move sandboxing setup from cmdline to nsjail

diff --git a/Makefile b/Makefile
index 3fa6f02..05084c0 100644 (file)
--- a/Makefile
+++ b/Makefile
@@ -92,8 +92,8 @@ indent:
 
 caps.o: caps.h nsjail.h logs.h macros.h util.h
 cgroup.o: cgroup.h nsjail.h logs.h util.h
-cmdline.o: cmdline.h nsjail.h logs.h caps.h config.h macros.h mnt.h sandbox.h
-cmdline.o: user.h util.h
+cmdline.o: cmdline.h nsjail.h logs.h caps.h config.h macros.h mnt.h user.h
+cmdline.o: util.h
 config.o: caps.h nsjail.h logs.h cmdline.h config.h config.pb.h macros.h
 config.o: mnt.h user.h util.h
 contain.o: contain.h nsjail.h logs.h caps.h cgroup.h cpu.h mnt.h net.h pid.h
@@ -102,7 +102,7 @@ cpu.o: cpu.h nsjail.h logs.h util.h
 logs.o: logs.h nsjail.h
 mnt.o: mnt.h nsjail.h logs.h macros.h subproc.h util.h
 net.o: net.h nsjail.h logs.h subproc.h
-nsjail.o: nsjail.h logs.h cmdline.h macros.h net.h subproc.h util.h
+nsjail.o: nsjail.h logs.h cmdline.h macros.h net.h sandbox.h subproc.h util.h
 pid.o: pid.h nsjail.h logs.h subproc.h
 sandbox.o: sandbox.h nsjail.h logs.h kafel/include/kafel.h
 subproc.o: subproc.h nsjail.h logs.h cgroup.h contain.h macros.h net.h

diff --git a/cmdline.cc b/cmdline.cc
index 33179bd..2096c2f 100644 (file)
--- a/cmdline.cc
+++ b/cmdline.cc
@@ -51,7 +51,6 @@
 #include "logs.h"
 #include "macros.h"
 #include "mnt.h"
-#include "sandbox.h"
 #include "user.h"
 #include "util.h"
 
@@ -433,12 +432,15 @@ std::unique_ptr<nsjconf_t> parseArgs(int argc, char* argv[]) {
                        break;
                case 'v':
                        nsjconf->loglevel = logs::DEBUG;
+                       logs::logLevel(nsjconf->loglevel);
                        break;
                case 'q':
                        nsjconf->loglevel = logs::WARNING;
+                       logs::logLevel(nsjconf->loglevel);
                        break;
                case 'Q':
                        nsjconf->loglevel = logs::FATAL;
+                       logs::logLevel(nsjconf->loglevel);
                        break;
                case 'e':
                        nsjconf->keep_env = true;
@@ -816,11 +818,6 @@ std::unique_ptr<nsjconf_t> parseArgs(int argc, char* argv[]) {
                }
        }
 
-       if (!sandbox::preparePolicy(nsjconf.get())) {
-               LOG_E("Couldn't prepare sandboxing setup");
-               return nullptr;
-       }
-
        return nsjconf;
 }
 

diff --git a/config.cc b/config.cc
index d60686f..1bd733a 100644 (file)
--- a/config.cc
+++ b/config.cc
@@ -121,6 +121,7 @@ static bool configParseInternal(nsjconf_t* nsjconf, const nsjail::NsJailConfig&
                        LOG_E("Unknown log_level: %d", njc.log_level());
                        return false;
                }
+               logs::logLevel(nsjconf->loglevel);
        }
 
        nsjconf->keep_env = njc.keep_env();

diff --git a/logs.cc b/logs.cc
index d7404a6..591dd15 100644 (file)
--- a/logs.cc
+++ b/logs.cc
@@ -141,4 +141,8 @@ void logStop(int sig) {
        LOG_I("Server stops due to fatal signal (%d) caught. Exiting", sig);
 }
 
+void logLevel(enum llevel_t ll) {
+       _log_level = ll;
+}
+
 }  // namespace logs

diff --git a/logs.h b/logs.h
index d17413e..8d5a1fe 100644 (file)
--- a/logs.h
+++ b/logs.h
@@ -59,6 +59,7 @@ bool initLog(const std::string& logfile, llevel_t loglevel);
 void logMsg(enum llevel_t ll, const char* fn, int ln, bool perr, const char* fmt, ...)
     __attribute__((format(printf, 5, 6)));
 void logStop(int sig);
+void logLevel(enum llevel_t ll);
 
 }  // namespace logs
 

diff --git a/nsjail.cc b/nsjail.cc
index 9dd6f23..270d0c3 100644 (file)
--- a/nsjail.cc
+++ b/nsjail.cc
@@ -33,6 +33,7 @@
 #include "logs.h"
 #include "macros.h"
 #include "net.h"
+#include "sandbox.h"
 #include "subproc.h"
 #include "util.h"
 
@@ -174,6 +175,9 @@ int main(int argc, char* argv[]) {
        if (nsjailSetTimer(nsjconf.get()) == false) {
                LOG_F("nsjailSetTimer() failed");
        }
+       if (!sandbox::preparePolicy(nsjconf.get())) {
+               LOG_F("Couldn't prepare sandboxing policy");
+       }
 
        if (nsjconf->mode == MODE_LISTEN_TCP) {
                nsjailListenMode(nsjconf.get());