cgroup.o: cgroup.h nsjail.h log.h util.h
cmdline.o: cmdline.h nsjail.h caps.h config.h log.h macros.h mnt.h sandbox.h
cmdline.o: user.h util.h
-config.o: caps.h nsjail.h cmdline.h config.h log.h macros.h mnt.h user.h
-config.o: util.h
+config.o: caps.h nsjail.h cmdline.h config.h config.pb.h log.h macros.h mnt.h
+config.o: user.h util.h
contain.o: contain.h nsjail.h caps.h cgroup.h cpu.h log.h mnt.h net.h pid.h
contain.o: user.h uts.h
cpu.o: cpu.h nsjail.h log.h util.h
uts.o: uts.h nsjail.h log.h
user.o: user.h nsjail.h log.h macros.h subproc.h util.h
util.o: util.h nsjail.h log.h macros.h
+config.pb.o: config.pb.h
return true;
}
-bool initNs(struct nsjconf_t* nsjconf) {
+bool initNs(nsjconf_t* nsjconf) {
char dbgmsg[4096];
struct ints_t* p;
namespace caps {
int nameToVal(const char* name);
-bool initNs(struct nsjconf_t* nsjconf);
+bool initNs(nsjconf_t* nsjconf);
} // namespace caps
namespace cgroup {
-static bool initNsFromParentMem(struct nsjconf_t* nsjconf, pid_t pid) {
+static bool initNsFromParentMem(nsjconf_t* nsjconf, pid_t pid) {
if (nsjconf->cgroup_mem_max == (size_t)0) {
return true;
}
return true;
}
-static bool initNsFromParentPids(struct nsjconf_t* nsjconf, pid_t pid) {
+static bool initNsFromParentPids(nsjconf_t* nsjconf, pid_t pid) {
if (nsjconf->cgroup_pids_max == 0U) {
return true;
}
return true;
}
-static bool initNsFromParentNetCls(struct nsjconf_t* nsjconf, pid_t pid) {
+static bool initNsFromParentNetCls(nsjconf_t* nsjconf, pid_t pid) {
if (nsjconf->cgroup_net_cls_classid == 0U) {
return true;
}
return true;
}
-static bool initNsFromParentCpu(struct nsjconf_t* nsjconf, pid_t pid) {
+static bool initNsFromParentCpu(nsjconf_t* nsjconf, pid_t pid) {
if (nsjconf->cgroup_cpu_ms_per_sec == 0U) {
return true;
}
return true;
}
-bool initNsFromParent(struct nsjconf_t* nsjconf, pid_t pid) {
+bool initNsFromParent(nsjconf_t* nsjconf, pid_t pid) {
if (!initNsFromParentMem(nsjconf, pid)) {
return false;
}
return true;
}
-void finishFromParentMem(struct nsjconf_t* nsjconf, pid_t pid) {
+void finishFromParentMem(nsjconf_t* nsjconf, pid_t pid) {
if (nsjconf->cgroup_mem_max == (size_t)0) {
return;
}
return;
}
-void finishFromParentPids(struct nsjconf_t* nsjconf, pid_t pid) {
+void finishFromParentPids(nsjconf_t* nsjconf, pid_t pid) {
if (nsjconf->cgroup_pids_max == 0U) {
return;
}
return;
}
-void finishFromParentCpu(struct nsjconf_t* nsjconf, pid_t pid) {
+void finishFromParentCpu(nsjconf_t* nsjconf, pid_t pid) {
if (nsjconf->cgroup_cpu_ms_per_sec == 0U) {
return;
}
return;
}
-void finishFromParentNetCls(struct nsjconf_t* nsjconf, pid_t pid) {
+void finishFromParentNetCls(nsjconf_t* nsjconf, pid_t pid) {
if (nsjconf->cgroup_net_cls_classid == 0U) {
return;
}
return;
}
-void finishFromParent(struct nsjconf_t* nsjconf, pid_t pid) {
+void finishFromParent(nsjconf_t* nsjconf, pid_t pid) {
finishFromParentMem(nsjconf, pid);
finishFromParentPids(nsjconf, pid);
finishFromParentNetCls(nsjconf, pid);
namespace cgroup {
-bool initNsFromParent(struct nsjconf_t* nsjconf, pid_t pid);
+bool initNsFromParent(nsjconf_t* nsjconf, pid_t pid);
bool initNs(void);
