}
LOG_I
- ("Jail parameters: hostname:'%s', chroot:'%s', process:'%s', port:%d, "
+ ("Jail parameters: hostname:'%s', chroot:'%s', process:'%s', bind:[%s]:%d, "
"max_conns_per_ip:%u, uid:(ns:%u, global:%u), gid:(ns:%u, global:%u), time_limit:%ld, personality:%#lx, daemonize:%s, "
"clone_newnet:%s, clone_newuser:%s, clone_newns:%s, clone_newpid:%s, "
"clone_newipc:%s, clonew_newuts:%s, apply_sandbox:%s, keep_caps:%s, "
"tmpfs_size:%zu",
- nsjconf->hostname, nsjconf->chroot, nsjconf->argv[0], nsjconf->port,
+ nsjconf->hostname, nsjconf->chroot, nsjconf->argv[0], nsjconf->bindhost, nsjconf->port,
nsjconf->max_conns_per_ip, nsjconf->inside_uid, nsjconf->outside_uid,
nsjconf->inside_gid, nsjconf->outside_gid, nsjconf->tlimit, nsjconf->personality,
logYesNo(nsjconf->daemonize), logYesNo(nsjconf->clone_newnet),
.chroot = "/",
.argv = NULL,
.port = 31337,
+ .bindhost = "::",
.daemonize = false,
.tlimit = 0,
.apply_sandbox = true,
"\tr: Immediately launch a single process on a console, keep doing it forever [MODE_STANDALONE_RERUN]"},
{{"cmd", no_argument, NULL, 0x500}, "Equivalent of -Mo (MODE_STANDALONE_ONCE), run command on a local console, once"},
{{"chroot", required_argument, NULL, 'c'}, "Directory containing / of the jail (default: \"/\")"},
- {{"rw", no_argument, NULL, 0x0601}, "Mount / as RW (default: RO)"},
+ {{"rw", no_argument, NULL, 0x601}, "Mount / as RW (default: RO)"},
{{"user", required_argument, NULL, 'u'}, "Username/uid of processess inside the jail (default: 'nobody')"},
{{"group", required_argument, NULL, 'g'}, "Groupname/gid of processess inside the jail (default: 'nogroup')"},
{{"hostname", required_argument, NULL, 'H'}, "UTS name (hostname) of the jail (default: 'NSJAIL')"},
{{"cwd", required_argument, NULL, 'D'}, "Directory in the namespace the process will run (default: '/')"},
{{"port", required_argument, NULL, 'p'}, "TCP port to bind to (only in [MODE_LISTEN_TCP]) (default: 31337)"},
+ {{"bindhost", required_argument, NULL, 0x604}, "IP address port to bind to (only in [MODE_LISTEN_TCP]) (default: '::')"},
{{"max_conns_per_ip", required_argument, NULL, 'i'}, "Maximum number of connections per one IP (default: 0 (unlimited))"},
{{"log", required_argument, NULL, 'l'}, "Log file (default: /proc/self/fd/2)"},
{{"time_limit", required_argument, NULL, 't'}, "Maximum time that a jail can exist, in seconds (default: 600)"},
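Review bot: The help text for the new `bindhost` option reads "IP address port to bind to", which is garbled and also does not tell the user that only an IPv6 literal is accepted (the address is parsed with inet_pton(AF_INET6, ...) in netGetRecvSocket). A plain dotted-quad such as `127.0.0.1` will be rejected at startup, so an IPv4 listener has to be written as an IPv4-mapped address like `::ffff:127.0.0.1` — this is worth stating where the option is documented. Suggested line: `{{"bindhost", required_argument, NULL, 0x604}, "IPv6 address to bind to (IPv4 as '::ffff:a.b.c.d') (only in [MODE_LISTEN_TCP]) (default: '::')"},`. The options table continues outside the hunk.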
case 'p':
nsjconf->port = strtoul(optarg, NULL, 0);
break;
+ case 0x604:
+ nsjconf->bindhost = optarg;
+ break;
case 'i':
nsjconf->max_conns_per_ip = strtoul(optarg, NULL, 0);
break;
return true;
}
-int netGetRecvSocket(int port)
+int netGetRecvSocket(const char *bindhost, int port)
{
if (port < 1 || port > 65535) {
LOG_F("TCP port %d out of bounds (0 <= port <= 65535)", port);
}
+ struct in6_addr in6a;
+ if (inet_pton(AF_INET6, bindhost, &in6a) != 1) {
+ PLOG_E("Couldn't convert '%s' into AF_INET6 address", bindhost);
+ return -1;
+ }
+
int sockfd = socket(AF_INET6, SOCK_STREAM, 0);
if (sockfd == -1) {
PLOG_E("socket(AF_INET6)");
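Review bot: The error path after the new inet_pton() call uses PLOG_E, which by its name presumably appends strerror(errno), but inet_pton() returns 0 for a malformed address string without touching errno; errno is only set on the -1 return for an unsupported family. The log line will therefore carry whatever errno an earlier call left behind, which is misleading when diagnosing a bad `--bindhost` value. Use the plain variant: `LOG_E("Couldn't convert '%s' into AF_INET6 address", bindhost);`. The existing bounds message "0 <= port <= 65535" still disagrees with the `port < 1` check two lines above it, which the commit leaves untouched. netGetRecvSocket's body continues past the end of the hunk.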
.sin6_family = AF_INET6,
.sin6_port = htons(port),
.sin6_flowinfo = 0,
- .sin6_addr = in6addr_any,
+ .sin6_addr = in6a,
.sin6_scope_id = 0,
};
if (bind(sockfd, (struct sockaddr *)&addr, sizeof(addr)) == -1) {
- PLOG_E("bind(port:%d)", port);
+ PLOG_E("bind(host:[%s], port:%d)", bindhost, port);
return -1;
}
if (listen(sockfd, SOMAXCONN) == -1) {
snprintf(buf, s, "[unknown]:%hu", ntohs(addr.sin6_port));
return;
}
- snprintf(buf, s, "%s:%hu", tmp, ntohs(addr.sin6_port));
+ snprintf(buf, s, "[%s]:%hu", tmp, ntohs(addr.sin6_port));
return;
}