From: Robert Swiecki Date: Wed, 25 Oct 2017 22:26:02 +0000 (+0200) Subject: Makefile/indent: base it on the google template with modifications X-Git-Tag: 2.2~12 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=e2529ce04f0d5a278aa5d8e19ccb2f6eb0bc760f;p=platform%2Fupstream%2Fnsjail.git Makefile/indent: base it on the google template with modifications --- diff --git a/Makefile b/Makefile index 387683d..6faa2af 100644 --- a/Makefile +++ b/Makefile @@ -92,7 +92,7 @@ depend: makedepend -Y -Ykafel/include -- -- $(SRCS_C) $(SRCS_CXX) $(SRCS_PB_CXX) indent: - clang-format -style="{BasedOnStyle: webkit, IndentWidth: 8, UseTab: Always, IndentCaseLabels: false, ColumnLimit: 100}" -i -sort-includes *.c *.h $(SRCS_CXX) + clang-format -style="{BasedOnStyle: google, IndentWidth: 8, UseTab: Always, IndentCaseLabels: false, ColumnLimit: 100, AlignAfterOpenBracket: false}" -i -sort-includes *.c *.h $(SRCS_CXX) # DO NOT DELETE THIS LINE -- make depend depends on it. diff --git a/caps.c b/caps.c index 5148bf1..b1d02d3 100644 --- a/caps.c +++ b/caps.c @@ -36,50 +36,49 @@ static struct { const int val; const char* const name; } const capNames[] = { - NS_VALSTR_STRUCT(CAP_CHOWN), - NS_VALSTR_STRUCT(CAP_DAC_OVERRIDE), - NS_VALSTR_STRUCT(CAP_DAC_READ_SEARCH), - NS_VALSTR_STRUCT(CAP_FOWNER), - NS_VALSTR_STRUCT(CAP_FSETID), - NS_VALSTR_STRUCT(CAP_KILL), - NS_VALSTR_STRUCT(CAP_SETGID), - NS_VALSTR_STRUCT(CAP_SETUID), - NS_VALSTR_STRUCT(CAP_SETPCAP), - NS_VALSTR_STRUCT(CAP_LINUX_IMMUTABLE), - NS_VALSTR_STRUCT(CAP_NET_BIND_SERVICE), - NS_VALSTR_STRUCT(CAP_NET_BROADCAST), - NS_VALSTR_STRUCT(CAP_NET_ADMIN), - NS_VALSTR_STRUCT(CAP_NET_RAW), - NS_VALSTR_STRUCT(CAP_IPC_LOCK), - NS_VALSTR_STRUCT(CAP_IPC_OWNER), - NS_VALSTR_STRUCT(CAP_SYS_MODULE), - NS_VALSTR_STRUCT(CAP_SYS_RAWIO), - NS_VALSTR_STRUCT(CAP_SYS_CHROOT), - NS_VALSTR_STRUCT(CAP_SYS_PTRACE), - NS_VALSTR_STRUCT(CAP_SYS_PACCT), - NS_VALSTR_STRUCT(CAP_SYS_ADMIN), - NS_VALSTR_STRUCT(CAP_SYS_BOOT), - NS_VALSTR_STRUCT(CAP_SYS_NICE), - NS_VALSTR_STRUCT(CAP_SYS_RESOURCE), - NS_VALSTR_STRUCT(CAP_SYS_TIME), - NS_VALSTR_STRUCT(CAP_SYS_TTY_CONFIG), - NS_VALSTR_STRUCT(CAP_MKNOD), - NS_VALSTR_STRUCT(CAP_LEASE), - NS_VALSTR_STRUCT(CAP_AUDIT_WRITE), - NS_VALSTR_STRUCT(CAP_AUDIT_CONTROL), - NS_VALSTR_STRUCT(CAP_SETFCAP), - NS_VALSTR_STRUCT(CAP_MAC_OVERRIDE), - NS_VALSTR_STRUCT(CAP_MAC_ADMIN), - NS_VALSTR_STRUCT(CAP_SYSLOG), - NS_VALSTR_STRUCT(CAP_WAKE_ALARM), - NS_VALSTR_STRUCT(CAP_BLOCK_SUSPEND), + NS_VALSTR_STRUCT(CAP_CHOWN), + NS_VALSTR_STRUCT(CAP_DAC_OVERRIDE), + NS_VALSTR_STRUCT(CAP_DAC_READ_SEARCH), + NS_VALSTR_STRUCT(CAP_FOWNER), + NS_VALSTR_STRUCT(CAP_FSETID), + NS_VALSTR_STRUCT(CAP_KILL), + NS_VALSTR_STRUCT(CAP_SETGID), + NS_VALSTR_STRUCT(CAP_SETUID), + NS_VALSTR_STRUCT(CAP_SETPCAP), + NS_VALSTR_STRUCT(CAP_LINUX_IMMUTABLE), + NS_VALSTR_STRUCT(CAP_NET_BIND_SERVICE), + NS_VALSTR_STRUCT(CAP_NET_BROADCAST), + NS_VALSTR_STRUCT(CAP_NET_ADMIN), + NS_VALSTR_STRUCT(CAP_NET_RAW), + NS_VALSTR_STRUCT(CAP_IPC_LOCK), + NS_VALSTR_STRUCT(CAP_IPC_OWNER), + NS_VALSTR_STRUCT(CAP_SYS_MODULE), + NS_VALSTR_STRUCT(CAP_SYS_RAWIO), + NS_VALSTR_STRUCT(CAP_SYS_CHROOT), + NS_VALSTR_STRUCT(CAP_SYS_PTRACE), + NS_VALSTR_STRUCT(CAP_SYS_PACCT), + NS_VALSTR_STRUCT(CAP_SYS_ADMIN), + NS_VALSTR_STRUCT(CAP_SYS_BOOT), + NS_VALSTR_STRUCT(CAP_SYS_NICE), + NS_VALSTR_STRUCT(CAP_SYS_RESOURCE), + NS_VALSTR_STRUCT(CAP_SYS_TIME), + NS_VALSTR_STRUCT(CAP_SYS_TTY_CONFIG), + NS_VALSTR_STRUCT(CAP_MKNOD), + NS_VALSTR_STRUCT(CAP_LEASE), + NS_VALSTR_STRUCT(CAP_AUDIT_WRITE), + NS_VALSTR_STRUCT(CAP_AUDIT_CONTROL), + NS_VALSTR_STRUCT(CAP_SETFCAP), + NS_VALSTR_STRUCT(CAP_MAC_OVERRIDE), + NS_VALSTR_STRUCT(CAP_MAC_ADMIN), + NS_VALSTR_STRUCT(CAP_SYSLOG), + NS_VALSTR_STRUCT(CAP_WAKE_ALARM), + NS_VALSTR_STRUCT(CAP_BLOCK_SUSPEND), #if defined(CAP_AUDIT_READ) - NS_VALSTR_STRUCT(CAP_AUDIT_READ), + NS_VALSTR_STRUCT(CAP_AUDIT_READ), #endif /* defined(CAP_AUDIT_READ) */ }; -int capsNameToVal(const char* name) -{ +int capsNameToVal(const char* name) { for (size_t i = 0; i < ARRAYSIZE(capNames); i++) { if (strcmp(name, capNames[i].name) == 0) { return capNames[i].val; @@ -89,8 +88,7 @@ int capsNameToVal(const char* name) return -1; } -static const char* capsValToStr(int val) -{ +static const char* capsValToStr(int val) { static __thread char capsStr[1024]; for (size_t i = 0; i < ARRAYSIZE(capNames); i++) { if (val == capNames[i].val) { @@ -103,12 +101,11 @@ static const char* capsValToStr(int val) return capsStr; } -static cap_user_data_t capsGet() -{ +static cap_user_data_t capsGet() { static __thread struct __user_cap_data_struct cap_data[_LINUX_CAPABILITY_U32S_3]; const struct __user_cap_header_struct cap_hdr = { - .version = _LINUX_CAPABILITY_VERSION_3, - .pid = 0, + .version = _LINUX_CAPABILITY_VERSION_3, + .pid = 0, }; if (syscall(__NR_capget, &cap_hdr, &cap_data) == -1) { PLOG_W("capget() failed"); @@ -117,11 +114,10 @@ static cap_user_data_t capsGet() return cap_data; } -static bool capsSet(const cap_user_data_t cap_data) -{ +static bool capsSet(const cap_user_data_t cap_data) { const struct __user_cap_header_struct cap_hdr = { - .version = _LINUX_CAPABILITY_VERSION_3, - .pid = 0, + .version = _LINUX_CAPABILITY_VERSION_3, + .pid = 0, }; if (syscall(__NR_capset, &cap_hdr, cap_data) == -1) { PLOG_W("capset() failed"); @@ -130,36 +126,31 @@ static bool capsSet(const cap_user_data_t cap_data) return true; } -static void capsClearInheritable(cap_user_data_t cap_data) -{ +static void capsClearInheritable(cap_user_data_t cap_data) { for (size_t i = 0; i < _LINUX_CAPABILITY_U32S_3; i++) { cap_data[i].inheritable = 0U; } } -static bool capsGetPermitted(cap_user_data_t cap_data, unsigned int cap) -{ +static bool capsGetPermitted(cap_user_data_t cap_data, unsigned int cap) { size_t off_byte = cap / (sizeof(cap_data->permitted) * 8); size_t off_bit = cap % (sizeof(cap_data->permitted) * 8); return cap_data[off_byte].permitted & (1U << off_bit); } -static bool capsGetEffective(cap_user_data_t cap_data, unsigned int cap) -{ +static bool capsGetEffective(cap_user_data_t cap_data, unsigned int cap) { size_t off_byte = cap / (sizeof(cap_data->effective) * 8); size_t off_bit = cap % (sizeof(cap_data->effective) * 8); return cap_data[off_byte].effective & (1U << off_bit); } -static bool capsGetInheritable(cap_user_data_t cap_data, unsigned int cap) -{ +static bool capsGetInheritable(cap_user_data_t cap_data, unsigned int cap) { size_t off_byte = cap / (sizeof(cap_data->inheritable) * 8); size_t off_bit = cap % (sizeof(cap_data->inheritable) * 8); return cap_data[off_byte].inheritable & (1U << off_bit); } -static void capsSetInheritable(cap_user_data_t cap_data, unsigned int cap) -{ +static void capsSetInheritable(cap_user_data_t cap_data, unsigned int cap) { size_t off_byte = cap / (sizeof(cap_data->inheritable) * 8); size_t off_bit = cap % (sizeof(cap_data->inheritable) * 8); cap_data[off_byte].inheritable |= (1U << off_bit); @@ -170,8 +161,7 @@ static void capsSetInheritable(cap_user_data_t cap_data, unsigned int cap) #define PR_CAP_AMBIENT_RAISE 2 #define PR_CAP_AMBIENT_CLEAR_ALL 4 #endif /* !defined(PR_CAP_AMBIENT) */ -static bool CapsInitNsKeepCaps(cap_user_data_t cap_data) -{ +static bool CapsInitNsKeepCaps(cap_user_data_t cap_data) { char dbgmsg[4096]; /* Copy all permitted caps to the inheritable set */ @@ -195,8 +185,7 @@ static bool CapsInitNsKeepCaps(cap_user_data_t cap_data) continue; } if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, (unsigned long)capNames[i].val, 0UL, - 0UL) - == -1) { + 0UL) == -1) { PLOG_W("prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, %s)", capNames[i].name); } else { utilSSnPrintf(dbgmsg, sizeof(dbgmsg), " %s", capNames[i].name); @@ -207,8 +196,7 @@ static bool CapsInitNsKeepCaps(cap_user_data_t cap_data) return true; } -bool capsInitNs(struct nsjconf_t* nsjconf) -{ +bool capsInitNs(struct nsjconf_t* nsjconf) { char dbgmsg[4096]; struct ints_t* p; @@ -234,8 +222,7 @@ bool capsInitNs(struct nsjconf_t* nsjconf) /* Set all requested caps in the inheritable set if these are present in the permitted set */ dbgmsg[0] = '\0'; - TAILQ_FOREACH(p, &nsjconf->caps, pointers) - { + TAILQ_FOREACH(p, &nsjconf->caps, pointers) { if (capsGetPermitted(cap_data, p->val) == false) { LOG_W("Capability %s is not permitted in the namespace", capsValToStr(p->val)); @@ -261,8 +248,8 @@ bool capsInitNs(struct nsjconf_t* nsjconf) continue; } utilSSnPrintf(dbgmsg, sizeof(dbgmsg), " %s", capNames[i].name); - if (prctl(PR_CAPBSET_DROP, (unsigned long)capNames[i].val, 0UL, 0UL, 0UL) - == -1) { + if (prctl(PR_CAPBSET_DROP, (unsigned long)capNames[i].val, 0UL, 0UL, 0UL) == + -1) { PLOG_W("prctl(PR_CAPBSET_DROP, %s)", capNames[i].name); return false; } @@ -272,10 +259,9 @@ bool capsInitNs(struct nsjconf_t* nsjconf) /* Make sure inheritable set is preserved across execve via the modified ambient set */ dbgmsg[0] = '\0'; - TAILQ_FOREACH(p, &nsjconf->caps, pointers) - { - if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, (unsigned long)p->val, 0UL, 0UL) - == -1) { + TAILQ_FOREACH(p, &nsjconf->caps, pointers) { + if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, (unsigned long)p->val, 0UL, 0UL) == + -1) { PLOG_W("prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, %s)", capsValToStr(p->val)); } else { diff --git a/cgroup.c b/cgroup.c index a6edfb7..e523bc8 100644 --- a/cgroup.c +++ b/cgroup.c @@ -33,8 +33,7 @@ #include "log.h" #include "util.h" -static bool cgroupInitNsFromParentMem(struct nsjconf_t* nsjconf, pid_t pid) -{ +static bool cgroupInitNsFromParentMem(struct nsjconf_t* nsjconf, pid_t pid) { if (nsjconf->cgroup_mem_max == (size_t)0) { return true; } @@ -80,8 +79,7 @@ static bool cgroupInitNsFromParentMem(struct nsjconf_t* nsjconf, pid_t pid) return true; } -static bool cgroupInitNsFromParentPids(struct nsjconf_t* nsjconf, pid_t pid) -{ +static bool cgroupInitNsFromParentPids(struct nsjconf_t* nsjconf, pid_t pid) { if (nsjconf->cgroup_pids_max == 0U) { return true; } @@ -117,8 +115,7 @@ static bool cgroupInitNsFromParentPids(struct nsjconf_t* nsjconf, pid_t pid) return true; } -static bool cgroupInitNsFromParentNetCls(struct nsjconf_t* nsjconf, pid_t pid) -{ +static bool cgroupInitNsFromParentNetCls(struct nsjconf_t* nsjconf, pid_t pid) { if (nsjconf->cgroup_net_cls_classid == 0U) { return true; } @@ -156,8 +153,7 @@ static bool cgroupInitNsFromParentNetCls(struct nsjconf_t* nsjconf, pid_t pid) return true; } -bool cgroupInitNsFromParent(struct nsjconf_t* nsjconf, pid_t pid) -{ +bool cgroupInitNsFromParent(struct nsjconf_t* nsjconf, pid_t pid) { if (cgroupInitNsFromParentMem(nsjconf, pid) == false) { return false; } @@ -170,8 +166,7 @@ bool cgroupInitNsFromParent(struct nsjconf_t* nsjconf, pid_t pid) return true; } -void cgroupFinishFromParentMem(struct nsjconf_t* nsjconf, pid_t pid) -{ +void cgroupFinishFromParentMem(struct nsjconf_t* nsjconf, pid_t pid) { if (nsjconf->cgroup_mem_max == (size_t)0) { return; } @@ -185,8 +180,7 @@ void cgroupFinishFromParentMem(struct nsjconf_t* nsjconf, pid_t pid) return; } -void cgroupFinishFromParentPids(struct nsjconf_t* nsjconf, pid_t pid) -{ +void cgroupFinishFromParentPids(struct nsjconf_t* nsjconf, pid_t pid) { if (nsjconf->cgroup_pids_max == 0U) { return; } @@ -200,8 +194,7 @@ void cgroupFinishFromParentPids(struct nsjconf_t* nsjconf, pid_t pid) return; } -void cgroupFinishFromParentNetCls(struct nsjconf_t* nsjconf, pid_t pid) -{ +void cgroupFinishFromParentNetCls(struct nsjconf_t* nsjconf, pid_t pid) { if (nsjconf->cgroup_net_cls_classid == 0U) { return; } @@ -215,8 +208,7 @@ void cgroupFinishFromParentNetCls(struct nsjconf_t* nsjconf, pid_t pid) return; } -void cgroupFinishFromParent(struct nsjconf_t* nsjconf, pid_t pid) -{ +void cgroupFinishFromParent(struct nsjconf_t* nsjconf, pid_t pid) { cgroupFinishFromParentMem(nsjconf, pid); cgroupFinishFromParentPids(nsjconf, pid); cgroupFinishFromParentNetCls(nsjconf, pid); diff --git a/cmdline.c b/cmdline.c index a21f009..46c2e31 100644 --- a/cmdline.c +++ b/cmdline.c @@ -149,8 +149,7 @@ struct custom_option deprecated_opts[] = { static const char* logYesNo(bool yes) { return (yes ? "true" : "false"); } -static void cmdlineOptUsage(struct custom_option* option) -{ +static void cmdlineOptUsage(struct custom_option* option) { if (option->opt.val < 0x80) { LOG_HELP_BOLD(" --%s%s%c %s", option->opt.name, "|-", option->opt.val, option->opt.has_arg == required_argument ? "VALUE" : ""); @@ -161,8 +160,7 @@ static void cmdlineOptUsage(struct custom_option* option) LOG_HELP("\t%s", option->descr); } -static void cmdlineUsage(const char* pname) -{ +static void cmdlineUsage(const char* pname) { LOG_HELP_BOLD("Usage: %s [options] -- path_to_command [args]", pname); LOG_HELP_BOLD("Options:"); for (size_t i = 0; i < ARRAYSIZE(custom_opts); i++) { @@ -191,8 +189,7 @@ static void cmdlineUsage(const char* pname) LOG_HELP_BOLD(" nsjail -Me --chroot / --disable_proc -- /bin/echo \"ABC\""); } -void cmdlineLogParams(struct nsjconf_t* nsjconf) -{ +void cmdlineLogParams(struct nsjconf_t* nsjconf) { switch (nsjconf->mode) { case MODE_LISTEN_TCP: LOG_I("Mode: LISTEN_TCP"); @@ -211,12 +208,13 @@ void cmdlineLogParams(struct nsjconf_t* nsjconf) break; } - LOG_I("Jail parameters: hostname:'%s', chroot:'%s', process:'%s', " - "bind:[%s]:%d, " - "max_conns_per_ip:%u, time_limit:%ld, personality:%#lx, daemonize:%s, " - "clone_newnet:%s, clone_newuser:%s, clone_newns:%s, clone_newpid:%s, " - "clone_newipc:%s, clonew_newuts:%s, clone_newcgroup:%s, keep_caps:%s, " - "tmpfs_size:%zu, disable_no_new_privs:%s, max_cpus:%zu", + LOG_I( + "Jail parameters: hostname:'%s', chroot:'%s', process:'%s', " + "bind:[%s]:%d, " + "max_conns_per_ip:%u, time_limit:%ld, personality:%#lx, daemonize:%s, " + "clone_newnet:%s, clone_newuser:%s, clone_newns:%s, clone_newpid:%s, " + "clone_newipc:%s, clonew_newuts:%s, clone_newcgroup:%s, keep_caps:%s, " + "tmpfs_size:%zu, disable_no_new_privs:%s, max_cpus:%zu", nsjconf->hostname, nsjconf->chroot ? nsjconf->chroot : "[NULL]", nsjconf->argv[0], nsjconf->bindhost, nsjconf->port, nsjconf->max_conns_per_ip, nsjconf->tlimit, nsjconf->personality, logYesNo(nsjconf->daemonize), logYesNo(nsjconf->clone_newnet), @@ -228,41 +226,39 @@ void cmdlineLogParams(struct nsjconf_t* nsjconf) { struct mounts_t* p; - TAILQ_FOREACH(p, &nsjconf->mountpts, pointers) - { + TAILQ_FOREACH(p, &nsjconf->mountpts, pointers) { LOG_I("%s: %s", p->isSymlink ? "Symlink" : "Mount point", mountDescribeMountPt(p)); } } { struct idmap_t* p; - TAILQ_FOREACH(p, &nsjconf->uids, pointers) - { + TAILQ_FOREACH(p, &nsjconf->uids, pointers) { LOG_I("Uid map: inside_uid:%lu outside_uid:%lu count:%zu newuidmap:%s", (unsigned long)p->inside_id, (unsigned long)p->outside_id, p->count, p->is_newidmap ? "true" : "false"); if (p->outside_id == 0 && nsjconf->clone_newuser) { - LOG_W("Process will be UID/EUID=0 in the global user namespace, " - "and will have user " - "root-level access to files"); + LOG_W( + "Process will be UID/EUID=0 in the global user namespace, " + "and will have user " + "root-level access to files"); } } - TAILQ_FOREACH(p, &nsjconf->gids, pointers) - { + TAILQ_FOREACH(p, &nsjconf->gids, pointers) { LOG_I("Gid map: inside_gid:%lu outside_gid:%lu count:%zu newgidmap:%s", (unsigned long)p->inside_id, (unsigned long)p->outside_id, p->count, p->is_newidmap ? "true" : "false"); if (p->outside_id == 0 && nsjconf->clone_newuser) { - LOG_W("Process will be GID/EGID=0 in the global user namespace, " - "and will have group " - "root-level access to files"); + LOG_W( + "Process will be GID/EGID=0 in the global user namespace, " + "and will have group " + "root-level access to files"); } } } } -uint64_t cmdlineParseRLimit(int res, const char* optarg, unsigned long mul) -{ +uint64_t cmdlineParseRLimit(int res, const char* optarg, unsigned long mul) { if (strcasecmp(optarg, "inf") == 0) { return RLIM64_INFINITY; } @@ -277,8 +273,9 @@ uint64_t cmdlineParseRLimit(int res, const char* optarg, unsigned long mul) return cur.rlim_max; } if (utilIsANumber(optarg) == false) { - LOG_F("RLIMIT %d needs a numeric or 'max'/'hard'/'def'/'soft'/'inf' value ('%s' " - "provided)", + LOG_F( + "RLIMIT %d needs a numeric or 'max'/'hard'/'def'/'soft'/'inf' value ('%s' " + "provided)", res, optarg); } uint64_t