-void finishFromParent(struct nsjconf_t* nsjconf, pid_t pid);
+void finishFromParent(nsjconf_t* nsjconf, pid_t pid);
} // namespace cgroup
LOG_HELP_BOLD(" nsjail -Me --chroot / --disable_proc -- /bin/echo \"ABC\"");
}
-void logParams(struct nsjconf_t* nsjconf) {
+void logParams(nsjconf_t* nsjconf) {
switch (nsjconf->mode) {
case MODE_LISTEN_TCP:
LOG_I("Mode: LISTEN_TCP");
}
}
{
- struct idmap_t* p;
+ idmap_t* p;
for (const auto& uid : nsjconf->uids) {
LOG_I("Uid map: inside_uid:%lu outside_uid:%lu count:%zu newuidmap:%s",
(unsigned long)uid.inside_id, (unsigned long)uid.outside_id, uid.count,
}
}
-std::unique_ptr<struct nsjconf_t> parseArgs(int argc, char* argv[]) {
- std::unique_ptr<struct nsjconf_t> nsjconf = std::make_unique<struct nsjconf_t>();
+std::unique_ptr<nsjconf_t> parseArgs(int argc, char* argv[]) {
+ std::unique_ptr<nsjconf_t> nsjconf = std::make_unique<nsjconf_t>();
nsjconf->exec_file = NULL;
nsjconf->use_execveat = false;
}
if (nsjconf->uids.empty()) {
- struct idmap_t uid;
+ idmap_t uid;
uid.inside_id = getuid();
uid.outside_id = getuid();
uid.count = 1U;
nsjconf->uids.push_back(uid);
}
if (nsjconf->gids.empty()) {
- struct idmap_t gid;
+ idmap_t gid;
gid.inside_id = getgid();
gid.outside_id = getgid();
gid.count = 1U;
namespace cmdline {
uint64_t parseRLimit(int res, const char* optarg, unsigned long mul);
-void logParams(struct nsjconf_t* nsjconf);
-std::unique_ptr<struct nsjconf_t> parseArgs(int argc, char* argv[]);
+void logParams(nsjconf_t* nsjconf);
+std::unique_ptr<nsjconf_t> parseArgs(int argc, char* argv[]);
} // namespace cmdline
abort();
}
-static bool configParseInternal(struct nsjconf_t* nsjconf, const nsjail::NsJailConfig& njc) {
+static bool configParseInternal(nsjconf_t* nsjconf, const nsjail::NsJailConfig& njc) {
switch (njc.mode()) {
case nsjail::Mode::LISTEN:
nsjconf->mode = MODE_LISTEN_TCP;
LOG_W("config.cc: '%s'", message.c_str());
}
-bool parseFile(struct nsjconf_t* nsjconf, const char* file) {
+bool parseFile(nsjconf_t* nsjconf, const char* file) {
LOG_I("Parsing configuration from '%s'", file);
int fd = open(file, O_RDONLY | O_CLOEXEC);
namespace config {
-bool parseFile(struct nsjconf_t* nsjconf, const char* file);
+bool parseFile(nsjconf_t* nsjconf, const char* file);
} // namespace config
namespace contain {
-static bool containUserNs(struct nsjconf_t* nsjconf) { return user::initNsFromChild(nsjconf); }
+static bool containUserNs(nsjconf_t* nsjconf) { return user::initNsFromChild(nsjconf); }
-static bool containInitPidNs(struct nsjconf_t* nsjconf) { return pid::initNs(nsjconf); }
+static bool containInitPidNs(nsjconf_t* nsjconf) { return pid::initNs(nsjconf); }
-static bool containInitNetNs(struct nsjconf_t* nsjconf) { return net::initNsFromChild(nsjconf); }
+static bool containInitNetNs(nsjconf_t* nsjconf) { return net::initNsFromChild(nsjconf); }
-static bool containInitUtsNs(struct nsjconf_t* nsjconf) { return uts::initNs(nsjconf); }
+static bool containInitUtsNs(nsjconf_t* nsjconf) { return uts::initNs(nsjconf); }
static bool containInitCgroupNs(void) { return cgroup::initNs(); }
