Robert Swiecki
238df2ed87
Missing USE_KAFEL defines
2016-10-17 18:09:05 +02:00
Robert Swiecki
d0a3edd67f
log: don't print function name with INFO logs
2016-10-17 15:49:20 +02:00
Robert Swiecki
b1ca8dd1b5
subproc: comments
2016-10-17 15:47:50 +02:00
Robert Swiecki
c3462e2529
Typo: subproccloneFunc -> subprocCloneFunc
2016-10-15 02:58:42 +02:00
Robert Swiecki
2a8faeba7a
Make use of subprocClone, plus remove use of syscall(__NR_getpid)
2016-10-15 02:42:01 +02:00
Robert Swiecki
950c91e4dd
Allow to use kafel_string
2016-10-12 03:52:08 +02:00
Robert Swiecki
df38185c6f
Slight rework of kafel use
2016-10-12 03:15:33 +02:00
Robert Swiecki
fe7fe8591f
Use common subprocSystem for executing commands
2016-10-12 02:01:12 +02:00
Robert Swiecki
a30e2f107c
Make indent
2016-10-12 00:59:10 +02:00
robertswiecki
047c94e2d9
Merge pull request #10 from sroettger/pivot_root_only
...
Option to skip chroot (for nested user namespaces)
2016-09-30 16:41:25 +02:00
Stephen Röttger
cf4f197684
Don't mount over / if pivot_root_only is enabled
...
The intention behind pivot_root_only is to support nested user
namespaces. However, if we bind mount over /, which happens by default,
the kernel will deny CLONE_NEWUSER.
2016-09-30 16:30:59 +02:00
Stephen Röttger
c647ebb74f
remove /old_root on --pivot_root_only
2016-09-30 16:30:59 +02:00
Stephen Röttger
f4d43e3336
New option pivot_root_only to support nested namespaces
...
If pivot_root_only is setthe chroot in the job setup will be skipped.
2016-09-30 16:30:59 +02:00
robertswiecki
f995ff9475
Merge pull request #9 from sroettger/newuidmap
...
Support more complex uid and gid mappings
2016-09-30 16:03:33 +02:00
Stephen Röttger
1c950391a1
Support more complex uid and gid mappings
...
Introduces the new options uid_mapping and gid_mapping that specify
arbitrary custom mappings. If these options are used, nsjail will
use newuidmap/newgidmap to write the map files.
2016-09-30 15:30:15 +02:00
robertswiecki
8a63a24981
Merge pull request #8 from sroettger/no_no_new_privs
...
new flag to skip no_new_privs: --disable_no_new_privs
2016-09-30 15:27:07 +02:00
robertswiecki
484ae304e5
Merge pull request #7 from sroettger/proc_fd_2_fix
...
Don't try to open /proc/self/fd/2 as we might not have permission
2016-09-30 15:26:24 +02:00
Stephen Röttger
6501357f98
new flag to skip no_new_privs: --disable_no_new_privs
2016-09-30 15:23:04 +02:00
Jagger
06e353a8e1
seccomp_policy cmdline
2016-09-30 11:57:11 +02:00
robertswiecki
fd74e03ef6
Merge pull request #6 from happyCoder92/master
...
Kafel support
2016-09-29 18:13:06 +02:00
Wiktor Garbacz
551ed4ca05
Kafel support
2016-09-29 16:22:09 +02:00
Stephen Röttger
115c297958
Don't try to open /proc/self/fd/2 as we might not have permission
...
The terminal behind fd 2 might be owned by root and can't be opened by the user.
This happens e.g. if you ssh to a server as root and su to the user.
2016-09-24 12:04:40 +02:00
Jagger
ee7de33531
Use O_CLOEXEC when possible to avoid leaking FDs
2016-09-10 03:20:32 +02:00
Jagger
1d9b33b06b
Make MODE_STANDALONE_ONCE the default mode
2016-08-18 21:31:07 +02:00
Jagger
0763611ad8
The dir must start with '/'
2016-08-18 21:04:25 +02:00
Robert Swiecki
d96f730631
Recursive dir creation
2016-08-18 18:59:06 +02:00
Jagger
a00f5a6424
Dont mount /proc as RO
2016-08-16 22:42:15 +02:00
Jagger
88ce7d240a
Default chroot is empty now
2016-08-16 22:07:44 +02:00
Jagger
dba13a2aae
Use old NULL mount semantics
2016-08-16 21:12:23 +02:00
Robert Swiecki
26e539884a
Names in mount:
2016-08-16 19:59:51 +02:00
Robert Swiecki
4be7646379
Different way of mounting things
2016-08-16 19:54:50 +02:00
Robert Swiecki
1aa24fbeeb
Remove -fblocks from Makefile
2016-07-29 15:49:35 +02:00
Robert Swiecki
1dc33c7bcf
Remove defer{} calls
2016-07-29 15:38:22 +02:00
Robert Swiecki
f3b70cc314
Remove -lBlocksRuntime
2016-07-27 14:04:03 +02:00
Jagger
71ab2f563d
Conflicting rlim types
2016-07-22 02:37:24 +02:00
Robert Swiecki
432c82bb34
Make it a bit more standards friendly
2016-07-21 15:48:47 +02:00
Robert Swiecki
8a501f4ad6
Conflicting enum types
2016-07-21 15:34:46 +02:00
Robert Swiecki
8a32eba177
Don't restart accept
2016-06-22 14:07:40 +02:00
Jagger
4bc5632af4
Report failure of setting fcntl(FD_CLOEXEC) as error
2016-06-20 22:59:29 +02:00
robertswiecki
e801dbb908
Merge pull request #5 from sandersdan/cgroup_doc_fixes
...
Minor cgroup documentation fixes
2016-06-20 22:47:10 +02:00
Dan Sanders
9f518957cf
Minor cgroup documentation fixes.
2016-06-20 13:37:34 -07:00
Jagger
0fbbb95666
README
2016-06-19 19:43:10 +02:00
Jagger
1b940a6152
README
2016-06-19 19:41:11 +02:00
Jagger
e981cbc730
Init cgroups with -Me
2016-06-19 19:36:56 +02:00
Jagger
1a9de4ef91
cmdline help
2016-06-19 19:21:45 +02:00
Jagger
8907d06693
Enable OOM-killer for cgroups
2016-06-19 18:40:16 +02:00
Jagger
3e91d44145
Use cgroups_mem_max to enable memory limits
2016-06-19 18:12:15 +02:00
Jagger
1798b0de21
Use fname in cgroups
2016-06-19 16:41:26 +02:00
Jagger
51797dd270
Disable oom_killer
2016-06-19 16:39:41 +02:00
Jagger
ac06ff56c9
Remove cgroup before reporting process being finished
2016-06-19 16:02:00 +02:00