review.tizen.org Git - platform/upstream/nsjail.git/commit

author	Kunhoon Baik <knhoon.baik@samsung.com>
	Mon, 19 Jul 2021 03:14:39 +0000 (12:14 +0900)
committer	Kunhoon Baik <knhoon.baik@samsung.com>
	Mon, 19 Jul 2021 03:14:39 +0000 (12:14 +0900)
commit	b7c4d7c4b9fd377c6a0c26fea6b1c9570b3ab744
tree	400baee778e38c248ad321b21eeedcedcc4265ea	tree \| snapshot
parent	2eeecce371854c75da0b13a7c51a3f83199c28f2	commit \| diff

Add nsjail service for Tizen distribution

Tizen will use nsjail as application container by using USER Namespeace.

If creating new user namespace, the new user can get admin(root) privilege in the namespace,
and can use several kernel resource by creating other namespaces.

However, the new user namesapce cannot access unprivilged resource in original namespace.
For that, Tizen nsjail service creates some resources (directories for cgroup, and bind mount tmp directories) for the new user namespace.

cf) Each Tizen App has each smack label.
    Unfortunatly, nsjail does not consider such issue for bind mount.
    For that, at this moment, we create new user's uid based folder name for each application.
    In the future, the folder name should be created on basis of Tizen package name.

mnt.cc		diff \| blob \| history
packaging/nsjail.service	[new file with mode: 0644]	blob
packaging/nsjail.sh	[new file with mode: 0644]	blob
packaging/nsjail.spec		diff \| blob \| history
test/runner-sandbox.cfg		diff \| blob \| history