("Jail parameters: hostname:'%s', chroot:'%s', process:'%s', bind:[%s]:%d, "
"max_conns_per_ip:%u, uid:(ns:%u, global:%u), gid:(ns:%u, global:%u), time_limit:%ld, personality:%#lx, daemonize:%s, "
"clone_newnet:%s, clone_newuser:%s, clone_newns:%s, clone_newpid:%s, "
- "clone_newipc:%s, clonew_newuts:%s, apply_sandbox:%s, keep_caps:%s, "
+ "clone_newipc:%s, clonew_newuts:%s, clone_newcgroup:%s, apply_sandbox:%s, keep_caps:%s, "
"tmpfs_size:%zu",
nsjconf->hostname, nsjconf->chroot, nsjconf->argv[0], nsjconf->bindhost, nsjconf->port,
nsjconf->max_conns_per_ip, nsjconf->inside_uid, nsjconf->outside_uid,
logYesNo(nsjconf->daemonize), logYesNo(nsjconf->clone_newnet),
logYesNo(nsjconf->clone_newuser), logYesNo(nsjconf->clone_newns),
logYesNo(nsjconf->clone_newpid), logYesNo(nsjconf->clone_newipc),
- logYesNo(nsjconf->clone_newuts), logYesNo(nsjconf->apply_sandbox),
- logYesNo(nsjconf->keep_caps), nsjconf->tmpfs_size);
+ logYesNo(nsjconf->clone_newuts), logYesNo(nsjconf->clone_newcgroup),
+ logYesNo(nsjconf->apply_sandbox), logYesNo(nsjconf->keep_caps), nsjconf->tmpfs_size);
struct mounts_t *p;
TAILQ_FOREACH(p, &nsjconf->mountpts, pointers) {
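Review bot: The rewritten format line on L5 keeps the misspelled label `clonew_newuts` immediately before the new `clone_newcgroup` field; since the line is being touched anyway, `clone_newuts:%s` would make the log output match the option name `disable_clone_newuts` and the struct field. Separately, the visible argument list (L7–L15) carries no values for the `gid:(ns:%u, global:%u)`, `time_limit:%ld` and `personality:%#lx` specifiers in L2 — unless a line was lost in this excerpt, the call now has fewer arguments than conversions and `-Wformat` would reject it, so worth a recount after the edit. The LOG_I call begins before the hunk.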
.clone_newpid = true,
.clone_newipc = true,
.clone_newuts = true,
+ .clone_newcgroup = false,
.mode = MODE_LISTEN_TCP,
.is_root_rw = false,
.is_silent = false,
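Review bot: `.clone_newcgroup = false` on L21 is the only `clone_new*` field in this initializer that defaults off, the opposite of its siblings on L18–L20, and nothing says why. A one-line comment would stop the next reader from "fixing" it to `true`: `.clone_newcgroup = false, /* opt-in: needs a kernel with cgroup namespaces, older ones reject the flag */` — the kernel-support reason is my inference from the `#ifndef CLONE_NEWCGROUP` shim elsewhere in the commit, so confirm it is the actual motivation. The enclosing initializer starts and ends outside the hunk.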
{{"disable_clone_newpid", no_argument, NULL, 0x0404}, "Don't use CLONE_NEWPID"},
{{"disable_clone_newipc", no_argument, NULL, 0x0405}, "Don't use CLONE_NEWIPC"},
{{"disable_clone_newuts", no_argument, NULL, 0x0406}, "Don't use CLONE_NEWUTS"},
+ {{"enable_clone_newcgroup", no_argument, NULL, 0x0407}, "Use CLONE_NEWCGROUP"},
{{"bindmount_ro", required_argument, NULL, 'R'}, "List of mountpoints to be mounted --bind (ro) inside the container. Can be specified multiple times. Supports 'source' syntax, or 'source:dest'"},
{{"bindmount", required_argument, NULL, 'B'}, "List of mountpoints to be mounted --bind (rw) inside the container. Can be specified multiple times. Supports 'source' syntax, or 'source:dest'"},
{{"tmpfsmount", required_argument, NULL, 'T'}, "List of mountpoints to be mounted as RW/tmpfs inside the container. Can be specified multiple times. Supports 'dest' syntax"},
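Review bot: The help text for the new option on L28, `"Use CLONE_NEWCGROUP"`, does not tell the user that this flag has the opposite polarity of the `disable_clone_*` options next to it or that it is off by default, nor that it needs a kernel with cgroup namespaces (Linux 4.6 or later). Suggest `{{"enable_clone_newcgroup", no_argument, NULL, 0x0407}, "Use CLONE_NEWCGROUP (cgroup namespace; off by default, requires kernel support)"},`. The option value 0x0407 does match the new case in the parser.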
case 0x0406:
nsjconf->clone_newuts = false;
break;
+ case 0x0407:
+ nsjconf->clone_newcgroup = true;
+ break;
case 0x0500:
nsjconf->mode = MODE_STANDALONE_ONCE;
break;
static bool mountMount(struct nsjconf_t *nsjconf, struct mounts_t *mpt, const char *dst)
{
- LOG_D("Mounting '%s' on '%s' (type:'%s', flags:0x%tx)", mpt->src, dst, mpt->fs_type,
- mpt->flags);
+ LOG_D("Mounting '%s' on '%s' (type:'%s', flags:0x%tx, options:'%s')", mpt->src, dst,
+ mpt->fs_type, mpt->flags, mpt->options);
if (mountIsDir(mpt->src) == true) {
if (mkdir(dst, 0711) == -1 && errno != EEXIST) {
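Review bot: The new LOG_D on L45–L46 passes `mpt->options` to a `%s` conversion with no null guard, and nothing in the hunk shows that `options` is always populated for the bind and tmpfs mount kinds this function also serves; passing NULL to `%s` is undefined behaviour even where glibc happens to print `(null)`. If the field can be unset, use `mpt->options ? mpt->options : ""` as the argument. Note also that for filesystems whose mount options carry credentials, this line would echo them into the debug log; if that is accepted, a short comment saying so would document the choice. mountMount continues past the end of the hunk.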
if (netLimitConns(nsjconf, fd_in) == false) {
return;
}
-
+#ifndef CLONE_NEWCGROUP
+#define CLONE_NEWCGROUP 0x02000000
+#endif
unsigned long flags = 0UL;
flags |= (nsjconf->clone_newnet ? CLONE_NEWNET : 0);
flags |= (nsjconf->clone_newuser ? CLONE_NEWUSER : 0);
flags |= (nsjconf->clone_newpid ? CLONE_NEWPID : 0);
flags |= (nsjconf->clone_newipc ? CLONE_NEWIPC : 0);
flags |= (nsjconf->clone_newuts ? CLONE_NEWUTS : 0);
+ flags |= (nsjconf->clone_newcgroup ? CLONE_NEWCGROUP : 0);
if (nsjconf->mode == MODE_STANDALONE_EXECVE) {
LOG_D("Entering namespace with flags: %#lx", flags);
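Review bot: The `#ifndef CLONE_NEWCGROUP` fallback on L53–L55 is placed inside a function body, between the netLimitConns check and the flag computation, where a reader looking for the constant's origin will not expect it; conventionally it belongs with the includes at the top of the file, with a comment stating its purpose, e.g. `/* CLONE_NEWCGROUP (Linux 4.6+): provide it for libc headers that predate the flag */`. Independently of header age, a running kernel without cgroup-namespace support will reject the later clone/unshare with EINVAL when L62 sets the bit, so whichever error path reports that failure should name `clone_newcgroup` as the likely cause rather than only the raw errno — that path is outside this hunk, so I cannot confirm what it currently reports. The enclosing function starts and ends outside the hunk.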