val = strtoull(optarg, NULL, 0) * mul; @@ -291,8 +288,7 @@ uint64_t cmdlineParseRLimit(int res, const char* optarg, unsigned long mul) /* findSpecDestination mutates spec (source:dest) to have a null byte instead * of ':' in between source and dest, then returns a pointer to the dest * string. */ -static char* cmdlineSplitStrByColon(char* spec) -{ +static char* cmdlineSplitStrByColon(char* spec) { if (spec == NULL) { return NULL; } @@ -314,68 +310,67 @@ static char* cmdlineSplitStrByColon(char* spec) } } -bool cmdlineParse(int argc, char* argv[], struct nsjconf_t* nsjconf) -{ +bool cmdlineParse(int argc, char* argv[], struct nsjconf_t* nsjconf) { (*nsjconf) = (const struct nsjconf_t){ - .exec_file = NULL, - .use_execveat = false, - .exec_fd = -1, - .argv = NULL, - .hostname = "NSJAIL", - .cwd = "/", - .chroot = NULL, - .port = 0, - .bindhost = "::", - .log_fd = STDERR_FILENO, - .logfile = NULL, - .loglevel = INFO, - .daemonize = false, - .tlimit = 0, - .max_cpus = 0, - .keep_caps = false, - .disable_no_new_privs = false, - .rl_as = 512 * (1024 * 1024), - .rl_core = 0, - .rl_cpu = 600, - .rl_fsize = 1 * (1024 * 1024), - .rl_nofile = 32, - .rl_nproc = cmdlineParseRLimit(RLIMIT_NPROC, "soft", 1), - .rl_stack = cmdlineParseRLimit(RLIMIT_STACK, "soft", 1), - .personality = 0, - .clone_newnet = true, - .clone_newuser = true, - .clone_newns = true, - .clone_newpid = true, - .clone_newipc = true, - .clone_newuts = true, - .clone_newcgroup = false, - .mode = MODE_STANDALONE_ONCE, - .is_root_rw = false, - .is_silent = false, - .skip_setsid = false, - .max_conns_per_ip = 0, - .tmpfs_size = 4 * (1024 * 1024), - .mount_proc = true, - .proc_path = "/proc", - .is_proc_rw = false, - .cgroup_mem_mount = "/sys/fs/cgroup/memory", - .cgroup_mem_parent = "NSJAIL", - .cgroup_mem_max = (size_t)0, - .cgroup_pids_mount = "/sys/fs/cgroup/pids", - .cgroup_pids_parent = "NSJAIL", - .cgroup_pids_max = (unsigned int)0, - .cgroup_net_cls_mount = "/sys/fs/cgroup/net_cls", - .cgroup_net_cls_parent = "NSJAIL", - .cgroup_net_cls_classid = (unsigned int)0, - .iface_no_lo = false, - .iface_vs = NULL, - .iface_vs_ip = "0.0.0.0", - .iface_vs_nm = "255.255.255.0", - .iface_vs_gw = "0.0.0.0", - .kafel_file = NULL, - .kafel_string = NULL, - .orig_uid = getuid(), - .num_cpus = sysconf(_SC_NPROCESSORS_ONLN), + .exec_file = NULL, + .use_execveat = false, + .exec_fd = -1, + .argv = NULL, + .hostname = "NSJAIL", + .cwd = "/", + .chroot = NULL, + .port = 0, + .bindhost = "::", + .log_fd = STDERR_FILENO, + .logfile = NULL, + .loglevel = INFO, + .daemonize = false, + .tlimit = 0, + .max_cpus = 0, + .keep_caps = false, + .disable_no_new_privs = false, + .rl_as = 512 * (1024 * 1024), + .rl_core = 0, + .rl_cpu = 600, + .rl_fsize = 1 * (1024 * 1024), + .rl_nofile = 32, + .rl_nproc = cmdlineParseRLimit(RLIMIT_NPROC, "soft", 1), + .rl_stack = cmdlineParseRLimit(RLIMIT_STACK, "soft", 1), + .personality = 0, + .clone_newnet = true, + .clone_newuser = true, + .clone_newns = true, + .clone_newpid = true, + .clone_newipc = true, + .clone_newuts = true, + .clone_newcgroup = false, + .mode = MODE_STANDALONE_ONCE, + .is_root_rw = false, + .is_silent = false, + .skip_setsid = false, + .max_conns_per_ip = 0, + .tmpfs_size = 4 * (1024 * 1024), + .mount_proc = true, + .proc_path = "/proc", + .is_proc_rw = false, + .cgroup_mem_mount = "/sys/fs/cgroup/memory", + .cgroup_mem_parent = "NSJAIL", + .cgroup_mem_max = (size_t)0, + .cgroup_pids_mount = "/sys/fs/cgroup/pids", + .cgroup_pids_parent = "NSJAIL", + .cgroup_pids_max = (unsigned int)0, + .cgroup_net_cls_mount = "/sys/fs/cgroup/net_cls", + .cgroup_net_cls_parent = "NSJAIL", + .cgroup_net_cls_classid = (unsigned int)0, + .iface_no_lo = false, + .iface_vs = NULL, + .iface_vs_ip = "0.0.0.0", + .iface_vs_nm = "255.255.255.0", + .iface_vs_gw = "0.0.0.0", + .kafel_file = NULL, + .kafel_string = NULL, + .orig_uid = getuid(), + .num_cpus = sysconf(_SC_NPROCESSORS_ONLN), }; TAILQ_INIT(&nsjconf->pids); @@ -409,7 +404,7 @@ bool cmdlineParse(int argc, char* argv[], struct nsjconf_t* nsjconf) opts[ARRAYSIZE(custom_opts) + i] = deprecated_opts[i].opt; } // Last, NULL option as a terminator. - struct option terminator = { NULL, 0, NULL, 0 }; + struct option terminator = {NULL, 0, NULL, 0}; memcpy(&opts[options_length - 1].name, &terminator, sizeof(terminator)); int opt_index = 0; @@ -605,12 +600,10 @@ bool cmdlineParse(int argc, char* argv[], struct nsjconf_t* nsjconf) char* i_id = optarg; char* o_id = cmdlineSplitStrByColon(i_id); char* cnt = cmdlineSplitStrByColon(o_id); - size_t count = (cnt == NULL || strlen(cnt) == 0) - ? 1U - : (size_t)strtoull(cnt, NULL, 0); + size_t count = + (cnt == NULL || strlen(cnt) == 0) ? 1U : (size_t)strtoull(cnt, NULL, 0); if (userParseId(nsjconf, i_id, o_id, count, false /* is_gid */, - false /* is_newidmap */) - == false) { + false /* is_newidmap */) == false) { return false; } } break; @@ -618,12 +611,10 @@ bool cmdlineParse(int argc, char* argv[], struct nsjconf_t* nsjconf) char* i_id = optarg; char* o_id = cmdlineSplitStrByColon(i_id); char* cnt = cmdlineSplitStrByColon(o_id); - size_t count = (cnt == NULL || strlen(cnt) == 0) - ? 1U - : (size_t)strtoull(cnt, NULL, 0); + size_t count = + (cnt == NULL || strlen(cnt) == 0) ? 1U : (size_t)strtoull(cnt, NULL, 0); if (userParseId(nsjconf, i_id, o_id, count, true /* is_gid */, - false /* is_newidmap */) - == false) { + false /* is_newidmap */) == false) { return false; } } break; @@ -631,12 +622,10 @@ bool cmdlineParse(int argc, char* argv[], struct nsjconf_t* nsjconf) char* i_id = optarg; char* o_id = cmdlineSplitStrByColon(i_id); char* cnt = cmdlineSplitStrByColon(o_id); - size_t count = (cnt == NULL || strlen(cnt) == 0) - ? 1U - : (size_t)strtoull(cnt, NULL, 0); + size_t count = + (cnt == NULL || strlen(cnt) == 0) ? 1U : (size_t)strtoull(cnt, NULL, 0); if (userParseId(nsjconf, i_id, o_id, count, false /* is_gid */, - true /* is_newidmap */) - == false) { + true /* is_newidmap */) == false) { return false; } } break; @@ -644,12 +633,10 @@ bool cmdlineParse(int argc, char* argv[], struct nsjconf_t* nsjconf) char* i_id = optarg; char* o_id = cmdlineSplitStrByColon(i_id); char* cnt = cmdlineSplitStrByColon(o_id); - size_t count = (cnt == NULL || strlen(cnt) == 0) - ? 1U - : (size_t)strtoull(cnt, NULL, 0); + size_t count = + (cnt == NULL || strlen(cnt) == 0) ? 1U : (size_t)strtoull(cnt, NULL, 0); if (userParseId(nsjconf, i_id, o_id, count, true /* is_gid */, - true /* is_newidmap */) - == false) { + true /* is_newidmap */) == false) { return false; } } break; @@ -821,12 +808,13 @@ bool cmdlineParse(int argc, char* argv[], struct nsjconf_t* nsjconf) if (nsjconf->use_execveat) { #if !defined(__NR_execveat) - LOG_E("Your nsjail is compiled without support for the execveat() syscall, yet you " - "specified the --execute_fd flag"); + LOG_E( + "Your nsjail is compiled without support for the execveat() syscall, yet you " + "specified the --execute_fd flag"); return false; #endif /* !defined(__NR_execveat) */ - if ((nsjconf->exec_fd = open(nsjconf->exec_file, O_RDONLY | O_PATH | O_CLOEXEC)) - == -1) { + if ((nsjconf->exec_fd = open(nsjconf->exec_file, O_RDONLY | O_PATH | O_CLOEXEC)) == + -1) { PLOG_W("Couldn't open '%s' file", nsjconf->exec_file); return false; } diff --git a/common.h b/common.h index fee22fb..fbbe1a2 100644 --- a/common.h +++ b/common.h @@ -36,24 +36,21 @@ static void __attribute__ ((unused)) __clang_cleanup_func(void (^*dfunc) (void)) (*dfunc) (); } -#define defer \ - void (^_STRMERGE(__defer_f_, __COUNTER__))(void) \ - __attribute__((cleanup(__clang_cleanup_func))) __attribute__((unused)) \ - = ^ +#define defer \ + void (^_STRMERGE(__defer_f_, __COUNTER__))(void) \ + __attribute__((cleanup(__clang_cleanup_func))) __attribute__((unused)) = ^ #else #define __block -#define _DEFER(a, count) \ - auto void _STRMERGE(__defer_f_, count)(void* _defer_arg __attribute__((unused))); \ - int _STRMERGE(__defer_var_, count) __attribute__((cleanup(_STRMERGE(__defer_f_, count)))) \ - __attribute__((unused)); \ +#define _DEFER(a, count) \ + auto void _STRMERGE(__defer_f_, count)(void* _defer_arg __attribute__((unused))); \ + int _STRMERGE(__defer_var_, count) __attribute__((cleanup(_STRMERGE(__defer_f_, count)))) \ + __attribute__((unused)); \ void _STRMERGE(__defer_f_, count)(void* _defer_arg __attribute__((unused))) #define defer _DEFER(a, __COUNTER__) #endif #endif -#define NS_VALSTR_STRUCT(x) \ - { \ - x, #x \ - } +#define NS_VALSTR_STRUCT(x) \ + { x, #x } #endif /* NS_COMMON_H */ diff --git a/config.cc b/config.cc index cd73090..50a82a9 100644 --- a/config.cc +++ b/config.cc @@ -38,9 +38,9 @@ extern "C" { #include "util.h" } -#include #include #include +#include #include #include @@ -49,8 +49,7 @@ extern "C" { #define DUP_IF_SET(njc, val) (njc.has_##val() ? njc.val().c_str() : NULL) static __rlim64_t configRLimit( - int res, const nsjail::RLimit& rl, const uint64_t val, unsigned long mul = 1UL) -{ + int res, const nsjail::RLimit& rl, const uint64_t val, unsigned long mul = 1UL) { if (rl == nsjail::RLimit::VALUE) { return (val * mul); } @@ -67,8 +66,7 @@ static __rlim64_t configRLimit( abort(); } -static bool configParseInternal(struct nsjconf_t* nsjconf, const nsjail::NsJailConfig& njc) -{ +static bool configParseInternal(struct nsjconf_t* nsjconf, const nsjail::NsJailConfig& njc) { switch (njc.mode()) { case nsjail::Mode::LISTEN: nsjconf->mode = MODE_LISTEN_TCP; @@ -132,16 +130,16 @@ static bool configParseInternal(struct nsjconf_t* nsjconf, const nsjail::NsJailC nsjconf->keep_env = njc.keep_env(); for (ssize_t i = 0; i < njc.envar_size(); i++) { - struct charptr_t* p - = reinterpret_cast(utilMalloc(sizeof(struct charptr_t))); + struct charptr_t* p = + reinterpret_cast(utilMalloc(sizeof(struct charptr_t))); p->val = njc.envar(i).c_str(); TAILQ_INSERT_TAIL(&nsjconf->envs, p, pointers); } nsjconf->keep_caps = njc.keep_caps(); for (ssize_t i = 0; i < njc.cap_size(); i++) { - struct ints_t* f - = reinterpret_cast(utilMalloc(sizeof(struct ints_t))); + struct ints_t* f = + reinterpret_cast(utilMalloc(sizeof(struct ints_t))); f->val = capsNameToVal(njc.cap(i).c_str()); if (f->val == -1) { return false; @@ -153,23 +151,23 @@ static bool configParseInternal(struct nsjconf_t* nsjconf, const nsjail::NsJailC nsjconf->skip_setsid = njc.skip_setsid(); for (ssize_t i = 0; i < njc.pass_fd_size(); i++) { - struct ints_t* f - = reinterpret_cast(utilMalloc(sizeof(struct ints_t))); + struct ints_t* f = + reinterpret_cast(utilMalloc(sizeof(struct ints_t))); f->val = njc.pass_fd(i); TAILQ_INSERT_HEAD(&nsjconf->open_fds, f, pointers); } nsjconf->disable_no_new_privs = njc.disable_no_new_privs(); - nsjconf->rl_as - = configRLimit(RLIMIT_AS, njc.rlimit_as_type(), njc.rlimit_as(), 1024UL * 1024UL); - nsjconf->rl_core - = configRLimit(RLIMIT_CORE, njc.rlimit_core_type(), njc.rlimit_core(), 1024UL * 1024UL); + nsjconf->rl_as = + configRLimit(RLIMIT_AS, njc.rlimit_as_type(), njc.rlimit_as(), 1024UL * 1024UL); + nsjconf->rl_core = + configRLimit(RLIMIT_CORE, njc.rlimit_core_type(), njc.rlimit_core(), 1024UL * 1024UL); nsjconf->rl_cpu = configRLimit(RLIMIT_CPU, njc.rlimit_cpu_type(), njc.rlimit_cpu()); nsjconf->rl_fsize = configRLimit( RLIMIT_FSIZE, njc.rlimit_fsize_type(), njc.rlimit_fsize(), 1024UL * 1024UL); - nsjconf->rl_nofile - = configRLimit(RLIMIT_NOFILE, njc.rlimit_nofile_type(), njc.rlimit_nofile()); + nsjconf->rl_nofile = + configRLimit(RLIMIT_NOFILE, njc.rlimit_nofile_type(), njc.rlimit_nofile()); nsjconf->rl_nproc = configRLimit(RLIMIT_NPROC, njc.rlimit_nproc_type(), njc.rlimit_nproc()); nsjconf->rl_stack = configRLimit( RLIMIT_STACK, njc.rlimit_stack_type(), njc.rlimit_stack(), 1024UL * 1024UL); @@ -201,16 +199,14 @@ static bool configParseInternal(struct nsjconf_t* nsjconf, const nsjail::NsJailC for (ssize_t i = 0; i < njc.uidmap_size(); i++) { if (userParseId(nsjconf, DUP_IF_SET(njc.uidmap(i), inside_id), DUP_IF_SET(njc.uidmap(i), outside_id), njc.uidmap(i).count(), - false /* is_gid */, njc.uidmap(i).use_newidmap()) - == false) { + false /* is_gid */, njc.uidmap(i).use_newidmap()) == false) { return false; } } for (ssize_t i = 0; i < njc.gidmap_size(); i++) { if (userParseId(nsjconf, DUP_IF_SET(njc.gidmap(i), inside_id), DUP_IF_SET(njc.gidmap(i), outside_id), njc.gidmap(i).count(), - true /* is_gid */, njc.gidmap(i).use_newidmap()) - == false) { + true /* is_gid */, njc.gidmap(i).use_newidmap()) == false) { return false; } } @@ -219,16 +215,16 @@ static bool configParseInternal(struct nsjconf_t* nsjconf, const nsjail::NsJailC for (ssize_t i = 0; i < njc.mount_size(); i++) { const char* src = (njc.mount(i).has_src()) ? njc.mount(i).src().c_str() : NULL; const char* src_env = (njc.mount(i).has_prefix_src_env()) - ? njc.mount(i).prefix_src_env().c_str() - : NULL; + ? njc.mount(i).prefix_src_env().c_str() + : NULL; const char* dst = (njc.mount(i).has_dst()) ? njc.mount(i).dst().c_str() : NULL; const char* dst_env = (njc.mount(i).has_prefix_dst_env()) - ? njc.mount(i).prefix_dst_env().c_str() - : NULL; - const char* fstype - = (njc.mount(i).has_fstype()) ? njc.mount(i).fstype().c_str() : NULL; - const char* options - = (njc.mount(i).has_options()) ? njc.mount(i).options().c_str() : NULL; + ? njc.mount(i).prefix_dst_env().c_str() + : NULL; + const char* fstype = + (njc.mount(i).has_fstype()) ? njc.mount(i).fstype().c_str() : NULL; + const char* options = + (njc.mount(i).has_options()) ? njc.mount(i).options().c_str() : NULL; uintptr_t flags = (njc.mount(i).rw() == false) ? MS_RDONLY : 0; flags |= njc.mount(i).is_bind() ? (MS_BIND | MS_REC | MS_PRIVATE) : 0; @@ -247,16 +243,16 @@ static bool configParseInternal(struct nsjconf_t* nsjconf, const nsjail::NsJailC } if (mountAddMountPtTail(nsjconf, src, dst, fstype, options, flags, isDir, mandatory, - src_env, dst_env, src_content, src_content_len, njc.mount(i).is_symlink()) - == false) { + src_env, dst_env, src_content, src_content_len, + njc.mount(i).is_symlink()) == false) { LOG_E("Couldn't add mountpoint for src:'%s' dst:'%s'", src, dst); return false; } } if (njc.has_seccomp_policy_file()) { - if ((nsjconf->kafel_file = fopen(njc.seccomp_policy_file().c_str(), "rb")) - == NULL) { + if ((nsjconf->kafel_file = fopen(njc.seccomp_policy_file().c_str(), "rb")) == + NULL) { PLOG_W("Couldn't open file with seccomp policy '%s'", njc.seccomp_policy_file().c_str()); return false; @@ -267,8 +263,8 @@ static bool configParseInternal(struct nsjconf_t* nsjconf, const nsjail::NsJailC for (ssize_t i = 0; i < njc.seccomp_string().size(); i++) { kafel_string += njc.seccomp_string(i); } - nsjconf->kafel_string - = njc.seccomp_string().size() > 0 ? utilStrDup(kafel_string.c_str()) : NULL; + nsjconf->kafel_string = + njc.seccomp_string().size() > 0 ? utilStrDup(kafel_string.c_str()) : NULL; nsjconf->cgroup_mem_max = njc.cgroup_mem_max(); nsjconf->cgroup_mem_mount = njc.cgroup_mem_mount().c_str(); @@ -306,13 +302,11 @@ static bool configParseInternal(struct nsjconf_t* nsjconf, const nsjail::NsJailC } static void LogHandler( - google::protobuf::LogLevel level, const char* filename, int line, const std::string& message) -{ + google::protobuf::LogLevel level, const char* filename, int line, const std::string& message) { LOG_W("config.cc: '%s'", message.c_str()); } -extern "C" bool configParse(struct nsjconf_t* nsjconf, const char* file) -{ +extern "C" bool configParse(struct nsjconf_t* nsjconf, const char* file) { LOG_I("Parsing configuration from '%s'", file); int fd = open(file, O_RDONLY); diff --git a/config.h b/config.h index 9ddeda6..a789c3b 100644 --- a/config.h +++ b/config.h @@ -33,6 +33,6 @@ extern "C" { bool configParse(struct nsjconf_t* nsjconf, const char* file); #ifdef __cplusplus -} // extern "C" +} // extern "C" #endif #endif /* NS_CONFIG_H */ diff --git a/contain.c b/contain.c index 09b38d5..c772fa4 100644 --- a/contain.c +++ b/contain.c @@ -57,8 +57,7 @@ static bool containInitUtsNs(struct nsjconf_t* nsjconf) { return utsInitNs(nsjco static bool containInitCgroupNs(void) { return cgroupInitNs(); } -static bool containDropPrivs(struct nsjconf_t* nsjconf) -{ +static bool containDropPrivs(struct nsjconf_t* nsjconf) { #ifndef PR_SET_NO_NEW_PRIVS #define PR_SET_NO_NEW_PRIVS 38 #endif @@ -76,8 +75,7 @@ static