{ { "disable_clone_newipc", no_argument, NULL, 0x0405 }, "Don't use CLONE_NEWIPC" },
{ { "disable_clone_newuts", no_argument, NULL, 0x0406 }, "Don't use CLONE_NEWUTS" },
{ { "disable_clone_newcgroup", no_argument, NULL, 0x0407 }, "Don't use CLONE_NEWCGROUP. Might be required for kernel versions < 4.6" },
+ { { "enable_clone_newtime", no_argument, NULL, 0x0408 }, "Use CLONE_NEWTIME. Supported with kernel versions >= 5.3" },
{ { "uid_mapping", required_argument, NULL, 'U' }, "Add a custom uid mapping of the form inside_uid:outside_uid:count. Setting this requires newuidmap (set-uid) to be present" },
{ { "gid_mapping", required_argument, NULL, 'G' }, "Add a custom gid mapping of the form inside_gid:outside_gid:count. Setting this requires newgidmap (set-uid) to be present" },
{ { "bindmount_ro", required_argument, NULL, 'R' }, "List of mountpoints to be mounted --bind (ro) inside the container. Can be specified multiple times. Supports 'source' syntax, or 'source:dest'" },
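Review bot: The kernel version in the new `enable_clone_newtime` help string looks off — as far as I recall, time namespaces and CLONE_NEWTIME first shipped in Linux 5.6, not 5.3, so please verify the number against the kernel release notes before this user-facing text ships. The help text could also tell the user that the flag is only honoured on the unshare()-based code path if that is how the rest of the commit wires it up; the parsing and defaulting of this option live in other hunks.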
"max_conns:%u, max_conns_per_ip:%u, time_limit:%" PRId64
", personality:%#lx, daemonize:%s, clone_newnet:%s, "
"clone_newuser:%s, clone_newns:%s, clone_newpid:%s, clone_newipc:%s, clone_newuts:%s, "
- "clone_newcgroup:%s, keep_caps:%s, disable_no_new_privs:%s, max_cpus:%zu",
+ "clone_newcgroup:%s, clone_newtime:%s, keep_caps:%s, disable_no_new_privs:%s, max_cpus:%zu",
nsjconf->hostname.c_str(), nsjconf->chroot.c_str(),
nsjconf->exec_file.empty() ? nsjconf->argv[0].c_str() : nsjconf->exec_file.c_str(),
nsjconf->bindhost.c_str(), nsjconf->port, nsjconf->max_conns, nsjconf->max_conns_per_ip,
logYesNo(nsjconf->clone_newnet), logYesNo(nsjconf->clone_newuser),
logYesNo(nsjconf->clone_newns), logYesNo(nsjconf->clone_newpid),
logYesNo(nsjconf->clone_newipc), logYesNo(nsjconf->clone_newuts),
- logYesNo(nsjconf->clone_newcgroup), logYesNo(nsjconf->keep_caps),
+ logYesNo(nsjconf->clone_newcgroup), logYesNo(nsjconf->clone_newtime), logYesNo(nsjconf->keep_caps),
logYesNo(nsjconf->disable_no_new_privs), nsjconf->max_cpus);
for (const auto& p : nsjconf->mountpts) {
nsjconf->clone_newipc = true;
nsjconf->clone_newuts = true;
nsjconf->clone_newcgroup = true;
+ nsjconf->clone_newcgroup = false;
nsjconf->mode = MODE_STANDALONE_ONCE;
nsjconf->is_root_rw = false;
nsjconf->is_silent = false;
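Review bot: The added default `nsjconf->clone_newcgroup = false;` sits directly after the existing `nsjconf->clone_newcgroup = true;` in the same initializer run, so it silently flips the cgroup-namespace default to off and weakens the default sandbox, while the new `clone_newtime` member gets no default at all in this block. Unless `nsjconf` is value-initialized somewhere outside this hunk, `clone_newtime` is then indeterminate whenever `--enable_clone_newtime` is not given, and it is read later when the namespace flags are assembled. The line almost certainly meant `nsjconf->clone_newtime = false;`. The enclosing defaults block starts and ends outside this hunk.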
nsjconf->clone_newcgroup = false;
break;
case 0x0408:
- nsjconf->clone_newcgroup = true;
+ nsjconf->clone_newtime = true;
break;
case 0x0501:
nsjconf->keep_caps = true;
#if !defined(CLONE_NEWCGROUP)
#define CLONE_NEWCGROUP 0x02000000
#endif /* !defined(CLONE_NEWCGROUP) */
+#if !defined(CLONE_NEWTIME)
+#define #define CLONE_NEWTIME 0x00000080
+#endif /* !defined(CLONE_NEWTIME) */
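Review bot: `#define #define CLONE_NEWTIME 0x00000080` is malformed — the duplicated directive keyword makes the preprocessor reject the macro name, so any build whose libc headers do not yet provide CLONE_NEWTIME fails to compile, which is exactly the case this fallback exists for. It should read `#define CLONE_NEWTIME 0x00000080`, which matches the value the kernel UAPI sched.h uses. The guard and `#endif` comment are otherwise consistent with the CLONE_NEWCGROUP fallback just above.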
static const std::string cloneFlagsToStr(uintptr_t flags) {
std::string res;
const uintptr_t flag;
const char* const name;
} static const cloneFlags[] = {
+ NS_VALSTR_STRUCT(CLONE_NEWTIME),
NS_VALSTR_STRUCT(CLONE_VM),
NS_VALSTR_STRUCT(CLONE_FS),
NS_VALSTR_STRUCT(CLONE_FILES),
flags |= (nsjconf->clone_newipc ? CLONE_NEWIPC : 0);
flags |= (nsjconf->clone_newuts ? CLONE_NEWUTS : 0);
flags |= (nsjconf->clone_newcgroup ? CLONE_NEWCGROUP : 0);
+ flags |= (nsjconf->clone_newtime ? CLONE_NEWTIME : 0);
if (nsjconf->mode == MODE_STANDALONE_EXECVE) {
if (unshare(flags) == -1) {
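Review bot: OR-ing CLONE_NEWTIME into the shared `flags` is only safe on the `unshare(flags)` path shown here; the kernel accepts CLONE_NEWTIME from unshare(2) and clone3(2) but not from clone(2), where its bit value (0x80) falls inside the exit-signal byte. If the non-MODE_STANDALONE_EXECVE branch outside this hunk hands the same `flags` to clone(), enabling the option would most likely make every jail spawn fail with EINVAL instead of creating a time namespace, so the feature would appear broken in the default listening/once modes. Consider keeping CLONE_NEWTIME out of `flags` on that path and calling `unshare(CLONE_NEWTIME)` in the child right after the clone, or routing through clone3() when the option is set; the remainder of this function lies outside the hunk.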