#define CAP_AUDIT_READ 37
#endif /* !defined(CAP_AUDIT_READ) */
-// clang-format off
static struct {
- const int val;
- const char* const name;
+ const int val;
+ const char* const name;
} const capNames[] = {
- VALSTR_STRUCT(CAP_CHOWN),
- VALSTR_STRUCT(CAP_DAC_OVERRIDE),
- VALSTR_STRUCT(CAP_DAC_READ_SEARCH),
- VALSTR_STRUCT(CAP_FOWNER),
- VALSTR_STRUCT(CAP_FSETID),
- VALSTR_STRUCT(CAP_KILL),
- VALSTR_STRUCT(CAP_SETGID),
- VALSTR_STRUCT(CAP_SETUID),
- VALSTR_STRUCT(CAP_SETPCAP),
- VALSTR_STRUCT(CAP_LINUX_IMMUTABLE),
- VALSTR_STRUCT(CAP_NET_BIND_SERVICE),
- VALSTR_STRUCT(CAP_NET_BROADCAST),
- VALSTR_STRUCT(CAP_NET_ADMIN),
- VALSTR_STRUCT(CAP_NET_RAW),
- VALSTR_STRUCT(CAP_IPC_LOCK),
- VALSTR_STRUCT(CAP_IPC_OWNER),
- VALSTR_STRUCT(CAP_SYS_MODULE),
- VALSTR_STRUCT(CAP_SYS_RAWIO),
- VALSTR_STRUCT(CAP_SYS_CHROOT),
- VALSTR_STRUCT(CAP_SYS_PTRACE),
- VALSTR_STRUCT(CAP_SYS_PACCT),
- VALSTR_STRUCT(CAP_SYS_ADMIN),
- VALSTR_STRUCT(CAP_SYS_BOOT),
- VALSTR_STRUCT(CAP_SYS_NICE),
- VALSTR_STRUCT(CAP_SYS_RESOURCE),
- VALSTR_STRUCT(CAP_SYS_TIME),
- VALSTR_STRUCT(CAP_SYS_TTY_CONFIG),
- VALSTR_STRUCT(CAP_MKNOD),
- VALSTR_STRUCT(CAP_LEASE),
- VALSTR_STRUCT(CAP_AUDIT_WRITE),
- VALSTR_STRUCT(CAP_AUDIT_CONTROL),
- VALSTR_STRUCT(CAP_SETFCAP),
- VALSTR_STRUCT(CAP_MAC_OVERRIDE),
- VALSTR_STRUCT(CAP_MAC_ADMIN),
- VALSTR_STRUCT(CAP_SYSLOG),
- VALSTR_STRUCT(CAP_WAKE_ALARM),
- VALSTR_STRUCT(CAP_BLOCK_SUSPEND),
- VALSTR_STRUCT(CAP_AUDIT_READ),
+ VALSTR_STRUCT(CAP_CHOWN),
+ VALSTR_STRUCT(CAP_DAC_OVERRIDE),
+ VALSTR_STRUCT(CAP_DAC_READ_SEARCH),
+ VALSTR_STRUCT(CAP_FOWNER),
+ VALSTR_STRUCT(CAP_FSETID),
+ VALSTR_STRUCT(CAP_KILL),
+ VALSTR_STRUCT(CAP_SETGID),
+ VALSTR_STRUCT(CAP_SETUID),
+ VALSTR_STRUCT(CAP_SETPCAP),
+ VALSTR_STRUCT(CAP_LINUX_IMMUTABLE),
+ VALSTR_STRUCT(CAP_NET_BIND_SERVICE),
+ VALSTR_STRUCT(CAP_NET_BROADCAST),
+ VALSTR_STRUCT(CAP_NET_ADMIN),
+ VALSTR_STRUCT(CAP_NET_RAW),
+ VALSTR_STRUCT(CAP_IPC_LOCK),
+ VALSTR_STRUCT(CAP_IPC_OWNER),
+ VALSTR_STRUCT(CAP_SYS_MODULE),
+ VALSTR_STRUCT(CAP_SYS_RAWIO),
+ VALSTR_STRUCT(CAP_SYS_CHROOT),
+ VALSTR_STRUCT(CAP_SYS_PTRACE),
+ VALSTR_STRUCT(CAP_SYS_PACCT),
+ VALSTR_STRUCT(CAP_SYS_ADMIN),
+ VALSTR_STRUCT(CAP_SYS_BOOT),
+ VALSTR_STRUCT(CAP_SYS_NICE),
+ VALSTR_STRUCT(CAP_SYS_RESOURCE),
+ VALSTR_STRUCT(CAP_SYS_TIME),
+ VALSTR_STRUCT(CAP_SYS_TTY_CONFIG),
+ VALSTR_STRUCT(CAP_MKNOD),
+ VALSTR_STRUCT(CAP_LEASE),