bool containDropPrivs(struct nsjconf_t* nsjconf) return true; } -static bool containPrepareEnv(struct nsjconf_t* nsjconf) -{ +static bool containPrepareEnv(struct nsjconf_t* nsjconf) { if (prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0) == -1) { PLOG_E("prctl(PR_SET_PDEATHSIG, SIGKILL)"); return false; @@ -100,8 +98,7 @@ static bool containInitMountNs(struct nsjconf_t* nsjconf) { return mountInitNs(n static bool containCPU(struct nsjconf_t* nsjconf) { return cpuInit(nsjconf); } -static bool containSetLimits(struct nsjconf_t* nsjconf) -{ +static bool containSetLimits(struct nsjconf_t* nsjconf) { struct rlimit64 rl; rl.rlim_cur = rl.rlim_max = nsjconf->rl_as; if (setrlimit64(RLIMIT_AS, &rl) == -1) { @@ -141,11 +138,9 @@ static bool containSetLimits(struct nsjconf_t* nsjconf) return true; } -static bool containPassFd(struct nsjconf_t* nsjconf, int fd) -{ +static bool containPassFd(struct nsjconf_t* nsjconf, int fd) { struct ints_t* p; - TAILQ_FOREACH(p, &nsjconf->open_fds, pointers) - { + TAILQ_FOREACH(p, &nsjconf->open_fds, pointers) { if (p->val == fd) { return true; } @@ -153,8 +148,7 @@ static bool containPassFd(struct nsjconf_t* nsjconf, int fd) return false; } -static bool containMakeFdsCOENaive(struct nsjconf_t* nsjconf) -{ +static bool containMakeFdsCOENaive(struct nsjconf_t* nsjconf) { /* * Don't use getrlimit(RLIMIT_NOFILE) here, as it can return an artifically small value * (e.g. 32), which could be smaller than a maximum assigned number to file-descriptors @@ -181,8 +175,7 @@ static bool containMakeFdsCOENaive(struct nsjconf_t* nsjconf) return true; } -static bool containMakeFdsCOEProc(struct nsjconf_t* nsjconf) -{ +static bool containMakeFdsCOEProc(struct nsjconf_t* nsjconf) { int dirfd = open("/proc/self/fd", O_DIRECTORY | O_RDONLY | O_CLOEXEC); if (dirfd == -1) { PLOG_D("open('/proc/self/fd', O_DIRECTORY|O_RDONLY)"); @@ -243,8 +236,7 @@ static bool containMakeFdsCOEProc(struct nsjconf_t* nsjconf) return true; } -static bool containMakeFdsCOE(struct nsjconf_t* nsjconf) -{ +static bool containMakeFdsCOE(struct nsjconf_t* nsjconf) { if (containMakeFdsCOEProc(nsjconf)) { return true; } @@ -255,8 +247,7 @@ static bool containMakeFdsCOE(struct nsjconf_t* nsjconf) return false; } -bool containSetupFD(struct nsjconf_t* nsjconf, int fd_in, int fd_out, int fd_err) -{ +bool containSetupFD(struct nsjconf_t* nsjconf, int fd_in, int fd_out, int fd_err) { if (nsjconf->mode != MODE_LISTEN_TCP) { if (nsjconf->is_silent == false) { return true; @@ -282,8 +273,7 @@ bool containSetupFD(struct nsjconf_t* nsjconf, int fd_in, int fd_out, int fd_err return true; } -bool containContain(struct nsjconf_t* nsjconf) -{ +bool containContain(struct nsjconf_t* nsjconf) { if (containUserNs(nsjconf) == false) { return false; } diff --git a/cpu.c b/cpu.c index e9a2f7f..bbd6c2f 100644 --- a/cpu.c +++ b/cpu.c @@ -30,8 +30,7 @@ #include "log.h" #include "util.h" -static void cpuSetRandomCpu(cpu_set_t* mask, size_t mask_size, size_t cpu_num) -{ +static void cpuSetRandomCpu(cpu_set_t* mask, size_t mask_size, size_t cpu_num) { if ((size_t)CPU_COUNT_S(mask_size, mask) >= cpu_num) { LOG_F( "Number of CPUs in the mask '%d' is bigger than number of available CPUs '%zu'", @@ -48,8 +47,7 @@ static void cpuSetRandomCpu(cpu_set_t* mask, size_t mask_size, size_t cpu_num) } } -bool cpuInit(struct nsjconf_t* nsjconf) -{ +bool cpuInit(struct nsjconf_t* nsjconf) { if (nsjconf->num_cpus < 0) { PLOG_W("sysconf(_SC_NPROCESSORS_ONLN) returned %ld", nsjconf->num_cpus); return false; diff --git a/log.c b/log.c index 66c664e..42ffd9c 100644 --- a/log.c +++ b/log.c @@ -49,8 +49,7 @@ __attribute__((constructor)) static void log_init(void) { log_fd_isatty = isatty * Log to stderr by default. Use a dup()d fd, because in the future we'll associate the * connection socket with fd (0, 1, 2). */ -bool logInitLogFile(struct nsjconf_t* nsjconf) -{ +bool logInitLogFile(struct nsjconf_t* nsjconf) { /* Close previous log_fd */ if (log_fd > STDERR_FILENO) { close(log_fd); @@ -66,8 +65,7 @@ bool logInitLogFile(struct nsjconf_t* nsjconf) log_fd = fcntl(log_fd, F_DUPFD_CLOEXEC, 0); } else { if (TEMP_FAILURE_RETRY( - log_fd = open(nsjconf->logfile, O_CREAT | O_RDWR | O_APPEND, 0640)) - == -1) { + log_fd = open(nsjconf->logfile, O_CREAT | O_RDWR | O_APPEND, 0640)) == -1) { log_fd = STDERR_FILENO; PLOG_E("Couldn't open logfile open('%s')", nsjconf->logfile); return false; @@ -77,8 +75,7 @@ bool logInitLogFile(struct nsjconf_t* nsjconf) return true; } -void logLog(enum llevel_t ll, const char* fn, int ln, bool perr, const char* fmt, ...) -{ +void logLog(enum llevel_t ll, const char* fn, int ln, bool perr, const char* fmt, ...) { if (ll < log_level) { return; } @@ -94,13 +91,13 @@ void logLog(enum llevel_t ll, const char* fn, int ln, bool perr, const char* fmt const bool print_time; }; static struct ll_t const logLevels[] = { - { "D", "\033[0;4m", true, true }, - { "I", "\033[1m", false, true }, - { "W", "\033[0;33m", true, true }, - { "E", "\033[1;31m", true, true }, - { "F", "\033[7;35m", true, true }, - { "HR", "\033[0m", false, false }, - { "HB", "\033[1m", false, false }, + {"D", "\033[0;4m", true, true}, + {"I", "\033[1m", false, true}, + {"W", "\033[0;33m", true, true}, + {"E", "\033[1;31m", true, true}, + {"F", "\033[7;35m", true, true}, + {"HR", "\033[0m", false, false}, + {"HB", "\033[1m", false, false}, }; time_t ltstamp = time(NULL); diff --git a/mount.c b/mount.c index eabfc8d..a1d2988 100644 --- a/mount.c +++ b/mount.c @@ -50,8 +50,7 @@ #define MS_LAZYTIME (1 << 25) #endif /* if !defined(MS_LAZYTIME) */ -const char* mountFlagsToStr(uintptr_t flags) -{ +const char* mountFlagsToStr(uintptr_t flags) { static __thread char mountFlagsStr[1024]; mountFlagsStr[0] = '\0'; @@ -59,30 +58,30 @@ const char* mountFlagsToStr(uintptr_t flags) const uintptr_t flag; const char* const name; } const mountFlags[] = { - NS_VALSTR_STRUCT(MS_RDONLY), - NS_VALSTR_STRUCT(MS_NOSUID), - NS_VALSTR_STRUCT(MS_NODEV), - NS_VALSTR_STRUCT(MS_NOEXEC), - NS_VALSTR_STRUCT(MS_SYNCHRONOUS), - NS_VALSTR_STRUCT(MS_REMOUNT), - NS_VALSTR_STRUCT(MS_MANDLOCK), - NS_VALSTR_STRUCT(MS_DIRSYNC), - NS_VALSTR_STRUCT(MS_NOATIME), - NS_VALSTR_STRUCT(MS_NODIRATIME), - NS_VALSTR_STRUCT(MS_BIND), - NS_VALSTR_STRUCT(MS_MOVE), - NS_VALSTR_STRUCT(MS_REC), - NS_VALSTR_STRUCT(MS_SILENT), - NS_VALSTR_STRUCT(MS_POSIXACL), - NS_VALSTR_STRUCT(MS_UNBINDABLE), - NS_VALSTR_STRUCT(MS_PRIVATE), - NS_VALSTR_STRUCT(MS_SLAVE), - NS_VALSTR_STRUCT(MS_SHARED), - NS_VALSTR_STRUCT(MS_RELATIME), - NS_VALSTR_STRUCT(MS_KERNMOUNT), - NS_VALSTR_STRUCT(MS_I_VERSION), - NS_VALSTR_STRUCT(MS_STRICTATIME), - NS_VALSTR_STRUCT(MS_LAZYTIME), + NS_VALSTR_STRUCT(MS_RDONLY), + NS_VALSTR_STRUCT(MS_NOSUID), + NS_VALSTR_STRUCT(MS_NODEV), + NS_VALSTR_STRUCT(MS_NOEXEC), + NS_VALSTR_STRUCT(MS_SYNCHRONOUS), + NS_VALSTR_STRUCT(MS_REMOUNT), + NS_VALSTR_STRUCT(MS_MANDLOCK), + NS_VALSTR_STRUCT(MS_DIRSYNC), + NS_VALSTR_STRUCT(MS_NOATIME), + NS_VALSTR_STRUCT(MS_NODIRATIME), + NS_VALSTR_STRUCT(MS_BIND), + NS_VALSTR_STRUCT(MS_MOVE), + NS_VALSTR_STRUCT(MS_REC), + NS_VALSTR_STRUCT(MS_SILENT), + NS_VALSTR_STRUCT(MS_POSIXACL), + NS_VALSTR_STRUCT(MS_UNBINDABLE), + NS_VALSTR_STRUCT(MS_PRIVATE), + NS_VALSTR_STRUCT(MS_SLAVE), + NS_VALSTR_STRUCT(MS_SHARED), + NS_VALSTR_STRUCT(MS_RELATIME), + NS_VALSTR_STRUCT(MS_KERNMOUNT), + NS_VALSTR_STRUCT(MS_I_VERSION), + NS_VALSTR_STRUCT(MS_STRICTATIME), + NS_VALSTR_STRUCT(MS_LAZYTIME), }; for (size_t i = 0; i < ARRAYSIZE(mountFlags); i++) { @@ -100,8 +99,7 @@ const char* mountFlagsToStr(uintptr_t flags) return mountFlagsStr; } -static bool mountIsDir(const char* path) -{ +static bool mountIsDir(const char* path) { /* * If the source dir is NULL, we assume it's a dir (for /proc and tmpfs) */ @@ -119,8 +117,7 @@ static bool mountIsDir(const char* path) return false; } -static bool mountMount(struct mounts_t* mpt, const char* newroot, const char* tmpdir) -{ +static bool mountMount(struct mounts_t* mpt, const char* newroot, const char* tmpdir) { char dst[PATH_MAX]; snprintf(dst, sizeof(dst), "%s/%s", newroot, mpt->dst); @@ -198,9 +195,10 @@ static bool mountMount(struct