projects / platform / upstream / nsjail.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: d36deb5)
Implement --skip_setsid
authorRobert Swiecki <swiecki@google.com>
Mon, 25 Jan 2016 17:09:32 +0000 (18:09 +0100)
committerRobert Swiecki <swiecki@google.com>
Mon, 25 Jan 2016 17:09:32 +0000 (18:09 +0100)
cmdline.c patch | blob | history
common.h patch | blob | history
contain.c patch | blob | history

diff --git a/cmdline.c b/cmdline.c
index e222ff32adb0c1ed9cfcbca6363d812ea247c70b..34fa954c33b1e8b951793dae4584c7d5556396c1 100644 (file)
--- a/cmdline.c
+++ b/cmdline.c
@@ -270,6 +270,7 @@ bool cmdlineParse(int argc, char *argv[], struct nsjconf_t * nsjconf)
                .mode = MODE_LISTEN_TCP,
                .is_root_rw = false,
                .is_silent = false,
+               .skip_setsid = false,
                .iface = NULL,
                .inside_uid = getuid(),
                .inside_gid = getgid(),
@@ -314,6 +315,7 @@ bool cmdlineParse(int argc, char *argv[], struct nsjconf_t * nsjconf)
                {{"keep_caps", no_argument, NULL, 0x0501}, "Don't drop capabilities (DANGEROUS) (default: false)"},
                {{"silent", no_argument, NULL, 0x0502}, "Redirect child's fd:0/1/2 to /dev/null (default: false)"},
                {{"disable_sandbox", no_argument, NULL, 0x0503}, "Don't enable the seccomp-bpf sandboxing (default: false)"},
+               {{"skip_setsid", no_argument, NULL, 0x0504}, "Don't call setsid(), allows for terminal signal handling in the sandboxed process (default: false)"},
                {{"rlimit_as", required_argument, NULL, 0x0201}, "RLIMIT_AS in MB, 'max' for RLIM_INFINITY, 'def' for the current value (default: 512)"},
                {{"rlimit_core", required_argument, NULL, 0x0202}, "RLIMIT_CORE in MB, 'max' for RLIM_INFINITY, 'def' for the current value (default: 0)"},
                {{"rlimit_cpu", required_argument, NULL, 0x0203}, "RLIMIT_CPU, 'max' for RLIM_INFINITY, 'def' for the current value (default: 600)"},
@@ -461,6 +463,9 @@ bool cmdlineParse(int argc, char *argv[], struct nsjconf_t * nsjconf)
                case 0x0503:
                        nsjconf->apply_sandbox = false;
                        break;
+               case 0x0504:
+                       nsjconf->skip_setsid = true;
+                       break;
                case 0x0601:
                        nsjconf->is_root_rw = true;
                        break;
diff --git a/common.h b/common.h
index 65bf184ab6f38372a20c5e2c64e2c07121379cce..4820d0618d8524e9f8fd1c9ba8daf84bd2e65bc4 100644 (file)
--- a/common.h
+++ b/common.h
@@ -84,6 +84,7 @@ struct nsjconf_t {
        const char *chroot;
        bool is_root_rw;
        bool is_silent;
+       bool skip_setsid;
        char *iface;
        uid_t outside_uid;
        gid_t outside_gid;
diff --git a/contain.c b/contain.c
index 38a3c7d8624540a500def5dbde91342f3cd0254c..778065facd7127df1540432e024fc11fe7293725 100644 (file)
--- a/contain.c
+++ b/contain.c
@@ -179,7 +179,9 @@ bool containPrepareEnv(struct nsjconf_t * nsjconf)
        if (setpriority(PRIO_PROCESS, 0, 19) == -1 && errno != 0) {
                PLOG_W("setpriority(19)");
        }
-       setsid();
+       if (nsjconf->skip_setsid == false) {
+               setsid();
+       }
        return true;
 }
 
Domain: System / System Framework;