Get rid of pivot_root_only - achieve the same in different way
authorRobert Swiecki <robert@swiecki.net>
Mon, 29 May 2017 01:11:32 +0000 (03:11 +0200)
committerRobert Swiecki <robert@swiecki.net>
Mon, 29 May 2017 01:11:32 +0000 (03:11 +0200)
cmdline.c
common.h
config.c
config.pb-c.c
config.pb-c.h
config.proto
configs/bash-with-fake-geteuid.cfg
mount.c

index 541a5782575512687eaf1833abfe4387d7429b2c..42d72328e50e78f9200e0058a64078222d089fd5 100644 (file)
--- a/cmdline.c
+++ b/cmdline.c
@@ -86,7 +86,6 @@ struct custom_option custom_opts[] = {
     {{"silent", no_argument, NULL, 0x0502}, "Redirect child's fd:0/1/2 to /dev/null"},
     {{"skip_setsid", no_argument, NULL, 0x0504}, "Don't call setsid(), allows for terminal signal handling in the sandboxed process"},
     {{"pass_fd", required_argument, NULL, 0x0505}, "Don't close this FD before executing child (can be specified multiple times), by default: 0/1/2 are kept open"},
-    {{"pivot_root_only", no_argument, NULL, 0x0506}, "Only perform pivot_root, no chroot. This will enable nested namespaces"},
     {{"disable_no_new_privs", no_argument, NULL, 0x0507}, "Don't set the prctl(NO_NEW_PRIVS, 1) (DANGEROUS)"},
     {{"rlimit_as", required_argument, NULL, 0x0201}, "RLIMIT_AS in MB, 'max' for RLIM_INFINITY, 'def' for the current value (default: 512)"},
     {{"rlimit_core", required_argument, NULL, 0x0202}, "RLIMIT_CORE in MB, 'max' for RLIM_INFINITY, 'def' for the current value (default: 0)"},
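Review bot: Dropping the `pivot_root_only` row from `custom_opts[]` turns an existing invocation that still passes `--pivot_root_only` into a hard parse failure (the option parser will presumably report it as unknown) rather than a no-op, and leaves 0x0506 as a hole in the option-id sequence between `pass_fd` and `disable_no_new_privs`. If the flag shipped in a released version, a one-release shim — keeping the row with help text `"Deprecated, has no effect"` and a `case 0x0506: LOG_W(...); break;` in cmdlineParse — would keep existing wrapper scripts working; otherwise the commit message should state that the option was removed. The same concern applies to the `case 0x0506` deletion in the last cmdline.c hunk. `custom_opts[]` continues outside this hunk.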
@@ -211,7 +210,7 @@ void cmdlineLogParams(struct nsjconf_t *nsjconf)
              "max_conns_per_ip:%u, time_limit:%ld, personality:%#lx, daemonize:%s, "
              "clone_newnet:%s, clone_newuser:%s, clone_newns:%s, clone_newpid:%s, "
              "clone_newipc:%s, clonew_newuts:%s, clone_newcgroup:%s, keep_caps:%s, "
-             "tmpfs_size:%zu, disable_no_new_privs:%s, pivot_root_only:%s",
+             "tmpfs_size:%zu, disable_no_new_privs:%s",
              nsjconf->hostname, nsjconf->chroot ? nsjconf->chroot : "[NULL]", nsjconf->argv[0],
              nsjconf->bindhost, nsjconf->port, nsjconf->max_conns_per_ip, nsjconf->tlimit,
              nsjconf->personality, logYesNo(nsjconf->daemonize), logYesNo(nsjconf->clone_newnet),
@@ -219,7 +218,7 @@ void cmdlineLogParams(struct nsjconf_t *nsjconf)
              logYesNo(nsjconf->clone_newpid), logYesNo(nsjconf->clone_newipc),
              logYesNo(nsjconf->clone_newuts), logYesNo(nsjconf->clone_newcgroup),
              logYesNo(nsjconf->keep_caps), nsjconf->tmpfs_size,
-             logYesNo(nsjconf->disable_no_new_privs), logYesNo(nsjconf->pivot_root_only));
+             logYesNo(nsjconf->disable_no_new_privs));
 
        {
                struct mounts_t *p;
@@ -316,7 +315,6 @@ bool cmdlineParse(int argc, char *argv[], struct nsjconf_t * nsjconf)
       .loglevel = INFO,
       .daemonize = false,
       .tlimit = 0,
-      .pivot_root_only = false,
       .keep_caps = false,
       .disable_no_new_privs = false,
       .rl_as = 512 * (1024 * 1024),
@@ -526,9 +524,6 @@ bool cmdlineParse(int argc, char *argv[], struct nsjconf_t * nsjconf)
                                f->fd = (int)strtol(optarg, NULL, 0);
                                TAILQ_INSERT_HEAD(&nsjconf->open_fds, f, pointers);
                        } break;
-               case 0x0506:
-                       nsjconf->pivot_root_only = true;
-                       break;
                case 0x0507:
                        nsjconf->disable_no_new_privs = true;
                        break;
index c5c69befd35521c64146e178c2d5137cb175dcca..e85ff880a28941013800f15fef67977317369f24 100644 (file)
--- a/common.h
+++ b/common.h
@@ -122,7 +122,6 @@ struct nsjconf_t {
        enum llevel_t loglevel;
        bool daemonize;
        time_t tlimit;
-       bool pivot_root_only;
        bool keep_env;
        bool keep_caps;
        bool disable_no_new_privs;
index ce2e5bb59e1e0d309da4f9d79921affa60898065..ed727418fdbf08f55bc2f650d8ce8730fe857ad9 100644 (file)
--- a/config.c
+++ b/config.c
@@ -116,7 +116,6 @@ static bool configParseInternal(struct nsjconf_t *nsjconf, Nsjail__NsJailConfig
                TAILQ_INSERT_HEAD(&nsjconf->open_fds, f, pointers);
        }
 
-       nsjconf->pivot_root_only = njc->pivot_root_only;
        nsjconf->disable_no_new_privs = njc->disable_no_new_privs;
 
        nsjconf->rl_as = njc->rlimit_as * 1024ULL * 1024ULL;
index 018b46c69181436a1224d77705f2ebd3566b221f..b092a419566c6adf77ead1f27e0e8f557aabf913 100644 (file)
@@ -462,7 +462,6 @@ static const protobuf_c_boolean nsjail__ns_jail_config__keep_env__default_value
 static const protobuf_c_boolean nsjail__ns_jail_config__keep_caps__default_value = 0;
 static const protobuf_c_boolean nsjail__ns_jail_config__silent__default_value = 0;
 static const protobuf_c_boolean nsjail__ns_jail_config__skip_setsid__default_value = 0;
-static const protobuf_c_boolean nsjail__ns_jail_config__pivot_root_only__default_value = 0;
 static const protobuf_c_boolean nsjail__ns_jail_config__disable_no_new_privs__default_value = 0;
 static const uint64_t nsjail__ns_jail_config__rlimit_as__default_value = 512ull;
 static const uint64_t nsjail__ns_jail_config__rlimit_core__default_value = 0ull;
@@ -488,7 +487,7 @@ static const protobuf_c_boolean nsjail__ns_jail_config__mount_proc__default_valu
 static const uint64_t nsjail__ns_jail_config__cgroup_mem_max__default_value = 0ull;
 static const uint64_t nsjail__ns_jail_config__cgroup_pids_max__default_value = 0ull;
 static const protobuf_c_boolean nsjail__ns_jail_config__iface_no_lo__default_value = 0;
-static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[59] = {
+static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[58] = {
        {
         "name",
         1,
@@ -729,21 +728,9 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
         0,                     /* flags */
         0, NULL, NULL          /* reserved1,reserved2, etc */
         },
-       {
-        "pivot_root_only",
-        23,
-        PROTOBUF_C_LABEL_REQUIRED,
-        PROTOBUF_C_TYPE_BOOL,
-        0,                     /* quantifier_offset */
-        offsetof(Nsjail__NsJailConfig, pivot_root_only),
-        NULL,
-        &nsjail__ns_jail_config__pivot_root_only__default_value,
-        0,                     /* flags */
-        0, NULL, NULL          /* reserved1,reserved2, etc */
-        },
        {
         "disable_no_new_privs",
-        24,
+        23,
         PROTOBUF_C_LABEL_REQUIRED,
         PROTOBUF_C_TYPE_BOOL,
         0,                     /* quantifier_offset */
@@ -755,7 +742,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
         },
        {
         "rlimit_as",
-        25,
+        24,
         PROTOBUF_C_LABEL_REQUIRED,
         PROTOBUF_C_TYPE_UINT64,
         0,                     /* quantifier_offset */
@@ -767,7 +754,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
         },
        {
         "rlimit_core",
-        26,
+        25,
         PROTOBUF_C_LABEL_REQUIRED,
         PROTOBUF_C_TYPE_UINT64,
         0,                     /* quantifier_offset */
@@ -779,7 +766,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
         },
        {
         "rlimit_cpu",
-        27,
+        26,
         PROTOBUF_C_LABEL_REQUIRED,
         PROTOBUF_C_TYPE_UINT64,
         0,                     /* quantifier_offset */
@@ -791,7 +778,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
         },
        {
         "rlimit_fsize",
-        28,
+        27,
         PROTOBUF_C_LABEL_REQUIRED,
         PROTOBUF_C_TYPE_UINT64,
         0,                     /* quantifier_offset */
@@ -803,7 +790,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
         },
        {
         "rlimit_nofile",
-        29,
+        28,
         PROTOBUF_C_LABEL_REQUIRED,
         PROTOBUF_C_TYPE_UINT64,
         0,                     /* quantifier_offset */
@@ -815,7 +802,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
         },
        {
         "rlimit_nproc",
-        30,
+        29,
         PROTOBUF_C_LABEL_OPTIONAL,
         PROTOBUF_C_TYPE_UINT64,
         offsetof(Nsjail__NsJailConfig, has_rlimit_nproc),
@@ -827,7 +814,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
         },
        {
         "rlimit_stack",
-        31,
+        30,
         PROTOBUF_C_LABEL_OPTIONAL,
         PROTOBUF_C_TYPE_UINT64,
         offsetof(Nsjail__NsJailConfig, has_rlimit_stack),
@@ -839,7 +826,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
         },
        {
         "persona_addr_compat_layout",
-        32,
+        31,
         PROTOBUF_C_LABEL_REQUIRED,
         PROTOBUF_C_TYPE_BOOL,
         0,                     /* quantifier_offset */
@@ -851,7 +838,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
         },
        {
         "persona_mmap_page_zero",
-        33,
+        32,
         PROTOBUF_C_LABEL_REQUIRED,
         PROTOBUF_C_TYPE_BOOL,
         0,                     /* quantifier_offset */
@@ -863,7 +850,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
         },
        {
         "persona_read_implies_exec",
-        34,
+        33,
         PROTOBUF_C_LABEL_REQUIRED,
         PROTOBUF_C_TYPE_BOOL,
         0,                     /* quantifier_offset */
@@ -875,7 +862,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
         },
        {
         "persona_addr_limit_3gb",
-        35,
+        34,
         PROTOBUF_C_LABEL_REQUIRED,
         PROTOBUF_C_TYPE_BOOL,
         0,                     /* quantifier_offset */
@@ -887,7 +874,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
         },
        {
         "persona_addr_no_randomize",
-        36,
+        35,
         PROTOBUF_C_LABEL_REQUIRED,
         PROTOBUF_C_TYPE_BOOL,
         0,                     /* quantifier_offset */
@@ -899,7 +886,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
         },
        {
         "clone_newnet",
-        37,
+        36,
         PROTOBUF_C_LABEL_REQUIRED,
         PROTOBUF_C_TYPE_BOOL,
         0,                     /* quantifier_offset */
@@ -911,7 +898,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
         },
        {
         "clone_newuser",
-        38,
+        37,
         PROTOBUF_C_LABEL_REQUIRED,
         PROTOBUF_C_TYPE_BOOL,
         0,                     /* quantifier_offset */
@@ -923,7 +910,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
         },
        {
         "clone_newns",
-        39,
+        38,
         PROTOBUF_C_LABEL_REQUIRED,
         PROTOBUF_C_TYPE_BOOL,
         0,                     /* quantifier_offset */
@@ -935,7 +922,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
         },
        {
         "clone_newpid",
-        40,
+        39,
         PROTOBUF_C_LABEL_REQUIRED,
         PROTOBUF_C_TYPE_BOOL,
         0,                     /* quantifier_offset */
@@ -947,7 +934,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
         },
        {
         "clone_newipc",
-        41,
+        40,
         PROTOBUF_C_LABEL_REQUIRED,
         PROTOBUF_C_TYPE_BOOL,
         0,                     /* quantifier_offset */
@@ -959,7 +946,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
         },
        {
         "clone_newuts",
-        42,
+        41,
         PROTOBUF_C_LABEL_REQUIRED,
         PROTOBUF_C_TYPE_BOOL,
         0,                     /* quantifier_offset */
@@ -971,7 +958,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
         },
        {
         "clone_newcgroup",
-        43,
+        42,
         PROTOBUF_C_LABEL_REQUIRED,
         PROTOBUF_C_TYPE_BOOL,
         0,                     /* quantifier_offset */
@@ -983,7 +970,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
         },
        {
         "uidmap",
-        44,
+        43,
         PROTOBUF_C_LABEL_REPEATED,
         PROTOBUF_C_TYPE_MESSAGE,
         offsetof(Nsjail__NsJailConfig, n_uidmap),
@@ -995,7 +982,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
         },
        {
         "gidmap",
-        45,
+        44,
         PROTOBUF_C_LABEL_REPEATED,
         PROTOBUF_C_TYPE_MESSAGE,
         offsetof(Nsjail__NsJailConfig, n_gidmap),
@@ -1007,7 +994,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
         },
        {
         "mount_proc",
-        46,
+        45,
         PROTOBUF_C_LABEL_REQUIRED,
         PROTOBUF_C_TYPE_BOOL,
         0,                     /* quantifier_offset */
@@ -1019,7 +1006,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
         },
        {
         "mount",
-        47,
+        46,
         PROTOBUF_C_LABEL_REPEATED,
         PROTOBUF_C_TYPE_MESSAGE,
         offsetof(Nsjail__NsJailConfig, n_mount),
@@ -1031,7 +1018,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
         },
        {
         "seccomp_policy_file",
-        48,
+        47,
         PROTOBUF_C_LABEL_OPTIONAL,
         PROTOBUF_C_TYPE_STRING,
         0,                     /* quantifier_offset */
@@ -1043,7 +1030,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
         },
        {
         "seccomp_string",
-        49,
+        48,
         PROTOBUF_C_LABEL_OPTIONAL,
         PROTOBUF_C_TYPE_STRING,
         0,                     /* quantifier_offset */
@@ -1055,7 +1042,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
         },
        {
         "cgroup_mem_max",
-        50,
+        49,
         PROTOBUF_C_LABEL_REQUIRED,
         PROTOBUF_C_TYPE_UINT64,
         0,                     /* quantifier_offset */
@@ -1067,7 +1054,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
         },
        {
         "cgroup_mem_mount",
-        51,
+        50,
         PROTOBUF_C_LABEL_REQUIRED,
         PROTOBUF_C_TYPE_STRING,
         0,                     /* quantifier_offset */
@@ -1079,7 +1066,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
         },
        {
         "cgroup_mem_parent",
-        52,
+        51,
         PROTOBUF_C_LABEL_REQUIRED,
         PROTOBUF_C_TYPE_STRING,
         0,                     /* quantifier_offset */
@@ -1091,7 +1078,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
         },
        {
         "cgroup_pids_max",
-        53,
+        52,
         PROTOBUF_C_LABEL_REQUIRED,
         PROTOBUF_C_TYPE_UINT64,
         0,                     /* quantifier_offset */
@@ -1103,7 +1090,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
         },
        {
         "cgroup_pids_mount",
-        54,
+        53,
         PROTOBUF_C_LABEL_REQUIRED,
         PROTOBUF_C_TYPE_STRING,
         0,                     /* quantifier_offset */
@@ -1115,7 +1102,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
         },
        {
         "cgroup_pids_parent",
-        55,
+        54,
         PROTOBUF_C_LABEL_REQUIRED,
         PROTOBUF_C_TYPE_STRING,
         0,                     /* quantifier_offset */
@@ -1127,7 +1114,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
         },
        {
         "iface_no_lo",
-        56,
+        55,
         PROTOBUF_C_LABEL_REQUIRED,
         PROTOBUF_C_TYPE_BOOL,
         0,                     /* quantifier_offset */
@@ -1139,7 +1126,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
         },
        {
         "macvlan_iface",
-        57,
+        56,
         PROTOBUF_C_LABEL_OPTIONAL,
         PROTOBUF_C_TYPE_STRING,
         0,                     /* quantifier_offset */
@@ -1151,7 +1138,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
         },
        {
         "macvlan_vs_ip",
-        58,
+        57,
         PROTOBUF_C_LABEL_REQUIRED,
         PROTOBUF_C_TYPE_STRING,
         0,                     /* quantifier_offset */
@@ -1163,7 +1150,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
         },
        {
         "macvlan_vs_nm",
-        59,
+        58,
         PROTOBUF_C_LABEL_REQUIRED,
         PROTOBUF_C_TYPE_STRING,
         0,                     /* quantifier_offset */
@@ -1175,7 +1162,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
         },
        {
         "macvlan_vs_gw",
-        60,
+        59,
         PROTOBUF_C_LABEL_REQUIRED,
         PROTOBUF_C_TYPE_STRING,
         0,                     /* quantifier_offset */
@@ -1187,7 +1174,7 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
         },
        {
         "exec_bin",
-        61,
+        60,
         PROTOBUF_C_LABEL_OPTIONAL,
         PROTOBUF_C_TYPE_MESSAGE,
         0,                     /* quantifier_offset */
@@ -1201,70 +1188,69 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
 
 static const unsigned nsjail__ns_jail_config__field_indices_by_name[] = {
        8,                      /* field[8] = bindhost */
-       47,                     /* field[47] = cgroup_mem_max */
-       48,                     /* field[48] = cgroup_mem_mount */
-       49,                     /* field[49] = cgroup_mem_parent */
-       50,                     /* field[50] = cgroup_pids_max */
-       51,                     /* field[51] = cgroup_pids_mount */
-       52,                     /* field[52] = cgroup_pids_parent */
+       46,                     /* field[46] = cgroup_mem_max */
+       47,                     /* field[47] = cgroup_mem_mount */
+       48,                     /* field[48] = cgroup_mem_parent */
+       49,                     /* field[49] = cgroup_pids_max */
+       50,                     /* field[50] = cgroup_pids_mount */
+       51,                     /* field[51] = cgroup_pids_parent */
        3,                      /* field[3] = chroot_dir */
-       40,                     /* field[40] = clone_newcgroup */
-       38,                     /* field[38] = clone_newipc */
-       34,                     /* field[34] = clone_newnet */
-       36,                     /* field[36] = clone_newns */
-       37,                     /* field[37] = clone_newpid */
-       35,                     /* field[35] = clone_newuser */
-       39,                     /* field[39] = clone_newuts */
+       39,                     /* field[39] = clone_newcgroup */
+       37,                     /* field[37] = clone_newipc */
+       33,                     /* field[33] = clone_newnet */
+       35,                     /* field[35] = clone_newns */
+       36,                     /* field[36] = clone_newpid */
+       34,                     /* field[34] = clone_newuser */
+       38,                     /* field[38] = clone_newuts */
        6,                      /* field[6] = cwd */
        11,                     /* field[11] = daemon */
        1,                      /* field[1] = description */
-       21,                     /* field[21] = disable_no_new_privs */
+       20,                     /* field[20] = disable_no_new_privs */
        15,                     /* field[15] = envar */
-       58,                     /* field[58] = exec_bin */
-       42,                     /* field[42] = gidmap */
+       57,                     /* field[57] = exec_bin */
+       41,                     /* field[41] = gidmap */
        5,                      /* field[5] = hostname */
-       53,                     /* field[53] = iface_no_lo */
+       52,                     /* field[52] = iface_no_lo */
        4,                      /* field[4] = is_root_rw */
        16,                     /* field[16] = keep_caps */
        14,                     /* field[14] = keep_env */
        12,                     /* field[12] = log_file */
        13,                     /* field[13] = log_level */
-       54,                     /* field[54] = macvlan_iface */
-       57,                     /* field[57] = macvlan_vs_gw */
-       55,                     /* field[55] = macvlan_vs_ip */
-       56,                     /* field[56] = macvlan_vs_nm */
+       53,                     /* field[53] = macvlan_iface */
+       56,                     /* field[56] = macvlan_vs_gw */
+       54,                     /* field[54] = macvlan_vs_ip */
+       55,                     /* field[55] = macvlan_vs_nm */
        9,                      /* field[9] = max_conns_per_ip */
        2,                      /* field[2] = mode */
-       44,                     /* field[44] = mount */
-       43,                     /* field[43] = mount_proc */
+       43,                     /* field[43] = mount */
+       42,                     /* field[42] = mount_proc */
        0,                      /* field[0] = name */
        19,                     /* field[19] = pass_fd */
-       29,                     /* field[29] = persona_addr_compat_layout */
-       32,                     /* field[32] = persona_addr_limit_3gb */
-       33,                     /* field[33] = persona_addr_no_randomize */
-       30,                     /* field[30] = persona_mmap_page_zero */
-       31,                     /* field[31] = persona_read_implies_exec */
-       20,                     /* field[20] = pivot_root_only */
+       28,                     /* field[28] = persona_addr_compat_layout */
+       31,                     /* field[31] = persona_addr_limit_3gb */
+       32,                     /* field[32] = persona_addr_no_randomize */
+       29,                     /* field[29] = persona_mmap_page_zero */
+       30,                     /* field[30] = persona_read_implies_exec */
        7,                      /* field[7] = port */
-       22,                     /* field[22] = rlimit_as */
-       23,                     /* field[23] = rlimit_core */
-       24,                     /* field[24] = rlimit_cpu */
-       25,                     /* field[25] = rlimit_fsize */
-       26,                     /* field[26] = rlimit_nofile */
-       27,                     /* field[27] = rlimit_nproc */
-       28,                     /* field[28] = rlimit_stack */
-       45,                     /* field[45] = seccomp_policy_file */
-       46,                     /* field[46] = seccomp_string */
+       21,                     /* field[21] = rlimit_as */
+       22,                     /* field[22] = rlimit_core */
+       23,                     /* field[23] = rlimit_cpu */
+       24,                     /* field[24] = rlimit_fsize */
+       25,                     /* field[25] = rlimit_nofile */
+       26,                     /* field[26] = rlimit_nproc */
+       27,                     /* field[27] = rlimit_stack */
+       44,                     /* field[44] = seccomp_policy_file */
+       45,                     /* field[45] = seccomp_string */
        17,                     /* field[17] = silent */
        18,                     /* field[18] = skip_setsid */
        10,                     /* field[10] = time_limit */
-       41,                     /* field[41] = uidmap */
+       40,                     /* field[40] = uidmap */
 };
 
 static const ProtobufCIntRange nsjail__ns_jail_config__number_ranges[2 + 1] = {
        {1, 0},
        {8, 5},
-       {0, 59}
+       {0, 58}
 };
 
 const ProtobufCMessageDescriptor nsjail__ns_jail_config__descriptor = {
@@ -1274,7 +1260,7 @@ const ProtobufCMessageDescriptor nsjail__ns_jail_config__descriptor = {
        "Nsjail__NsJailConfig",
        "nsjail",
        sizeof(Nsjail__NsJailConfig),
-       59,
+       58,
        nsjail__ns_jail_config__field_descriptors,
        nsjail__ns_jail_config__field_indices_by_name,
        2, nsjail__ns_jail_config__number_ranges,
index ab569191166c001c1b013ef62f410eb216c71c93..7f0e55d6554cb5171f66148eb84da6b0fb64ebd7 100644 (file)
@@ -240,11 +240,6 @@ struct _Nsjail__NsJailConfig {
         */
        size_t n_pass_fd;
        int32_t *pass_fd;
-       /*
-        * Should pivot_root be used instead of chroot?
-        *Using pivot_root allows to have subnamespaces 
-        */
-       protobuf_c_boolean pivot_root_only;
        /*
         * Setting it to true will allow to have set-uid binaries
         *inside the jail 
@@ -384,7 +379,7 @@ extern char nsjail__ns_jail_config__macvlan_vs_nm__default_value[];
 extern char nsjail__ns_jail_config__macvlan_vs_gw__default_value[];
 #define NSJAIL__NS_JAIL_CONFIG__INIT \
  { PROTOBUF_C_MESSAGE_INIT (&nsjail__ns_jail_config__descriptor) \
-    , nsjail__ns_jail_config__name__default_value, nsjail__ns_jail_config__description__default_value, NSJAIL__MODE__ONCE, NULL, 0, nsjail__ns_jail_config__hostname__default_value, nsjail__ns_jail_config__cwd__default_value, 0u, nsjail__ns_jail_config__bindhost__default_value, 0u, 600u, 0, NULL, 0,0, 0, 0,NULL, 0, 0, 0, 0,NULL, 0, 0, 512ull, 0ull, 600ull, 1ull, 32ull, 0,0, 0,0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1, 0, 0,NULL, 0,NULL, 0, 0,NULL, NULL, NULL, 0ull, nsjail__ns_jail_config__cgroup_mem_mount__default_value, nsjail__ns_jail_config__cgroup_mem_parent__default_value, 0ull, nsjail__ns_jail_config__cgroup_pids_mount__default_value, nsjail__ns_jail_config__cgroup_pids_parent__default_value, 0, NULL, nsjail__ns_jail_config__macvlan_vs_ip__default_value, nsjail__ns_jail_config__macvlan_vs_nm__default_value, nsjail__ns_jail_config__macvlan_vs_gw__default_value, NULL }
+    , nsjail__ns_jail_config__name__default_value, nsjail__ns_jail_config__description__default_value, NSJAIL__MODE__ONCE, NULL, 0, nsjail__ns_jail_config__hostname__default_value, nsjail__ns_jail_config__cwd__default_value, 0u, nsjail__ns_jail_config__bindhost__default_value, 0u, 600u, 0, NULL, 0,0, 0, 0,NULL, 0, 0, 0, 0,NULL, 0, 512ull, 0ull, 600ull, 1ull, 32ull, 0,0, 0,0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1, 0, 0,NULL, 0,NULL, 0, 0,NULL, NULL, NULL, 0ull, nsjail__ns_jail_config__cgroup_mem_mount__default_value, nsjail__ns_jail_config__cgroup_mem_parent__default_value, 0ull, nsjail__ns_jail_config__cgroup_pids_mount__default_value, nsjail__ns_jail_config__cgroup_pids_parent__default_value, 0, NULL, nsjail__ns_jail_config__macvlan_vs_ip__default_value, nsjail__ns_jail_config__macvlan_vs_nm__default_value, nsjail__ns_jail_config__macvlan_vs_gw__default_value, NULL }
 
 /* Nsjail__IdMap methods */
 void nsjail__id_map__init(Nsjail__IdMap * message);
index 6c17017b646dd088fcfdbc04ccdcfd5f4b5036e2..6a22fd9d930956bf3558f3196251dd6096d33de3 100644 (file)
@@ -111,79 +111,76 @@ message NsJailConfig
     /* Which FDs should be passed to the newly executed process
        By default only FD=0,1,2 are passed */
     repeated int32 pass_fd = 22;
-    /* Should pivot_root be used instead of chroot?
-       Using pivot_root allows to have subnamespaces */
-    required bool pivot_root_only = 23 [ default = false ];
     /* Setting it to true will allow to have set-uid binaries
        inside the jail */
-    required bool disable_no_new_privs = 24 [ default = false ];
+    required bool disable_no_new_privs = 23 [ default = false ];
 
-    required uint64 rlimit_as = 25 [ default = 512 ]; /* In MiB */
-    required uint64 rlimit_core = 26 [ default = 0 ]; /* In MiB */
-    required uint64 rlimit_cpu = 27 [ default = 600 ]; /* In seconds */
-    required uint64 rlimit_fsize = 28 [ default = 1 ]; /* In MiB */
-    required uint64 rlimit_nofile = 29 [ default = 32 ];
-    optional uint64 rlimit_nproc = 30; /* This is system-wide: tricky to use */
-    optional uint64 rlimit_stack = 31; /* In MiB */
+    required uint64 rlimit_as = 24 [ default = 512 ]; /* In MiB */
+    required uint64 rlimit_core = 25 [ default = 0 ]; /* In MiB */
+    required uint64 rlimit_cpu = 26 [ default = 600 ]; /* In seconds */
+    required uint64 rlimit_fsize = 27 [ default = 1 ]; /* In MiB */
+    required uint64 rlimit_nofile = 28 [ default = 32 ];
+    optional uint64 rlimit_nproc = 29; /* This is system-wide: tricky to use */
+    optional uint64 rlimit_stack = 30; /* In MiB */
 
     /* See 'man personality' for more */
-    required bool persona_addr_compat_layout = 32 [ default = false ];
-    required bool persona_mmap_page_zero = 33 [ default = false ];
-    required bool persona_read_implies_exec = 34 [ default = false ];
-    required bool persona_addr_limit_3gb = 35 [ default = false ];
-    required bool persona_addr_no_randomize = 36 [ default = false ];
+    required bool persona_addr_compat_layout = 31 [ default = false ];
+    required bool persona_mmap_page_zero = 32 [ default = false ];
+    required bool persona_read_implies_exec = 33 [ default = false ];
+    required bool persona_addr_limit_3gb = 34 [ default = false ];
+    required bool persona_addr_no_randomize = 35 [ default = false ];
 
     /* Which name-spaces should be used? */
-    required bool clone_newnet = 37 [ default = true ];
-    required bool clone_newuser = 38 [ default = true ];
-    required bool clone_newns = 39 [ default = true ];
-    required bool clone_newpid = 40 [ default = true ];
-    required bool clone_newipc = 41 [ default = true ];
-    required bool clone_newuts = 42 [ default = true ];
+    required bool clone_newnet = 36 [ default = true ];
+    required bool clone_newuser = 37 [ default = true ];
+    required bool clone_newns = 38 [ default = true ];
+    required bool clone_newpid = 39 [ default = true ];
+    required bool clone_newipc = 40 [ default = true ];
+    required bool clone_newuts = 41 [ default = true ];
     /* It's only supported in newer kernels, hence disabled by default */
-    required bool clone_newcgroup = 43 [ default = false ];
+    required bool clone_newcgroup = 42 [ default = false ];
 
     /* Mappings for UIDs and GIDs. See the description for 'msg IdMap'
        for more */
-    repeated IdMap uidmap = 44;
-    repeated IdMap gidmap = 45;
+    repeated IdMap uidmap = 43;
+    repeated IdMap gidmap = 44;
 
     /* Should /proc be mounted (R/O)? This can also be added in the 'mount'
        section below */
-    required bool mount_proc = 46 [ default = false ];
+    required bool mount_proc = 45 [ default = false ];
     /* Mount points inside the jail. See the description for 'msg MountPt'
        for more */
-    repeated MountPt mount = 47;
+    repeated MountPt mount = 46;
 
     /* Kafel seccomp-bpf policy file or a string:
        Homepage of the project: https://github.com/google/kafel */
-    optional string seccomp_policy_file = 48;
-    optional string seccomp_string = 49;
+    optional string seccomp_policy_file = 47;
+    optional string seccomp_string = 48;
 
     /* If > 0, maximum cumulative size of RAM used inside any jail */
-    required uint64 cgroup_mem_max = 50 [ default = 0 ]; /* In MiB */
+    required uint64 cgroup_mem_max = 49 [ default = 0 ]; /* In MiB */
     /* Mount point for cgroups-memory in your system */
-    required string cgroup_mem_mount = 51 [ default = "/sys/fs/cgroup/memory" ];
+    required string cgroup_mem_mount = 50 [ default = "/sys/fs/cgroup/memory" ];
     /* Writeable directory (for the nsjail user) under cgroup_mem_mount */
-    required string cgroup_mem_parent = 52 [ default = "NSJAIL" ];
+    required string cgroup_mem_parent = 51 [ default = "NSJAIL" ];
 
     /* If > 0, maximum number of PIDs (threads/processes) inside jail */
-    required uint64 cgroup_pids_max = 53 [ default = 0 ];
+    required uint64 cgroup_pids_max = 52 [ default = 0 ];
     /* Mount point for cgroups-pids in your system */
-    required string cgroup_pids_mount = 54 [ default = "/sys/fs/cgroup/pids" ];
+    required string cgroup_pids_mount = 53 [ default = "/sys/fs/cgroup/pids" ];
     /* Writeable directory (for the nsjail user) under cgroup_pids_mount */
-    required string cgroup_pids_parent = 55 [ default = "NSJAIL" ];
+    required string cgroup_pids_parent = 54 [ default = "NSJAIL" ];
 
     /* Should the 'lo' interface be brought up (active) inside this jail? */
-    required bool iface_no_lo = 56 [ default = false ];
+    required bool iface_no_lo = 55 [ default = false ];
 
     /* Parameters for the cloned MACVLAN interface inside jail */
-    optional string macvlan_iface = 57; /* Interface to be cloned, eg 'eth0' */
-    required string macvlan_vs_ip = 58 [ default = "192.168.0.2" ];
-    required string macvlan_vs_nm = 59 [ default = "255.255.255.0" ];
-    required string macvlan_vs_gw = 60 [ default = "192.168.0.1" ];
+    optional string macvlan_iface = 56; /* Interface to be cloned, eg 'eth0' */
+    required string macvlan_vs_ip = 57 [ default = "192.168.0.2" ];
+    required string macvlan_vs_nm = 58 [ default = "255.255.255.0" ];
+    required string macvlan_vs_gw = 59 [ default = "192.168.0.1" ];
 
     /* Binary path (with arguments) to be executed. If not specified here, it
        can be specified with cmd-line as "-- /path/to/command arg1 arg2" */
-    optional Exe exec_bin = 61;
+    optional Exe exec_bin = 60;
 }
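Review bot: Removing `pivot_root_only` by renumbering every following field, from `disable_no_new_privs = 24 → 23` down to `exec_bin = 61 → 60`, changes the wire tag of 38 fields, so any NsJailConfig that was serialized in binary form before this commit would decode against the wrong fields afterwards (an old `rlimit_as` at tag 25 would now be read as `rlimit_core`). The conventional proto2 change is to keep the existing numbers and retire the freed tag with `reserved 23;` (optionally also `reserved "pivot_root_only";`), which additionally shrinks the generated `config.pb-c.*` churn to the single removed descriptor — assuming the protoc-c toolchain in use accepts `reserved`. Text-format configs that still contain `pivot_root_only:` will presumably be rejected as an unknown field either way, as the updated `bash-with-fake-geteuid.cfg` hunk implies; if that breakage is intended, a line in the commit message saying so would help downstream users.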
index 68d31164d4956855d60642211ff7df2be6ee8071..c97fc90d39b1a0d6eefc1d4f73eeda89c545d415 100644 (file)
@@ -31,7 +31,6 @@ silent: false
 skip_setsid: true
 pass_fd: 100
 pass_fd: 3
-pivot_root_only: false
 disable_no_new_privs: false
 
 rlimit_as: 128
diff --git a/mount.c b/mount.c
index 4c5f6935b0c0264f44836292d2f061854365fdbe..07310865d1f6c0584201876968618eecfd8be95e 100644 (file)
--- a/mount.c
+++ b/mount.c
@@ -253,70 +253,39 @@ static bool mountInitNsInternal(struct nsjconf_t *nsjconf)
                return true;
        }
 
-       const char *const destdir = "/tmp";
-       if (mount(NULL, destdir, "tmpfs", 0, NULL) == -1) {
-               PLOG_E("mount('%s', 'tmpfs')", destdir);
-               return false;
-       }
-       char oldrootdir[PATH_MAX];
-       snprintf(oldrootdir, sizeof(oldrootdir), "%s/old_root", destdir);
-       if (mkdir(oldrootdir, 0755) == -1) {
-               PLOG_E("mkdir('%s')", oldrootdir);
-               return false;
-       }
-       if (syscall(__NR_pivot_root, destdir, oldrootdir) == -1) {
-               PLOG_E("pivot_root('%s', '%s')", destdir, oldrootdir);
-               return false;
-       }
        if (chdir("/") == -1) {
                PLOG_E("chdir('/')");
                return false;
        }
 
-       const char *newrootdir;
-       if (nsjconf->pivot_root_only == false) {
-               newrootdir = "/new_root";
-               if (mkdir(newrootdir, 0755) == -1) {
-                       PLOG_E("mkdir('%s')", newrootdir);
-                       return false;
-               }
-       } else {
-               newrootdir = "/";
+       char destdir[PATH_MAX];
+       snprintf(destdir, sizeof(destdir), "/tmp/nsjail.%d", (int)getuid());
+       if (mkdir(destdir, 0755) == -1 && errno != EEXIST) {
+               PLOG_E("Couldn't create '%s' directory. Maybe remove it?", destdir);
+       }
+       if (mount(NULL, destdir, "tmpfs", 0, NULL) == -1) {
+               PLOG_E("mount('%s', 'tmpfs')", destdir);
+               return false;
        }
 
        struct mounts_t *p;
        TAILQ_FOREACH(p, &nsjconf->mountpts, pointers) {
-               /*
-                * The intention behind pivot_root_only is to allow creating
-                * nested usernamespaces. If we bind mount over /, the kernel
-                * will see the process as chrooted and deny CLONE_NEWUSER.
-                */
-               if (nsjconf->pivot_root_only && strcmp(p->dst, "/") == 0) {
-                       continue;
-               }
                char dst[PATH_MAX];
-               snprintf(dst, sizeof(dst), "%s/%s", newrootdir, p->dst);
-               if (mountMount(p, "/old_root", dst) == false) {
+               snprintf(dst, sizeof(dst), "%s/%s", destdir, p->dst);
+               if (mountMount(p, "/", dst) == false) {
                        return false;
                }
        }
 
-       if (umount2("/old_root", MNT_DETACH) == -1) {
-               PLOG_E("umount2('/old_root', MNT_DETACH)");
+       if (syscall(__NR_pivot_root, destdir, destdir) == -1) {
+               PLOG_E("pivot_root('%s', '%s')", destdir, destdir);
                return false;
        }
-       if (nsjconf->pivot_root_only == false) {
-               if (chroot(newrootdir) == -1) {
-                       PLOG_E("chroot('%s')", newrootdir);
-                       return false;
-               }
-       } else {
-               if (rmdir("/old_root") == -1) {
-                       PLOG_E("rmdir('/old_root')");
-                       return false;
-               }
-       }
 
+       if (umount2("/", MNT_DETACH) == -1) {
+               PLOG_E("umount2('/', MNT_DETACH)");
+               return false;
+       }
        if (chdir(nsjconf->cwd) == -1) {
                PLOG_E("chdir('%s')", nsjconf->cwd);
                return false;
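Review bot: The new mkdir() guard, `if (mkdir(destdir, 0755) == -1 && errno != EEXIST)`, only logs and then falls through to mount(), so a genuine failure (EACCES, ENOSPC, a missing /tmp) is not a hard error here and surfaces a second time as a less informative mount('%s', 'tmpfs') message; add `return false;` after that PLOG_E, as every other error path in this hunk does. Because EEXIST is tolerated and `/tmp/nsjail.<uid>` is a predictable name inside a world-writable directory, an entry placed there beforehand by another local user — notably a symlink, which mount() and pivot_root() follow — is accepted silently; checking with lstat() that the path is a real directory owned by getuid() (or opening it with O_DIRECTORY|O_NOFOLLOW and validating it) before mounting would close that gap, though how much of the host /tmp is visible at this point depends on the mount-propagation setup outside this hunk. It would also be worth a one-line comment above `syscall(__NR_pivot_root, destdir, destdir)` noting that new_root == put_old is the documented idiom that stacks the old root on the same directory, which is why the following `umount2("/", MNT_DETACH)` detaches the old root rather than the new tmpfs. mountInitNsInternal begins and ends outside the hunk.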