LDFLAGS += -Wl,-z,now -Wl,-z,relro -pie -Wl,-z,noexecstack
-SRCS = nsjail.c cmdline.c contain.c log.c mount.c net.c sandbox.c subproc.c user.c util.c uts.c seccomp/bpf-helper.c
+SRCS = nsjail.c cmdline.c contain.c log.c mount.c net.c pid.c sandbox.c subproc.c user.c util.c uts.c seccomp/bpf-helper.c
OBJS = $(SRCS:.c=.o)
BIN = nsjail
#include "log.h"
#include "mount.h"
#include "net.h"
+#include "pid.h"
#include "util.h"
#include "uts.h"
+static bool containInitPidNs(struct nsjconf_t *nsjconf)
+{
+ return pidInitNs(nsjconf);
+}
+
static bool containInitNetNs(struct nsjconf_t *nsjconf)
{
return netInitNsFromChild(nsjconf);
bool containContain(struct nsjconf_t * nsjconf)
{
+ if (containInitPidNs(nsjconf) == false) {
+ return false;
+ }
if (containInitMountNs(nsjconf) == false) {
return false;
}
--- /dev/null
+/*
+
+ nsjail - CLONE_PID routines
+ -----------------------------------------
+
+ Copyright 2014 Google Inc. All Rights Reserved.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+
+#include "pid.h"
+
+#include <signal.h>
+#include <sched.h>
+#include <sys/prctl.h>
+#include <sys/syscall.h>
+#include <unistd.h>
+
+#include "log.h"
+
+bool pidInitNs(struct nsjconf_t * nsjconf)
+{
+ if (nsjconf->mode != MODE_STANDALONE_EXECVE) {
+ return true;
+ }
+
+ pid_t pid = syscall(__NR_clone, (uintptr_t) CLONE_FS, NULL, NULL, NULL, (uintptr_t) 0);
+ if (pid == -1) {
+ LOG_E("Couldn't create a dummy init process");
+ return false;
+ }
+ if (pid > 0) {
+ return true;
+ }
+ if (prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0) == -1) {
+ LOG_W("(prctl(PR_SET_PDEATHSIG, SIGKILL) failed");
+ }
+ for (;;) {
+ pause();
+ }
+}
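Review bot: `pidInitNs` gates only on `nsjconf->mode != MODE_STANDALONE_EXECVE`, so the `nsjconf->clone_newpid` test that guarded the removed `subprocDummyInit()` call in `subprocRunChild` is gone. A paused helper process therefore appears to be created on every standalone run reached through `containContain`, even when no new PID namespace was requested. Unless that flag is checked somewhere outside this diff, the guard should read `if (nsjconf->mode != MODE_STANDALONE_EXECVE || !nsjconf->clone_newpid) { return true; }`. The clone failure is now reported with `LOG_E`, which presumably drops errno; `PLOG_E("Couldn't create a dummy init process");`, the form used for `unshare` in the subproc.c hunk, would keep the cause. The banner here and in pid.h says "CLONE_PID routines", which names a different flag from the CLONE_NEWPID case this helper exists for.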
--- /dev/null
+/*
+
+ nsjail - CLONE_PID routines
+ -----------------------------------------
+
+ Copyright 2014 Google Inc. All Rights Reserved.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+
+#ifndef NS_PID_H
+#define NS_PID_H
+
+#include <stdbool.h>
+
+#include "common.h"
+
+bool pidInitNs(struct nsjconf_t *nsjconf);
+
+#endif /* NS_PID_H */
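Review bot: The exported prototype `pidInitNs` has no comment, and its contract is not obvious from the name: in pid.c it does nothing and returns true outside `MODE_STANDALONE_EXECVE`. Otherwise it clones a helper that never returns to the caller and blocks in `pause()` until the parent-death signal arrives. I would add above the declaration `/* Creates the placeholder init process for MODE_STANDALONE_EXECVE. Returns false only if clone() fails; the cloned helper never returns. */`. Stating that the helper's lifetime depends on `PR_SET_PDEATHSIG` would also tell callers that a failed `prctl` leaves a process behind.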
return true;
}
-void subprocDummyInit()
-{
- pid_t pid = syscall(__NR_clone, (uintptr_t) CLONE_FS, NULL, NULL, NULL, (uintptr_t) 0);
- if (pid == -1) {
- LOG_F("Couldn't create a dummy init process");
- }
- if (pid > 0) {
- return;
- }
- if (prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0) == -1) {
- LOG_W("(prctl(PR_SET_PDEATHSIG, SIGKILL) failed");
- }
- for (;;) {
- pause();
- }
-}
-
void subprocRunChild(struct nsjconf_t *nsjconf, int fd_in, int fd_out, int fd_err)
{
if (netLimitConns(nsjconf, fd_in) == false) {
PLOG_E("unshare(%#lx)", flags);
_exit(EXIT_FAILURE);
}
- if (nsjconf->clone_newpid) {
- LOG_D
- ("CLONE_NEWPID requested. We must create a dummy init process, to avoid ENOMEM with clone/fork/vfork");
- subprocDummyInit();
- }
subprocNewProc(nsjconf, fd_in, fd_out, fd_err, -1);
}