allow to use nsjail w/o namespaces
authorRobert Swiecki <robert@swiecki.net>
Fri, 29 Mar 2019 20:38:14 +0000 (21:38 +0100)
committerRobert Swiecki <robert@swiecki.net>
Fri, 29 Mar 2019 20:38:14 +0000 (21:38 +0100)
cmdline.cc
mnt.cc
nsjail.h
user.cc

index 4d273e6..ecc0419 100644 (file)
@@ -432,6 +432,7 @@ std::unique_ptr<nsjconf_t> parseArgs(int argc, char* argv[]) {
        nsjconf->iface_vs_gw = "0.0.0.0";
        nsjconf->iface_vs_ma = "";
        nsjconf->orig_uid = getuid();
+       nsjconf->orig_euid = geteuid();
        nsjconf->num_cpus = sysconf(_SC_NPROCESSORS_ONLN);
        nsjconf->seccomp_fprog.filter = NULL;
        nsjconf->seccomp_fprog.len = 0;
diff --git a/mnt.cc b/mnt.cc
index 8b1c9b2..26bd5a8 100644 (file)
--- a/mnt.cc
+++ b/mnt.cc
@@ -344,10 +344,7 @@ static bool initNsInternal(nsjconf_t* nsjconf) {
         */
        if (!nsjconf->clone_newns) {
                if (nsjconf->chroot.empty()) {
-                       PLOG_E(
-                           "--chroot was not specified, and it's required when not using "
-                           "CLONE_NEWNS");
-                       return false;
+                       return true;
                }
                if (chroot(nsjconf->chroot.c_str()) == -1) {
                        PLOG_E("chroot('%s')", nsjconf->chroot.c_str());
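Review bot: The new `return true;` in the `chroot.empty()` branch makes the case of no CLONE_NEWNS and no --chroot succeed silently, so the process keeps the host's full filesystem view and nothing in the log shows it. A warning before the return would make that visible to whoever runs or audits the jail, e.g. `LOG_W("CLONE_NEWNS is off and --chroot is not set: no filesystem isolation is applied");`. The early return also skips whatever initNsInternal does after the chroot branch, which lies outside this hunk, so it is worth confirming nothing there is still needed in this mode. The block comment that ends just above the changed lines may also need updating, since the removed message stated the old requirement.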
index f91b8fd..9f1a19c 100644 (file)
--- a/nsjail.h
+++ b/nsjail.h
@@ -144,6 +144,7 @@ struct nsjconf_t {
        bool seccomp_log;
        long num_cpus;
        uid_t orig_uid;
+       uid_t orig_euid;
        std::vector<mount_t> mountpts;
        std::vector<pids_t> pids;
        std::vector<idmap_t> uids;
diff --git a/user.cc b/user.cc
index a395f05..04d9723 100644 (file)
--- a/user.cc
+++ b/user.cc
@@ -77,12 +77,12 @@ static bool setResUid(uid_t uid) {
        return true;
 }
 
-static bool setGroups(pid_t pid) {
+static bool setGroups(nsjconf_t* nsjconf, pid_t pid) {
        /*
         * No need to write 'deny' to /proc/pid/setgroups if our euid==0, as writing to
         * uid_map/gid_map will succeed anyway
         */
-       if (geteuid() == 0) {
+       if (!nsjconf->clone_newuser || nsjconf->orig_euid == 0) {
                return true;
        }
 
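Review bot: The comment above the check in setGroups is now stale: it explains only the euid==0 case, but the condition also returns early when CLONE_NEWUSER is off. I would extend it with something like `Nothing to do without CLONE_NEWUSER either: there is no uid_map/gid_map to write, so /proc/pid/setgroups is left alone.` It is also worth saying in the comment that `orig_euid` is the value captured once in parseArgs, not the current euid. The rest of setGroups is outside this hunk.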
@@ -214,7 +214,7 @@ static bool uidGidMap(nsjconf_t* nsjconf, pid_t pid) {
 }
 
 bool initNsFromParent(nsjconf_t* nsjconf, pid_t pid) {
-       if (!setGroups(pid)) {
+       if (!setGroups(nsjconf, pid)) {
                return false;
        }
        if (!nsjconf->clone_newuser) {
@@ -227,13 +227,8 @@ bool initNsFromParent(nsjconf_t* nsjconf, pid_t pid) {
 }
 
 bool initNsFromChild(nsjconf_t* nsjconf) {
-       /*
-        * Best effort because of /proc/self/setgroups
-        */
-       LOG_D("setgroups(0, NULL)");
-       const gid_t* group_list = NULL;
-       if (setgroups(0, group_list) == -1) {
-               PLOG_D("setgroups(NULL) failed");
+       if (!nsjconf->clone_newuser && nsjconf->orig_euid != 0) {
+               return true;
        }
 
        /*
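Review bot: The early return at the top of initNsFromChild is keyed only on `orig_euid != 0`, so with CLONE_NEWUSER off every credential change below it is skipped without a trace, including the setgroups() drop and the setresgid() call on the configured inside id. A non-zero euid does not by itself prove the process cannot change ids. It may hold CAP_SETUID/CAP_SETGID, or have differing real and saved ids when started from a set-id binary, and in those cases the child would keep credentials the configuration asked to drop. At minimum log the decision, e.g. `LOG_W("No CLONE_NEWUSER and euid != 0: leaving uid/gid/groups unchanged");`, and consider returning false when the configured inside ids differ from the current ones. The remainder of the function lies outside this hunk.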
@@ -246,6 +241,15 @@ bool initNsFromChild(nsjconf_t* nsjconf) {
                return false;
        }
 
+       /*
+        * Best effort because of /proc/self/setgroups
+        */
+       LOG_D("setgroups(0, NULL)");
+       const gid_t* group_list = NULL;
+       if (setgroups(0, group_list) == -1) {
+               PLOG_D("setgroups(NULL) failed");
+       }
+
        if (!setResGid(nsjconf->gids[0].inside_id)) {
                PLOG_E("setresgid(%u)", nsjconf->gids[0].inside_id);
                return false;