From: Jagger
Date: Sun, 19 Jun 2016 09:55:55 +0000 (+0200)
Subject: Support for CLONE_NEWCGROUP
X-Git-Tag: 1.2~34
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=a1f0ec79252a3b28bf96b0a0bb0331bf23998cc3;p=platform%2Fupstream%2Fnsjail.git

Support for CLONE_NEWCGROUP
---

diff --git a/cmdline.c b/cmdline.c
index 7b77f51..4c5f75c 100644
--- a/cmdline.c
+++ b/cmdline.c
@@ -103,7 +103,7 @@ void cmdlineLogParams(struct nsjconf_t *nsjconf)
 ("Jail parameters: hostname:'%s', chroot:'%s', process:'%s', bind:[%s]:%d, "
 "max_conns_per_ip:%u, uid:(ns:%u, global:%u), gid:(ns:%u, global:%u), time_limit:%ld, personality:%#lx, daemonize:%s, "
 "clone_newnet:%s, clone_newuser:%s, clone_newns:%s, clone_newpid:%s, "
- "clone_newipc:%s, clonew_newuts:%s, apply_sandbox:%s, keep_caps:%s, "
+ "clone_newipc:%s, clonew_newuts:%s, clone_newcgroup:%s, apply_sandbox:%s, keep_caps:%s, "
 "tmpfs_size:%zu", nsjconf->hostname, nsjconf->chroot, nsjconf->argv[0], nsjconf->bindhost, nsjconf->port, nsjconf->max_conns_per_ip, nsjconf->inside_uid, nsjconf->outside_uid,
@@ -111,8 +111,8 @@ void cmdlineLogParams(struct nsjconf_t *nsjconf)
 logYesNo(nsjconf->daemonize), logYesNo(nsjconf->clone_newnet), logYesNo(nsjconf->clone_newuser), logYesNo(nsjconf->clone_newns), logYesNo(nsjconf->clone_newpid), logYesNo(nsjconf->clone_newipc),
- logYesNo(nsjconf->clone_newuts), logYesNo(nsjconf->apply_sandbox),
- logYesNo(nsjconf->keep_caps), nsjconf->tmpfs_size);
+ logYesNo(nsjconf->clone_newuts), logYesNo(nsjconf->clone_newcgroup),
+ logYesNo(nsjconf->apply_sandbox), logYesNo(nsjconf->keep_caps), nsjconf->tmpfs_size);
 struct mounts_t *p;
 TAILQ_FOREACH(p, &nsjconf->mountpts, pointers) {
@@ -279,6 +279,7 @@ bool cmdlineParse(int argc, char *argv[], struct nsjconf_t * nsjconf)
 .clone_newpid = true,
 .clone_newipc = true,
 .clone_newuts = true,
+ .clone_newcgroup = false,
 .mode = MODE_LISTEN_TCP,
 .is_root_rw = false,
 .is_silent = false,
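Review bot: The rewritten format literal `+ "clone_newipc:%s, clonew_newuts:%s, clone_newcgroup:%s, ..."` carries over the pre-existing `clonew_newuts` misspelling in the logged parameter name, so the new log line still names a field that does not exist. Since the literal is edited by this commit anyway, change that piece to `clone_newuts:%s` so the output matches the struct field and the other `clone_new*` names in the same message. The enclosing LOG call in cmdlineLogParams starts before the hunk.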
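Review bot: `.clone_newcgroup = false` is the only namespace flag in this initializer that defaults to off while the neighbouring `clone_newpid`/`clone_newipc`/`clone_newuts` default to on, and nothing records why. Presumably it is opt-in because cgroup namespaces need a recent kernel (CLONE_NEWCGROUP was added in Linux 4.6), so a comment such as `/* opt-in: cgroup namespaces require kernel support (Linux >= 4.6) */` would make the asymmetry deliberate rather than accidental. The same reasoning belongs in the user-facing help string of the `enable_clone_newcgroup` option added in the next cmdline.c hunk, e.g. `"Use CLONE_NEWCGROUP (requires Linux >= 4.6)"`.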
@@ -366,6 +367,7 @@ bool cmdlineParse(int argc, char *argv[], struct nsjconf_t * nsjconf)
 {{"disable_clone_newpid", no_argument, NULL, 0x0404}, "Don't use CLONE_NEWPID"},
 {{"disable_clone_newipc", no_argument, NULL, 0x0405}, "Don't use CLONE_NEWIPC"},
 {{"disable_clone_newuts", no_argument, NULL, 0x0406}, "Don't use CLONE_NEWUTS"},
+ {{"enable_clone_newcgroup", no_argument, NULL, 0x0407}, "Use CLONE_NEWCGROUP"},
 {{"bindmount_ro", required_argument, NULL, 'R'}, "List of mountpoints to be mounted --bind (ro) inside the container. Can be specified multiple times. Supports 'source' syntax, or 'source:dest'"},
 {{"bindmount", required_argument, NULL, 'B'}, "List of mountpoints to be mounted --bind (rw) inside the container. Can be specified multiple times. Supports 'source' syntax, or 'source:dest'"},
 {{"tmpfsmount", required_argument, NULL, 'T'}, "List of mountpoints to be mounted as RW/tmpfs inside the container. Can be specified multiple times. Supports 'dest' syntax"},
@@ -490,6 +492,9 @@ bool cmdlineParse(int argc, char *argv[], struct nsjconf_t * nsjconf)
 case 0x0406:
 nsjconf->clone_newuts = false;
 break;
+ case 0x0407:
+ nsjconf->clone_newcgroup = true;
+ break;
 case 0x0500:
 nsjconf->mode = MODE_STANDALONE_ONCE;
 break;
diff --git a/common.h b/common.h
index 78998a7..1be6bf8 100644
--- a/common.h
+++ b/common.h
@@ -112,6 +112,7 @@ struct nsjconf_t {
 bool clone_newpid;
 bool clone_newipc;
 bool clone_newuts;
+ bool clone_newcgroup;
 enum mode_t mode;
 const char *chroot;
 bool is_root_rw;
diff --git a/mount.c b/mount.c
index ce6b938..6a6efea 100644
--- a/mount.c
+++ b/mount.c
@@ -76,8 +76,8 @@ static bool mountNotIsDir(const char *path)
 static bool mountMount(struct nsjconf_t *nsjconf, struct mounts_t *mpt, const char *dst)
 {
- LOG_D("Mounting '%s' on '%s' (type:'%s', flags:0x%tx)", mpt->src, dst, mpt->fs_type,
- mpt->flags);
+ LOG_D("Mounting '%s' on '%s' (type:'%s', flags:0x%tx, options:'%s')", mpt->src, dst,
+ mpt->fs_type, mpt->flags, mpt->options);
 if (mountIsDir(mpt->src) == true) {
 if (mkdir(dst, 0711) == -1 && errno != EEXIST) {
diff --git a/subproc.c b/subproc.c
index 69a548f..1aea024 100644
--- a/subproc.c
+++ b/subproc.c
@@ -283,7 +283,9 @@ void subprocRunChild(struct nsjconf_t *nsjconf, int fd_in, int fd_out, int fd_er
 if (netLimitConns(nsjconf, fd_in) == false) {
 return;
 }
-
+#ifndef CLONE_NEWCGROUP
+#define CLONE_NEWCGROUP 0x02000000
+#endif
 unsigned long flags = 0UL;
 flags |= (nsjconf->clone_newnet ? CLONE_NEWNET : 0);
 flags |= (nsjconf->clone_newuser ? CLONE_NEWUSER : 0);
@@ -291,6 +293,7 @@ void subprocRunChild(struct nsjconf_t *nsjconf, int fd_in, int fd_out, int fd_er
 flags |= (nsjconf->clone_newpid ? CLONE_NEWPID : 0);
 flags |= (nsjconf->clone_newipc ? CLONE_NEWIPC : 0);
 flags |= (nsjconf->clone_newuts ? CLONE_NEWUTS : 0);
+ flags |= (nsjconf->clone_newcgroup ? CLONE_NEWCGROUP : 0);
 if (nsjconf->mode == MODE_STANDALONE_EXECVE) {
 LOG_D("Entering namespace with flags: %#lx", flags);
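Review bot: The new LOG_D call in mountMount passes `mpt->options` to a `%s` conversion, and nothing in the hunk guarantees it is non-NULL; where `options` is filled in is outside this hunk, so this is inferred, but if a bind or tmpfs entry can leave it unset, formatting a NULL with `%s` is undefined behaviour and the debug log would crash before the mount is even attempted. If NULL is a reachable state, pass `mpt->options ? mpt->options : ""` for that argument, or document on the `mounts_t` field that `options` is always a valid string. The body of mountMount continues past the end of the hunk.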
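Review bot: The fallback `#ifndef CLONE_NEWCGROUP` / `#define CLONE_NEWCGROUP 0x02000000` / `#endif` is placed in the middle of subprocRunChild's body, between the netLimitConns check and the `flags` initialisation; a compatibility define for a missing libc header constant belongs at file scope next to the includes, where it is not tied to one function and is visible to any other code that tests the flag. A short comment would also help the next reader understand the failure mode: on a kernel without cgroup-namespace support the clone/unshare carrying this flag should be rejected (EINVAL), so the opt-in option fails closed instead of silently running without the namespace, e.g. `/* CLONE_NEWCGROUP: Linux >= 4.6; older kernels reject the flag rather than ignore it */`. subprocRunChild starts before this hunk and continues after it, and the flag is consumed in the following hunk.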