-static bool containDropPrivs(struct nsjconf_t* nsjconf) {
+static bool containDropPrivs(nsjconf_t* nsjconf) {
#ifndef PR_SET_NO_NEW_PRIVS
#define PR_SET_NO_NEW_PRIVS 38
#endif
return true;
}
-static bool containPrepareEnv(struct nsjconf_t* nsjconf) {
+static bool containPrepareEnv(nsjconf_t* nsjconf) {
if (prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0) == -1) {
PLOG_E("prctl(PR_SET_PDEATHSIG, SIGKILL)");
return false;
return true;
}
-static bool containInitMountNs(struct nsjconf_t* nsjconf) { return mnt::initNs(nsjconf); }
+static bool containInitMountNs(nsjconf_t* nsjconf) { return mnt::initNs(nsjconf); }
-static bool containCPU(struct nsjconf_t* nsjconf) { return cpu::initCpu(nsjconf); }
+static bool containCPU(nsjconf_t* nsjconf) { return cpu::initCpu(nsjconf); }
-static bool containSetLimits(struct nsjconf_t* nsjconf) {
+static bool containSetLimits(nsjconf_t* nsjconf) {
struct rlimit64 rl;
rl.rlim_cur = rl.rlim_max = nsjconf->rl_as;
if (setrlimit64(RLIMIT_AS, &rl) == -1) {
return true;
}
-static bool containPassFd(struct nsjconf_t* nsjconf, int fd) {
+static bool containPassFd(nsjconf_t* nsjconf, int fd) {
return (std::find(nsjconf->openfds.begin(), nsjconf->openfds.end(), fd) !=
nsjconf->openfds.end());
}
-static bool containMakeFdsCOENaive(struct nsjconf_t* nsjconf) {
+static bool containMakeFdsCOENaive(nsjconf_t* nsjconf) {
/*
* Don't use getrlimit(RLIMIT_NOFILE) here, as it can return an artifically small value
* (e.g. 32), which could be smaller than a maximum assigned number to file-descriptors
return true;
}
-static bool containMakeFdsCOEProc(struct nsjconf_t* nsjconf) {
+static bool containMakeFdsCOEProc(nsjconf_t* nsjconf) {
int dirfd = open("/proc/self/fd", O_DIRECTORY | O_RDONLY | O_CLOEXEC);
if (dirfd == -1) {
PLOG_D("open('/proc/self/fd', O_DIRECTORY|O_RDONLY|O_CLOEXEC)");
return true;
}
-static bool containMakeFdsCOE(struct nsjconf_t* nsjconf) {
+static bool containMakeFdsCOE(nsjconf_t* nsjconf) {
if (containMakeFdsCOEProc(nsjconf)) {
return true;
}
return false;
}
-bool setupFD(struct nsjconf_t* nsjconf, int fd_in, int fd_out, int fd_err) {
+bool setupFD(nsjconf_t* nsjconf, int fd_in, int fd_out, int fd_err) {
if (nsjconf->mode != MODE_LISTEN_TCP) {
if (nsjconf->is_silent == false) {
return true;
return true;
}
-bool containProc(struct nsjconf_t* nsjconf) {
+bool containProc(nsjconf_t* nsjconf) {
if (containUserNs(nsjconf) == false) {
return false;
}
namespace contain {
-bool setupFD(struct nsjconf_t* nsjconf, int fd_in, int fd_out, int fd_err);
-bool containProc(struct nsjconf_t* nsjconf);
+bool setupFD(nsjconf_t* nsjconf, int fd_in, int fd_out, int fd_err);
+bool containProc(nsjconf_t* nsjconf);
} // namespace contain
}
}
-bool initCpu(struct nsjconf_t* nsjconf) {
+bool initCpu(nsjconf_t* nsjconf) {
if (nsjconf->num_cpus < 0) {
PLOG_W("sysconf(_SC_NPROCESSORS_ONLN) returned %ld", nsjconf->num_cpus);
return false;
namespace cpu {
-bool initCpu(struct nsjconf_t* nsjconf);
+bool initCpu(nsjconf_t* nsjconf);
} // namespace cpu
* Log to stderr by default. Use a dup()d fd, because in the future we'll associate the
* connection socket with fd (0, 1, 2).
