Andrew Haberlandt
12df56b9f1
Setup cgroup.subtree_control controllers when necessary in cgroupsv2
This commit adds extra setup when cgroupsv2 is enabled. In particular,
we make sure that the root namespace has set up cgroup.subtree_control
with the controllers we need.
If the necessary controllers are not listed, we have to move all
processes out of the root namespace before we can change this
(the 'no internal processes' rule:
https://unix.stackexchange.com/a/713343 ). Currently we only
handle the case where the nsjail process is the only process in
the cgroup. It seems like this would be relatively rare, but since
nsjail is frequently the root process in a Docker container (e.g.
for hosting CTF challenges), I think this case is common enough to
make it worth implementing.
This also adds `--detect_cgroupv2`, which will attempt to detect
whether `--cgroupv2_mount` is a valid cgroupv2 mount, and if so
it will set `use_cgroupv2`. This is useful in containerized
environments where you may not know the kernel version ahead of time.
References:
https://github.com/redpwn/jail/blob/master/internal/cgroup/cgroup2.go
2022-11-17 17:09:40 -05:00
Robert Swiecki
856cb0f2ec
When setting CPU affinity, take into consideration the current CPU affinity set.
Use only CPU numbers, which exist in the current affinity set. Maybe fixes https://github.com/google/nsjail/issues/200
2022-08-04 19:22:33 +02:00
Patrick Steinhardt
df21a972b6
nsjail: Optionally forward fatal signals
Currently, we always kill children by sending them a SIGKILL signal in
case we've got a fatal signal. This is rather inflexible and forbids
some use cases where e.g. child processes listen for specific signals to
shut down gracefully.
Add a new command configuration `--forward_signals` that allows the user
to opt-in to forwarding fatal signals to the child process.
2022-06-05 19:38:32 +02:00
Michał Kowalczyk
16b4416d75
Add disable_tsc option
Implemented via prctl(PR_SET_TSC, PR_TSC_SIGSEGV, ...).
2022-02-17 23:53:13 +01:00
Philip
bf93e8a25d
cgroup2: use cgroup_mem_swap_max and cgroup_mem_memsw_max
2021-11-01 10:28:41 +01:00
Johan Kartiwa
29a556068a
Add support for setting cgroup memory.memsw.limit_in_bytes
2021-10-11 15:46:36 +02:00
Wiktor Garbacz
4136dd50d8
Merge branch 'use_switchroot'
2021-08-03 17:44:57 +02:00
Eli Zrihen
b83d6f7421
Renaming use_switchroot option with no_pivotroot
2021-07-20 15:45:58 +03:00
Eli Zrihen
0f903ba9a0
Added rt, memlock & msgq limits
2021-07-19 17:21:34 +03:00
Eli Zrihen
dab1713ac9
Added use_switchroot option
2021-06-17 14:57:01 +03:00
Eli Zrihen
5c8b3835b7
MACVLAN modes support
2021-06-16 16:59:12 +03:00
Robert Swiecki
056809ed3b
Initial support for CLONE_NEWTIME
2021-05-11 14:48:45 +02:00
Philip Papurt
32f2287fbb
net: add support for max_conns
2021-02-09 17:13:35 -05:00
Robert Swiecki
608618ea7b
subproc: kill a process once in the -Ml mode once the TCP connection has ended
2020-08-30 22:02:08 +02:00
Wiktor Garbacz
a47123b8a7
fix POLLNVAL in pipeTraffic
2020-02-17 15:57:13 +01:00
Robert Swiecki
2cf562160d
nsjail/pid/subproc: a). keep children's PIDs in a map indexed by pid b). correctly fetch remote IPv6 address text
2020-02-16 22:34:19 +01:00
Wiktor Garbacz
273ce6bc84
pipe socket traffic in and out of sandboxee
2020-02-14 17:07:14 +01:00
Jay Lees
86293b052e
Add flag to disable rlimits
2019-08-05 03:25:22 -07:00
Jay Lees
08f62b6f76
[cgroup-v2] support cgroup v2 for mem, cpu and pids
2019-07-26 07:02:17 -07:00
Robert Swiecki
494a5f63cd
Add nice_level to cmd-line/config options
2019-06-30 21:50:56 +02:00
Robert Swiecki
a2dacef5d7
allow to use nsjail w/o namespaces
2019-03-29 21:38:14 +01:00
Wiktor Garbacz
7fe87b41c7
code formatting
2018-10-24 10:31:14 +02:00
Micky Del Favero
233a7296fe
Added --macvlan_vs_ma switch to be able to set macvlan's mac-address.
