sandbox: convert kafel file/string as std::string
authorRobert Swiecki <robert@swiecki.net>
Sat, 10 Feb 2018 22:46:15 +0000 (23:46 +0100)
committerRobert Swiecki <robert@swiecki.net>
Sat, 10 Feb 2018 22:46:15 +0000 (23:46 +0100)
cmdline.cc
config.cc
nsjail.cc
nsjail.h
sandbox.cc

index cc0c0a7..2924297 100644 (file)
@@ -229,44 +229,38 @@ void logParams(nsjconf_t* nsjconf) {
            "clone_newnet:%s, clone_newuser:%s, clone_newns:%s, clone_newpid:%s, "
            "clone_newipc:%s, clonew_newuts:%s, clone_newcgroup:%s, keep_caps:%s, "
            "tmpfs_size:%zu, disable_no_new_privs:%s, max_cpus:%zu",
-           nsjconf->hostname.c_str(), nsjconf->chroot.c_str(), nsjconf->argv[0], nsjconf->bindhost,
-           nsjconf->port, nsjconf->max_conns_per_ip, nsjconf->tlimit, nsjconf->personality,
-           logYesNo(nsjconf->daemonize), logYesNo(nsjconf->clone_newnet),
+           nsjconf->hostname.c_str(), nsjconf->chroot.c_str(), nsjconf->argv[0],
+           nsjconf->bindhost.c_str(), nsjconf->port, nsjconf->max_conns_per_ip, nsjconf->tlimit,
+           nsjconf->personality, logYesNo(nsjconf->daemonize), logYesNo(nsjconf->clone_newnet),
            logYesNo(nsjconf->clone_newuser), logYesNo(nsjconf->clone_newns),
            logYesNo(nsjconf->clone_newpid), logYesNo(nsjconf->clone_newipc),
            logYesNo(nsjconf->clone_newuts), logYesNo(nsjconf->clone_newcgroup),
            logYesNo(nsjconf->keep_caps), nsjconf->tmpfs_size,
            logYesNo(nsjconf->disable_no_new_privs), nsjconf->max_cpus);
 
-       {
-               for (const auto& p : nsjconf->mountpts) {
-                       LOG_I("%s: %s", p.isSymlink ? "Symlink" : "Mount point",
-                           mnt::describeMountPt(p));
-               }
+       for (const auto& p : nsjconf->mountpts) {
+               LOG_I("%s: %s", p.isSymlink ? "Symlink" : "Mount point", mnt::describeMountPt(p));
        }
-       {
-               idmap_t* p;
-               for (const auto& uid : nsjconf->uids) {
-                       LOG_I("Uid map: inside_uid:%lu outside_uid:%lu count:%zu newuidmap:%s",
-                           (unsigned long)uid.inside_id, (unsigned long)uid.outside_id, uid.count,
-                           uid.is_newidmap ? "true" : "false");
-                       if (uid.outside_id == 0 && nsjconf->clone_newuser) {
-                               LOG_W(
-                                   "Process will be UID/EUID=0 in the global user namespace, "
-                                   "and will have user "
-                                   "root-level access to files");
-                       }
+       for (const auto& uid : nsjconf->uids) {
+               LOG_I("Uid map: inside_uid:%lu outside_uid:%lu count:%zu newuidmap:%s",
+                   (unsigned long)uid.inside_id, (unsigned long)uid.outside_id, uid.count,
+                   uid.is_newidmap ? "true" : "false");
+               if (uid.outside_id == 0 && nsjconf->clone_newuser) {
+                       LOG_W(
+                           "Process will be UID/EUID=0 in the global user namespace, "
+                           "and will have user "
+                           "root-level access to files");
                }
-               for (const auto& gid : nsjconf->gids) {
-                       LOG_I("Gid map: inside_gid:%lu outside_gid:%lu count:%zu newgidmap:%s",
-                           (unsigned long)gid.inside_id, (unsigned long)gid.outside_id, gid.count,
-                           gid.is_newidmap ? "true" : "false");
-                       if (gid.outside_id == 0 && nsjconf->clone_newuser) {
-                               LOG_W(
-                                   "Process will be GID/EGID=0 in the global user namespace, "
-                                   "and will have group "
-                                   "root-level access to files");
-                       }
+       }
+       for (const auto& gid : nsjconf->gids) {
+               LOG_I("Gid map: inside_gid:%lu outside_gid:%lu count:%zu newgidmap:%s",
+                   (unsigned long)gid.inside_id, (unsigned long)gid.outside_id, gid.count,
+                   gid.is_newidmap ? "true" : "false");
+               if (gid.outside_id == 0 && nsjconf->clone_newuser) {
+                       LOG_W(
+                           "Process will be GID/EGID=0 in the global user namespace, "
+                           "and will have group "
+                           "root-level access to files");
                }
        }
 }
@@ -379,8 +373,6 @@ std::unique_ptr<nsjconf_t> parseArgs(int argc, char* argv[]) {
        nsjconf->iface_vs_ip = "0.0.0.0";
        nsjconf->iface_vs_nm = "255.255.255.0";
        nsjconf->iface_vs_gw = "0.0.0.0";
-       nsjconf->kafel_file_path = NULL;
-       nsjconf->kafel_string = NULL;
        nsjconf->orig_uid = getuid();
        nsjconf->num_cpus = sysconf(_SC_NPROCESSORS_ONLN);
 
@@ -726,13 +718,8 @@ std::unique_ptr<nsjconf_t> parseArgs(int argc, char* argv[]) {
                        break;
                case 'P':
                        nsjconf->kafel_file_path = optarg;
-                       if (access(nsjconf->kafel_file_path, R_OK) == -1) {
-                               PLOG_E("kafel config file '%s' cannot be opened for reading",
-                                   nsjconf->kafel_file_path);
-                               return nullptr;
-                       }
                        break;
-               case 0x0901:
+               case 0x901:
                        nsjconf->kafel_string = optarg;
                        break;
                default:
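Review bot: Removing the `access(nsjconf->kafel_file_path, R_OK)` block in `case 'P'` (and the matching block in config.cc's configParseInternal) means an unreadable `-P` path no longer fails argument parsing; it is only caught when sandbox::preparePolicy() calls fopen(), and nothing in this hunk shows whether that runs before any listen/daemonize step, so that ordering is worth confirming. The same-valued case label `0x0901` → `0x901` is harmless as long as the option table it must match uses the same constant. If deferring the check is intended, a short comment such as `// readability is checked in sandbox::preparePolicy()` next to the assignment would stop the pre-check from being re-added. parseArgs continues outside this hunk.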
index 1b565db..3e136b2 100644 (file)
--- a/config.cc
+++ b/config.cc
@@ -242,20 +242,11 @@ static bool configParseInternal(nsjconf_t* nsjconf, const nsjail::NsJailConfig&
        }
 
        if (njc.has_seccomp_policy_file()) {
-               nsjconf->kafel_file_path = njc.seccomp_policy_file().c_str();
-               if (access(nsjconf->kafel_file_path, R_OK) == -1) {
-                       PLOG_W("Couldn't open file with seccomp policy '%s'",
-                           nsjconf->kafel_file_path);
-                       return false;
-               }
+               nsjconf->kafel_file_path = njc.seccomp_policy_file();
        }
-
-       std::string kafel_string;
        for (ssize_t i = 0; i < njc.seccomp_string().size(); i++) {
-               kafel_string += njc.seccomp_string(i);
+               nsjconf->kafel_string += njc.seccomp_string(i);
        }
-       nsjconf->kafel_string =
-           njc.seccomp_string().size() > 0 ? util::strDup(kafel_string.c_str()) : NULL;
 
        nsjconf->cgroup_mem_max = njc.cgroup_mem_max();
        nsjconf->cgroup_mem_mount = njc.cgroup_mem_mount().c_str();
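Review bot: At `nsjconf->kafel_string += njc.seccomp_string(i);` the config now appends to whatever `kafel_string` already holds, whereas the removed code always replaced the field (with NULL when the config carried no strings); if configParseInternal runs after a command-line `--seccomp_string` was parsed, or more than once, policies would be concatenated rather than replaced, which I cannot verify from this hunk. If replacement is the intended semantics, `nsjconf->kafel_string.clear();` before the loop restores them. The entries are also joined with no separator, so a policy split across several `seccomp_string` values only parses if each value ends with its own line break — worth a comment on the loop stating that expectation.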
index c97c31a..9dd6f23 100644 (file)
--- a/nsjail.cc
+++ b/nsjail.cc
@@ -105,7 +105,7 @@ static bool nsjailSetTimer(nsjconf_t* nsjconf) {
 }
 
 static void nsjailListenMode(nsjconf_t* nsjconf) {
-       int listenfd = net::getRecvSocket(nsjconf->bindhost, nsjconf->port);
+       int listenfd = net::getRecvSocket(nsjconf->bindhost.c_str(), nsjconf->port);
        if (listenfd == -1) {
                return;
        }
index cc40153..dee46ba 100644 (file)
--- a/nsjail.h
+++ b/nsjail.h
@@ -90,7 +90,7 @@ struct nsjconf_t {
        std::string cwd;
        std::string chroot;
        int port;
-       const char* bindhost;
+       std::string bindhost;
        std::string logfile;
        logs::llevel_t loglevel;
        bool daemonize;
@@ -139,8 +139,8 @@ struct nsjconf_t {
        const char* cgroup_cpu_mount;
        const char* cgroup_cpu_parent;
        unsigned int cgroup_cpu_ms_per_sec;
-       const char* kafel_file_path;
-       const char* kafel_string;
+       std::string kafel_file_path;
+       std::string kafel_string;
        struct sock_fprog seccomp_fprog;
        long num_cpus;
        uid_t orig_uid;
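Review bot: The new `std::string kafel_file_path` and `std::string kafel_string` members use the empty string as "not configured" (sandbox.cc now tests `.empty()` on both), but nothing in the header records that convention, and the same question applies to `bindhost` in the earlier hunk. A field comment such as `std::string kafel_file_path; /* empty: no seccomp policy file */` and `std::string kafel_string; /* empty: no inline seccomp policy */` would make the sentinel explicit for anyone adding a new consumer. struct nsjconf_t continues outside this hunk.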
index 02e3cb9..a051918 100644 (file)
@@ -38,7 +38,7 @@ namespace sandbox {
 #endif /* PR_SET_NO_NEW_PRIVS */
 
 static bool prepareAndCommit(nsjconf_t* nsjconf) {
-       if (nsjconf->kafel_file_path == NULL && nsjconf->kafel_string == NULL) {
+       if (nsjconf->kafel_file_path.empty() && nsjconf->kafel_string.empty()) {
                return true;
        }
 
@@ -58,13 +58,14 @@ bool applyPolicy(nsjconf_t* nsjconf) {
 }
 
 bool preparePolicy(nsjconf_t* nsjconf) {
-       if (nsjconf->kafel_file_path == NULL && nsjconf->kafel_string == NULL) {
+       if (nsjconf->kafel_file_path.empty() && nsjconf->kafel_string.empty()) {
                return true;
        }
        FILE* f = NULL;
-       if (nsjconf->kafel_file_path && !(f = fopen(nsjconf->kafel_file_path, "r"))) {
-               PLOG_W(
-                   "Couldn't open the kafel seccomp policy file '%s'", nsjconf->kafel_file_path);
+       if (!nsjconf->kafel_file_path.empty() &&
+           !(f = fopen(nsjconf->kafel_file_path.c_str(), "r"))) {
+               PLOG_W("Couldn't open the kafel seccomp policy file '%s'",
+                   nsjconf->kafel_file_path.c_str());
                return false;
        }
 
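Review bot: The fopen() failure at `!(f = fopen(nsjconf->kafel_file_path.c_str(), "r"))` is now the only place an unreadable policy file is diagnosed, since this commit drops the access() pre-checks in cmdline.cc and config.cc, yet it is logged with `PLOG_W` while the function returns false; if callers treat false as fatal, `PLOG_E("Couldn't open the kafel seccomp policy file '%s'", nsjconf->kafel_file_path.c_str());` keeps the abort reason visible at the error level. The visible lines never close `f`; whether kafel_set_input_file() takes ownership of the handle is not shown here, so if it does not, an fclose() after the policy is compiled is needed. `FILE* f = NULL;` could also become `FILE* f = nullptr;` now that the surrounding code is being modernized. preparePolicy continues past this hunk.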
@@ -72,8 +73,8 @@ bool preparePolicy(nsjconf_t* nsjconf) {
 
        if (f) {
                kafel_set_input_file(ctxt, f);
-       } else if (nsjconf->kafel_string) {
-               kafel_set_input_string(ctxt, nsjconf->kafel_string);
+       } else if (!nsjconf->kafel_string.empty()) {
+               kafel_set_input_string(ctxt, nsjconf->kafel_string.c_str());
        } else {
                LOG_F(
                    "No kafel seccomp-bpf config file available, nor policy as a string was "