*/
-bool initLogFile(struct nsjconf_t* nsjconf) {
+bool initLogFile(nsjconf_t* nsjconf) {
/* Close previous log_fd */
if (log_fd > STDERR_FILENO) {
close(log_fd);
namespace log {
-bool initLogFile(struct nsjconf_t* nsjconf);
+bool initLogFile(nsjconf_t* nsjconf);
void logMsg(enum llevel_t ll, const char* fn, int ln, bool perr, const char* fmt, ...)
__attribute__((format(printf, 5, 6)));
void logStop(int sig);
return false;
}
-static bool mountPt(struct mount_t* mpt, const char* newroot, const char* tmpdir) {
+static bool mountPt(mount_t* mpt, const char* newroot, const char* tmpdir) {
char dst[PATH_MAX];
snprintf(dst, sizeof(dst), "%s/%s", newroot, mpt->dst.c_str());
return true;
}
-static bool remountRO(const struct mount_t& mpt) {
+static bool remountRO(const mount_t& mpt) {
if (!mpt.mounted) {
return true;
}
return true;
}
-static bool getDir(struct nsjconf_t* nsjconf, char* dir, const char* name) {
+static bool getDir(nsjconf_t* nsjconf, char* dir, const char* name) {
snprintf(dir, PATH_MAX, "/run/user/%u/nsjail.%s", nsjconf->orig_uid, name);
if (mkdirAndTest(dir)) {
return true;
return false;
}
-static bool initNsInternal(struct nsjconf_t* nsjconf) {
+static bool initNsInternal(nsjconf_t* nsjconf) {
/*
* If CLONE_NEWNS is not used, we would be changing the global mount namespace, so simply
* use --chroot in this case
* With mode MODE_STANDALONE_EXECVE it's required to mount /proc inside a new process,
* as the current process is still in the original PID namespace (man pid_namespaces)
*/
-bool initNs(struct nsjconf_t* nsjconf) {
+bool initNs(nsjconf_t* nsjconf) {
if (nsjconf->mode != MODE_STANDALONE_EXECVE) {
return initNsInternal(nsjconf);
}
return false;
}
-static bool addMountPt(struct mount_t* mnt, const char* src, const char* dst, const char* fstype,
+static bool addMountPt(mount_t* mnt, const char* src, const char* dst, const char* fstype,
const char* options, uintptr_t flags, isDir_t isDir, bool mandatory, const char* src_env,
const char* dst_env, const char* src_content, size_t src_content_len, bool is_symlink) {
if (src_env) {
return true;
}
-bool addMountPtHead(struct nsjconf_t* nsjconf, const char* src, const char* dst, const char* fstype,
+bool addMountPtHead(nsjconf_t* nsjconf, const char* src, const char* dst, const char* fstype,
const char* options, uintptr_t flags, isDir_t isDir, bool mandatory, const char* src_env,
const char* dst_env, const char* src_content, size_t src_content_len, bool is_symlink) {
- struct mount_t mnt;
+ mount_t mnt;
if (!addMountPt(&mnt, src, dst, fstype, options, flags, isDir, mandatory, src_env, dst_env,
src_content, src_content_len, is_symlink)) {
return false;
return true;
}
-bool addMountPtTail(struct nsjconf_t* nsjconf, const char* src, const char* dst, const char* fstype,
+bool addMountPtTail(nsjconf_t* nsjconf, const char* src, const char* dst, const char* fstype,
const char* options, uintptr_t flags, isDir_t isDir, bool mandatory, const char* src_env,
