel and libnl3 from envvar
2016-11-20 23:37:38 +01:00
Robert Swiecki
78ccfa863a
setjmp/longjmp: don't use stack-based jmp_buf, use TLS one
2016-11-03 03:53:52 +01:00
Robert Swiecki
9a3c53e9a9
Print time with INFO
2016-10-21 16:49:50 +02:00
Robert Swiecki
cf71ab14f6
Make it compile w/o libnl3
2016-10-18 13:54:27 +02:00
Robert Swiecki
4dd5c38f91
Use subprocClone instead of syscall(__NR_clone)
2016-10-18 09:47:15 +02:00
Robert Swiecki
37a5d15fa8
Comment type + make indent
2016-10-17 22:53:31 +02:00
Robert Swiecki
c9847562dd
Less use of USE_KAFEL
2016-10-17 18:17:08 +02:00
Robert Swiecki
238df2ed87
Missing USE_KAFEL defines
2016-10-17 18:09:05 +02:00
Robert Swiecki
d0a3edd67f
log: don't print function name with INFO logs
2016-10-17 15:49:20 +02:00
Robert Swiecki
b1ca8dd1b5
subproc: comments
2016-10-17 15:47:50 +02:00
Robert Swiecki
c3462e2529
Typo: subproccloneFunc -> subprocCloneFunc
2016-10-15 02:58:42 +02:00
Robert Swiecki
2a8faeba7a
Make use of subprocClone, plus remove use of syscall(__NR_getpid)
2016-10-15 02:42:01 +02:00
Robert Swiecki
950c91e4dd
Allow to use kafel_string
2016-10-12 03:52:08 +02:00
Robert Swiecki
df38185c6f
Slight rework of kafel use
2016-10-12 03:15:33 +02:00
Robert Swiecki
fe7fe8591f
Use common subprocSystem for executing commands
2016-10-12 02:01:12 +02:00
Robert Swiecki
a30e2f107c
Make indent
2016-10-12 00:59:10 +02:00
robertswiecki
047c94e2d9
Merge pull request #10 from sroettger/pivot_root_only
...
Option to skip chroot (for nested user namespaces)
2016-09-30 16:41:25 +02:00
Stephen Röttger
cf4f197684
Don't mount over / if pivot_root_only is enabled
...
The intention behind pivot_root_only is to support nested user
namespaces. However, if we bind mount over /, which happens by default,
the kernel will deny CLONE_NEWUSER.
2016-09-30 16:30:59 +02:00
Stephen Röttger
c647ebb74f
remove /old_root on --pivot_root_only
2016-09-30 16:30:59 +02:00
Stephen Röttger
f4d43e3336
New option pivot_root_only to support nested namespaces
...
If pivot_root_only is set the chroot in the job setup will be skipped.
2016-09-30 16:30:59 +02:00
robertswiecki
f995ff9475
Merge pull request #9 from sroettger/newuidmap
...
Support more complex uid and gid mappings
2016-09-30 16:03:33 +02:00
Stephen Röttger
1c950391a1
Support more complex uid and gid mappings
...
Introduces the new options uid_mapping and gid_mapping that specify
arbitrary custom mappings. If these options are used, nsjail will
use newuidmap/newgidmap to write the map files.
2016-09-30 15:30:15 +02:00
robertswiecki
8a63a24981
Merge pull request #8 from sroettger/no_no_new_privs
...
new flag to skip no_new_privs: --disable_no_new_privs
2016-09-30 15:27:07 +02:00
robertswiecki
484ae304e5
Merge pull request #7 from sroettger/proc_fd_2_fix
...
Don't try to open /proc/self/fd/2 as we might not have permission
2016-09-30 15:26:24 +02:00
Stephen Röttger
6501357f98
new flag to skip no_new_privs: --disable_no_new_privs
2016-09-30 15:23:04 +02:00
Jagger
06e353a8e1
seccomp_policy cmdline
2016-09-30 11:57:11 +02:00
robertswiecki
fd74e03ef6
Merge pull request #6 from happyCoder92/master
...
Kafel support
2016-09-29 18:13:06 +02:00
Wiktor Garbacz
551ed4ca05
Kafel support
2016-09-29 16:22:09 +02:00
Stephen Röttger
115c297958
Don't try to open /proc/self/fd/2 as we might not have permission
...
The terminal behind fd 2 might be owned by root and can't be opened by the user.
This happens e.g. if you ssh to a server as root and su to the user.
2016-09-24 12:04:40 +02:00
Jagger
ee7de33531
Use O_CLOEXEC when possible to avoid leaking FDs
2016-09-10 03:20:32 +02:00
Jagger
1d9b33b06b
Make MODE_STANDALONE_ONCE the default mode
2016-08-18 21:31:07 +02:00
Jagger
0763611ad8
The dir must start with '/'
2016-08-18 21:04:25 +02:00
Robert Swiecki
d96f730631
Recursive dir creation
2016-08-18 18:59:06 +02:00
Jagger
a00f5a6424
Don't mount /proc as RO
2016-08-16 22:42:15 +02:00
Jagger
88ce7d240a
Default chroot is empty now
2016-08-16 22:07:44 +02:00
Jagger
dba13a2aae
Use old NULL mount semantics
2016-08-16 21:12:23 +02:00
Robert Swiecki
26e539884a
Names in mount:
2016-08-16 19:59:51 +02:00
Robert Swiecki
4be7646379
Different way of mounting things
2016-08-16 19:54:50 +02:00
Robert Swiecki
1aa24fbeeb
Remove -fblocks from Makefile
2016-07-29 15:49:35 +02:00
Robert Swiecki
1dc33c7bcf
Remove defer{} calls
2016-07-29 15:38:22 +02:00
Robert Swiecki
f3b70cc314
Remove -lBlocksRuntime
2016-07-27 14:04:03 +02:00
Jagger
71ab2f563d
Conflicting rlim types
2016-07-22 02:37:24 +02:00
Robert Swiecki
432c82bb34
Make it a bit more standards friendly
2016-07-21 15:48:47 +02:00
Robert Swiecki
8a501f4ad6
Conflicting enum types
2016-07-21 15:34:46 +02:00