Rudimentary cgroup support

diff --git a/Makefile b/Makefile
index b49d29d947742adef8cfda50ffd9c67fc708562c..ae5482880ea23164d9c2f488339ab9e453416e91 100644 (file)
--- a/Makefile
+++ b/Makefile
@@ -26,7 +26,7 @@ CFLAGS += -O2 -c -std=gnu11 \
 
 LDFLAGS += -Wl,-z,now -Wl,-z,relro -pie -Wl,-z,noexecstack
 
-SRCS = nsjail.c cmdline.c contain.c log.c mount.c net.c pid.c sandbox.c subproc.c user.c util.c uts.c seccomp/bpf-helper.c
+SRCS = nsjail.c cmdline.c contain.c log.c cgroup.c mount.c net.c pid.c sandbox.c subproc.c user.c util.c uts.c seccomp/bpf-helper.c
 OBJS = $(SRCS:.c=.o)
 BIN = nsjail
 
@@ -66,8 +66,9 @@ indent:
 
 nsjail.o: nsjail.h common.h cmdline.h log.h net.h subproc.h
 cmdline.o: cmdline.h common.h log.h util.h
-contain.o: contain.h common.h log.h mount.h net.h pid.h util.h uts.h
+contain.o: contain.h common.h cgroup.h log.h mount.h net.h pid.h util.h uts.h
 log.o: log.h common.h
+cgroup.o: cgroup.h common.h
 mount.o: mount.h common.h log.h
 net.o: net.h common.h log.h
 pid.o: pid.h common.h log.h

diff --git a/cgroup.c b/cgroup.c
new file mode 100644 (file)
index 0000000..c6323d5
--- /dev/null
+++ b/cgroup.c
@@ -0,0 +1,30 @@
+/*
+
+   nsjail - cgroup namespacing
+   -----------------------------------------
+
+   Copyright 2014 Google Inc. All Rights Reserved.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+
+*/
+
+#include "cgroup.h"
+
+bool cgroupInitNs(struct nsjconf_t *nsjconf)
+{
+       if (nsjconf == NULL) {
+               return false;
+       }
+       return true;
+}

diff --git a/cgroup.h b/cgroup.h
new file mode 100644 (file)
index 0000000..ea224cc
--- /dev/null
+++ b/cgroup.h
@@ -0,0 +1,32 @@
+/*
+
+   nsjail - cgroup namespacing
+   -----------------------------------------
+
+   Copyright 2014 Google Inc. All Rights Reserved.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+
+*/
+
+#ifndef NS_CGROUP_H
+#define NS_CGROUP_H
+
+#include <stdbool.h>
+#include <stddef.h>
+
+#include "common.h"
+
+bool cgroupInitNs(struct nsjconf_t * nsjconf);
+
+#endif                         /* _CGROUP_H */

diff --git a/contain.c b/contain.c
index 5614fc824fad628a1891a5bdd89a72306e0f2f40..6029d83f32525a0bcbdc0b74e204882be035ecdd 100644 (file)
--- a/contain.c
+++ b/contain.c
@@ -42,6 +42,7 @@
 #include <sys/time.h>
 #include <unistd.h>
 
+#include "cgroup.h"
 #include "log.h"
 #include "mount.h"
 #include "net.h"
@@ -64,6 +65,11 @@ static bool containInitUtsNs(struct nsjconf_t *nsjconf)
        return utsInitNs(nsjconf);
 }
 
+static bool containInitCgroupNs(struct nsjconf_t *nsjconf)
+{
+       return cgroupInitNs(nsjconf);
+}
+
 static bool containDropPrivs(struct nsjconf_t *nsjconf)
 {
        /*
@@ -318,6 +324,9 @@ bool containContain(struct nsjconf_t * nsjconf)
        if (containInitUtsNs(nsjconf) == false) {
                return false;
        }
+       if (containInitCgroupNs(nsjconf) == false) {
+               return false;
+       }
        if (containDropPrivs(nsjconf) == false) {
                return false;
        }