mounts_t* mpt, const char* newroot, const char* tm unsigned long flags = mpt->flags & ~(MS_RDONLY); if (mount(srcpath, dst, mpt->fs_type, flags, mpt->options) == -1) { if (errno == EACCES) { - PLOG_W("mount('%s') src:'%s' dst:'%s' failed. " - "Try fixing this problem by applying 'chmod o+x' to the '%s' " - "directory and its ancestors", + PLOG_W( + "mount('%s') src:'%s' dst:'%s' failed. " + "Try fixing this problem by applying 'chmod o+x' to the '%s' " + "directory and its ancestors", mountDescribeMountPt(mpt), srcpath, dst, srcpath); } else { PLOG_W("mount('%s') src:'%s' dst:'%s' failed", mountDescribeMountPt(mpt), @@ -217,8 +215,7 @@ static bool mountMount(struct mounts_t* mpt, const char* newroot, const char* tm return true; } -static bool mountRemountRO(struct mounts_t* mpt) -{ +static bool mountRemountRO(struct mounts_t* mpt) { if (!mpt->mounted) { return true; } @@ -252,8 +249,7 @@ static bool mountRemountRO(struct mounts_t* mpt) return true; } -static bool mountMkdirAndTest(const char* dir) -{ +static bool mountMkdirAndTest(const char* dir) { if (mkdir(dir, 0755) == -1 && errno != EEXIST) { PLOG_D("Couldn't create '%s' directory", dir); return false; @@ -266,8 +262,7 @@ static bool mountMkdirAndTest(const char* dir) return true; } -static bool mountGetDir(struct nsjconf_t* nsjconf, char* dir, const char* name) -{ +static bool mountGetDir(struct nsjconf_t* nsjconf, char* dir, const char* name) { snprintf(dir, PATH_MAX, "/run/user/%u/nsjail.%s", nsjconf->orig_uid, name); if (mountMkdirAndTest(dir)) { return true; @@ -296,16 +291,16 @@ static bool mountGetDir(struct nsjconf_t* nsjconf, char* dir, const char* name) return false; } -static bool mountInitNsInternal(struct nsjconf_t* nsjconf) -{ +static bool mountInitNsInternal(struct nsjconf_t* nsjconf) { /* * If CLONE_NEWNS is not used, we would be changing the global mount namespace, so simply * use --chroot in this case */ if (nsjconf->clone_newns == false) { if (nsjconf->chroot == NULL) { - PLOG_E("--chroot was not specified, and it's required when not using " - "CLONE_NEWNS"); + PLOG_E( + "--chroot was not specified, and it's required when not using " + "CLONE_NEWNS"); return false; } if (chroot(nsjconf->chroot) == -1) { @@ -351,8 +346,7 @@ static bool mountInitNsInternal(struct nsjconf_t* nsjconf) } struct mounts_t* p; - TAILQ_FOREACH(p, &nsjconf->mountpts, pointers) - { + TAILQ_FOREACH(p, &nsjconf->mountpts, pointers) { if (mountMount(p, destdir, tmpdir) == false && p->mandatory) { return false; } @@ -383,8 +377,7 @@ static bool mountInitNsInternal(struct nsjconf_t* nsjconf) return false; } - TAILQ_FOREACH(p, &nsjconf->mountpts, pointers) - { + TAILQ_FOREACH(p, &nsjconf->mountpts, pointers) { if (mountRemountRO(p) == false && p->mandatory) { return false; } @@ -397,8 +390,7 @@ static bool mountInitNsInternal(struct nsjconf_t* nsjconf) * With mode MODE_STANDALONE_EXECVE it's required to mount /proc inside a new process, * as the current process is still in the original PID namespace (man pid_namespaces) */ -bool mountInitNs(struct nsjconf_t* nsjconf) -{ +bool mountInitNs(struct nsjconf_t* nsjconf) { if (nsjconf->mode != MODE_STANDALONE_EXECVE) { return mountInitNsInternal(nsjconf); } @@ -424,8 +416,7 @@ bool mountInitNs(struct nsjconf_t* nsjconf) static bool mountAddMountPt(struct nsjconf_t* nsjconf, bool head, const char* src, const char* dst, const char* fstype, const char* options, uintptr_t flags, isDir_t isDir, bool mandatory, const char* src_env, const char* dst_env, const char* src_content, size_t src_content_len, - bool is_symlink) -{ + bool is_symlink) { struct mounts_t* p = utilCalloc(sizeof(struct mounts_t)); if (src_env) { @@ -502,8 +493,7 @@ static bool mountAddMountPt(struct nsjconf_t* nsjconf, bool head, const char* sr bool mountAddMountPtHead(struct nsjconf_t* nsjconf, const char* src, const char* dst, const char* fstype, const char* options, uintptr_t flags, isDir_t isDir, bool mandatory, const char* src_env, const char* dst_env, const char* src_content, size_t src_content_len, - bool is_symlink) -{ + bool is_symlink) { return mountAddMountPt(nsjconf, /* head= */ true, src, dst, fstype, options, flags, isDir, mandatory, src_env, dst_env, src_content, src_content_len, is_symlink); } @@ -511,14 +501,12 @@ bool mountAddMountPtHead(struct nsjconf_t* nsjconf, const char* src, const char* bool mountAddMountPtTail(struct nsjconf_t* nsjconf, const char* src, const char* dst, const char* fstype, const char* options, uintptr_t flags, isDir_t isDir, bool mandatory, const char* src_env, const char* dst_env, const char* src_content, size_t src_content_len, - bool is_symlink) -{ + bool is_symlink) { return mountAddMountPt(nsjconf, /* head= */ false, src, dst, fstype, options, flags, isDir, mandatory, src_env, dst_env, src_content, src_content_len, is_symlink); } -const char* mountDescribeMountPt(struct mounts_t* mpt) -{ +const char* mountDescribeMountPt(struct mounts_t* mpt) { static __thread char mount_pt_descr[4096]; snprintf(mount_pt_descr, sizeof(mount_pt_descr), diff --git a/net.c b/net.c index 9cec1de..7460a5b 100644 --- a/net.c +++ b/net.c @@ -50,8 +50,7 @@ extern char** environ; #if defined(NSJAIL_NL3_WITH_MACVLAN) #include #include -bool netInitNsFromParent(struct nsjconf_t* nsjconf, int pid) -{ +bool netInitNsFromParent(struct nsjconf_t* nsjconf, int pid) { if (nsjconf->clone_newnet == false) { return true; } @@ -116,10 +115,9 @@ bool netInitNsFromParent(struct nsjconf_t* nsjconf, int pid) nl_socket_free(sk); return true; } -#else // defined(NSJAIL_NL3_WITH_MACVLAN) +#else // defined(NSJAIL_NL3_WITH_MACVLAN) -bool netInitNsFromParent(struct nsjconf_t* nsjconf, int pid) -{ +bool netInitNsFromParent(struct nsjconf_t* nsjconf, int pid) { if (nsjconf->clone_newnet == false) { return true; } @@ -133,8 +131,8 @@ bool netInitNsFromParent(struct nsjconf_t* nsjconf, int pid) char pid_str[256]; snprintf(pid_str, sizeof(pid_str), "%d", pid); - const char* argv[] = { "/sbin/ip", "link", "add", "link", (char*)nsjconf->iface_vs, "name", - IFACE_NAME, "netns", pid_str, "type", "macvlan", "mode", "bridge", NULL }; + const char* argv[] = {"/sbin/ip", "link", "add", "link", (char*)nsjconf->iface_vs, "name", + IFACE_NAME, "netns", pid_str, "type", "macvlan", "mode", "bridge", NULL}; if (subprocSystem(argv, environ) != 0) { LOG_E("Couldn't create MACVTAP interface for '%s'", nsjconf->iface_vs); return false; @@ -142,10 +140,9 @@ bool netInitNsFromParent(struct nsjconf_t* nsjconf, int pid) return true; } -#endif // defined(NSJAIL_NL3_WITH_MACVLAN) +#endif // defined(NSJAIL_NL3_WITH_MACVLAN) -static bool netIsSocket(int fd) -{ +static bool netIsSocket(int fd) { int optval; socklen_t optlen = sizeof(optval); int ret = getsockopt(fd, SOL_SOCKET, SO_TYPE, &optval, &optlen); @@ -155,8 +152,7 @@ static bool netIsSocket(int fd) return true; } -bool netLimitConns(struct nsjconf_t* nsjconf, int connsock) -{ +bool netLimitConns(struct nsjconf_t* nsjconf, int connsock) { /* 0 means 'unlimited' */ if (nsjconf->max_conns_per_ip == 0) { return true; @@ -168,11 +164,9 @@ bool netLimitConns(struct nsjconf_t* nsjconf, int connsock) unsigned int cnt = 0; struct pids_t* p; - TAILQ_FOREACH(p, &nsjconf->pids, pointers) - { + TAILQ_FOREACH(p, &nsjconf->pids, pointers) { if (memcmp(addr.sin6_addr.s6_addr, p->remote_addr.sin6_addr.s6_addr, - sizeof(*p->remote_addr.sin6_addr.s6_addr)) - == 0) { + sizeof(*p->remote_addr.sin6_addr.s6_addr)) == 0) { cnt++; } } @@ -186,11 +180,11 @@ bool netLimitConns(struct nsjconf_t* nsjconf, int connsock) return true; } -int netGetRecvSocket(const char* bindhost, int port) -{ +int netGetRecvSocket(const char* bindhost, int port) { if (port < 1 || port > 65535) { - LOG_F("TCP port %d out of bounds (0 <= port <= 65535), specify one with --port " - "", + LOG_F( + "TCP port %d out of bounds (0 <= port <= 65535), specify one with --port " + "", port); } @@ -220,11 +214,11 @@ int netGetRecvSocket(const char* bindhost, int port) return -1; } struct sockaddr_in6 addr = { - .sin6_family = AF_INET6, - .sin6_port = htons(port), - .sin6_flowinfo = 0, - .sin6_addr = in6a, - .sin6_scope_id = 0, + .sin6_family = AF_INET6, + .sin6_port = htons(port), + .sin6_flowinfo = 0, + .sin6_addr = in6a, + .sin6_scope_id = 0, }; if (bind(sockfd, (struct sockaddr*)&addr, sizeof(addr)) == -1) { close(sockfd); @@ -244,8 +238,7 @@ int netGetRecvSocket(const char* bindhost, int port) return sockfd; } -int netAcceptConn(int listenfd) -{ +int netAcceptConn(int listenfd) { struct sockaddr_in6 cli_addr; socklen_t socklen = sizeof(cli_addr); int connfd = accept(listenfd, (struct sockaddr*)&cli_addr, &socklen); @@ -264,8 +257,7 @@ int netAcceptConn(int listenfd) return connfd; } -void netConnToText(int fd, bool remote, char* buf, size_t s, struct sockaddr_in6* addr_or_null) -{ +void netConnToText(int fd, bool remote, char* buf, size_t s, struct sockaddr_in6* addr_or_null) { if (netIsSocket(fd) == false) { snprintf(buf, s, "[STANDALONE_MODE]"); return; @@ -301,8 +293,7 @@ void netConnToText(int fd, bool remote, char* buf, size_t s, struct sockaddr_in6 return; } -static bool netIfaceUp(const char* ifacename) -{ +static bool netIfaceUp(const char* ifacename) { int sock = socket(AF_INET, SOCK_STREAM, IPPROTO_IP); if (sock == -1) { PLOG_E("socket(AF_INET, SOCK_STREAM, IPPROTO_IP)"); @@ -331,8 +322,7 @@ static bool netIfaceUp(const char* ifacename) return true; } -static bool netConfigureVs(struct nsjconf_t* nsjconf) -{ +static bool netConfigureVs(struct nsjconf_t* nsjconf) { struct ifreq ifr; memset(&ifr, '\0', sizeof(ifr)); snprintf(ifr.ifr_name, IF_NAMESIZE, "%s", IFACE_NAME); @@ -419,8 +409,7 @@ static bool netConfigureVs(struct nsjconf_t* nsjconf) return true; } -bool netInitNsFromChild(struct nsjconf_t* nsjconf) -{ +bool netInitNsFromChild(struct nsjconf_t* nsjconf) { if (nsjconf->clone_newnet == false) { return true; } diff --git a/nsjail.c b/nsjail.c index 3cf01d2..3bbc8a0 100644 --- a/nsjail.c +++ b/nsjail.c @@ -39,8 +39,7 @@ static __thread int nsjailSigFatal = 0; static __thread bool nsjailShowProc = false; -static void nsjailSig(int sig) -{ +static void nsjailSig(int sig) { if (sig == SIGALRM) { return; } @@ -54,17 +53,16 @@ static void nsjailSig(int sig) nsjailSigFatal = sig; } -static bool nsjailSetSigHandler(int sig) -{ +static bool nsjailSetSigHandler(int sig) { LOG_D("Setting sighandler for signal %s (%d)", utilSigName(sig), sig); sigset_t smask; sigemptyset(&smask); struct sigaction sa = { - .sa_handler = nsjailSig, - .sa_mask = smask, - .sa_flags = 0, - .sa_restorer = NULL, + .sa_handler = nsjailSig, + .sa_mask = smask, + .sa_flags = 0, + .sa_restorer = NULL, }; if (sigaction(sig, &sa, NULL) == -1) { PLOG_E("sigaction(%d)", sig); @@ -73,8 +71,7 @@ static bool nsjailSetSigHandler(int sig) return true; } -static bool nsjailSetSigHandlers(void) -{ +static bool nsjailSetSigHandlers(void) { for (size_t i = 0; i < ARRAYSIZE(nssigs); i++) { if (!nsjailSetSigHandler(nssigs[i])) { return false; @@ -83,18 +80,19 @@ static bool nsjailSetSigHandlers(void) return true; } -static bool nsjailSetTimer(struct nsjconf_t* nsjconf) -{ +static bool nsjailSetTimer(struct nsjconf_t* nsjconf) { if (nsjconf->mode == MODE_STANDALONE_EXECVE) { return true; } struct itimerval it = { - .it_value = { + .it_value = + { .tv_sec = 1, .tv_usec = 0, }, - .it_interval = { + .it_interval = + { .tv_sec = 1, .tv_usec = 0, }, @@ -106,8 +104,7 @@ static bool nsjailSetTimer(struct nsjconf_t* nsjconf) return true; } -static void nsjailListenMode(struct nsjconf_t* nsjconf) -{ +static void nsjailListenMode(struct nsjconf_t* nsjconf) { int listenfd = netGetRecvSocket(nsjconf->bindhost, nsjconf->port); if (listenfd == -1) { return; @@ -132,8 +129,7 @@ static void nsjailListenMode(struct nsjconf_t* nsjconf) } } -static int nsjailStandaloneMode(struct nsjconf_t* nsjconf) -{ +static int nsjailStandaloneMode(struct nsjconf_t* nsjconf) { subprocRunChild(nsjconf, STDIN_FILENO, STDOUT_FILENO, STDERR_FILENO); for (;;) { int child_status = subprocReap(nsjconf); @@ -160,8 +156,7 @@ static int nsjailStandaloneMode(struct nsjconf_t* nsjconf) // not reached } -int main(int argc, char* argv[]) -{ +int main(int argc, char* argv[]) { struct nsjconf_t nsjconf; if (!cmdlineParse(argc, argv, &nsjconf)) { LOG_F("Couldn't parse cmdline options"); @@ -191,4 +186,4 @@ int main(int argc, char* argv[]) /* * To satisfy requirement for BlocksRuntime in clang -fblocks */ -void* _NSConcreteStackBlock[32] = { 0 }; +void* _NSConcreteStackBlock[32] = {0}; diff --git a/nsjail.h b/nsjail.h index 6c3dd0e..038e58c 100644 --- a/nsjail.h +++ b/nsjail.h @@ -32,12 +32,12 @@ #include static const int nssigs[] = { - SIGINT, - SIGQUIT, - SIGUSR1, - SIGALRM, - SIGCHLD, - SIGTERM, + SIGINT, + SIGQUIT, + SIGUSR1, + SIGALRM, + SIGCHLD, + SIGTERM, }; struct pids_t { diff --git a/pid.c b/pid.c index 1da2485..79073d8 100644 --- a/pid.c +++ b/pid.c @@ -31,8 +31,7 @@ #include "log.h" #include "subproc.h" -bool pidInitNs(struct nsjconf_t* nsjconf) -{ +bool pidInitNs(struct nsjconf_t* nsjconf) { if (nsjconf->mode != MODE_STANDALONE_EXECVE) { return true; } @@ -68,9 +67,9 @@ bool pidInitNs(struct nsjconf_t* nsjconf) /* Act sort-a like a init by reaping zombie processes */ struct sigaction sa = { - .sa_handler = SIG_DFL, - .sa_flags = SA_NOCLDWAIT | SA_NOCLDSTOP, - .sa_restorer = NULL, + .sa_handler = SIG_DFL, + .sa_flags = SA_NOCLDWAIT | SA_NOCLDSTOP, + .sa_restorer = NULL, }; sigemptyset(&sa.sa_mask); if (sigaction(SIGCHLD, &sa, NULL) == -1) { diff --git a/sandbox.c b/sandbox.c index ca27437..381849a 100644 --- a/sandbox.c +++ b/sandbox.c @@ -33,8 +33,7 @@ #define PR_SET_NO_NEW_PRIVS 38 #endif /* PR_SET_NO_NEW_PRIVS */ -static bool sandboxPrepareAndCommit(struct nsjconf_t* nsjconf) -{ +static bool sandboxPrepareAndCommit(struct nsjconf_t* nsjconf) { if (nsjconf->kafel_file == NULL && nsjconf->kafel_string == NULL) { return true; } diff --git a/subproc.c b/subproc.c index 77d895a..3c6f6e4 100644 --- a/subproc.c +++ b/subproc.c @@ -57,8 +57,7 @@ static const char subprocDoneChar = 'D'; #define CLONE_NEWCGROUP 0x02000000 #endif /* !defined(CLONE_NEWCGROUP) */ -static const char* subprocCloneFlagsToStr(uintptr_t flags) -{ +static const char* subprocCloneFlagsToStr(uintptr_t flags) { static __thread char cloneFlagName[1024]; cloneFlagName[0] = '\0'; @@ -66,29 +65,29 @@ static const char* subprocCloneFlagsToStr(uintptr_t flags) const uintptr_t flag; const char* const name; } const cloneFlags[] = { - NS_VALSTR_STRUCT(CLONE_VM), - NS_VALSTR_STRUCT(CLONE_FS), - NS_VALSTR_STRUCT(CLONE_FILES), - NS_VALSTR_STRUCT(CLONE_SIGHAND), - NS_VALSTR_STRUCT(CLONE_PTRACE), - NS_VALSTR_STRUCT(CLONE_VFORK), - NS_VALSTR_STRUCT(CLONE_PARENT), - NS_VALSTR_STRUCT(CLONE_THREAD), - NS_VALSTR_STRUCT(CLONE_NEWNS), - NS_VALSTR_STRUCT(CLONE_SYSVSEM), - NS_VALSTR_STRUCT(CLONE_SETTLS), - NS_VALSTR_STRUCT(CLONE_PARENT_SETTID), - NS_VALSTR_STRUCT(CLONE_CHILD_CLEARTID), - NS_VALSTR_STRUCT(CLONE_DETACHED), - NS_VALSTR_STRUCT(CLONE_UNTRACED), - NS_VALSTR_STRUCT(CLONE_CHILD_SETTID), - NS_VALSTR_STRUCT(CLONE_NEWCGROUP), - NS_VALSTR_STRUCT(CLONE_NEWUTS), - NS_VALSTR_STRUCT(CLONE_NEWIPC), - NS_VALSTR_STRUCT(CLONE_NEWUSER), - NS_VALSTR_STRUCT(CLONE_NEWPID), - NS_VALSTR_STRUCT(CLONE_NEWNET), - NS_VALSTR_STRUCT(CLONE_IO), + NS_VALSTR_STRUCT(CLONE_VM), + NS_VALSTR_STRUCT(CLONE_FS), + NS_VALSTR_STRUCT(CLONE_FILES), + NS_VALSTR_STRUCT(CLONE_SIGHAND), + NS_VALSTR_STRUCT(CLONE_PTRACE), + NS_VALSTR_STRUCT(CLONE_VFORK), + NS_VALSTR_STRUCT(CLONE_PARENT), + NS_VALSTR_STRUCT(CLONE_THREAD), + NS_VALSTR_STRUCT(CLONE_NEWNS), + NS_VALSTR_STRUCT(CLONE_SYSVSEM), + NS_VALSTR_STRUCT(CLONE_SETTLS), + NS_VALSTR_STRUCT(CLONE_PARENT_SETTID), + NS_VALSTR_STRUCT(CLONE_CHILD_CLEARTID), + NS_VALSTR_STRUCT(CLONE_DETACHED), + NS_VALSTR_STRUCT(CLONE_UNTRACED), + NS_VALSTR_STRUCT(CLONE_CHILD_SETTID), + NS_VALSTR_STRUCT(CLONE_NEWCGROUP), + NS_VALSTR_STRUCT(CLONE_NEWUTS), + NS_VALSTR_STRUCT(CLONE_NEWIPC), + NS_VALSTR_STRUCT(CLONE_NEWUSER), + NS_VALSTR_STRUCT(CLONE_NEWPID), + NS_VALSTR_STRUCT(CLONE_NEWNET), + NS_VALSTR_STRUCT(CLONE_IO), }; for (size_t i = 0; i < ARRAYSIZE(cloneFlags); i++) { @@ -111,8 +110,7 @@ static const char* subprocCloneFlagsToStr(uintptr_t flags) } /* Reset the execution environment for the new process */ -static bool