const char* dst_env, const char* src_content, size_t src_content_len, bool is_symlink) {
- struct mount_t mnt;
+ mount_t mnt;
if (!addMountPt(&mnt, src, dst, fstype, options, flags, isDir, mandatory, src_env, dst_env,
src_content, src_content_len, is_symlink)) {
return false;
return true;
}
-const char* describeMountPt(const struct mount_t& mpt) {
+const char* describeMountPt(const mount_t& mpt) {
static __thread char mount_pt_descr[4096];
snprintf(mount_pt_descr, sizeof(mount_pt_descr),
} isDir_t;
const char* flagsToStr(uintptr_t flags);
-bool initNs(struct nsjconf_t* nsjconf);
-bool addMountPtHead(struct nsjconf_t* nsjconf, const char* src, const char* dst, const char* fstype,
+bool initNs(nsjconf_t* nsjconf);
+bool addMountPtHead(nsjconf_t* nsjconf, const char* src, const char* dst, const char* fstype,
const char* options, uintptr_t flags, isDir_t isDir, bool mandatory, const char* src_env,
const char* dst_env, const char* src_content, size_t src_content_len, bool is_symlink);
-bool addMountPtTail(struct nsjconf_t* nsjconf, const char* src, const char* dst, const char* fstype,
+bool addMountPtTail(nsjconf_t* nsjconf, const char* src, const char* dst, const char* fstype,
const char* options, uintptr_t flags, isDir_t isDir, bool mandatory, const char* src_env,
const char* dst_env, const char* src_content, size_t src_content_len, bool is_symlink);
-const char* describeMountPt(const struct mount_t& mpt);
+const char* describeMountPt(const mount_t& mpt);
} // namespace mnt
#if defined(NSJAIL_NL3_WITH_MACVLAN)
#include <netlink/route/link.h>
#include <netlink/route/link/macvlan.h>
-bool initNsFromParent(struct nsjconf_t* nsjconf, int pid) {
+bool initNsFromParent(nsjconf_t* nsjconf, int pid) {
if (nsjconf->clone_newnet == false) {
return true;
}
}
#else // defined(NSJAIL_NL3_WITH_MACVLAN)
-bool initNsFromParent(struct nsjconf_t* nsjconf, int pid) {
+bool initNsFromParent(nsjconf_t* nsjconf, int pid) {
if (nsjconf->clone_newnet == false) {
return true;
}
return true;
}
-bool limitConns(struct nsjconf_t* nsjconf, int connsock) {
+bool limitConns(nsjconf_t* nsjconf, int connsock) {
/* 0 means 'unlimited' */
if (nsjconf->max_conns_per_ip == 0) {
return true;
return true;
}
-static bool netConfigureVs(struct nsjconf_t* nsjconf) {
+static bool netConfigureVs(nsjconf_t* nsjconf) {
struct ifreq ifr = {};
snprintf(ifr.ifr_name, IF_NAMESIZE, "%s", IFACE_NAME);
struct in_addr addr;
return true;
}
-bool initNsFromChild(struct nsjconf_t* nsjconf) {
+bool initNsFromChild(nsjconf_t* nsjconf) {
if (nsjconf->clone_newnet == false) {
return true;
}
namespace net {
-bool limitConns(struct nsjconf_t* nsjconf, int connsock);
+bool limitConns(nsjconf_t* nsjconf, int connsock);
int getRecvSocket(const char* bindhost, int port);
int acceptConn(int listenfd);
void connToText(int fd, bool remote, char* buf, size_t s, struct sockaddr_in6* addr_or_null);
-bool initNsFromParent(struct nsjconf_t* nsjconf, int pid);
-bool initNsFromChild(struct nsjconf_t* nsjconf);
