Robert Swiecki
50a741cf65
config: adjust identifiers, so they don't repeat config::config.. in method names
2023-10-01 12:57:40 +02:00
Andrew Haberlandt
12df56b9f1
Setup cgroup.subtree_control controllers when necessary in cgroupsv2
...
This commit adds extra setup when cgroupsv2 is enabled. In particular,
we make sure that the root namespace has setup cgroup.subtree_control
with the controllers we need.
If the necessary controller are not listed, we have to move all
processes out of the root namespace before we can change this
(the 'no internal processes' rule:
https://unix.stackexchange.com/a/713343 ). Currently we only
handle the case where the nsjail process is the only process in
the cgroup. It seems like this would be relatively rare, but since
nsjail is frequently the root process in a Docker container (e.g.
for hosting CTF challenges), I think this case is common enough to
make it worth implementing.
This also adds `--detect_cgroupv2`, which will attempt to detect
whether `--cgroupv2_mount` is a valid cgroupv2 mount, and if so
it will set `use_cgroupv2`. This is useful in containerized
environments where you may not know the kernel version ahead of time.
References:
https://github.com/redpwn/jail/blob/master/internal/cgroup/cgroup2.go
2022-11-17 17:09:40 -05:00
Robert Swiecki
9aee3dd831
Make logs more efficient by avoiding argument evaluation for LOG* if
...
it's not needed at the current level
2022-08-05 08:42:37 +02:00
Patrick Steinhardt
df21a972b6
nsjail: Optionally forward fatal signals
...
Currently, we always kill children by sending them a SIGKILL signal in
case we've got a fatal signal. This is rather inflexible and forbids
some usecases where e.g. child process listen for specific signals to
shut down gracefully.
Add a new command configuration `--forward_signals` that allows the user
to opt-in to forwarding fatal signals to the child process.
2022-06-05 19:38:32 +02:00
Robert Swiecki
6483728e24
config: better config parsing debugging
2022-03-15 00:44:33 +01:00
Michał Kowalczyk
16b4416d75
Add disable_tsc
option
...
Implemented via prctl(PR_SET_TSC, PR_TSC_SIGSEGV, ...).
2022-02-17 23:53:13 +01:00
Philip
bf93e8a25d
cgroup2: use cgroup_mem_swap_max and cgroup_mem_memsw_max
2021-11-01 10:28:41 +01:00
Johan Kartiwa
29a556068a
Add support for setting cgroup memory.memsw.limit_in_bytes
2021-10-11 15:46:36 +02:00
Wiktor Garbacz
95e112cf41
Fix formatting
2021-08-03 17:46:08 +02:00
Wiktor Garbacz
4136dd50d8
Merge branch 'use_switchroot'
2021-08-03 17:44:57 +02:00
Eli Zrihen
b83d6f7421
Renaming use_switchroot option with no_pivotroot
2021-07-20 15:45:58 +03:00
Eli Zrihen
9f4b4f41e7
Consistentency with RLIMIT_* constant name
2021-07-20 15:20:47 +03:00
Eli Zrihen
0f903ba9a0
Added rt, memlock & msgq limits
2021-07-19 17:21:34 +03:00
Eli Zrihen
dab1713ac9
Added use_switchroot option
2021-06-17 14:57:01 +03:00
Eli Zrihen
5c8b3835b7
MACVLAN modes support
2021-06-16 16:59:12 +03:00
Robert Swiecki
056809ed3b
Initial support for CLONE_NEWTIME
2021-05-11 14:48:45 +02:00
Philip Papurt
32f2287fbb
net: add support for max_conns
2021-02-09 17:13:35 -05:00
Robert Swiecki
a2d5b07c76
config: remove deprecated config options
2020-07-09 17:28:56 +02:00
Christian Blichmann
910fb5498c
Fix a few typos.
...
These were found by external tooling while preparing the Debian package.
