BIN = nsjail
LIBS = kafel/libkafel.a
-SRCS_C = log.c cgroup.c mount.c pid.c user.c util.c uts.c
-SRCS_CXX = caps.cc cmdline.cc config.cc contain.cc cpu.cc net.cc nsjail.cc sandbox.cc subproc.cc
+SRCS_C = log.c cgroup.c mount.c user.c util.c uts.c
+SRCS_CXX = caps.cc cmdline.cc config.cc contain.cc cpu.cc net.cc nsjail.cc pid.cc sandbox.cc subproc.cc
SRCS_PROTO = config.proto
SRCS_PB_CXX = $(SRCS_PROTO:.proto=.pb.cc)
SRCS_PB_H = $(SRCS_PROTO:.proto=.pb.h)
log.o: log.h nsjail.h
cgroup.o: cgroup.h nsjail.h log.h util.h
mount.o: mount.h nsjail.h common.h log.h subproc.h util.h
-pid.o: pid.h nsjail.h log.h subproc.h
user.o: user.h nsjail.h common.h log.h subproc.h util.h
util.o: util.h nsjail.h common.h log.h
uts.o: uts.h nsjail.h log.h
cmdline.o: config.h sandbox.h
config.o: common.h config.h nsjail.h log.h mount.h user.h util.h caps.h
config.o: cmdline.h
-contain.o: contain.h nsjail.h cgroup.h log.h mount.h pid.h user.h uts.h
-contain.o: caps.h cpu.h net.h
+contain.o: contain.h nsjail.h cgroup.h log.h mount.h user.h uts.h caps.h
+contain.o: cpu.h net.h pid.h
cpu.o: cpu.h nsjail.h log.h util.h
net.o: net.h nsjail.h log.h subproc.h
nsjail.o: nsjail.h cmdline.h common.h log.h net.h subproc.h util.h
+pid.o: pid.h nsjail.h log.h subproc.h
sandbox.o: sandbox.h nsjail.h kafel/include/kafel.h log.h
subproc.o: subproc.h nsjail.h contain.h net.h sandbox.h cgroup.h common.h
subproc.o: log.h user.h util.h
#include "cgroup.h"
#include "log.h"
#include "mount.h"
-#include "pid.h"
#include "user.h"
#include "uts.h"
}
#include "caps.h"
#include "cpu.h"
#include "net.h"
+#include "pid.h"
namespace contain {
static bool containUserNs(struct nsjconf_t* nsjconf) { return userInitNsFromChild(nsjconf); }
-static bool containInitPidNs(struct nsjconf_t* nsjconf) { return pidInitNs(nsjconf); }
+static bool containInitPidNs(struct nsjconf_t* nsjconf) { return pid::initNs(nsjconf); }
static bool containInitNetNs(struct nsjconf_t* nsjconf) { return net::initNsFromChild(nsjconf); }
+++ /dev/null
-/*
-
- nsjail - CLONE_PID routines
- -----------------------------------------
-
- Copyright 2014 Google Inc. All Rights Reserved.
