BIN = nsjail
LIBS = kafel/libkafel.a
-SRCS_C = caps.c log.c cgroup.c mount.c net.c pid.c sandbox.c user.c util.c uts.c cpu.c
-SRCS_CXX = cmdline.cc config.cc contain.cc nsjail.cc subproc.cc
+SRCS_C = caps.c log.c cgroup.c mount.c net.c pid.c user.c util.c uts.c cpu.c
+SRCS_CXX = cmdline.cc config.cc contain.cc nsjail.cc sandbox.cc subproc.cc
SRCS_PROTO = config.proto
SRCS_PB_CXX = $(SRCS_PROTO:.proto=.pb.cc)
SRCS_PB_H = $(SRCS_PROTO:.proto=.pb.h)
mount.o: mount.h nsjail.h common.h log.h subproc.h util.h
net.o: net.h nsjail.h log.h subproc.h
pid.o: pid.h nsjail.h log.h subproc.h
-sandbox.o: sandbox.h nsjail.h kafel/include/kafel.h log.h
user.o: user.h nsjail.h common.h log.h subproc.h util.h
util.o: util.h nsjail.h common.h log.h
uts.o: uts.h nsjail.h log.h
cpu.o: cpu.h nsjail.h log.h util.h
-cmdline.o: cmdline.h nsjail.h caps.h common.h log.h mount.h sandbox.h user.h
-cmdline.o: util.h config.h
+cmdline.o: cmdline.h nsjail.h caps.h common.h log.h mount.h user.h util.h
+cmdline.o: config.h sandbox.h
config.o: common.h caps.h nsjail.h config.h log.h mount.h user.h util.h
config.o: cmdline.h
contain.o: contain.h nsjail.h caps.h cgroup.h cpu.h log.h mount.h net.h pid.h
contain.o: user.h uts.h
nsjail.o: nsjail.h cmdline.h common.h log.h net.h subproc.h util.h
-subproc.o: subproc.h nsjail.h contain.h cgroup.h common.h log.h net.h
-subproc.o: sandbox.h user.h util.h
+sandbox.o: sandbox.h nsjail.h kafel/include/kafel.h log.h
+subproc.o: subproc.h nsjail.h contain.h sandbox.h cgroup.h common.h log.h
+subproc.o: net.h user.h util.h
#include "common.h"
#include "log.h"
#include "mount.h"
-#include "sandbox.h"
#include "user.h"
#include "util.h"
}
#include "config.h"
+#include "sandbox.h"
namespace cmdline {
}
}
- if (!sandboxPrepare(nsjconf.get())) {
+ if (!sandbox::preparePolicy(nsjconf.get())) {
LOG_E("Couldn't prepare sandboxing setup");
return nullptr;
}
+++ /dev/null
-/*
-
- nsjail - seccomp-bpf sandboxing
- -----------------------------------------
-
- Copyright 2014 Google Inc. All Rights Reserved.
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
-
-*/
-
-#include "sandbox.h"
-
-#include <linux/filter.h>
-#include <linux/seccomp.h>
-#include <stddef.h>
-#include <sys/prctl.h>
-
-#include "kafel.h"
-#include "log.h"
-
-#ifndef PR_SET_NO_NEW_PRIVS /* in prctl.h since Linux 3.5 */
-#define PR_SET_NO_NEW_PRIVS 38
-#endif /* PR_SET_NO_NEW_PRIVS */
-
-static bool sandboxPrepareAndCommit(struct nsjconf_t* nsjconf) {
- if (nsjconf->kafel_file_path == NULL && nsjconf->kafel_string == NULL) {
- return true;
- }
-
- if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
- PLOG_W("prctl(PR_SET_NO_NEW_PRIVS, 1) failed");
- return false;
- }
- if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &nsjconf->seccomp_fprog, 0, 0)) {
- PLOG_W("prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER) failed");
- return false;
- }
- return true;
-}
-
-bool sandboxApply(struct nsjconf_t* nsjconf) { return sandboxPrepareAndCommit(nsjconf); }
-
-bool sandboxPrepare(struct nsjconf_t* nsjconf) {
- if (nsjconf->kafel_file_path == NULL && nsjconf->kafel_string == NULL) {
- return true;
- }
- FILE* f = NULL;
- if (nsjconf->kafel_file_path && !(f = fopen(nsjconf->kafel_file_path, "r"))) {
- PLOG_W(
- "Couldn't open the kafel seccomp policy file '%s'", nsjconf->kafel_file_path);
- return false;
- }
-
- kafel_ctxt_t ctxt = kafel_ctxt_create();
-
- if (f) {
- kafel_set_input_file(ctxt, f);
- } else if (nsjconf->kafel_string) {
- kafel_set_input_string(ctxt, nsjconf->kafel_string);
- } else {
- LOG_F(
- "No kafel seccomp-bpf config file available, nor policy as a string was "
- "defined");
- }
-
- if (kafel_compile(ctxt, &nsjconf->seccomp_fprog) != 0) {
- LOG_E("Could not compile policy: %s", kafel_error_msg(ctxt));
- kafel_ctxt_destroy(&ctxt);
- return false;
- }
- kafel_ctxt_destroy(&ctxt);
- return true;
-}
--- /dev/null
+/*
+
+ nsjail - seccomp-bpf sandboxing
+ -----------------------------------------
+
+ Copyright 2014 Google Inc. All Rights Reserved.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+
+#include "sandbox.h"
+
+#include <linux/filter.h>
+#include <linux/seccomp.h>
+#include <stddef.h>
+#include <sys/prctl.h>
+
+extern "C" {
+#include "kafel.h"
+#include "log.h"
+}
+
+namespace sandbox {
+
+#ifndef PR_SET_NO_NEW_PRIVS /* in prctl.h since Linux 3.5 */
+#define PR_SET_NO_NEW_PRIVS 38
+#endif /* PR_SET_NO_NEW_PRIVS */
+
+static bool prepareAndCommit(struct nsjconf_t* nsjconf) {
+ if (nsjconf->kafel_file_path == NULL && nsjconf->kafel_string == NULL) {
+ return true;
+ }
+
+ if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
+ PLOG_W("prctl(PR_SET_NO_NEW_PRIVS, 1) failed");
+ return false;
+ }
+ if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &nsjconf->seccomp_fprog, 0, 0)) {
+ PLOG_W("prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER) failed");
+ return false;
+ }
+ return true;
+}
+
+bool applyPolicy(struct nsjconf_t* nsjconf) { return prepareAndCommit(nsjconf); }
+
+bool preparePolicy(struct nsjconf_t* nsjconf) {
+ if (nsjconf->kafel_file_path == NULL && nsjconf->kafel_string == NULL) {
+ return true;
+ }
+ FILE* f = NULL;
+ if (nsjconf->kafel_file_path && !(f = fopen(nsjconf->kafel_file_path, "r"))) {
+ PLOG_W(
+ "Couldn't open the kafel seccomp policy file '%s'", nsjconf->kafel_file_path);
+ return false;
+ }
+
+ kafel_ctxt_t ctxt = kafel_ctxt_create();
+
+ if (f) {
+ kafel_set_input_file(ctxt, f);
+ } else if (nsjconf->kafel_string) {
+ kafel_set_input_string(ctxt, nsjconf->kafel_string);
+ } else {
+ LOG_F(
+ "No kafel seccomp-bpf config file available, nor policy as a string was "
+ "defined");
+ }
+
+ if (kafel_compile(ctxt, &nsjconf->seccomp_fprog) != 0) {
+ LOG_E("Could not compile policy: %s", kafel_error_msg(ctxt));
+ kafel_ctxt_destroy(&ctxt);
+ return false;
+ }
+ kafel_ctxt_destroy(&ctxt);
+ return true;
+}
+
+} // namespace sandbox
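Review bot: preparePolicy leaks the FILE it opens: `f` from the fopen near the top of the function is passed to kafel_set_input_file but is never closed, neither after a failed kafel_compile nor on the success path. Add `if (f) fclose(f);` alongside each kafel_ctxt_destroy call (or once, right after kafel_compile returns and before its result is inspected), so the policy file's descriptor is not kept open for the rest of the process's life. The result of kafel_ctxt_create is used without a NULL check; if it can fail (it presumably allocates), test it before kafel_set_input_file. FILE and fopen are used but <stdio.h> is not included directly in this file — it presumably arrives through sandbox.h or log.h — so an explicit include would make the translation unit self-contained. The same leak is visible in the deleted sandbox.c, so the commit carries it over rather than introducing it.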
#include "nsjail.h"
-bool sandboxApply(struct nsjconf_t* nsjconf);
-bool sandboxPrepare(struct nsjconf_t* nsjconf);
+namespace sandbox {
+
+bool applyPolicy(struct nsjconf_t* nsjconf);
+bool preparePolicy(struct nsjconf_t* nsjconf);
+
+} // namespace sandbox
#endif /* NS_SANDBOX_H */
#include <unistd.h>
#include "contain.h"
+#include "sandbox.h"
extern "C" {
#include "cgroup.h"
#include "common.h"
#include "log.h"
#include "net.h"
-#include "sandbox.h"
#include "user.h"
#include "util.h"
}
/* Should be the last one in the sequence */
- if (sandboxApply(nsjconf) == false) {
+ if (sandbox::applyPolicy(nsjconf) == false) {
exit(0xff);
}