+ VALSTR_STRUCT(CAP_AUDIT_WRITE),
+ VALSTR_STRUCT(CAP_AUDIT_CONTROL),
+ VALSTR_STRUCT(CAP_SETFCAP),
+ VALSTR_STRUCT(CAP_MAC_OVERRIDE),
+ VALSTR_STRUCT(CAP_MAC_ADMIN),
+ VALSTR_STRUCT(CAP_SYSLOG),
+ VALSTR_STRUCT(CAP_WAKE_ALARM),
+ VALSTR_STRUCT(CAP_BLOCK_SUSPEND),
+ VALSTR_STRUCT(CAP_AUDIT_READ),
};
-// clang-format on
int capsNameToVal(const char* name)
{
bool cmdlineParse(int argc, char* argv[], struct nsjconf_t* nsjconf)
{
- // clang-format off
- (*nsjconf) = (const struct nsjconf_t){
- .exec_file = NULL,
- .hostname = "NSJAIL",
- .cwd = "/",
- .chroot = NULL,
- .argv = NULL,
- .port = 0,
- .bindhost = "::",
- .log_fd = STDERR_FILENO,
- .logfile = NULL,
- .loglevel = INFO,
- .daemonize = false,
- .tlimit = 0,
- .max_cpus = 0,
- .keep_caps = false,
- .disable_no_new_privs = false,
- .rl_as = 512 * (1024 * 1024),
- .rl_core = 0,
- .rl_cpu = 600,
- .rl_fsize = 1 * (1024 * 1024),
- .rl_nofile = 32,
- .rl_nproc = cmdlineParseRLimit(RLIMIT_NPROC, "soft", 1),
- .rl_stack = cmdlineParseRLimit(RLIMIT_STACK, "soft", 1),
- .personality = 0,
- .clone_newnet = true,
- .clone_newuser = true,
- .clone_newns = true,
- .clone_newpid = true,
- .clone_newipc = true,
- .clone_newuts = true,
- .clone_newcgroup = false,
- .mode = MODE_STANDALONE_ONCE,
- .is_root_rw = false,
- .is_silent = false,
- .skip_setsid = false,
- .max_conns_per_ip = 0,
- .tmpfs_size = 4 * (1024 * 1024),
- .mount_proc = true,
- .cgroup_mem_mount = "/sys/fs/cgroup/memory",
- .cgroup_mem_parent = "NSJAIL",
- .cgroup_mem_max = (size_t)0,
- .cgroup_pids_mount = "/sys/fs/cgroup/pids",
- .cgroup_pids_parent = "NSJAIL",
- .cgroup_pids_max = (size_t)0,
- .iface_no_lo = false,
- .iface_vs = NULL,
- .iface_vs_ip = "0.0.0.0",
- .iface_vs_nm = "255.255.255.0",
- .iface_vs_gw = "0.0.0.0",
- .kafel_file = NULL,
- .kafel_string = NULL,
- .num_cpus = sysconf(_SC_NPROCESSORS_ONLN),
- };
- // clang-format on
+ (*nsjconf) = (const struct nsjconf_t){
+ .exec_file = NULL,
+ .hostname = "NSJAIL",
+ .cwd = "/",
+ .chroot = NULL,
+ .argv = NULL,
+ .port = 0,
+ .bindhost = "::",
+ .log_fd = STDERR_FILENO,
+ .logfile = NULL,
+ .loglevel = INFO,
+ .daemonize = false,
+ .tlimit = 0,
+ .max_cpus = 0,
+ .keep_caps = false,
+ .disable_no_new_privs = false,
+ .rl_as = 512 * (1024 * 1024),
+ .rl_core = 0,
+ .rl_cpu = 600,
+ .rl_fsize = 1 * (1024 * 1024),
+ .rl_nofile = 32,
