Move struct nsjail_t definition to nsjail.h and leave only macros in common.h
authorRobert Swiecki <robert@swiecki.net>
Wed, 18 Oct 2017 12:27:34 +0000 (14:27 +0200)
committerRobert Swiecki <robert@swiecki.net>
Wed, 18 Oct 2017 12:27:34 +0000 (14:27 +0200)
21 files changed:
Makefile
caps.h
cgroup.c
cgroup.h
cmdline.h
common.h
contain.h
cpu.h
log.c
log.h
mount.c
mount.h
net.h
nsjail.h
pid.h
sandbox.h
subproc.c
user.c
user.h
util.c
uts.h

index df50b5e..1d13e23 100644 (file)
--- a/Makefile
+++ b/Makefile
@@ -96,21 +96,23 @@ indent:
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
-nsjail.o: nsjail.h common.h caps.h cmdline.h log.h net.h subproc.h util.h
-caps.o: caps.h common.h log.h util.h
-cmdline.o: cmdline.h common.h caps.h config.h log.h mount.h user.h util.h
-contain.o: contain.h common.h caps.h cgroup.h cpu.h log.h mount.h net.h pid.h
-contain.o: user.h util.h uts.h
-log.o: log.h common.h
-cgroup.o: cgroup.h common.h log.h util.h
-mount.o: mount.h common.h log.h subproc.h util.h
-net.o: net.h common.h log.h subproc.h
-pid.o: pid.h common.h log.h subproc.h
-sandbox.o: sandbox.h common.h kafel/include/kafel.h log.h
-subproc.o: subproc.h common.h cgroup.h contain.h log.h net.h sandbox.h user.h
-subproc.o: util.h
-user.o: user.h common.h log.h subproc.h util.h
-util.o: util.h common.h log.h
-uts.o: uts.h common.h log.h
-cpu.o: cpu.h common.h log.h util.h
-config.o: common.h caps.h cmdline.h config.h log.h mount.h user.h util.h
+nsjail.o: nsjail.h caps.h cmdline.h log.h net.h subproc.h common.h util.h
+caps.o: caps.h nsjail.h log.h util.h common.h
+cmdline.o: cmdline.h nsjail.h caps.h config.h common.h log.h mount.h user.h
+cmdline.o: util.h
+contain.o: contain.h nsjail.h caps.h cgroup.h cpu.h log.h mount.h net.h pid.h
+contain.o: user.h util.h common.h uts.h
+log.o: log.h nsjail.h
+cgroup.o: cgroup.h nsjail.h log.h util.h common.h
+mount.o: mount.h nsjail.h log.h subproc.h common.h util.h
+net.o: net.h nsjail.h log.h subproc.h common.h
+pid.o: pid.h nsjail.h log.h subproc.h common.h
+sandbox.o: sandbox.h nsjail.h common.h kafel/include/kafel.h log.h
+subproc.o: subproc.h common.h nsjail.h cgroup.h contain.h log.h net.h
+subproc.o: sandbox.h user.h util.h
+user.o: user.h nsjail.h log.h subproc.h common.h util.h
+util.o: util.h common.h log.h nsjail.h
+uts.o: uts.h nsjail.h log.h
+cpu.o: cpu.h nsjail.h log.h util.h common.h
+config.o: common.h caps.h nsjail.h cmdline.h config.h log.h mount.h user.h
+config.o: util.h
diff --git a/caps.h b/caps.h
index 6c68687..f2ccf88 100644 (file)
--- a/caps.h
+++ b/caps.h
 #ifndef NS_CAPS_H
 #define NS_CAPS_H
 
-#include "common.h"
+#include <stdbool.h>
+#include <stdint.h>
+
+#include "nsjail.h"
 
 int capsNameToVal(const char* name);
 bool capsInitNs(struct nsjconf_t* nsjconf);
index 54e9f78..7e502bb 100644 (file)
--- a/cgroup.c
+++ b/cgroup.c
@@ -23,6 +23,7 @@
 
 #include <errno.h>
 #include <fcntl.h>
+#include <limits.h>
 #include <stdarg.h>
 #include <stdio.h>
 #include <string.h>
index 91aba86..c34cd24 100644 (file)
--- a/cgroup.h
+++ b/cgroup.h
@@ -25,7 +25,7 @@
 #include <stdbool.h>
 #include <stddef.h>
 
-#include "common.h"
+#include "nsjail.h"
 
 bool cgroupInitNsFromParent(struct nsjconf_t* nsjconf, pid_t pid);
 bool cgroupInitNs(void);
index cf4d137..d107d1f 100644 (file)
--- a/cmdline.h
+++ b/cmdline.h
 #ifndef NS_CMDLINE_H
 #define NS_CMDLINE_H
 
+#include <stdbool.h>
+#include <stdint.h>
 #include <sys/resource.h>
 #include <sys/time.h>
 
-#include "common.h"
+#include "nsjail.h"
 
 __rlim64_t cmdlineParseRLimit(int res, const char* optarg, unsigned long mul);
 void cmdlineLogParams(struct nsjconf_t* nsjconf);
index 26222f8..fee22fb 100644 (file)
--- a/common.h
+++ b/common.h
@@ -1,6 +1,6 @@
 /*
 
-   nsjail - common structures
+   nsjail - common macros
    -----------------------------------------
 
    Copyright 2014 Google Inc. All Rights Reserved.
 #ifndef NS_COMMON_H
 #define NS_COMMON_H
 
-#include <limits.h>
-#include <netinet/ip6.h>
-#include <signal.h>
-#include <stdbool.h>
-#include <stdio.h>
-#include <sys/queue.h>
-#include <sys/resource.h>
-#include <sys/types.h>
-
 #define ARRAYSIZE(array) (sizeof(array) / sizeof(*array))
 #define UNUSED __attribute__((unused))
 
@@ -65,140 +56,4 @@ static void __attribute__ ((unused)) __clang_cleanup_func(void (^*dfunc) (void))
                x, #x                                                                              \
        }
 
-struct pids_t {
-       pid_t pid;
-       time_t start;
-       char remote_txt[64];
-       struct sockaddr_in6 remote_addr;
-       int pid_syscall_fd;
-       TAILQ_ENTRY(pids_t)
-       pointers;
-};
-
-struct mounts_t {
-       const char* src;
-       const uint8_t* src_content;
-       size_t src_content_len;
-       const char* dst;
-       const char* fs_type;
-       const char* options;
-       uintptr_t flags;
-       bool isDir;
-       bool isSymlink;
-       bool mandatory;
-       bool mounted;
-       TAILQ_ENTRY(mounts_t)
-       pointers;
-};
-
-struct idmap_t {
-       uid_t inside_id;
-       uid_t outside_id;
-       size_t count;
-       bool is_newidmap;
-       TAILQ_ENTRY(idmap_t)
-       pointers;
-};
-
-struct ints_t {
-       int val;
-       TAILQ_ENTRY(ints_t)
-       pointers;
-};
-
-enum ns_mode_t {
-       MODE_LISTEN_TCP = 0,
-       MODE_STANDALONE_ONCE,
-       MODE_STANDALONE_EXECVE,
-       MODE_STANDALONE_RERUN
-};
-
-struct charptr_t {
-       const char* val;
-       TAILQ_ENTRY(charptr_t)
-       pointers;
-};
-
-enum llevel_t {
-       DEBUG = 0,
-       INFO,
-       WARNING,
-       ERROR,
-       FATAL,
-       HELP,
-       HELP_BOLD,
-};
-
-struct nsjconf_t {
-       const char* exec_file;
-       const char* hostname;
-       const char* cwd;
-       const char** argv;
-       int port;
-       const char* bindhost;
-       int log_fd;
-       const char* logfile;
-       enum llevel_t loglevel;
-       bool daemonize;
-       time_t tlimit;
-       size_t max_cpus;
-       bool keep_env;
-       bool keep_caps;
-       bool disable_no_new_privs;
-       __rlim64_t rl_as;
-       __rlim64_t rl_core;
-       __rlim64_t rl_cpu;
-       __rlim64_t rl_fsize;
-       __rlim64_t rl_nofile;
-       __rlim64_t rl_nproc;
-       __rlim64_t rl_stack;
-       unsigned long personality;
-       bool clone_newnet;
-       bool clone_newuser;
-       bool clone_newns;
-       bool clone_newpid;
-       bool clone_newipc;
-       bool clone_newuts;
-       bool clone_newcgroup;
-       enum ns_mode_t mode;
-       const char* chroot;
-       bool is_root_rw;
-       bool is_silent;
-       bool skip_setsid;
-       unsigned int max_conns_per_ip;
-       size_t tmpfs_size;
-       bool mount_proc;
-       const char* proc_path;
-       bool is_proc_rw;
-       bool iface_no_lo;
-       const char* iface_vs;
-       const char* iface_vs_ip;
-       const char* iface_vs_nm;
-       const char* iface_vs_gw;
-       const char* cgroup_mem_mount;
-       const char* cgroup_mem_parent;
-       size_t cgroup_mem_max;
-       const char* cgroup_pids_mount;
-       const char* cgroup_pids_parent;
-       size_t cgroup_pids_max;
-       FILE* kafel_file;
-       char* kafel_string;
-       uid_t orig_euid;
-       long num_cpus;
-       TAILQ_HEAD(udmaplist, idmap_t)
-       uids;
-       TAILQ_HEAD(gdmaplist, idmap_t)
-       gids;
-       TAILQ_HEAD(envlist, charptr_t)
-       envs;
-       TAILQ_HEAD(pidslist, pids_t)
-       pids;
-       TAILQ_HEAD(mountptslist, mounts_t)
-       mountpts;
-       TAILQ_HEAD(fdslistt, ints_t)
-       open_fds;
-       TAILQ_HEAD(capslistt, ints_t)
-       caps;
-};
-
 #endif /* NS_COMMON_H */
index 4a15256..71057e7 100644 (file)
--- a/contain.h
+++ b/contain.h
@@ -24,7 +24,7 @@
 
 #include <stdbool.h>
 
-#include "common.h"
+#include "nsjail.h"
 
 bool containSetupFD(struct nsjconf_t* nsjconf, int fd_in, int fd_out, int fd_err);
 bool containContain(struct nsjconf_t* nsjconf);
diff --git a/cpu.h b/cpu.h
index e58cd03..d4b71e5 100644 (file)
--- a/cpu.h
+++ b/cpu.h
@@ -23,9 +23,8 @@
 #define NS_CPU_H
 
 #include <stdbool.h>
-#include <stddef.h>
 
-#include "common.h"
+#include "nsjail.h"
 
 bool cpuInit(struct nsjconf_t* nsjconf);
 
diff --git a/log.c b/log.c
index 569952a..b307d9c 100644 (file)
--- a/log.c
+++ b/log.c
@@ -18,6 +18,7 @@
    limitations under the License.
 
 */
+
 #include "log.h"
 
 #include <errno.h>
@@ -34,6 +35,8 @@
 #include <time.h>
 #include <unistd.h>
 
+#include "nsjail.h"
+
 static int log_fd = STDERR_FILENO;
 static bool log_fd_isatty = true;
 static enum llevel_t log_level = INFO;
diff --git a/log.h b/log.h
index ea459a0..2d4fbc8 100644 (file)
--- a/log.h
+++ b/log.h
@@ -25,7 +25,7 @@
 #include <getopt.h>
 #include <stdbool.h>
 
-#include "common.h"
+#include "nsjail.h"
 
 #define LOG_HELP(...) logLog(HELP, __func__, __LINE__, false, __VA_ARGS__);
 #define LOG_HELP_BOLD(...) logLog(HELP_BOLD, __func__, __LINE__, false, __VA_ARGS__);
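Review bot: `log.h` now includes the whole of nsjail.h, apparently only to obtain `enum llevel_t` for the logging calls (the macros below pass `HELP` and `HELP_BOLD` to `logLog`). Every file that logs therefore depends on the layout of the jail configuration struct and pulls in `<netinet/ip6.h>` and `<sys/queue.h>`. Consider defining `enum llevel_t` in log.h and having nsjail.h include log.h for the `loglevel` field, so the dependency runs in one direction only. The `#include "nsjail.h"` added to log.c would then be needed only if log.c uses something else from that header.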
diff --git a/mount.c b/mount.c
index 90df190..98c3cd5 100644 (file)
--- a/mount.c
+++ b/mount.c
@@ -23,6 +23,7 @@
 
 #include <errno.h>
 #include <fcntl.h>
+#include <limits.h>
 #include <linux/sched.h>
 #include <sched.h>
 #include <stdio.h>
diff --git a/mount.h b/mount.h
index 71be2d0..c68a118 100644 (file)
--- a/mount.h
+++ b/mount.h
@@ -23,8 +23,9 @@
 #define NS_MOUNT_H
 
 #include <stdbool.h>
+#include <stdint.h>
 
-#include "common.h"
+#include "nsjail.h"
 
 typedef enum {
        NS_DIR_NO = 0,
diff --git a/net.h b/net.h
index 5cd6ab2..57d9c25 100644 (file)
--- a/net.h
+++ b/net.h
@@ -25,7 +25,7 @@
 #include <stdbool.h>
 #include <stddef.h>
 
-#include "common.h"
+#include "nsjail.h"
 
 bool netLimitConns(struct nsjconf_t* nsjconf, int connsock);
 int netGetRecvSocket(const char* bindhost, int port);
index 7194b93..d5f894f 100644 (file)
--- a/nsjail.h
+++ b/nsjail.h
 #ifndef NS_NSJAIL_H
 #define NS_NSJAIL_H
 
+#include <netinet/ip6.h>
 #include <signal.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <sys/queue.h>
+#include <time.h>
 
 static const int nssigs[] = {
        SIGINT,
@@ -33,4 +39,140 @@ static const int nssigs[] = {
        SIGTERM,
 };
 
+struct pids_t {
+       pid_t pid;
+       time_t start;
+       char remote_txt[64];
+       struct sockaddr_in6 remote_addr;
+       int pid_syscall_fd;
+       TAILQ_ENTRY(pids_t)
+       pointers;
+};
+
+struct mounts_t {
+       const char* src;
+       const uint8_t* src_content;
+       size_t src_content_len;
+       const char* dst;
+       const char* fs_type;
+       const char* options;
+       uintptr_t flags;
+       bool isDir;
+       bool isSymlink;
+       bool mandatory;
+       bool mounted;
+       TAILQ_ENTRY(mounts_t)
+       pointers;
+};
+
+struct idmap_t {
+       uid_t inside_id;
+       uid_t outside_id;
+       size_t count;
+       bool is_newidmap;
+       TAILQ_ENTRY(idmap_t)
+       pointers;
+};
+
+struct ints_t {
+       int val;
+       TAILQ_ENTRY(ints_t)
+       pointers;
+};
+
+enum ns_mode_t {
+       MODE_LISTEN_TCP = 0,
+       MODE_STANDALONE_ONCE,
+       MODE_STANDALONE_EXECVE,
+       MODE_STANDALONE_RERUN
+};
+
+struct charptr_t {
+       const char* val;
+       TAILQ_ENTRY(charptr_t)
+       pointers;
+};
+
+enum llevel_t {
+       DEBUG = 0,
+       INFO,
+       WARNING,
+       ERROR,
+       FATAL,
+       HELP,
+       HELP_BOLD,
+};
+
+struct nsjconf_t {
+       const char* exec_file;
+       const char* hostname;
+       const char* cwd;
+       const char** argv;
+       int port;
+       const char* bindhost;
+       int log_fd;
+       const char* logfile;
+       enum llevel_t loglevel;
+       bool daemonize;
+       time_t tlimit;
+       size_t max_cpus;
+       bool keep_env;
+       bool keep_caps;
+       bool disable_no_new_privs;
+       __rlim64_t rl_as;
+       __rlim64_t rl_core;
+       __rlim64_t rl_cpu;
+       __rlim64_t rl_fsize;
+       __rlim64_t rl_nofile;
+       __rlim64_t rl_nproc;
+       __rlim64_t rl_stack;
+       unsigned long personality;
+       bool clone_newnet;
+       bool clone_newuser;
+       bool clone_newns;
+       bool clone_newpid;
+       bool clone_newipc;
+       bool clone_newuts;
+       bool clone_newcgroup;
+       enum ns_mode_t mode;
+       const char* chroot;
+       bool is_root_rw;
+       bool is_silent;
+       bool skip_setsid;
+       unsigned int max_conns_per_ip;
+       size_t tmpfs_size;
+       bool mount_proc;
+       const char* proc_path;
+       bool is_proc_rw;
+       bool iface_no_lo;
+       const char* iface_vs;
+       const char* iface_vs_ip;
+       const char* iface_vs_nm;
+       const char* iface_vs_gw;
+       const char* cgroup_mem_mount;
+       const char* cgroup_mem_parent;
+       size_t cgroup_mem_max;
+       const char* cgroup_pids_mount;
+       const char* cgroup_pids_parent;
+       size_t cgroup_pids_max;
+       FILE* kafel_file;
+       char* kafel_string;
+       uid_t orig_euid;
+       long num_cpus;
+       TAILQ_HEAD(udmaplist, idmap_t)
+       uids;
+       TAILQ_HEAD(gdmaplist, idmap_t)
+       gids;
+       TAILQ_HEAD(envlist, charptr_t)
+       envs;
+       TAILQ_HEAD(pidslist, pids_t)
+       pids;
+       TAILQ_HEAD(mountptslist, mounts_t)
+       mountpts;
+       TAILQ_HEAD(fdslistt, ints_t)
+       open_fds;
+       TAILQ_HEAD(capslistt, ints_t)
+       caps;
+};
+
 #endif /* _NSJAIL_H */
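Review bot: `struct nsjconf_t` arrives in nsjail.h without a comment on any field, although several of them (`keep_caps`, `disable_no_new_privs`, `is_root_rw`, `is_proc_rw`, the `clone_new*` flags) look like the switches that decide how tightly the child is confined. Now that every module includes this header, a one-line comment per group would help a reader see which settings loosen the jail, for example `/* namespace flags: true = create a new namespace of that kind */` above `clone_newnet`; the exact wording should be confirmed against the code that reads the fields. Separately, the closing `#endif /* _NSJAIL_H */` does not match the `NS_NSJAIL_H` guard and could be corrected in the same change.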
diff --git a/pid.h b/pid.h
index b8e30eb..121ebab 100644 (file)
--- a/pid.h
+++ b/pid.h
@@ -24,7 +24,7 @@
 
 #include <stdbool.h>
 
-#include "common.h"
+#include "nsjail.h"
 
 bool pidInitNs(struct nsjconf_t* nsjconf);
 
index e32b8d5..ebaf83b 100644 (file)
--- a/sandbox.h
+++ b/sandbox.h
@@ -24,7 +24,7 @@
 
 #include <stdbool.h>
 
-#include "common.h"
+#include "nsjail.h"
 
 bool sandboxApply(struct nsjconf_t* nsjconf);
 
index a816505..3067641 100644 (file)
--- a/subproc.c
+++ b/subproc.c
@@ -24,6 +24,7 @@
 #include <arpa/inet.h>
 #include <errno.h>
 #include <fcntl.h>
+#include <limits.h>
 #include <linux/sched.h>
 #include <netinet/in.h>
 #include <sched.h>
diff --git a/user.c b/user.c
index 1dd742c..5075c92 100644 (file)
--- a/user.c
+++ b/user.c
@@ -24,6 +24,7 @@
 #include <errno.h>
 #include <fcntl.h>
 #include <grp.h>
+#include <limits.h>
 #include <linux/securebits.h>
 #include <pwd.h>
 #include <stdbool.h>
diff --git a/user.h b/user.h
index f02b65b..e2a768e 100644 (file)
--- a/user.h
+++ b/user.h
@@ -24,7 +24,7 @@
 
 #include <stdbool.h>
 
-#include "common.h"
+#include "nsjail.h"
 
 bool userInitNsFromParent(struct nsjconf_t* nsjconf, pid_t pid);
 bool userInitNsFromChild(struct nsjconf_t* nsjconf);
diff --git a/util.c b/util.c
index 610e402..da3b518 100644 (file)
--- a/util.c
+++ b/util.c
@@ -24,6 +24,7 @@
 #include <ctype.h>
 #include <errno.h>
 #include <fcntl.h>
+#include <limits.h>
 #include <pthread.h>
 #include <signal.h>
 #include <stdarg.h>
diff --git a/uts.h b/uts.h
index 9eca8b2..636118b 100644 (file)
--- a/uts.h
+++ b/uts.h
@@ -23,9 +23,8 @@
 #define NS_UTS_H
 
 #include <stdbool.h>
-#include <stddef.h>
 
-#include "common.h"
+#include "nsjail.h"
 
 bool utsInitNs(struct nsjconf_t* nsjconf);