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
-
-*/
-
-#include "pid.h"
-
-#include <linux/sched.h>
-#include <sched.h>
-#include <signal.h>
-#include <stddef.h>
-#include <sys/prctl.h>
-#include <unistd.h>
-
-#include "log.h"
-#include "subproc.h"
-
-bool pidInitNs(struct nsjconf_t* nsjconf) {
- if (nsjconf->mode != MODE_STANDALONE_EXECVE) {
- return true;
- }
- if (!nsjconf->clone_newpid) {
- return true;
- }
-
- LOG_D("Creating a dummy 'init' process");
-
- /*
- * If -Me is used then we need to create permanent init inside PID ns, otherwise only the
- * first clone/fork will work, and the rest will fail with ENOMEM (see 'man pid_namespaces'
- * for details on this behavior)
- */
- pid_t pid = subprocClone(CLONE_FS);
- if (pid == -1) {
- PLOG_E("Couldn't create a dummy init process");
- return false;
- }
- if (pid > 0) {
- return true;
- }
-
- if (prctl(PR_SET_PDEATHSIG, SIGKILL, 0UL, 0UL, 0UL) == -1) {
- PLOG_W("(prctl(PR_SET_PDEATHSIG, SIGKILL) failed");
- }
- if (prctl(PR_SET_NAME, "ns-init", 0UL, 0UL, 0UL) == -1) {
- PLOG_W("(prctl(PR_SET_NAME, 'init') failed");
- }
- if (prctl(PR_SET_DUMPABLE, 0UL, 0UL, 0UL, 0UL) == -1) {
- PLOG_W("(prctl(PR_SET_DUMPABLE, 0) failed");
- }
-
- /* Act sort-a like a init by reaping zombie processes */
- struct sigaction sa = {
- .sa_handler = SIG_DFL,
- .sa_flags = SA_NOCLDWAIT | SA_NOCLDSTOP,
- .sa_restorer = NULL,
- };
- sigemptyset(&sa.sa_mask);
- if (sigaction(SIGCHLD, &sa, NULL) == -1) {
- PLOG_W("Couldn't set sighandler for SIGCHLD");
- }
-
- for (;;) {
- pause();
- }
-}
--- /dev/null
+/*
+
+ nsjail - CLONE_PID routines
+ -----------------------------------------
+
+ Copyright 2014 Google Inc. All Rights Reserved.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+
+#include "pid.h"
+
+#include <linux/sched.h>
+#include <sched.h>
+#include <signal.h>
+#include <stddef.h>
+#include <sys/prctl.h>
+#include <unistd.h>
+
+extern "C" {
+#include "log.h"
+}
+
+#include "subproc.h"
+
+namespace pid {
+
+bool initNs(struct nsjconf_t* nsjconf) {
+ if (nsjconf->mode != MODE_STANDALONE_EXECVE) {
+ return true;
+ }
+ if (!nsjconf->clone_newpid) {
+ return true;
+ }
+
+ LOG_D("Creating a dummy 'init' process");
+
+ /*
+ * If -Me is used then we need to create permanent init inside PID ns, otherwise only the
+ * first clone/fork will work, and the rest will fail with ENOMEM (see 'man pid_namespaces'
+ * for details on this behavior)
+ */
+ pid_t pid = subprocClone(CLONE_FS);
+ if (pid == -1) {
+ PLOG_E("Couldn't create a dummy init process");
+ return false;
+ }
+ if (pid > 0) {
+ return true;
+ }
+
+ if (prctl(PR_SET_PDEATHSIG, SIGKILL, 0UL, 0UL, 0UL) == -1) {
+ PLOG_W("(prctl(PR_SET_PDEATHSIG, SIGKILL) failed");
+ }
+ if (prctl(PR_SET_NAME, "ns-init", 0UL, 0UL, 0UL) == -1) {
+ PLOG_W("(prctl(PR_SET_NAME, 'init') failed");
+ }
+ if (prctl(PR_SET_DUMPABLE, 0UL, 0UL, 0UL, 0UL) == -1) {
+ PLOG_W("(prctl(PR_SET_DUMPABLE, 0) failed");
+ }
+
+ /* Act sort-a like a init by reaping zombie processes */
+ struct sigaction sa;
+ sa.sa_handler = SIG_DFL;
+ sa.sa_flags = SA_NOCLDWAIT | SA_NOCLDSTOP;
+ sa.sa_restorer = NULL;
+ sigemptyset(&sa.sa_mask);
+
+ if (sigaction(SIGCHLD, &sa, NULL) == -1) {
+ PLOG_W("Couldn't set sighandler for SIGCHLD");
+ }
+
+ for (;;) {
+ pause();
+ }
+}
+
+} // namespace pid
#include "nsjail.h"
-bool pidInitNs(struct nsjconf_t* nsjconf);
+namespace pid {
+
+bool initNs(struct nsjconf_t* nsjconf);
+
+} // namespace pid
#endif /* NS_PID_H */
projects / platform / upstream / nsjail.git / commitdiff