+bool initNsFromParent(nsjconf_t* nsjconf, int pid);
+bool initNsFromChild(nsjconf_t* nsjconf);
} // namespace net
return true;
}
-static bool nsjailSetTimer(struct nsjconf_t* nsjconf) {
+static bool nsjailSetTimer(nsjconf_t* nsjconf) {
if (nsjconf->mode == MODE_STANDALONE_EXECVE) {
return true;
}
return true;
}
-static void nsjailListenMode(struct nsjconf_t* nsjconf) {
+static void nsjailListenMode(nsjconf_t* nsjconf) {
int listenfd = net::getRecvSocket(nsjconf->bindhost, nsjconf->port);
if (listenfd == -1) {
return;
}
}
-static int nsjailStandaloneMode(struct nsjconf_t* nsjconf) {
+static int nsjailStandaloneMode(nsjconf_t* nsjconf) {
subproc::runChild(nsjconf, STDIN_FILENO, STDOUT_FILENO, STDERR_FILENO);
for (;;) {
int child_status = subproc::reapProc(nsjconf);
}
int main(int argc, char* argv[]) {
- std::unique_ptr<struct nsjconf_t> nsjconf = cmdline::parseArgs(argc, argv);
+ std::unique_ptr<nsjconf_t> nsjconf = cmdline::parseArgs(argc, argv);
if (!nsjconf) {
LOG_F("Couldn't parse cmdline options");
}
namespace pid {
-bool initNs(struct nsjconf_t* nsjconf) {
+bool initNs(nsjconf_t* nsjconf) {
if (nsjconf->mode != MODE_STANDALONE_EXECVE) {
return true;
}
namespace pid {
-bool initNs(struct nsjconf_t* nsjconf);
+bool initNs(nsjconf_t* nsjconf);
} // namespace pid
#define PR_SET_NO_NEW_PRIVS 38
#endif /* PR_SET_NO_NEW_PRIVS */
-static bool prepareAndCommit(struct nsjconf_t* nsjconf) {
+static bool prepareAndCommit(nsjconf_t* nsjconf) {
if (nsjconf->kafel_file_path == NULL && nsjconf->kafel_string == NULL) {
return true;
}
return true;
}
-bool applyPolicy(struct nsjconf_t* nsjconf) { return prepareAndCommit(nsjconf); }
+bool applyPolicy(nsjconf_t* nsjconf) { return prepareAndCommit(nsjconf); }
-bool preparePolicy(struct nsjconf_t* nsjconf) {
+bool preparePolicy(nsjconf_t* nsjconf) {
if (nsjconf->kafel_file_path == NULL && nsjconf->kafel_string == NULL) {
return true;
}
namespace sandbox {
-bool applyPolicy(struct nsjconf_t* nsjconf);
-bool preparePolicy(struct nsjconf_t* nsjconf);
+bool applyPolicy(nsjconf_t* nsjconf);
+bool preparePolicy(nsjconf_t* nsjconf);
} // namespace sandbox
static const char kSubprocDoneChar = 'D';
-static int subprocNewProc(
- struct nsjconf_t* nsjconf, int fd_in, int fd_out, int fd_err, int pipefd) {
+static int subprocNewProc(nsjconf_t* nsjconf, int fd_in, int fd_out, int fd_err, int pipefd) {
if (contain::setupFD(nsjconf, fd_in, fd_out, fd_err) == false) {
_exit(0xff);
}
_exit(0xff);
}
-static void addProc(struct nsjconf_t* nsjconf, pid_t pid, int sock) {
- struct pids_t p;
+static void addProc(nsjconf_t* nsjconf, pid_t pid, int sock) {
+ pids_t p;
p.pid = pid;
p.start = time(NULL);
(unsigned int)p.start, p.remote_txt);
}
-static void removeProc(struct nsjconf_t* nsjconf, pid_t pid) {
+static void removeProc(nsjconf_t* nsjconf, pid_t pid) {
for (auto p = nsjconf->pids.begin(); p != nsjconf->pids.end(); ++p) {
if (p->pid == pid) {
LOG_D("Removing pid '%d' from the queue (IP:'%s', start time:'%s')", p->pid,