+ .rl_nproc = cmdlineParseRLimit(RLIMIT_NPROC, "soft", 1),
+ .rl_stack = cmdlineParseRLimit(RLIMIT_STACK, "soft", 1),
+ .personality = 0,
+ .clone_newnet = true,
+ .clone_newuser = true,
+ .clone_newns = true,
+ .clone_newpid = true,
+ .clone_newipc = true,
+ .clone_newuts = true,
+ .clone_newcgroup = false,
+ .mode = MODE_STANDALONE_ONCE,
+ .is_root_rw = false,
+ .is_silent = false,
+ .skip_setsid = false,
+ .max_conns_per_ip = 0,
+ .tmpfs_size = 4 * (1024 * 1024),
+ .mount_proc = true,
+ .cgroup_mem_mount = "/sys/fs/cgroup/memory",
+ .cgroup_mem_parent = "NSJAIL",
+ .cgroup_mem_max = (size_t)0,
+ .cgroup_pids_mount = "/sys/fs/cgroup/pids",
+ .cgroup_pids_parent = "NSJAIL",
+ .cgroup_pids_max = (size_t)0,
+ .iface_no_lo = false,
+ .iface_vs = NULL,
+ .iface_vs_ip = "0.0.0.0",
+ .iface_vs_nm = "255.255.255.0",
+ .iface_vs_gw = "0.0.0.0",
+ .kafel_file = NULL,
+ .kafel_string = NULL,
+ .num_cpus = sysconf(_SC_NPROCESSORS_ONLN),
+ };
TAILQ_INIT(&nsjconf->pids);
TAILQ_INIT(&nsjconf->mountpts);
static __thread char mountFlagsStr[1024];
mountFlagsStr[0] = '\0';
- // clang-format off
- static struct {
- const uintptr_t flag;
- const char* const name;
- } const mountFlags[] = {
- VALSTR_STRUCT(MS_RDONLY),
- VALSTR_STRUCT(MS_NOSUID),
- VALSTR_STRUCT(MS_NODEV),
- VALSTR_STRUCT(MS_NOEXEC),
- VALSTR_STRUCT(MS_SYNCHRONOUS),
- VALSTR_STRUCT(MS_REMOUNT),
- VALSTR_STRUCT(MS_MANDLOCK),
- VALSTR_STRUCT(MS_DIRSYNC),
- VALSTR_STRUCT(MS_NOATIME),
- VALSTR_STRUCT(MS_NODIRATIME),
- VALSTR_STRUCT(MS_BIND),
- VALSTR_STRUCT(MS_MOVE),
- VALSTR_STRUCT(MS_REC),
- VALSTR_STRUCT(MS_SILENT),
- VALSTR_STRUCT(MS_POSIXACL),
- VALSTR_STRUCT(MS_UNBINDABLE),
- VALSTR_STRUCT(MS_PRIVATE),
- VALSTR_STRUCT(MS_SLAVE),
- VALSTR_STRUCT(MS_SHARED),
- VALSTR_STRUCT(MS_RELATIME),
- VALSTR_STRUCT(MS_KERNMOUNT),
- VALSTR_STRUCT(MS_I_VERSION),
- VALSTR_STRUCT(MS_STRICTATIME),
- VALSTR_STRUCT(MS_LAZYTIME),
- };
- // clang-format on
+ static struct {
+ const uintptr_t flag;
+ const char* const name;
+ } const mountFlags[] = {
+ VALSTR_STRUCT(MS_RDONLY),
+ VALSTR_STRUCT(MS_NOSUID),
+ VALSTR_STRUCT(MS_NODEV),
+ VALSTR_STRUCT(MS_NOEXEC),
+ VALSTR_STRUCT(MS_SYNCHRONOUS),
+ VALSTR_STRUCT(MS_REMOUNT),
+ VALSTR_STRUCT(MS_MANDLOCK),
+ VALSTR_STRUCT(MS_DIRSYNC),
+ VALSTR_STRUCT(MS_NOATIME),
+ VALSTR_STRUCT(MS_NODIRATIME),
+ VALSTR_STRUCT(MS_BIND),
+ VALSTR_STRUCT(MS_MOVE),
+ VALSTR_STRUCT(MS_REC),
