Tizen will use nsjail as application container by using USER Namespace.
If creating a new user namespace, the new user can get admin (root) privilege in the namespace,
and can use several kernel resources by creating other namespaces.
However, the new user namespace cannot access unprivileged resources in the original namespace.
For that, Tizen nsjail service creates some resources (directories for cgroup, and bind mount tmp directories) for the new user namespace.
cf) Each Tizen App has its own smack label.
Unfortunately, nsjail does not consider such an issue for bind mount.
For that, at this moment, we create a folder name based on the new user's uid for each application.
In the future, the folder name should be created on the basis of the Tizen package name.
static std::unique_ptr<std::string> getDir(nsjconf_t* nsjconf, const char* name) {
std::unique_ptr<std::string> dir(new std::string);
- dir->assign("/run/user/").append(std::to_string(nsjconf->orig_uid)).append("/nsjail");
+ // TODO: In Tizen, each app has specific smack label. Thus, app name should be used as folder separator instead getuid or unique folder
+ dir->assign("/run/user/").append(std::to_string(nsjconf->orig_uid)).append("/nsjail/").append(std::to_string(getuid()));
if (mkdirAndTest(*dir)) {
dir->append("/").append(name);
if (mkdirAndTest(*dir)) {
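Review bot: The added path component `std::to_string(getuid())` produces one directory per uid, not per application, so the per-app separation that the TODO on the line above describes is not provided by this change; every app running under the same uid lands in the same `/run/user/<orig_uid>/nsjail/<uid>` tree. The parent `nsjail` directory is created by the accompanying script with `owner:users` ownership and the `*` smack label, so it is reachable by any process of that uid; whether a pre-existing `<uid>/<name>` entry that is a symlink or not owned by the caller is rejected depends on `mkdirAndTest`, which is outside the hunk, and that guarantee is worth stating at the call site, e.g. `// mkdirAndTest must refuse symlinks and foreign-owned dirs: the parent is shared by all apps of this uid`. A short comment on why both `nsjconf->orig_uid` and `getuid()` appear in the path (and whether they are expected to differ) would also help the next reader. getDir's body continues outside the hunk.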
--- /dev/null
+[Unit]
+Description=nsjail service
+After=ac.service wait-mount@opt-usr.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+SmackProcessLabel=System::Privileged
+ExecStart=/usr/bin/nsjail.sh start
+ExecStop=/usr/bin/nsjail.sh stop
+RemainAfterExit=yes
+
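Review bot: `RemainAfterExit=yes` appears twice in the [Service] section, once after `Type=oneshot` and again after `ExecStop=`; the second copy is redundant and should be removed so the unit does not rely on systemd's last-wins handling of repeated keys. Since `ExecStop` is what tears down the cgroup and `/run/user` directories, a one-line comment above it such as `# stop removes the NSJAIL cgroup subtrees and the per-user nsjail dir created by start` would make the unit self-describing.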
--- /dev/null
+#!/bin/sh
+PATH=/bin:/usr/bin:/sbin:/usr/sbin
+
+OWNER_ID=`id -u owner`
+
+if [ x$1 == "xstart" ]
+then
+ mkdir /sys/fs/cgroup/memory/NSJAIL
+ chown -R owner:users /sys/fs/cgroup/memory/NSJAIL
+
+ mkdir /sys/fs/cgroup/cpu/NSJAIL
+ chown -R owner:users /sys/fs/cgroup/cpu/NSJAIL
+
+ while [ ! -d /run/user/${OWNER_ID} ]; do sleep 1; done
+
+ mkdir /run/user/${OWNER_ID}/nsjail
+ chown owner:users /run/user/${OWNER_ID}/nsjail
+ chsmack -a "*" /run/user/${OWNER_ID}/nsjail
+else
+ rmdir /sys/fs/cgroup/memory/NSJAIL/NSJAIL*
+ rmdir /sys/fs/cgroup/memory/NSJAIL
+
+ rmdir /sys/fs/cgroup/cpu/NSJAIL/NSJAIL*
+ rmdir /sys/fs/cgroup/cpu/NSJAIL
+
+ rm -rf /run/user/${OWNER_ID}/nsjail
+fi
+
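Review bot: The `else` branch on the `[ x$1 == "xstart" ]` test runs the teardown (`rmdir` of the cgroup trees and `rm -rf /run/user/${OWNER_ID}/nsjail`) for any argument that is not exactly `start`, including no argument at all or a typo, and `==` inside `[ ]` is not POSIX `sh`, so `/bin/sh` implementations that are not bash may reject the test and fall into that branch too. `OWNER_ID` is also never checked: if `id -u owner` fails, the variable is empty and the stop path becomes `rm -rf /run/user//nsjail`, run as root. A `case` dispatch with an explicit `stop` arm and a guard on `OWNER_ID` addresses both; the `mkdir` calls in the start arm could additionally use `-p` so a restart after an unclean stop does not fail on existing directories.

```shell
#!/bin/sh
PATH=/bin:/usr/bin:/sbin:/usr/sbin

OWNER_ID=$(id -u owner) || exit 1
[ -n "$OWNER_ID" ] || exit 1

case "${1:-}" in
start)
    # … unchanged: cgroup creation, wait for /run/user, nsjail dir setup …
    ;;
stop)
    # … unchanged: cgroup removal and nsjail dir removal …
    ;;
*)
    echo "usage: $0 start|stop" >&2
    exit 2
    ;;
esac
```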
Source0: nsjail-%{version}.tar.gz
#Source1: kafel.tar.gz
Source1001: %{name}.manifest
+Source1002: %{name}.service
+Source1003: %{name}.sh
BuildRequires: autoconf
BuildRequires: bison
BuildRequires: flex
%prep
%setup -q
cp %{SOURCE1001} .
+cp %{SOURCE1002} .
+cp %{SOURCE1003} .
%build
export CFLAGS="$CFLAGS -DTIZEN"
mkdir -p %{buildroot}/%{_bindir}/
mkdir -p %{buildroot}/%{_bindir}/nsjail_test/
mkdir -p %{buildroot}/usr/share/
+mkdir -p %{buildroot}/%{_unitdir}
+
+install -m 0755 nsjail %{buildroot}/%{_bindir}/
+install -m 0755 nsjail.sh %{buildroot}/%{_bindir}/
+install -m 0644 nsjail.service %{buildroot}/%{_unitdir}/
+%install_service multi-user.target.wants nsjail.service
-cp nsjail %{buildroot}/%{_bindir}/
cp -a test/*_test %{buildroot}/%{_bindir}/nsjail_test/
cp -a test/*.cfg %{buildroot}/usr/share/
-
%files
%manifest %{name}.manifest
%license LICENSE
-%{_bindir}/nsjail
+%{_bindir}/nsjail*
+%{_unitdir}/nsjail.service
+%{_unitdir}/multi-user.target.wants/nsjail.service
%files test
%manifest %{name}.manifest
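Review bot: The new `%files` entry `%{_bindir}/nsjail*` is a glob, and this spec also creates `%{buildroot}/%{_bindir}/nsjail_test/` and fills it from `test/*_test` for the `test` subpackage, so the glob will capture that directory in the main package as well; listing the two binaries explicitly, `%{_bindir}/nsjail` and `%{_bindir}/nsjail.sh`, keeps the packages disjoint. The `install -m 0755 nsjail.sh` line also installs a script that is only meaningful to the service; a comment next to `Source1003` saying it is the `ExecStart`/`ExecStop` helper for `nsjail.service` would document that link.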
cgroup_mem_max: 10000000
cgroup_cpu_ms_per_sec: 100
+log_file: "/tmp/nsjail.log"
pass_fd: 10
## Mount settings
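Review bot: `log_file: "/tmp/nsjail.log"` points every nsjail instance at one fixed, world-writable location, so concurrent sandboxes overwrite each other's log and any local process can pre-create that name before nsjail opens it, which is the classic shared-/tmp file hazard. Given that this commit already establishes a per-user runtime directory under `/run/user/<uid>/nsjail`, a location there (or leaving logging on stderr) would be the safer default; whether the config supports expanding the uid into the path is not visible from this hunk, so the alternative is a comment such as `# log_file in /tmp is for debugging only; do not ship enabled` next to the line.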