LOG_W("PID: %d not found (?)", pid);
}
-int countProc(struct nsjconf_t* nsjconf) { return nsjconf->pids.size(); }
+int countProc(nsjconf_t* nsjconf) { return nsjconf->pids.size(); }
-void displayProc(struct nsjconf_t* nsjconf) {
+void displayProc(nsjconf_t* nsjconf) {
LOG_I("Total number of spawned namespaces: %d", countProc(nsjconf));
time_t now = time(NULL);
for (const auto& pid : nsjconf->pids) {
}
}
-static const struct pids_t* getPidElem(struct nsjconf_t* nsjconf, pid_t pid) {
+static const pids_t* getPidElem(nsjconf_t* nsjconf, pid_t pid) {
for (const auto& p : nsjconf->pids) {
if (p.pid == pid) {
return &p;
return NULL;
}
-static void seccompViolation(struct nsjconf_t* nsjconf, siginfo_t* si) {
+static void seccompViolation(nsjconf_t* nsjconf, siginfo_t* si) {
LOG_W("PID: %d commited a syscall/seccomp violation and exited with SIGSYS", si->si_pid);
- const struct pids_t* p = getPidElem(nsjconf, si->si_pid);
+ const pids_t* p = getPidElem(nsjconf, si->si_pid);
if (p == NULL) {
LOG_W("PID:%d SiSyscall: %d, SiCode: %d, SiErrno: %d", (int)si->si_pid,
si->si_syscall, si->si_code, si->si_errno);
}
}
-int reapProc(struct nsjconf_t* nsjconf) {
+int reapProc(nsjconf_t* nsjconf) {
int status;
int rv = 0;
siginfo_t si;
cgroup::finishFromParent(nsjconf, si.si_pid);
const char* remote_txt = "[UNKNOWN]";
- const struct pids_t* elem = getPidElem(nsjconf, si.si_pid);
+ const pids_t* elem = getPidElem(nsjconf, si.si_pid);
if (elem) {
remote_txt = elem->remote_txt;
}
return rv;
}
-void killAll(struct nsjconf_t* nsjconf) {
+void killAll(nsjconf_t* nsjconf) {
for (const auto& p : nsjconf->pids) {
kill(p.pid, SIGKILL);
}
}
-static bool initParent(struct nsjconf_t* nsjconf, pid_t pid, int pipefd) {
+static bool initParent(nsjconf_t* nsjconf, pid_t pid, int pipefd) {
if (net::initNsFromParent(nsjconf, pid) == false) {
LOG_E("Couldn't create and put MACVTAP interface into NS of PID '%d'", pid);
return false;
return true;
}
-void runChild(struct nsjconf_t* nsjconf, int fd_in, int fd_out, int fd_err) {
+void runChild(nsjconf_t* nsjconf, int fd_in, int fd_out, int fd_err) {
if (net::limitConns(nsjconf, fd_in) == false) {
return;
}
namespace subproc {
-void runChild(struct nsjconf_t* nsjconf, int fd_in, int fd_out, int fd_err);
-int countProc(struct nsjconf_t* nsjconf);
-void displayProc(struct nsjconf_t* nsjconf);
-void killAll(struct nsjconf_t* nsjconf);
+void runChild(nsjconf_t* nsjconf, int fd_in, int fd_out, int fd_err);
+int countProc(nsjconf_t* nsjconf);
+void displayProc(nsjconf_t* nsjconf);
+void killAll(nsjconf_t* nsjconf);
/* Returns the exit code of the first failing subprocess, or 0 if none fail */
-int reapProc(struct nsjconf_t* nsjconf);
+int reapProc(nsjconf_t* nsjconf);
int systemExe(const char** argv, char** env);
pid_t cloneProc(uintptr_t flags);
return true;
}
-static bool uidMapSelf(struct nsjconf_t* nsjconf, pid_t pid) {
+static bool uidMapSelf(nsjconf_t* nsjconf, pid_t pid) {
char fname[PATH_MAX];