Signed-off-by: Micky Del Favero <micky@BeeCloudy.net>
2018-10-23 15:05:50 +02:00
Robert Swiecki
5bf23a0e58
cmdline: more stderr_to_null closer to is_silent
2018-06-25 04:10:42 +02:00
Robert Swiecki
272a85477a
config: Implement --stderr_to_null
2018-06-25 03:12:27 +02:00
Robert Swiecki
04627982d0
logs: use log file/level immediately
2018-06-07 16:51:50 +02:00
Robert Swiecki
7d57fc81be
cmdline: add iface_own to take ownership of one of the global interfaces
2018-05-30 15:26:09 +02:00
Robert Swiecki
b8798fc9a7
use strtoimax when needed
2018-05-26 13:54:17 +02:00
Robert Swiecki
4394fa725e
sandbox: add support for SECCOMP_FILTER_FLAG_LOG
2018-05-23 15:32:45 +02:00
Robert Swiecki
864b7fc718
cmdline: remove tmpfs_size from nsjconf_t
2018-02-18 02:47:46 +01:00
Robert Swiecki
dc5e6676a7
nsjail: ignore SIGTTIN/SIGTTOU
2018-02-15 01:33:33 +01:00
Robert Swiecki
8a22a4abb6
convert exec file and argv to string/vector
2018-02-12 16:52:05 +01:00
Robert Swiecki
5a35f00e28
mnt: move mnt_t to std::string
2018-02-11 23:44:43 +01:00
Robert Swiecki
7b9178f5d7
make indent depend
2018-02-11 04:02:43 +01:00
Robert Swiecki
d875f23ae0
cgroup: switch const char* to std::string
2018-02-11 03:39:07 +01:00
Robert Swiecki
55e8e09c4a
net: convert net::connToText to std::string
2018-02-11 00:17:44 +01:00
Robert Swiecki
7a55ffb3a6
sandbox: convert kafel file/string as std::string
2018-02-10 23:46:15 +01:00
Robert Swiecki
de3f1371f0
convert proc_path to std::string
2018-02-10 20:16:17 +01:00
Robert Swiecki
b691b8796c
nsjail: iface_no_lo -> iface_lo
2018-02-10 18:22:51 +01:00
Robert Swiecki
7bddb40d87
net: move all iface_vs* options from char* to std::string
2018-02-10 18:18:40 +01:00
Robert Swiecki
97278f191b
log: rename log to logs due to clash with glibc's log
2018-02-10 17:49:15 +01:00
Robert Swiecki
ecd4c32d9a
mnt: replace sys/queue with std::vector
2018-02-10 14:38:01 +01:00
Robert Swiecki
1761ed4fdc
move common.h to macros.h
2018-02-10 05:25:55 +01:00
Robert Swiecki
381e6a1af7
nsjail: move pids queue to a vector
2018-02-10 05:13:25 +01:00
Robert Swiecki
c34b52ab78
nsjail: convert a couple of struct fields to std::string
2018-02-10 04:10:18 +01:00
Robert Swiecki
93005ef03d
nsjail: convert gids/uids to vector of structs
2018-02-10 00:37:23 +01:00
Robert Swiecki
9399373ee7
nsjail: envs to vector of strings
2018-02-09 23:04:57 +01:00
Robert Swiecki
63eb13ecde
nsjail: move openfd from queue to vector
2018-02-09 22:47:00 +01:00
Robert Swiecki
d1d310e70f
nsjail: convert caps from queue to vector
2018-02-09 22:35:33 +01:00
Robert Swiecki
7f72cbd497
all: move to C++
2018-02-09 18:55:42 +01:00