+ VALSTR_STRUCT(MS_SILENT),
+ VALSTR_STRUCT(MS_POSIXACL),
+ VALSTR_STRUCT(MS_UNBINDABLE),
+ VALSTR_STRUCT(MS_PRIVATE),
+ VALSTR_STRUCT(MS_SLAVE),
+ VALSTR_STRUCT(MS_SHARED),
+ VALSTR_STRUCT(MS_RELATIME),
+ VALSTR_STRUCT(MS_KERNMOUNT),
+ VALSTR_STRUCT(MS_I_VERSION),
+ VALSTR_STRUCT(MS_STRICTATIME),
+ VALSTR_STRUCT(MS_LAZYTIME),
+ };
for (size_t i = 0; i < ARRAYSIZE(mountFlags); i++) {
if (flags & mountFlags[i].flag) {
static __thread char cloneFlagName[1024];
cloneFlagName[0] = '\0';
- // clang-format off
- static struct {
- const uintptr_t flag;
- const char* const name;
- } const cloneFlags[] = {
- VALSTR_STRUCT(CLONE_VM),
- VALSTR_STRUCT(CLONE_FS),
- VALSTR_STRUCT(CLONE_FILES),
- VALSTR_STRUCT(CLONE_SIGHAND),
- VALSTR_STRUCT(CLONE_PTRACE),
- VALSTR_STRUCT(CLONE_VFORK),
- VALSTR_STRUCT(CLONE_PARENT),
- VALSTR_STRUCT(CLONE_THREAD),
- VALSTR_STRUCT(CLONE_NEWNS),
- VALSTR_STRUCT(CLONE_SYSVSEM),
- VALSTR_STRUCT(CLONE_SETTLS),
- VALSTR_STRUCT(CLONE_PARENT_SETTID),
- VALSTR_STRUCT(CLONE_CHILD_CLEARTID),
- VALSTR_STRUCT(CLONE_DETACHED),
- VALSTR_STRUCT(CLONE_UNTRACED),
- VALSTR_STRUCT(CLONE_CHILD_SETTID),
- VALSTR_STRUCT(CLONE_NEWCGROUP),
- VALSTR_STRUCT(CLONE_NEWUTS),
- VALSTR_STRUCT(CLONE_NEWIPC),
- VALSTR_STRUCT(CLONE_NEWUSER),
- VALSTR_STRUCT(CLONE_NEWPID),
- VALSTR_STRUCT(CLONE_NEWNET),
- VALSTR_STRUCT(CLONE_IO),
- };
- // clang-format on
+ static struct {
+ const uintptr_t flag;
+ const char* const name;
+ } const cloneFlags[] = {
+ VALSTR_STRUCT(CLONE_VM),
+ VALSTR_STRUCT(CLONE_FS),
+ VALSTR_STRUCT(CLONE_FILES),
+ VALSTR_STRUCT(CLONE_SIGHAND),
+ VALSTR_STRUCT(CLONE_PTRACE),
+ VALSTR_STRUCT(CLONE_VFORK),
+ VALSTR_STRUCT(CLONE_PARENT),
+ VALSTR_STRUCT(CLONE_THREAD),
+ VALSTR_STRUCT(CLONE_NEWNS),
+ VALSTR_STRUCT(CLONE_SYSVSEM),
+ VALSTR_STRUCT(CLONE_SETTLS),
+ VALSTR_STRUCT(CLONE_PARENT_SETTID),
+ VALSTR_STRUCT(CLONE_CHILD_CLEARTID),
+ VALSTR_STRUCT(CLONE_DETACHED),
+ VALSTR_STRUCT(CLONE_UNTRACED),
+ VALSTR_STRUCT(CLONE_CHILD_SETTID),
+ VALSTR_STRUCT(CLONE_NEWCGROUP),
+ VALSTR_STRUCT(CLONE_NEWUTS),
+ VALSTR_STRUCT(CLONE_NEWIPC),
+ VALSTR_STRUCT(CLONE_NEWUSER),
+ VALSTR_STRUCT(CLONE_NEWPID),
+ VALSTR_STRUCT(CLONE_NEWNET),
+ VALSTR_STRUCT(CLONE_IO),
+ };
for (size_t i = 0; i < ARRAYSIZE(cloneFlags); i++) {
if (flags & cloneFlags[i].flag) {
int ret = sscanf(buf, "%td %tx %tx %tx %tx %tx %tx %tx %tx", &sc, &arg1, &arg2, &arg3, &arg4,