* Uknown -> Unknown
* Writting -> Writing
* commited -> committed
* processess -> processes
Signed-off-by: Christian Blichmann <mail@blichmann.eu>
2020-07-07 14:07:22 +02:00
Robert Swiecki
b3d544d155
config: simplify log/logfd setting
2019-10-02 19:43:58 +02:00
Jay Lees
86293b052e
Add flag to disable rlimits
2019-08-05 03:25:22 -07:00
Jay Lees
08f62b6f76
[cgroup-v2] support cgroup v2 for mem, cpu and pids
2019-07-26 07:02:17 -07:00
Robert Swiecki
494a5f63cd
Add nice_level to cmd-line/config options
2019-06-30 21:50:56 +02:00
Robert Swiecki
317555b687
user: don't fail on setgroup() if not groups were specified
2019-06-28 13:31:43 +02:00
Robert Swiecki
83a28cd0d3
use TEMP_FAILURE_RETRY with some restartable funcs
2019-04-17 23:10:18 +02:00
Robert Swiecki
2b1bad6b5b
cmdline: allow to override config cmdline with cmdline cmdline
2019-03-30 16:10:14 +01:00
Robert Swiecki
c7dd18c612
cmdline: add ability to passthrough current envvars
2018-10-28 17:15:55 +01:00
Micky Del Favero
233a7296fe
Added --macvlan_vs_ma switch to be able to set macvlan's mac-address.
...
Signed-off-by: Micky Del Favero <micky@BeeCloudy.net>
2018-10-23 15:05:50 +02:00
Robert Swiecki
ef94c3cc6b
config: correct way of setting pass_fd
2018-07-31 22:52:03 +02:00
Wiktor Garbacz
ba14675185
mnt: added nosuid/nodev/noexec flags to config
...
Closes #70
2018-07-27 11:29:15 +02:00
Wiktor Garbacz
1923d6af04
conifg: parse cgroup_cpu settings
...
Fixes #87
2018-07-24 15:20:44 +02:00
Robert Swiecki
272a85477a
config: Implement --stderr_to_null
2018-06-25 03:12:27 +02:00
Robert Swiecki
e8e6c1b906
make indent depend
2018-06-07 18:37:17 +02:00
Robert Swiecki
04627982d0
logs: use log file/level immediately
2018-06-07 16:51:50 +02:00
Robert Swiecki
111481532b
config: add --iface_own to the proto config
2018-06-03 03:19:40 +02:00
Robert Swiecki
48e8634ba5
config: add support for seccomp_log
2018-05-23 15:38:45 +02:00
Robert Swiecki
8a22a4abb6
convert exec file and argv to string/vector
2018-02-12 16:52:05 +01:00
Robert Swiecki
810394cf16
switc all == false cmps to !
2018-02-12 15:17:33 +01:00
Robert Swiecki
f77a177340
config: remove unnecessary c_str()
2018-02-12 04:21:35 +01:00
Robert Swiecki
1f24e3a900
move sandboxing setup from cmdline to nsjail
2018-02-12 03:11:58 +01:00
Robert Swiecki
5a35f00e28
mnt: move mnt_t to std::string
2018-02-11 23:44:43 +01:00
Robert Swiecki
f1a6b08962
cmdline: simplify string splitting
2018-02-11 14:56:30 +01:00
Robert Swiecki
b7f0acb021
util: remove unused functions
2018-02-10 23:54:36 +01:00
Robert Swiecki
7a55ffb3a6
sandbox: convert kafel file/string as std::string
2018-02-10 23:46:15 +01:00
Robert Swiecki
de3f1371f0
convert proc_path to std::string
2018-02-10 20:16:17 +01:00
Robert Swiecki
c9e4e9d0c2
config: rename macro
2018-02-10 18:27:24 +01:00
Robert Swiecki
b691b8796c
nsjail: iface_no_lo -> iface_lo
2018-02-10 18:22:51 +01:00
Robert Swiecki
97278f191b
log: rename log to logs due to clash with glibc's log
2018-02-10 17:49:15 +01:00
Robert Swiecki
4494deffa7
omit keyword 'struct'
2018-02-10 15:50:12 +01:00
Robert Swiecki
1761ed4fdc
move common.h to macros.h
2018-02-10 05:25:55 +01:00