projects / platform / upstream / nsjail.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 21413c4)
Add nice_level to cmd-line/config options
authorRobert Swiecki <robert@swiecki.net>
Sun, 30 Jun 2019 19:50:56 +0000 (21:50 +0200)
committerRobert Swiecki <robert@swiecki.net>
Sun, 30 Jun 2019 19:50:56 +0000 (21:50 +0200)
cmdline.cc patch | blob | history
config.cc patch | blob | history
config.proto patch | blob | history
contain.cc patch | blob | history
nsjail.h patch | blob | history

diff --git a/cmdline.cc b/cmdline.cc
index 43f0796596cdaccd332e2754082339ec563abcae..1ddd6ce069cb33e13a9b9d6e41fc213bddae3fdd 100644 (file)
--- a/cmdline.cc
+++ b/cmdline.cc
@@ -133,6 +133,7 @@ struct custom_option custom_opts[] = {
     { { "seccomp_policy", required_argument, NULL, 'P' }, "Path to file containing seccomp-bpf policy (see kafel/)" },
     { { "seccomp_string", required_argument, NULL, 0x0901 }, "String with kafel seccomp-bpf policy (see kafel/)" },
     { { "seccomp_log", no_argument, NULL, 0x0902 }, "Use SECCOMP_FILTER_FLAG_LOG. Log all actions except SECCOMP_RET_ALLOW). Supported since kernel version 4.14" },
+    { { "nice_level", required_argument, NULL, 0x0903 }, "Set jailed process niceness (-20 is highest -priority, 19 is lowest). By default, set to 19" },
     { { "cgroup_mem_max", required_argument, NULL, 0x0801 }, "Maximum number of bytes to use in the group (default: '0' - disabled)" },
     { { "cgroup_mem_mount", required_argument, NULL, 0x0802 }, "Location of memory cgroup FS (default: '/sys/fs/cgroup/memory')" },
     { { "cgroup_mem_parent", required_argument, NULL, 0x0803 }, "Which pre-existing memory cgroup to use as a parent (default: 'NSJAIL')" },
@@ -444,6 +445,7 @@ std::unique_ptr<nsjconf_t> parseArgs(int argc, char* argv[]) {
        nsjconf->seccomp_fprog.filter = NULL;
        nsjconf->seccomp_fprog.len = 0;
        nsjconf->seccomp_log = false;
+       nsjconf->nice_level = 19;
 
        nsjconf->openfds.push_back(STDIN_FILENO);
        nsjconf->openfds.push_back(STDOUT_FILENO);
@@ -830,6 +832,13 @@ std::unique_ptr<nsjconf_t> parseArgs(int argc, char* argv[]) {
                case 0x902:
                        nsjconf->seccomp_log = true;
                        break;
+               case 0x903:
+                       nsjconf->nice_level = (int)strtol(optarg, NULL, 0);
+                       if ((nsjconf->nice_level < -20) || (nsjconf->nice_level > -20)) {
+                               LOG_W("Incorrect niceness setting!");
+                               nsjconf->nice_level = 19;
+                       }
+                       break;
                default:
                        cmdlineUsage(argv[0]);
                        return nullptr;
diff --git a/config.cc b/config.cc
index 7b69e083dc010e9d953e17e4b78c5ecb12186c55..e3941ea95b4c1bdd811586a6ef1fbd63ad77cd1f 100644 (file)
--- a/config.cc
+++ b/config.cc
@@ -239,6 +239,7 @@ static bool configParseInternal(nsjconf_t* nsjconf, const nsjail::NsJailConfig&
                nsjconf->kafel_string += '\n';
        }
        nsjconf->seccomp_log = njc.seccomp_log();
+       nsjconf->nice_level = njc.nice_level();
 
        nsjconf->cgroup_mem_max = njc.cgroup_mem_max();
        nsjconf->cgroup_mem_mount = njc.cgroup_mem_mount();
diff --git a/config.proto b/config.proto
index 836670469827548b4657bde018b31bc145679baa..6618b64d969e9190283c295fa797103f5b52329a 100644 (file)
--- a/config.proto
+++ b/config.proto
@@ -237,7 +237,10 @@ message NsJailConfig {
     optional string macvlan_vs_gw = 78 [default = "192.168.0.1"];
     optional string macvlan_vs_ma = 79 [default = ""];
 
+    /* Niceness level of the jailed process */
+    optional int32 nice_level = 80 [default = 19];
+
     /* Binary path (with arguments) to be executed. If not specified here, it
        can be specified with cmd-line as "-- /path/to/command arg1 arg2" */
-    optional Exe exec_bin = 80;
+    optional Exe exec_bin = 81;
 }
diff --git a/contain.cc b/contain.cc
index 675b2d3130506e22ddbca75f0ca9952efd048611..5e9ee8800bcbb464cef787a02a21fe8225282cfd 100644 (file)
--- a/contain.cc
+++ b/contain.cc
@@ -101,8 +101,8 @@ static bool containPrepareEnv(nsjconf_t* nsjconf) {
                return false;
        }
        errno = 0;
-       if (setpriority(PRIO_PROCESS, 0, 19) == -1 && errno != 0) {
-               PLOG_W("setpriority(19)");
+       if (setpriority(PRIO_PROCESS, 0, nsjconf->nice_level) == -1 && errno != 0) {
+               PLOG_W("setpriority(%" PRId32 ")", nsjconf->nice_level);
        }
        if (!nsjconf->skip_setsid) {
                setsid();
diff --git a/nsjail.h b/nsjail.h
index 9f1a19cd8f159e2979ac45affd002f3927ce8f63..de9fc5a657e46f46dbe8f85f49b2323f2e8a8e9c 100644 (file)
--- a/nsjail.h
+++ b/nsjail.h
@@ -142,6 +142,7 @@ struct nsjconf_t {
        std::string kafel_string;
        struct sock_fprog seccomp_fprog;
        bool seccomp_log;
+       int nice_level;
        long num_cpus;
        uid_t orig_uid;
        uid_t orig_euid;
Domain: System / System Framework;