&arg5, &arg6, &sp, &pc);
if (ret == 9) {
- LOG_W("PID: %d, Syscall number: %td, Arguments: %#tx, %#tx, %#tx, %#tx, %#tx, %#tx, SP: %#tx, PC: %#tx, si_syscall: %d, si_errno: %#x",
+ LOG_W("PID: %d, Syscall number: %td, Arguments: %#tx, %#tx, %#tx, %#tx, %#tx, %#tx, "
+ "SP: %#tx, PC: %#tx, si_syscall: %d, si_errno: %#x",
(int)si->si_pid, sc, arg1, arg2, arg3, arg4, arg5, arg6, sp, pc,
si->si_syscall, si->si_errno);
} else if (ret == 3) {
static __thread char sigstr[32];
sigstr[0] = '\0';
- // clang-format off
- static struct {
- const int signo;
- const char* const name;
- } const sigNames[] = {
- VALSTR_STRUCT(SIGINT),
- VALSTR_STRUCT(SIGILL),
- VALSTR_STRUCT(SIGABRT),
- VALSTR_STRUCT(SIGFPE),
- VALSTR_STRUCT(SIGSEGV),
- VALSTR_STRUCT(SIGTERM),
- VALSTR_STRUCT(SIGHUP),
- VALSTR_STRUCT(SIGQUIT),
- VALSTR_STRUCT(SIGTRAP),
- VALSTR_STRUCT(SIGKILL),
- VALSTR_STRUCT(SIGBUS),
- VALSTR_STRUCT(SIGSYS),
- VALSTR_STRUCT(SIGPIPE),
- VALSTR_STRUCT(SIGALRM),
- VALSTR_STRUCT(SIGURG),
- VALSTR_STRUCT(SIGSTOP),
- VALSTR_STRUCT(SIGTSTP),
- VALSTR_STRUCT(SIGCONT),
- VALSTR_STRUCT(SIGCHLD),
- VALSTR_STRUCT(SIGTTIN),
- VALSTR_STRUCT(SIGTTOU),
- VALSTR_STRUCT(SIGPOLL),
- VALSTR_STRUCT(SIGXCPU),
- VALSTR_STRUCT(SIGXFSZ),
- VALSTR_STRUCT(SIGVTALRM),
- VALSTR_STRUCT(SIGPROF),
- VALSTR_STRUCT(SIGUSR1),
- VALSTR_STRUCT(SIGUSR2),
- VALSTR_STRUCT(SIGWINCH),
- };
- // clang-format on
+ static struct {
+ const int signo;
+ const char* const name;
+ } const sigNames[] = {
+ VALSTR_STRUCT(SIGINT),
+ VALSTR_STRUCT(SIGILL),
+ VALSTR_STRUCT(SIGABRT),
+ VALSTR_STRUCT(SIGFPE),
+ VALSTR_STRUCT(SIGSEGV),
+ VALSTR_STRUCT(SIGTERM),
+ VALSTR_STRUCT(SIGHUP),
+ VALSTR_STRUCT(SIGQUIT),
+ VALSTR_STRUCT(SIGTRAP),
+ VALSTR_STRUCT(SIGKILL),
+ VALSTR_STRUCT(SIGBUS),
+ VALSTR_STRUCT(SIGSYS),
+ VALSTR_STRUCT(SIGPIPE),
+ VALSTR_STRUCT(SIGALRM),
+ VALSTR_STRUCT(SIGURG),
+ VALSTR_STRUCT(SIGSTOP),
+ VALSTR_STRUCT(SIGTSTP),
+ VALSTR_STRUCT(SIGCONT),
+ VALSTR_STRUCT(SIGCHLD),
+ VALSTR_STRUCT(SIGTTIN),
+ VALSTR_STRUCT(SIGTTOU),
+ VALSTR_STRUCT(SIGPOLL),
+ VALSTR_STRUCT(SIGXCPU),
+ VALSTR_STRUCT(SIGXFSZ),
+ VALSTR_STRUCT(SIGVTALRM),
+ VALSTR_STRUCT(SIGPROF),
+ VALSTR_STRUCT(SIGUSR1),
+ VALSTR_STRUCT(SIGUSR2),
+ VALSTR_STRUCT(SIGWINCH),
+ };
for (size_t i = 0; i < ARRAYSIZE(sigNames); i++) {
if (signo == sigNames[i].signo) {
projects / platform / upstream / nsjail.git / commitdiff