snprintf(fname, sizeof(fname), "/proc/%d/uid_map", pid);
char map[4096] = {[0] = '\0'};
- struct idmap_t* p;
+ idmap_t* p;
for (const auto& uid : nsjconf->uids) {
if (uid.is_newidmap) {
continue;
return true;
}
-static bool gidMapSelf(struct nsjconf_t* nsjconf, pid_t pid) {
+static bool gidMapSelf(nsjconf_t* nsjconf, pid_t pid) {
char fname[PATH_MAX];
snprintf(fname, sizeof(fname), "/proc/%d/gid_map", pid);
char map[4096] = {[0] = '\0'};
- struct idmap_t* p;
+ idmap_t* p;
for (const auto& gid : nsjconf->gids) {
if (gid.is_newidmap) {
continue;
}
/* Use /usr/bin/newgidmap for writing the gid map */
-static bool gidMapExternal(struct nsjconf_t* nsjconf, pid_t pid UNUSED) {
+static bool gidMapExternal(nsjconf_t* nsjconf, pid_t pid UNUSED) {
size_t idx = 0;
const char* argv[1024];
argv[idx] = parms[idx];
idx++;
- struct idmap_t* p;
+ idmap_t* p;
bool use = false;
for (const auto& gid : nsjconf->gids) {
if (gid.is_newidmap == false) {
}
/* Use /usr/bin/newuidmap for writing the uid map */
-static bool uidMapExternal(struct nsjconf_t* nsjconf, pid_t pid UNUSED) {
+static bool uidMapExternal(nsjconf_t* nsjconf, pid_t pid UNUSED) {
size_t idx = 0;
const char* argv[1024];
idx++;
bool use = false;
- struct idmap_t* p;
+ idmap_t* p;
for (const auto& uid : nsjconf->uids) {
if (uid.is_newidmap == false) {
continue;
return true;
}
-static bool uidGidMap(struct nsjconf_t* nsjconf, pid_t pid) {
+static bool uidGidMap(nsjconf_t* nsjconf, pid_t pid) {
if (!gidMapSelf(nsjconf, pid)) {
return false;
}
return true;
}
-bool initNsFromParent(struct nsjconf_t* nsjconf, pid_t pid) {
+bool initNsFromParent(nsjconf_t* nsjconf, pid_t pid) {
if (setGroups(pid) == false) {
return false;
}
return true;
}
-bool initNsFromChild(struct nsjconf_t* nsjconf) {
+bool initNsFromChild(nsjconf_t* nsjconf) {
/*
* Best effort because of /proc/self/setgroups
*/
return (gid_t)-1;
}
-bool parseId(struct nsjconf_t* nsjconf, const char* i_id, const char* o_id, size_t cnt, bool is_gid,
+bool parseId(nsjconf_t* nsjconf, const char* i_id, const char* o_id, size_t cnt, bool is_gid,
bool is_newidmap) {
uid_t inside_id;
uid_t outside_id;
}
}
- struct idmap_t id;
+ idmap_t id;
id.inside_id = inside_id;
id.outside_id = outside_id;
id.count = cnt;
namespace user {
-bool initNsFromParent(struct nsjconf_t* nsjconf, pid_t pid);
-bool initNsFromChild(struct nsjconf_t* nsjconf);
+bool initNsFromParent(nsjconf_t* nsjconf, pid_t pid);
+bool initNsFromChild(nsjconf_t* nsjconf);
-bool parseId(struct nsjconf_t* nsjconf, const char* i_id, const char* o_id, size_t cnt, bool is_gid,
+bool parseId(nsjconf_t* nsjconf, const char* i_id, const char* o_id, size_t cnt, bool is_gid,
bool is_newidmap);
} // namespace user
namespace uts {
-bool initNs(struct nsjconf_t* nsjconf) {
+bool initNs(nsjconf_t* nsjconf) {
if (nsjconf->clone_newuts == false) {
return true;
}
namespace uts {
-bool initNs(struct nsjconf_t* nsjconf);
+bool initNs(nsjconf_t* nsjconf);
} // namespace uts
projects / platform / upstream / nsjail.git / commitdiff