From: Robert Swiecki Date: Tue, 17 Oct 2017 13:22:23 +0000 (+0200) Subject: Makefile: add columnt limit to the indent X-Git-Tag: 2.1~11 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=4ffec405dedbd02b79bb1aaa18c08e4dbb08a735;p=platform%2Fupstream%2Fnsjail.git Makefile: add columnt limit to the indent --- diff --git a/Makefile b/Makefile index 71b6919..df50b5e 100644 --- a/Makefile +++ b/Makefile @@ -92,7 +92,7 @@ depend: makedepend -Y -Ykafel/include -- -- $(SRCS_C) $(SRCS_CXX) $(SRCS_PB_CXX) indent: - clang-format -style="{BasedOnStyle: webkit, IndentWidth: 8, UseTab: Always, IndentCaseLabels: false}" -i -sort-includes *.c *.h $(SRCS_CXX) + clang-format -style="{BasedOnStyle: webkit, IndentWidth: 8, UseTab: Always, IndentCaseLabels: false, ColumnLimit: 100}" -i -sort-includes *.c *.h $(SRCS_CXX) # DO NOT DELETE THIS LINE -- make depend depends on it. diff --git a/caps.c b/caps.c index 0910830..aafe526 100644 --- a/caps.c +++ b/caps.c @@ -232,7 +232,8 @@ bool capsInitNs(struct nsjconf_t* nsjconf) return CapsInitNsKeepCaps(cap_data); } - /* Set all requested caps in the inheritable set if these are present in the permitted set */ + /* Set all requested caps in the inheritable set if these are present in the permitted set + */ dbgmsg[0] = '\0'; TAILQ_FOREACH(p, &nsjconf->caps, pointers) { @@ -261,7 +262,8 @@ bool capsInitNs(struct nsjconf_t* nsjconf) continue; } utilSSnPrintf(dbgmsg, sizeof(dbgmsg), " %s", capNames[i].name); - if (prctl(PR_CAPBSET_DROP, (unsigned long)capNames[i].val, 0UL, 0UL, 0UL) == -1) { + if (prctl(PR_CAPBSET_DROP, (unsigned long)capNames[i].val, 0UL, 0UL, 0UL) + == -1) { PLOG_W("prctl(PR_CAPBSET_DROP, %s)", capNames[i].name); return false; } 
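Review bot: With `ColumnLimit: 100` added to the `indent` target and string breaking left at its default, clang-format now splits log messages in the middle of a sentence, which makes them hard to grep for when triaging a log line. The effect is visible later in this commit, for example `"and will have user " "root-level access to files"` in cmdline.c cmdlineLogParams and `"recompile " "your "` in subproc.c subprocRunChild. Adding `BreakStringLiterals: false` to the style string would keep each message as one searchable literal while still wrapping the surrounding code.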
@@ -273,7 +275,8 @@ bool capsInitNs(struct nsjconf_t* nsjconf) dbgmsg[0] = '\0'; TAILQ_FOREACH(p, &nsjconf->caps, pointers) { - if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, (unsigned long)p->val, 0UL, 0UL) == -1) { + if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, (unsigned long)p->val, 0UL, 0UL) + == -1) { PLOG_W("prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, %s)", capsValToStr(p->val)); } else { diff --git a/cgroup.c b/cgroup.c index 9439c35..54e9f78 100644 --- a/cgroup.c +++ b/cgroup.c @@ -57,7 +57,8 @@ static bool cgroupInitNsFromParentMem(struct nsjconf_t* nsjconf, pid_t pid) snprintf(mem_max_str, sizeof(mem_max_str), "%zu", nsjconf->cgroup_mem_max); snprintf(fname, sizeof(fname), "%s/memory.limit_in_bytes", mem_cgroup_path); LOG_D("Setting '%s' to '%s'", fname, mem_max_str); - if (utilWriteBufToFile(fname, mem_max_str, strlen(mem_max_str), O_WRONLY) == false) { + if (utilWriteBufToFile(fname, mem_max_str, strlen(mem_max_str), O_WRONLY) + == false) { LOG_E("Could not update memory cgroup max limit"); return false; } @@ -106,7 +107,8 @@ static bool cgroupInitNsFromParentPids(struct nsjconf_t* nsjconf, pid_t pid) snprintf(pids_max_str, sizeof(pids_max_str), "%zu", nsjconf->cgroup_pids_max); snprintf(fname, sizeof(fname), "%s/pids.max", pids_cgroup_path); LOG_D("Setting '%s' to '%s'", fname, pids_max_str); - if (utilWriteBufToFile(fname, pids_max_str, strlen(pids_max_str), O_WRONLY) == false) { + if (utilWriteBufToFile(fname, pids_max_str, strlen(pids_max_str), O_WRONLY) + == false) { LOG_E("Could not update pids cgroup max limit"); return false; } @@ -171,7 +173,4 @@ void cgroupFinishFromParent(struct nsjconf_t* nsjconf, pid_t pid) cgroupFinishFromParentPids(nsjconf, pid); } -bool cgroupInitNs(void) -{ - return true; -} +bool cgroupInitNs(void) { return true; } diff --git a/cmdline.c b/cmdline.c index fce303c..683b48b 100644 --- a/cmdline.c +++ b/cmdline.c 
@@ -142,10 +142,7 @@ struct custom_option deprecated_opts[] = { }; // clang-format on -static const char* logYesNo(bool yes) -{ - return (yes ? "true" : "false"); -} +static const char* logYesNo(bool yes) { return (yes ? "true" : "false"); } static void cmdlineOptUsage(struct custom_option* option) { @@ -172,8 +169,8 @@ static void cmdlineUsage(const char* pname) // Find replacement flag. for (size_t j = 0; j < ARRAYSIZE(custom_opts); j++) { if (custom_opts[j].opt.val == deprecated_opts[i].opt.val) { - LOG_HELP_BOLD("\tDEPRECATED: Use %s instead.", - custom_opts[j].opt.name); + LOG_HELP_BOLD( + "\tDEPRECATED: Use %s instead.", custom_opts[j].opt.name); break; } } @@ -240,7 +237,9 @@ void cmdlineLogParams(struct nsjconf_t* nsjconf) (unsigned long)p->inside_id, (unsigned long)p->outside_id, p->count, p->is_newidmap ? "true" : "false"); if (p->outside_id == 0 && nsjconf->clone_newuser) { - LOG_W("Process will be UID/EUID=0 in the global user namespace, and will have user root-level access to files"); + LOG_W("Process will be UID/EUID=0 in the global user namespace, " + "and will have user " + "root-level access to files"); } } TAILQ_FOREACH(p, &nsjconf->gids, pointers) @@ -249,7 +248,9 @@ void cmdlineLogParams(struct nsjconf_t* nsjconf) (unsigned long)p->inside_id, (unsigned long)p->outside_id, p->count, p->is_newidmap ? "true" : "false"); if (p->outside_id == 0 && nsjconf->clone_newuser) { - LOG_W("Process will be GID/EGID=0 in the global user namespace, and will have group root-level access to files"); + LOG_W("Process will be GID/EGID=0 in the global user namespace, " + "and will have group " + "root-level access to files"); } } } 
@@ -271,7 +272,8 @@ __rlim64_t cmdlineParseRLimit(int res, const char* optarg, unsigned long mul) return cur.rlim_max; } if (utilIsANumber(optarg) == false) { - LOG_F("RLIMIT %d needs a numeric or 'max'/'hard'/'def'/'soft'/'inf' value ('%s' provided)", + LOG_F("RLIMIT %d needs a numeric or 'max'/'hard'/'def'/'soft'/'inf' value ('%s' " + "provided)", res, optarg); } __rlim64_t val = strtoull(optarg, NULL, 0) * mul; @@ -402,8 +404,7 @@ bool cmdlineParse(int argc, char* argv[], struct nsjconf_t* nsjconf) int opt_index = 0; for (;;) { int c = getopt_long(argc, argv, - "x:H:D:C:c:p:i:u:g:l:L:t:M:NdvqQeh?E:R:B:T:P:I:U:G:", opts, - &opt_index); + "x:H:D:C:c:p:i:u:g:l:L:t:M:NdvqQeh?E:R:B:T:P:I:U:G:", opts, &opt_index); if (c == -1) { break; } @@ -592,9 +593,7 @@ bool cmdlineParse(int argc, char* argv[], struct nsjconf_t* nsjconf) char* cnt = cmdlineSplitStrByColon(o_id); size_t count = (cnt == NULL || strlen(cnt) == 0) ? 1U - : (size_t)strtoull(cnt, - NULL, - 0); + : (size_t)strtoull(cnt, NULL, 0); if (userParseId(nsjconf, i_id, o_id, count, false /* is_gid */, false /* is_newidmap */) == false) { @@ -607,9 +606,7 @@ bool cmdlineParse(int argc, char* argv[], struct nsjconf_t* nsjconf) char* cnt = cmdlineSplitStrByColon(o_id); size_t count = (cnt == NULL || strlen(cnt) == 0) ? 1U - : (size_t)strtoull(cnt, - NULL, - 0); + : (size_t)strtoull(cnt, NULL, 0); if (userParseId(nsjconf, i_id, o_id, count, true /* is_gid */, false /* is_newidmap */) == false) { @@ -622,9 +619,7 @@ bool cmdlineParse(int argc, char* argv[], struct nsjconf_t* nsjconf) char* cnt = cmdlineSplitStrByColon(o_id); size_t count = (cnt == NULL || strlen(cnt) == 0) ? 1U - : (size_t)strtoull(cnt, - NULL, - 0); + : (size_t)strtoull(cnt, NULL, 0); if (userParseId(nsjconf, i_id, o_id, count, false /* is_gid */, true /* is_newidmap */) == false) { 
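Review bot: In cmdlineParseRLimit the product `strtoull(optarg, NULL, 0) * mul` is stored without an overflow check, so a large value combined with a `mul` greater than 1 can wrap and the jail would run with a different resource limit than the operator requested. A guard before the multiplication closes this: `unsigned long long v = strtoull(optarg, NULL, 0);` followed by `if (mul != 0 && v > UINT64_MAX / mul) { LOG_F("RLIMIT %d value '%s' is too large", res, optarg); }`. configRLimit in config.cc (hunk -48) returns `val * mul` in the same unchecked way. The function body starts and ends outside this hunk.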
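Review bot: The mapping count in the uid/gid cases of cmdlineParse is parsed with `(size_t)strtoull(cnt, NULL, 0)`, which turns non-numeric text into 0 and reports neither trailing garbage nor overflow; whether userParseId rejects such a count is not visible here. The same expression appears in hunks -592, -607, -622 and -637. The file already calls utilIsANumber for rlimits, so a check such as `if (cnt != NULL && strlen(cnt) > 0 && !utilIsANumber(cnt)) { LOG_E("Invalid ID count '%s'", cnt); return false; }` before the conversion would make a mistyped mapping fail loudly instead of being applied with an unintended count.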
@@ -637,9 +632,7 @@ bool cmdlineParse(int argc, char* argv[], struct nsjconf_t* nsjconf) char* cnt = cmdlineSplitStrByColon(o_id); size_t count = (cnt == NULL || strlen(cnt) == 0) ? 1U - : (size_t)strtoull(cnt, - NULL, - 0); + : (size_t)strtoull(cnt, NULL, 0); if (userParseId(nsjconf, i_id, o_id, count, true /* is_gid */, true /* is_newidmap */) == false) { @@ -656,28 +649,28 @@ bool cmdlineParse(int argc, char* argv[], struct nsjconf_t* nsjconf) /* is_symlink= */ false)) { return false; } - }; - break; + }; break; case 'B': { const char* dst = cmdlineSplitStrByColon(optarg); dst = dst ? dst : optarg; if (!mountAddMountPtTail(nsjconf, /* src= */ optarg, dst, /* fs_type= */ "", - /* options= */ "", MS_BIND | MS_REC | MS_PRIVATE, /* isDir= */ NS_DIR_MAYBE, + /* options= */ "", MS_BIND | MS_REC | MS_PRIVATE, + /* isDir= */ NS_DIR_MAYBE, /* mandatory= */ true, NULL, NULL, NULL, 0, /* is_symlink= */ false)) { return false; } - }; - break; + }; break; case 'T': { - if (!mountAddMountPtTail(nsjconf, /* src= */ NULL, optarg, "tmpfs", /* options= */ "", + if (!mountAddMountPtTail(nsjconf, /* src= */ NULL, optarg, "tmpfs", + /* options= */ "", /* flags= */ 0, /* isDir= */ true, /* mandatory= */ true, NULL, - NULL, NULL, 0, /* is_symlink= */ false)) { + NULL, NULL, 0, + /* is_symlink= */ false)) { return false; } - }; - break; + }; break; case 'M': switch (optarg[0]) { case 'l': 
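Review bot: The tmpfs case ('T') in cmdlineParse passes `/* isDir= */ true` where the bind case just above it passes `NS_DIR_MAYBE`, so a bool is being converted to what appears to be the `isDir_t` enum declared in mount.h. That only gives the intended result if the enumerator meaning "is a directory" happens to have the value 1, which this page does not show. Passing the named enumerator would remove the dependency on the numeric value; the proc and root mounts in hunks -753 and -768 do the same. cmdlineParse's body starts and ends outside the hunk.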
@@ -753,14 +746,15 @@ bool cmdlineParse(int argc, char* argv[], struct nsjconf_t* nsjconf) if (nsjconf->mount_proc) { if (!mountAddMountPtTail(nsjconf, /* src= */ NULL, nsjconf->proc_path, "proc", "", nsjconf->is_proc_rw ? 0 : MS_RDONLY, /* isDir= */ true, - /* mandatory= */ true, - NULL, NULL, NULL, 0, /* is_symlink= */ false)) { + /* mandatory= */ true, NULL, NULL, NULL, 0, /* is_symlink= */ false)) { return false; } } if (nsjconf->chroot) { - if (!mountAddMountPtHead(nsjconf, nsjconf->chroot, "/", /* fs_type= */ "", /* options= */ "", - nsjconf->is_root_rw ? (MS_BIND | MS_REC | MS_PRIVATE) : (MS_BIND | MS_REC | MS_PRIVATE | MS_RDONLY), + if (!mountAddMountPtHead(nsjconf, nsjconf->chroot, "/", /* fs_type= */ "", + /* options= */ "", + nsjconf->is_root_rw ? (MS_BIND | MS_REC | MS_PRIVATE) + : (MS_BIND | MS_REC | MS_PRIVATE | MS_RDONLY), /* isDir= */ true, /* mandatory= */ true, NULL, NULL, NULL, 0, /* is_symlink= */ false)) { return false; @@ -768,8 +762,7 @@ bool cmdlineParse(int argc, char* argv[], struct nsjconf_t* nsjconf) } else { if (!mountAddMountPtHead(nsjconf, /* src= */ NULL, "/", "tmpfs", /* options= */ "", nsjconf->is_root_rw ? 0 : MS_RDONLY, /* isDir= */ true, - /* mandatory= */ true, - NULL, NULL, NULL, 0, /* is_symlink= */ false)) { + /* mandatory= */ true, NULL, NULL, NULL, 0, /* is_symlink= */ false)) { return false; } } diff --git a/common.h b/common.h index 9386b8c..94c621b 100644 --- a/common.h +++ b/common.h 
@@ -44,20 +44,24 @@ static void __attribute__ ((unused)) __clang_cleanup_func(void (^*dfunc) (void)) (*dfunc) (); } -#define defer void (^_STRMERGE(__defer_f_, __COUNTER__))(void) __attribute__((cleanup(__clang_cleanup_func))) __attribute__((unused)) = ^ +#define defer \ + void (^_STRMERGE(__defer_f_, __COUNTER__))(void) \ + __attribute__((cleanup(__clang_cleanup_func))) __attribute__((unused)) \ + = ^ #else #define __block -#define _DEFER(a, count) \ - auto void _STRMERGE(__defer_f_, count)(void* _defer_arg __attribute__((unused))); \ - int _STRMERGE(__defer_var_, count) __attribute__((cleanup(_STRMERGE(__defer_f_, count)))) __attribute__((unused)); \ +#define _DEFER(a, count) \ + auto void _STRMERGE(__defer_f_, count)(void* _defer_arg __attribute__((unused))); \ + int _STRMERGE(__defer_var_, count) __attribute__((cleanup(_STRMERGE(__defer_f_, count)))) \ + __attribute__((unused)); \ void _STRMERGE(__defer_f_, count)(void* _defer_arg __attribute__((unused))) #define defer _DEFER(a, __COUNTER__) #endif #endif -#define NS_VALSTR_STRUCT(x) \ - { \ - x, #x \ +#define NS_VALSTR_STRUCT(x) \ + { \ + x, #x \ } struct pids_t { diff --git a/config.cc b/config.cc index a1d6674..95f4270 100644 --- a/config.cc +++ b/config.cc @@ -48,7 +48,8 @@ extern "C" { #define DUP_IF_SET(njc, val) (njc.has_##val() ? njc.val().c_str() : NULL) -static __rlim64_t configRLimit(int res, const nsjail::RLimit& rl, const uint64_t val, unsigned long mul = 1UL) +static __rlim64_t configRLimit( + int res, const nsjail::RLimit& rl, const uint64_t val, unsigned long mul = 1UL) { if (rl == nsjail::RLimit::VALUE) { return (val * mul); @@ -66,8 +67,7 @@ static __rlim64_t configRLimit(int res, const nsjail::RLimit& rl, const uint64_t abort(); } -static bool configParseInternal(struct nsjconf_t* nsjconf, - const nsjail::NsJailConfig& njc) +static bool configParseInternal(struct nsjconf_t* nsjconf, const nsjail::NsJailConfig& njc) { switch (njc.mode()) { case nsjail::Mode::LISTEN: 
@@ -132,14 +132,16 @@ static bool configParseInternal(struct nsjconf_t* nsjconf, nsjconf->keep_env = njc.keep_env(); for (ssize_t i = 0; i < njc.envar_size(); i++) { - struct charptr_t* p = reinterpret_cast(utilMalloc(sizeof(struct charptr_t))); + struct charptr_t* p + = reinterpret_cast(utilMalloc(sizeof(struct charptr_t))); p->val = njc.envar(i).c_str(); TAILQ_INSERT_TAIL(&nsjconf->envs, p, pointers); } nsjconf->keep_caps = njc.keep_caps(); for (ssize_t i = 0; i < njc.cap_size(); i++) { - struct ints_t* f = reinterpret_cast(utilMalloc(sizeof(struct ints_t))); + struct ints_t* f + = reinterpret_cast(utilMalloc(sizeof(struct ints_t))); f->val = capsNameToVal(njc.cap(i).c_str()); if (f->val == -1) { return false; 
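Review bot: `p->val = njc.envar(i).c_str();` in configParseInternal stores a pointer into the protobuf message's own string, so every entry in `nsjconf->envs` is valid only while `njc` is alive; the caller is not on this page, so whether the message outlives nsjconf cannot be confirmed here. The file already copies the seccomp policy with utilStrDup, and `p->val = utilStrDup(njc.envar(i).c_str());` would remove the lifetime dependency; `nsjconf->cgroup_mem_mount = njc.cgroup_mem_mount().c_str();` in hunk -253 has the same shape. Separately, the `return false` taken when capsNameToVal returns -1 leaves the freshly allocated `f` unreleased.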
@@ -151,20 +153,26 @@ static bool configParseInternal(struct nsjconf_t* nsjconf, nsjconf->skip_setsid = njc.skip_setsid(); for (ssize_t i = 0; i < njc.pass_fd_size(); i++) { - struct ints_t* f = reinterpret_cast(utilMalloc(sizeof(struct ints_t))); + struct ints_t* f + = reinterpret_cast(utilMalloc(sizeof(struct ints_t))); f->val = njc.pass_fd(i); TAILQ_INSERT_HEAD(&nsjconf->open_fds, f, pointers); } nsjconf->disable_no_new_privs = njc.disable_no_new_privs(); - nsjconf->rl_as = configRLimit(RLIMIT_AS, njc.rlimit_as_type(), njc.rlimit_as(), 1024UL * 1024UL); - nsjconf->rl_core = configRLimit(RLIMIT_CORE, njc.rlimit_core_type(), njc.rlimit_core(), 1024UL * 1024UL); + nsjconf->rl_as + = configRLimit(RLIMIT_AS, njc.rlimit_as_type(), njc.rlimit_as(), 1024UL * 1024UL); + nsjconf->rl_core + = configRLimit(RLIMIT_CORE, njc.rlimit_core_type(), njc.rlimit_core(), 1024UL * 1024UL); nsjconf->rl_cpu = configRLimit(RLIMIT_CPU, njc.rlimit_cpu_type(), njc.rlimit_cpu()); - nsjconf->rl_fsize = configRLimit(RLIMIT_FSIZE, njc.rlimit_fsize_type(), njc.rlimit_fsize(), 1024UL * 1024UL); - nsjconf->rl_nofile = configRLimit(RLIMIT_NOFILE, njc.rlimit_nofile_type(), njc.rlimit_nofile()); + nsjconf->rl_fsize = configRLimit( + RLIMIT_FSIZE, njc.rlimit_fsize_type(), njc.rlimit_fsize(), 1024UL * 1024UL); + nsjconf->rl_nofile + = configRLimit(RLIMIT_NOFILE, njc.rlimit_nofile_type(), njc.rlimit_nofile()); nsjconf->rl_nproc = configRLimit(RLIMIT_NPROC, njc.rlimit_nproc_type(), njc.rlimit_nproc()); - nsjconf->rl_stack = configRLimit(RLIMIT_STACK, njc.rlimit_stack_type(), njc.rlimit_stack(), 1024UL * 1024UL); + nsjconf->rl_stack = configRLimit( + RLIMIT_STACK, njc.rlimit_stack_type(), njc.rlimit_stack(), 1024UL * 1024UL); if (njc.persona_addr_compat_layout()) { nsjconf->personality |= ADDR_COMPAT_LAYOUT; 
@@ -191,17 +199,17 @@ static bool configParseInternal(struct nsjconf_t* nsjconf, nsjconf->clone_newcgroup = njc.clone_newcgroup(); for (ssize_t i = 0; i < njc.uidmap_size(); i++) { - if (userParseId(nsjconf, DUP_IF_SET(njc.uidmap(i), inside_id), DUP_IF_SET(njc.uidmap(i), outside_id), - njc.uidmap(i).count(), false /* is_gid */, - njc.uidmap(i).use_newidmap()) + if (userParseId(nsjconf, DUP_IF_SET(njc.uidmap(i), inside_id), + DUP_IF_SET(njc.uidmap(i), outside_id), njc.uidmap(i).count(), + false /* is_gid */, njc.uidmap(i).use_newidmap()) == false) { return false; } } for (ssize_t i = 0; i < njc.gidmap_size(); i++) { - if (userParseId(nsjconf, DUP_IF_SET(njc.gidmap(i), inside_id), DUP_IF_SET(njc.gidmap(i), outside_id), - njc.gidmap(i).count(), true /* is_gid */, - njc.gidmap(i).use_newidmap()) + if (userParseId(nsjconf, DUP_IF_SET(njc.gidmap(i), inside_id), + DUP_IF_SET(njc.gidmap(i), outside_id), njc.gidmap(i).count(), + true /* is_gid */, njc.gidmap(i).use_newidmap()) == false) { return false; } 
@@ -210,11 +218,17 @@ static bool configParseInternal(struct nsjconf_t* nsjconf, nsjconf->mount_proc = njc.mount_proc(); for (ssize_t i = 0; i < njc.mount_size(); i++) { const char* src = (njc.mount(i).has_src()) ? njc.mount(i).src().c_str() : NULL; - const char* src_env = (njc.mount(i).has_prefix_src_env()) ? njc.mount(i).prefix_src_env().c_str() : NULL; + const char* src_env = (njc.mount(i).has_prefix_src_env()) + ? njc.mount(i).prefix_src_env().c_str() + : NULL; const char* dst = (njc.mount(i).has_dst()) ? njc.mount(i).dst().c_str() : NULL; - const char* dst_env = (njc.mount(i).has_prefix_dst_env()) ? njc.mount(i).prefix_dst_env().c_str() : NULL; - const char* fstype = (njc.mount(i).has_fstype()) ? njc.mount(i).fstype().c_str() : NULL; - const char* options = (njc.mount(i).has_options()) ? njc.mount(i).options().c_str() : NULL; + const char* dst_env = (njc.mount(i).has_prefix_dst_env()) + ? njc.mount(i).prefix_dst_env().c_str() + : NULL; + const char* fstype + = (njc.mount(i).has_fstype()) ? njc.mount(i).fstype().c_str() : NULL; + const char* options + = (njc.mount(i).has_options()) ? njc.mount(i).options().c_str() : NULL; uintptr_t flags = (njc.mount(i).rw() == false) ? MS_RDONLY : 0; flags |= njc.mount(i).is_bind() ? (MS_BIND | MS_REC | MS_PRIVATE) : 0; @@ -232,9 +246,8 @@ static bool configParseInternal(struct nsjconf_t* nsjconf, src_content_len = njc.mount(i).src_content().size(); } - if (mountAddMountPtTail(nsjconf, src, dst, fstype, options, flags, isDir, - mandatory, src_env, dst_env, src_content, - src_content_len, njc.mount(i).is_symlink()) + if (mountAddMountPtTail(nsjconf, src, dst, fstype, options, flags, isDir, mandatory, + src_env, dst_env, src_content, src_content_len, njc.mount(i).is_symlink()) == false) { LOG_E("Couldn't add mountpoint for src:'%s' dst:'%s'", src, dst); return false; 
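Review bot: The failure path after mountAddMountPtTail in configParseInternal logs `src` and `dst` with `%s`, but both are set to NULL earlier in the loop when the mount entry has no src or dst, and passing NULL for `%s` is undefined behaviour in a printf-style formatter. A tmpfs entry without a source is a normal configuration, so this path is reachable exactly when the operator needs the message. Substituting a placeholder keeps the log call defined: `LOG_E("Couldn't add mountpoint for src:'%s' dst:'%s'", src ? src : "(none)", dst ? dst : "(none)");`.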
@@ -242,7 +255,8 @@ static bool configParseInternal(struct nsjconf_t* nsjconf, } if (njc.has_seccomp_policy_file()) { - if ((nsjconf->kafel_file = fopen(njc.seccomp_policy_file().c_str(), "rb")) == NULL) { + if ((nsjconf->kafel_file = fopen(njc.seccomp_policy_file().c_str(), "rb")) + == NULL) { PLOG_W("Couldn't open file with seccomp policy '%s'", njc.seccomp_policy_file().c_str()); return false; @@ -253,9 +267,8 @@ static bool configParseInternal(struct nsjconf_t* nsjconf, for (ssize_t i = 0; i < njc.seccomp_string().size(); i++) { kafel_string += njc.seccomp_string(i); } - nsjconf->kafel_string = njc.seccomp_string().size() > 0 - ? utilStrDup(kafel_string.c_str()) - : NULL; + nsjconf->kafel_string + = njc.seccomp_string().size() > 0 ? utilStrDup(kafel_string.c_str()) : NULL; nsjconf->cgroup_mem_max = njc.cgroup_mem_max(); nsjconf->cgroup_mem_mount = njc.cgroup_mem_mount().c_str(); @@ -288,7 +301,8 @@ static bool configParseInternal(struct nsjconf_t* nsjconf, return true; } -static void LogHandler(google::protobuf::LogLevel level, const char* filename, int line, const std::string& message) +static void LogHandler( + google::protobuf::LogLevel level, const char* filename, int line, const std::string& message) { LOG_W("config.cc: '%s'", message.c_str()); } diff --git a/contain.c b/contain.c index ad4a07c..686e512 100644 --- a/contain.c +++ b/contain.c 
@@ -47,30 +47,15 @@ #include "util.h" #include "uts.h" -static bool containUserNs(struct nsjconf_t* nsjconf) -{ - return userInitNsFromChild(nsjconf); -} +static bool containUserNs(struct nsjconf_t* nsjconf) { return userInitNsFromChild(nsjconf); } -static bool containInitPidNs(struct nsjconf_t* nsjconf) -{ - return pidInitNs(nsjconf); -} +static bool containInitPidNs(struct nsjconf_t* nsjconf) { return pidInitNs(nsjconf); } -static bool containInitNetNs(struct nsjconf_t* nsjconf) -{ - return netInitNsFromChild(nsjconf); -} +static bool containInitNetNs(struct nsjconf_t* nsjconf) { return netInitNsFromChild(nsjconf); } -static bool containInitUtsNs(struct nsjconf_t* nsjconf) -{ - return utsInitNs(nsjconf); -} +static bool containInitUtsNs(struct nsjconf_t* nsjconf) { return utsInitNs(nsjconf); } -static bool containInitCgroupNs(void) -{ - return cgroupInitNs(); -} +static bool containInitCgroupNs(void) { return cgroupInitNs(); } static bool containDropPrivs(struct nsjconf_t* nsjconf) { @@ -111,15 +96,9 @@ static bool containPrepareEnv(struct nsjconf_t* nsjconf) return true; } -static bool containInitMountNs(struct nsjconf_t* nsjconf) -{ - return mountInitNs(nsjconf); -} +static bool containInitMountNs(struct nsjconf_t* nsjconf) { return mountInitNs(nsjconf); } -static bool containCPU(struct nsjconf_t* nsjconf) -{ - return cpuInit(nsjconf); -} +static bool containCPU(struct nsjconf_t* nsjconf) { return cpuInit(nsjconf); } static bool containSetLimits(struct nsjconf_t* nsjconf) { diff --git a/cpu.c b/cpu.c index d9a02cf..f313e10 100644 --- a/cpu.c +++ b/cpu.c @@ -31,7 +31,8 @@ static void cpuSetRandomCpu(cpu_set_t* mask, size_t mask_size, size_t cpu_num) { if ((size_t)CPU_COUNT_S(mask_size, mask) >= cpu_num) { - LOG_F("Number of CPUs in the mask '%d' is bigger than number of available CPUs '%zu'", + LOG_F( + "Number of CPUs in the mask '%d' is bigger than number of available CPUs '%zu'", CPU_COUNT(mask), cpu_num); } 
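Review bot: In cpuSetRandomCpu (cpu.c) the guard counts bits with `CPU_COUNT_S(mask_size, mask)` but the LOG_F argument uses `CPU_COUNT(mask)`, which assumes the mask is a full `cpu_set_t`; if `mask` was allocated with a different dynamic size the macro reads the wrong number of bytes. The message should print the value that was tested, `(size_t)CPU_COUNT_S(mask_size, mask)` with `%zu`. The text also says "bigger than" while the comparison is `>=`. The function body continues outside the hunk.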
diff --git a/log.c b/log.c index 4ff34e6..569952a 100644 --- a/log.c +++ b/log.c @@ -60,7 +60,9 @@ bool logInitLogFile(struct nsjconf_t* nsjconf) if (nsjconf->logfile == NULL) { log_fd = fcntl(log_fd, F_DUPFD_CLOEXEC, 0); } else { - if (TEMP_FAILURE_RETRY(log_fd = open(nsjconf->logfile, O_CREAT | O_RDWR | O_APPEND, 0640)) == -1) { + if (TEMP_FAILURE_RETRY( + log_fd = open(nsjconf->logfile, O_CREAT | O_RDWR | O_APPEND, 0640)) + == -1) { log_fd = STDERR_FILENO; PLOG_E("Couldn't open logfile open('%s')", nsjconf->logfile); return false; @@ -133,7 +135,4 @@ void logLog(enum llevel_t ll, const char* fn, int ln, bool perr, const char* fmt } } -void logStop(int sig) -{ - LOG_I("Server stops due to fatal signal (%d) caught. Exiting", sig); -} +void logStop(int sig) { LOG_I("Server stops due to fatal signal (%d) caught. Exiting", sig); } diff --git a/mount.c b/mount.c index d116c56..90df190 100644 --- a/mount.c +++ b/mount.c @@ -81,8 +81,8 @@ const char* mountFlagsToStr(uintptr_t flags) for (size_t i = 0; i < ARRAYSIZE(mountFlags); i++) { if (flags & mountFlags[i].flag) { - utilSSnPrintf(mountFlagsStr, sizeof(mountFlagsStr), "%s|", - mountFlags[i].name); + utilSSnPrintf( + mountFlagsStr, sizeof(mountFlagsStr), "%s|", mountFlags[i].name); } } @@ -169,9 +169,10 @@ static bool mountMount(struct mounts_t* mpt, const char* newroot, const char* tm if (mpt->src_content) { static uint64_t df_counter = 0; - snprintf(srcpath, sizeof(srcpath), "%s/dynamic_file.%" PRIu64, tmpdir, - ++df_counter); - int fd = TEMP_FAILURE_RETRY(open(srcpath, O_CREAT | O_EXCL | O_CLOEXEC | O_WRONLY, 0644)); + snprintf( + srcpath, sizeof(srcpath), "%s/dynamic_file.%" PRIu64, tmpdir, ++df_counter); + int fd = TEMP_FAILURE_RETRY( + open(srcpath, O_CREAT | O_EXCL | O_CLOEXEC | O_WRONLY, 0644)); if (fd < 0) { PLOG_W("open(srcpath, O_CREAT|O_EXCL|O_CLOEXEC|O_WRONLY, 0644) failed"); return false; 
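Review bot: The logfile branch of logInitLogFile opens the file without `O_CLOEXEC`, while the stderr branch directly above it uses `F_DUPFD_CLOEXEC`, so unless the flag is set later outside this hunk the log descriptor stays open across exec and is reachable from the jailed program. Adding the flag makes the two branches consistent: `open(nsjconf->logfile, O_CREAT | O_RDWR | O_APPEND | O_CLOEXEC, 0640)`. The function body continues outside the hunk.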
@@ -192,7 +193,8 @@ static bool mountMount(struct mounts_t* mpt, const char* newroot, const char* tm if (mount(srcpath, dst, mpt->fs_type, flags, mpt->options) == -1) { if (errno == EACCES) { PLOG_W("mount('%s') src:'%s' dst:'%s' failed. " - "Try fixing this problem by applying 'chmod o+x' to the '%s' directory and " + "Try fixing this problem by applying 'chmod o+x' to the '%s' " + "directory and " "its ancestors", mountDescribeMountPt(mpt), srcpath, dst, srcpath); } else { @@ -293,7 +295,8 @@ static bool mountInitNsInternal(struct nsjconf_t* nsjconf) */ if (nsjconf->clone_newns == false) { if (nsjconf->chroot == NULL) { - PLOG_E("--chroot was not specified, and it's required when not using CLONE_NEWNS"); + PLOG_E("--chroot was not specified, and it's required when not using " + "CLONE_NEWNS"); return false; } if (chroot(nsjconf->chroot) == -1) { @@ -351,11 +354,11 @@ static bool mountInitNsInternal(struct nsjconf_t* nsjconf) return false; } /* - * This requires some explanation: It's actually possible to pivot_root('/', '/'). After this - * operation has been completed, the old root is mounted over the new root, and it's OK to - * simply umount('/') now, and to have new_root as '/'. This allows us not care about - * providing any special directory for old_root, which is sometimes not easy, given that e.g. - * /tmp might not always be present inside new_root + * This requires some explanation: It's actually possible to pivot_root('/', '/'). After + * this operation has been completed, the old root is mounted over the new root, and it's OK + * to simply umount('/') now, and to have new_root as '/'. This allows us not care about + * providing any special directory for old_root, which is sometimes not easy, given that + * e.g. /tmp might not always be present inside new_root */ if (syscall(__NR_pivot_root, destdir, destdir) == -1) { PLOG_E("pivot_root('%s', '%s')", destdir, destdir); 
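Review bot: The `--chroot was not specified` branch in mountInitNsInternal reports through `PLOG_E` although no system call has failed at that point; if the PLOG_ macros append the errno text, as their use after mount() and prctl() elsewhere in this commit suggests, the message ends with an unrelated error string. `LOG_E` fits a pure configuration error. The same applies to the `PLOG_E` after `inet_pton(AF_INET6, bindaddr, &in6a) != 1` in net.c netGetRecvSocket (hunk -205), since inet_pton returns 0 for an unparsable address without setting errno.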
@@ -410,9 +413,9 @@ bool mountInitNs(struct nsjconf_t* nsjconf) } static bool mountAddMountPt(struct nsjconf_t* nsjconf, bool head, const char* src, const char* dst, - const char* fstype, const char* options, uintptr_t flags, isDir_t isDir, - bool mandatory, const char* src_env, const char* dst_env, - const char* src_content, size_t src_content_len, bool is_symlink) + const char* fstype, const char* options, uintptr_t flags, isDir_t isDir, bool mandatory, + const char* src_env, const char* dst_env, const char* src_content, size_t src_content_len, + bool is_symlink) { struct mounts_t* p = utilCalloc(sizeof(struct mounts_t)); 
@@ -488,23 +491,21 @@ static bool mountAddMountPt(struct nsjconf_t* nsjconf, bool head, const char* sr } bool mountAddMountPtHead(struct nsjconf_t* nsjconf, const char* src, const char* dst, - const char* fstype, const char* options, uintptr_t flags, isDir_t isDir, - bool mandatory, const char* src_env, const char* dst_env, - const char* src_content, size_t src_content_len, bool is_symlink) + const char* fstype, const char* options, uintptr_t flags, isDir_t isDir, bool mandatory, + const char* src_env, const char* dst_env, const char* src_content, size_t src_content_len, + bool is_symlink) { return mountAddMountPt(nsjconf, /* head= */ true, src, dst, fstype, options, flags, isDir, - mandatory, src_env, dst_env, src_content, src_content_len, - is_symlink); + mandatory, src_env, dst_env, src_content, src_content_len, is_symlink); } bool mountAddMountPtTail(struct nsjconf_t* nsjconf, const char* src, const char* dst, - const char* fstype, const char* options, uintptr_t flags, isDir_t isDir, - bool mandatory, const char* src_env, const char* dst_env, - const char* src_content, size_t src_content_len, bool is_symlink) + const char* fstype, const char* options, uintptr_t flags, isDir_t isDir, bool mandatory, + const char* src_env, const char* dst_env, const char* src_content, size_t src_content_len, + bool is_symlink) { return mountAddMountPt(nsjconf, /* head= */ false, src, dst, fstype, options, flags, isDir, - mandatory, src_env, dst_env, src_content, src_content_len, - is_symlink); + mandatory, src_env, dst_env, src_content, src_content_len, is_symlink); } const char* mountDescribeMountPt(struct mounts_t* mpt) diff --git a/mount.h b/mount.h index 9d38469..71be2d0 100644 --- a/mount.h +++ b/mount.h 
@@ -35,13 +35,13 @@ typedef enum { const char* mountFlagsToStr(uintptr_t flags); bool mountInitNs(struct nsjconf_t* nsjconf); bool mountAddMountPtHead(struct nsjconf_t* nsjconf, const char* src, const char* dst, - const char* fstype, const char* options, uintptr_t flags, isDir_t isDir, - bool mandatory, const char* src_env, const char* dst_env, - const char* src_content, size_t src_content_len, bool is_symlink); + const char* fstype, const char* options, uintptr_t flags, isDir_t isDir, bool mandatory, + const char* src_env, const char* dst_env, const char* src_content, size_t src_content_len, + bool is_symlink); bool mountAddMountPtTail(struct nsjconf_t* nsjconf, const char* src, const char* dst, - const char* fstype, const char* options, uintptr_t flags, isDir_t isDir, - bool mandatory, const char* src_env, const char* dst_env, - const char* src_content, size_t src_content_len, bool is_symlink); + const char* fstype, const char* options, uintptr_t flags, isDir_t isDir, bool mandatory, + const char* src_env, const char* dst_env, const char* src_content, size_t src_content_len, + bool is_symlink); const char* mountDescribeMountPt(struct mounts_t* mpt); #endif /* NS_MOUNT_H */ diff --git a/net.c b/net.c index 12f39d0..771b671 100644 --- a/net.c +++ b/net.c 
@@ -127,16 +127,14 @@ bool netInitNsFromParent(struct nsjconf_t* nsjconf, int pid) return true; } - LOG_D("Putting iface:'%s' into namespace of PID:%d (with /sbin/ip)", nsjconf->iface_vs, - pid); + LOG_D( + "Putting iface:'%s' into namespace of PID:%d (with /sbin/ip)", nsjconf->iface_vs, pid); char pid_str[256]; snprintf(pid_str, sizeof(pid_str), "%d", pid); - const char* argv[] = { - "/sbin/ip", "link", "add", "link", (char*)nsjconf->iface_vs, "name", IFACE_NAME, - "netns", pid_str, "type", "macvlan", "mode", "bridge", NULL - }; + const char* argv[] = { "/sbin/ip", "link", "add", "link", (char*)nsjconf->iface_vs, "name", + IFACE_NAME, "netns", pid_str, "type", "macvlan", "mode", "bridge", NULL }; if (subprocSystem(argv, environ) != 0) { LOG_E("Couldn't create MACVTAP interface for '%s'", nsjconf->iface_vs); return false; @@ -191,7 +189,8 @@ bool netLimitConns(struct nsjconf_t* nsjconf, int connsock) int netGetRecvSocket(const char* bindhost, int port) { if (port < 1 || port > 65535) { - LOG_F("TCP port %d out of bounds (0 <= port <= 65535), specify one with --port ", + LOG_F("TCP port %d out of bounds (0 <= port <= 65535), specify one with --port " + "", port); } @@ -205,8 +204,8 @@ int netGetRecvSocket(const char* bindhost, int port) struct in6_addr in6a; if (inet_pton(AF_INET6, bindaddr, &in6a) != 1) { - PLOG_E("Couldn't convert '%s' (orig:'%s') into AF_INET6 address", bindaddr, - bindhost); + PLOG_E( + "Couldn't convert '%s' (orig:'%s') into AF_INET6 address", bindaddr, bindhost); return -1; } diff --git a/pid.c b/pid.c index adb81ec..9b015a4 100644 --- a/pid.c +++ b/pid.c 
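Review bot: The LOG_F text in netGetRecvSocket says `0 <= port <= 65535`, but the guard directly above it rejects `port < 1`, so port 0 is refused while the message claims it is in range. The bound in the message should read `1 <= port <= 65535` so that the diagnostic matches the check. The function body continues outside the hunk.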
@@ -40,9 +40,9 @@ bool pidInitNs(struct nsjconf_t* nsjconf) LOG_D("Creating a dummy 'init' process"); /* - * If -Me is used then we need to create permanent init inside PID ns, otherwise only the first - * clone/fork will work, and the rest will fail with ENOMEM (see 'man pid_namespaces' for - * details on this behavior) + * If -Me is used then we need to create permanent init inside PID ns, otherwise only the + * first clone/fork will work, and the rest will fail with ENOMEM (see 'man pid_namespaces' + * for details on this behavior) */ pid_t pid = subprocClone(CLONE_FS); if (pid == -1) { diff --git a/sandbox.c b/sandbox.c index 971555f..823b45f 100644 --- a/sandbox.c +++ b/sandbox.c @@ -66,7 +66,4 @@ static bool sandboxPrepareAndCommit(struct nsjconf_t* nsjconf) return true; } -bool sandboxApply(struct nsjconf_t* nsjconf) -{ - return sandboxPrepareAndCommit(nsjconf); -} +bool sandboxApply(struct nsjconf_t* nsjconf) { return sandboxPrepareAndCommit(nsjconf); } diff --git a/subproc.c b/subproc.c index cc7b4af..efb855e 100644 --- a/subproc.c +++ b/subproc.c @@ -92,8 +92,8 @@ static const char* subprocCloneFlagsToStr(uintptr_t flags) for (size_t i = 0; i < ARRAYSIZE(cloneFlags); i++) { if (flags & cloneFlags[i].flag) { - utilSSnPrintf(cloneFlagName, sizeof(cloneFlagName), "%s|", - cloneFlags[i].name); + utilSSnPrintf( + cloneFlagName, sizeof(cloneFlagName), "%s|", cloneFlags[i].name); } } @@ -102,8 +102,8 @@ static const char* subprocCloneFlagsToStr(uintptr_t flags) knownFlagMask |= cloneFlags[i].flag; } if (flags & ~(knownFlagMask)) { - utilSSnPrintf(cloneFlagName, sizeof(cloneFlagName), "%#tx|", - flags & ~(knownFlagMask)); + utilSSnPrintf( + cloneFlagName, sizeof(cloneFlagName), "%#tx|", flags & ~(knownFlagMask)); } utilSSnPrintf(cloneFlagName, sizeof(cloneFlagName), "%s", utilSigName(flags & CSIGNAL)); return cloneFlagName; 
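Review bot: `"%#tx|"` in subprocCloneFlagsToStr is given `flags & ~(knownFlagMask)`, a `uintptr_t`, but the `t` length modifier is defined for `ptrdiff_t`, so the specifier and the argument type do not match. `"%#" PRIxPTR "|"` from <inttypes.h> is the matching form; mount.c in this commit already uses `PRIu64`. subprocSeccompViolation (hunk -259) has the same mismatch with `%tx` in both its sscanf and LOG_W calls for the `uintptr_t` variables arg1 through pc, where `SCNxPTR` and `PRIxPTR` would apply.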
@@ -140,10 +140,7 @@ static int subprocNewProc(struct nsjconf_t* nsjconf, int fd_in, int fd_out, int clearenv(); } struct charptr_t* p; - TAILQ_FOREACH(p, &nsjconf->envs, pointers) - { - putenv((char*)p->val); - } + TAILQ_FOREACH(p, &nsjconf->envs, pointers) { putenv((char*)p->val); } char cs_addr[64]; netConnToText(fd_in, true /* remote */, cs_addr, sizeof(cs_addr), NULL); @@ -169,8 +166,8 @@ static void subprocAdd(struct nsjconf_t* nsjconf, pid_t pid, int sock) struct pids_t* p = utilMalloc(sizeof(struct pids_t)); p->pid = pid; p->start = time(NULL); - netConnToText(sock, true /* remote */, p->remote_txt, sizeof(p->remote_txt), - &p->remote_addr); + netConnToText( + sock, true /* remote */, p->remote_txt, sizeof(p->remote_txt), &p->remote_addr); char fname[PATH_MAX]; snprintf(fname, sizeof(fname), "/proc/%d/syscall", (int)pid); @@ -203,10 +200,7 @@ int subprocCount(struct nsjconf_t* nsjconf) { int cnt = 0; struct pids_t* p; - TAILQ_FOREACH(p, &nsjconf->pids, pointers) - { - cnt++; - } + TAILQ_FOREACH(p, &nsjconf->pids, pointers) { cnt++; } return cnt; } 
@@ -259,13 +253,14 @@ static void subprocSeccompViolation(struct nsjconf_t* nsjconf, siginfo_t* si) uintptr_t arg1, arg2, arg3, arg4, arg5, arg6, sp, pc; ptrdiff_t sc; - int ret = sscanf(buf, "%td %tx %tx %tx %tx %tx %tx %tx %tx", &sc, &arg1, &arg2, &arg3, &arg4, - &arg5, &arg6, &sp, &pc); + int ret = sscanf(buf, "%td %tx %tx %tx %tx %tx %tx %tx %tx", &sc, &arg1, &arg2, &arg3, + &arg4, &arg5, &arg6, &sp, &pc); if (ret == 9) { - LOG_W("PID: %d, Syscall number: %td, Arguments: %#tx, %#tx, %#tx, %#tx, %#tx, %#tx, " - "SP: %#tx, PC: %#tx, si_syscall: %d, si_errno: %#x", - (int)si->si_pid, sc, arg1, arg2, arg3, arg4, arg5, arg6, sp, pc, - si->si_syscall, si->si_errno); + LOG_W( + "PID: %d, Syscall number: %td, Arguments: %#tx, %#tx, %#tx, %#tx, %#tx, %#tx, " + "SP: %#tx, PC: %#tx, si_syscall: %d, si_errno: %#x", + (int)si->si_pid, sc, arg1, arg2, arg3, arg4, arg5, arg6, sp, pc, si->si_syscall, + si->si_errno); } else if (ret == 3) { LOG_W("PID: %d, Syscall number: %d, Seccomp reason: %d, SP: %#tx, PC: %#tx", (int)si->si_pid, si->si_syscall, si->si_errno, arg1, arg2); @@ -313,7 +308,8 @@ int subprocReap(struct nsjconf_t* nsjconf) } } if (WIFSIGNALED(status)) { - LOG_I("PID: %d (%s) terminated with signal: %s (%d), (PIDs left: %d)", + LOG_I( + "PID: %d (%s) terminated with signal: %s (%d), (PIDs left: %d)", si.si_pid, remote_txt, utilSigName(WTERMSIG(status)), WTERMSIG(status), subprocCount(nsjconf) - 1); subprocRemove(nsjconf, si.si_pid); @@ -350,10 +346,7 @@ int subprocReap(struct nsjconf_t* nsjconf) void subprocKillAll(struct nsjconf_t* nsjconf) { struct pids_t* p; - TAILQ_FOREACH(p, &nsjconf->pids, pointers) - { - kill(p->pid, SIGKILL); - } + TAILQ_FOREACH(p, &nsjconf->pids, pointers) { kill(p->pid, SIGKILL); } } static bool subprocInitParent(struct nsjconf_t* nsjconf, pid_t pid, int pipefd) 
@@ -370,7 +363,8 @@ static bool subprocInitParent(struct nsjconf_t* nsjconf, pid_t pid, int pipefd) LOG_E("Couldn't initialize user namespaces for pid %d", pid); return false; } - if (utilWriteToFd(pipefd, &subprocDoneChar, sizeof(subprocDoneChar)) != sizeof(subprocDoneChar)) { + if (utilWriteToFd(pipefd, &subprocDoneChar, sizeof(subprocDoneChar)) + != sizeof(subprocDoneChar)) { LOG_E("Couldn't signal the new process via a socketpair"); return false; } @@ -403,8 +397,9 @@ pid_t subprocClone(uintptr_t flags) if (setjmp(env) == 0) { LOG_D("Cloning process with flags:%s", subprocCloneFlagsToStr(flags)); /* - * Avoid the problem of the stack growing up/down under different CPU architectures, by using - * middle of the static stack buffer (which is temporary, and used only inside of subprocCloneFunc + * Avoid the problem of the stack growing up/down under different CPU architectures, + * by using middle of the static stack buffer (which is temporary, and used only + * inside of subprocCloneFunc */ void* stack = &subprocCloneStack[sizeof(subprocCloneStack) / 2]; /* Parent */ @@ -456,7 +451,8 @@ void subprocRunChild(struct nsjconf_t* nsjconf, int fd_in, int fd_out, int fd_er close(child_fd); if (pid == -1) { PLOG_E("clone(flags=%s) failed. You probably need root privileges if your system " - "doesn't support CLONE_NEWUSER. Alternatively, you might want to recompile your " + "doesn't support CLONE_NEWUSER. Alternatively, you might want to recompile " + "your " "kernel with support for namespaces or check the setting of the " "kernel.unprivileged_userns_clone sysctl", subprocCloneFlagsToStr(flags)); diff --git a/user.c b/user.c index a992c91..1dd742c 100644 --- a/user.c +++ b/user.c 
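Review bot: The re-wrapped comment above the `stack` assignment in subprocClone still ends with an unclosed parenthesis, `inside of subprocCloneFunc`, so the sentence reads as if it were cut off; `* inside of subprocCloneFunc)` closes it. The same comment could also say that starting at `sizeof(subprocCloneStack) / 2` leaves only half of the buffer usable in either growth direction, since that bounds how much stack the cloned function may use before it runs off the static array. The function continues past the end of the hunk.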
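Review bot: The column limit has left a stray `"your "` literal on a line of its own in the PLOG_E message of subprocRunChild, which makes the message harder to read and to grep for in the source. Re-flowing the two adjacent literals by hand keeps the text byte-identical and should still fit the limit: `"doesn't support CLONE_NEWUSER. Alternatively, you might want to recompile "` followed by `"your kernel with support for namespaces or check the setting of the "`. The enclosing `if (pid == -1)` block closes outside the hunk.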
@@ -44,11 +44,12 @@ static bool userSetResGid(gid_t gid) { LOG_D("setresgid(%d)", gid); #if defined(__NR_setresgid32) - if (syscall(__NR_setresgid32, (uintptr_t)gid, (uintptr_t)gid, (uintptr_t)gid) == -1 && errno != ENOSYS) { + if (syscall(__NR_setresgid32, (uintptr_t)gid, (uintptr_t)gid, (uintptr_t)gid) == -1 + && errno != ENOSYS) { PLOG_W("setresgid32(%d)", (int)gid); return false; } -#endif +#endif /* defined(__NR_setresgid32) */ if (syscall(__NR_setresgid, (uintptr_t)gid, (uintptr_t)gid, (uintptr_t)gid) == -1) { PLOG_W("setresgid(%d)", gid); return false; @@ -60,11 +61,12 @@ static bool userSetResUid(uid_t uid) { LOG_D("setresuid(%d)", uid); #if defined(__NR_setresuid32) - if (syscall(__NR_setresuid32, (uintptr_t)uid, (uintptr_t)uid, (uintptr_t)uid) == -1 && errno != ENOSYS) { + if (syscall(__NR_setresuid32, (uintptr_t)uid, (uintptr_t)uid, (uintptr_t)uid) == -1 + && errno != ENOSYS) { PLOG_W("setresuid32(%d)", (int)uid); return false; } -#endif +#endif /* defined(__NR_setresuid32) */ if (syscall(__NR_setresuid, (uintptr_t)uid, (uintptr_t)uid, (uintptr_t)uid) == -1) { PLOG_W("setresuid(%d)", uid); return false; @@ -75,8 +77,8 @@ static bool userSetResUid(uid_t uid) static bool userSetGroups(pid_t pid) { /* - * No need to write 'deny' to /proc/pid/setgroups if our euid==0, as writing to uid_map/gid_map - * will succeed anyway + * No need to write 'deny' to /proc/pid/setgroups if our euid==0, as writing to + * uid_map/gid_map will succeed anyway */ if (geteuid() == 0) { return true; 
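Review bot: In userSetResGid a successful `__NR_setresgid32` call does not return; the guarded `if` only handles failure, so control falls through and `__NR_setresgid` is issued as well. On ABIs that define both numbers the unsuffixed call is usually the legacy 16-bit variant, so a gid above 65535 would presumably be truncated or rejected by the second call after the first had already succeeded. Returning as soon as the 32-bit call succeeds and falling back only on ENOSYS avoids that; the same shape applies to userSetResUid in the `@@ -60,11 +61,12 @@` hunk. The function's final return lies outside the hunk, so the `return true` below assumes it reports success that way.

```c
#if defined(__NR_setresgid32)
	if (syscall(__NR_setresgid32, (uintptr_t)gid, (uintptr_t)gid, (uintptr_t)gid) == 0) {
		return true;
	}
	if (errno != ENOSYS) {
		PLOG_W("setresgid32(%d)", (int)gid);
		return false;
	}
#endif /* defined(__NR_setresgid32) */
	/* ... unchanged: __NR_setresgid fallback ... */
```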
@@ -303,10 +305,11 @@ bool userInitNsFromChild(struct nsjconf_t* nsjconf) } /* - * Make sure all capabilities are retained after the subsequent setuid/setgid, as they will be - * needed for privileged operations: mounts, uts change etc. + * Make sure all capabilities are retained after the subsequent setuid/setgid, as they will + * be needed for privileged operations: mounts, uts change etc. */ - if (prctl(PR_SET_SECUREBITS, SECBIT_KEEP_CAPS | SECBIT_NO_SETUID_FIXUP, 0UL, 0UL, 0UL) == -1) { + if (prctl(PR_SET_SECUREBITS, SECBIT_KEEP_CAPS | SECBIT_NO_SETUID_FIXUP, 0UL, 0UL, 0UL) + == -1) { PLOG_E("prctl(PR_SET_SECUREBITS, SECBIT_KEEP_CAPS | SECBIT_NO_SETUID_FIXUP)"); return false; }
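Review bot: The comment above the `PR_SET_SECUREBITS` call in userInitNsFromChild explains why capabilities are kept across setuid/setgid but not where they are given up again, which is the part a reader auditing the jail needs. With `SECBIT_KEEP_CAPS | SECBIT_NO_SETUID_FIXUP` set, the uid change no longer adjusts the process's capability sets, so the later reduction is what keeps the jailed program from starting with them. Once the call site is confirmed, I would add a line such as `* They must be dropped again before the jailed program is executed.` and name the function that does it. The function begins before and continues after this hunk.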