subprocReset(void) -{ +static bool subprocReset(void) { /* Set all previously changed signals to their default behavior */ for (size_t i = 0; i < ARRAYSIZE(nssigs); i++) { if (signal(nssigs[i], SIG_DFL) == SIG_ERR) { @@ -130,8 +128,8 @@ static bool subprocReset(void) return true; } -static int subprocNewProc(struct nsjconf_t* nsjconf, int fd_in, int fd_out, int fd_err, int pipefd) -{ +static int subprocNewProc( + struct nsjconf_t* nsjconf, int fd_in, int fd_out, int fd_err, int pipefd) { if (containSetupFD(nsjconf, fd_in, fd_out, fd_err) == false) { _exit(0xff); } @@ -183,7 +181,7 @@ static int subprocNewProc(struct nsjconf_t* nsjconf, int fd_in, int fd_out, int #if defined(__NR_execveat) syscall(__NR_execveat, (uintptr_t)nsjconf->exec_fd, "", (char* const*)&nsjconf->argv[0], environ, (uintptr_t)AT_EMPTY_PATH); -#else /* defined(__NR_execveat) */ +#else /* defined(__NR_execveat) */ LOG_F("Your system doesn't support execveat() syscall"); #endif /* defined(__NR_execveat) */ } else { @@ -195,8 +193,7 @@ static int subprocNewProc(struct nsjconf_t* nsjconf, int fd_in, int fd_out, int _exit(0xff); } -static void subprocAdd(struct nsjconf_t* nsjconf, pid_t pid, int sock) -{ +static void subprocAdd(struct nsjconf_t* nsjconf, pid_t pid, int sock) { struct pids_t* p = utilMalloc(sizeof(struct pids_t)); p->pid = pid; p->start = time(NULL); @@ -213,11 +210,9 @@ static void subprocAdd(struct nsjconf_t* nsjconf, pid_t pid, int sock) (unsigned int)p->start, p->remote_txt); } -static void subprocRemove(struct nsjconf_t* nsjconf, pid_t pid) -{ +static void subprocRemove(struct nsjconf_t* nsjconf, pid_t pid) { struct pids_t* p; - TAILQ_FOREACH(p, &nsjconf->pids, pointers) - { + TAILQ_FOREACH(p, &nsjconf->pids, pointers) { if (p->pid == pid) { LOG_D("Removing pid '%d' from the queue (IP:'%s', start time:'%s')", p->pid, p->remote_txt, utilTimeToStr(p->start)); @@ -230,21 +225,18 @@ static void subprocRemove(struct nsjconf_t* nsjconf, pid_t pid) LOG_W("PID: %d not found (?)", pid); } -int subprocCount(struct nsjconf_t* nsjconf) -{ +int subprocCount(struct nsjconf_t* nsjconf) { int cnt = 0; struct pids_t* p; TAILQ_FOREACH(p, &nsjconf->pids, pointers) { cnt++; } return cnt; } -void subprocDisplay(struct nsjconf_t* nsjconf) -{ +void subprocDisplay(struct nsjconf_t* nsjconf) { LOG_I("Total number of spawned namespaces: %d", subprocCount(nsjconf)); time_t now = time(NULL); struct pids_t* p; - TAILQ_FOREACH(p, &nsjconf->pids, pointers) - { + TAILQ_FOREACH(p, &nsjconf->pids, pointers) { time_t diff = now - p->start; time_t left = nsjconf->tlimit ? nsjconf->tlimit - diff : 0; LOG_I("PID: %d, Remote host: %s, Run time: %ld sec. (time left: %ld sec.)", p->pid, @@ -252,11 +244,9 @@ void subprocDisplay(struct nsjconf_t* nsjconf) } } -static struct pids_t* subprocGetPidElem(struct nsjconf_t* nsjconf, pid_t pid) -{ +static struct pids_t* subprocGetPidElem(struct nsjconf_t* nsjconf, pid_t pid) { struct pids_t* p; - TAILQ_FOREACH(p, &nsjconf->pids, pointers) - { + TAILQ_FOREACH(p, &nsjconf->pids, pointers) { if (p->pid == pid) { return p; } @@ -264,8 +254,7 @@ static struct pids_t* subprocGetPidElem(struct nsjconf_t* nsjconf, pid_t pid) return NULL; } -static void subprocSeccompViolation(struct nsjconf_t* nsjconf, siginfo_t* si) -{ +static void subprocSeccompViolation(struct nsjconf_t* nsjconf, siginfo_t* si) { LOG_W("PID: %d commited a syscall/seccomp violation and exited with SIGSYS", si->si_pid); struct pids_t* p = subprocGetPidElem(nsjconf, si->si_pid); @@ -304,8 +293,7 @@ static void subprocSeccompViolation(struct nsjconf_t* nsjconf, siginfo_t* si) } } -int subprocReap(struct nsjconf_t* nsjconf) -{ +int subprocReap(struct nsjconf_t* nsjconf) { int status; int rv = 0; siginfo_t si; @@ -354,8 +342,7 @@ int subprocReap(struct nsjconf_t* nsjconf) time_t now = time(NULL); struct pids_t* p; - TAILQ_FOREACH(p, &nsjconf->pids, pointers) - { + TAILQ_FOREACH(p, &nsjconf->pids, pointers) { if (nsjconf->tlimit == 0) { continue; } @@ -377,14 +364,12 @@ int subprocReap(struct nsjconf_t* nsjconf) return rv; } -void subprocKillAll(struct nsjconf_t* nsjconf) -{ +void subprocKillAll(struct nsjconf_t* nsjconf) { struct pids_t* p; TAILQ_FOREACH(p, &nsjconf->pids, pointers) { kill(p->pid, SIGKILL); } } -static bool subprocInitParent(struct nsjconf_t* nsjconf, pid_t pid, int pipefd) -{ +static bool subprocInitParent(struct nsjconf_t* nsjconf, pid_t pid, int pipefd) { if (netInitNsFromParent(nsjconf, pid) == false) { LOG_E("Couldn't create and put MACVTAP interface into NS of PID '%d'", pid); return false; @@ -397,8 +382,8 @@ static bool subprocInitParent(struct nsjconf_t* nsjconf, pid_t pid, int pipefd) LOG_E("Couldn't initialize user namespaces for pid %d", pid); return false; } - if (utilWriteToFd(pipefd, &subprocDoneChar, sizeof(subprocDoneChar)) - != sizeof(subprocDoneChar)) { + if (utilWriteToFd(pipefd, &subprocDoneChar, sizeof(subprocDoneChar)) != + sizeof(subprocDoneChar)) { LOG_E("Couldn't signal the new process via a socketpair"); return false; } @@ -413,8 +398,7 @@ static uint8_t subprocCloneStack[128 * 1024] __attribute__((aligned(__BIGGEST_AL /* Cannot be on the stack, as the child's stack pointer will change after clone() */ static __thread jmp_buf env; -static int subprocCloneFunc(void* arg __attribute__((unused))) -{ +static int subprocCloneFunc(void* arg __attribute__((unused))) { longjmp(env, 1); return 0; } @@ -424,8 +408,7 @@ static int subprocCloneFunc(void* arg __attribute__((unused))) * update the internal PID/TID caches, what can lead to invalid values being returned by getpid() * or incorrect PID/TIDs used in raise()/abort() functions */ -pid_t subprocClone(uintptr_t flags) -{ +pid_t subprocClone(uintptr_t flags) { if (flags & CLONE_VM) { LOG_E("Cannot use clone(flags & CLONE_VM)"); return -1; @@ -446,8 +429,7 @@ pid_t subprocClone(uintptr_t flags) return 0; } -void subprocRunChild(struct nsjconf_t* nsjconf, int fd_in, int fd_out, int fd_err) -{ +void subprocRunChild(struct nsjconf_t* nsjconf, int fd_in, int fd_out, int fd_err) { if (netLimitConns(nsjconf, fd_in) == false) { return; } @@ -487,11 +469,12 @@ void subprocRunChild(struct nsjconf_t* nsjconf, int fd_in, int fd_out, int fd_er } close(child_fd); if (pid == -1) { - PLOG_E("clone(flags=%s) failed. You probably need root privileges if your system " - "doesn't support CLONE_NEWUSER. Alternatively, you might want to recompile " - "your " - "kernel with support for namespaces or check the setting of the " - "kernel.unprivileged_userns_clone sysctl", + PLOG_E( + "clone(flags=%s) failed. You probably need root privileges if your system " + "doesn't support CLONE_NEWUSER. Alternatively, you might want to recompile " + "your " + "kernel with support for namespaces or check the setting of the " + "kernel.unprivileged_userns_clone sysctl", subprocCloneFlagsToStr(flags)); close(parent_fd); return; @@ -508,8 +491,7 @@ void subprocRunChild(struct nsjconf_t* nsjconf, int fd_in, int fd_out, int fd_er netConnToText(fd_in, true /* remote */, cs_addr, sizeof(cs_addr), NULL); } -int subprocSystem(const char** argv, char** env) -{ +int subprocSystem(const char** argv, char** env) { bool exec_failed = false; int sv[2]; diff --git a/user.c b/user.c index 738a1b4..2aeb471 100644 --- a/user.c +++ b/user.c @@ -44,15 +44,14 @@ #include "subproc.h" #include "util.h" -static bool userSetResGid(gid_t gid) -{ +static bool userSetResGid(gid_t gid) { LOG_D("setresgid(%d)", gid); #if defined(__NR_setresgid32) if (syscall(__NR_setresgid32, (uintptr_t)gid, (uintptr_t)gid, (uintptr_t)gid) == -1) { PLOG_W("setresgid32(%d)", (int)gid); return false; } -#else /* defined(__NR_setresgid32) */ +#else /* defined(__NR_setresgid32) */ if (syscall(__NR_setresgid, (uintptr_t)gid, (uintptr_t)gid, (uintptr_t)gid) == -1) { PLOG_W("setresgid(%d)", gid); return false; @@ -61,15 +60,14 @@ static bool userSetResGid(gid_t gid) return true; } -static bool userSetResUid(uid_t uid) -{ +static bool userSetResUid(uid_t uid) { LOG_D("setresuid(%d)", uid); #if defined(__NR_setresuid32) if (syscall(__NR_setresuid32, (uintptr_t)uid, (uintptr_t)uid, (uintptr_t)uid) == -1) { PLOG_W("setresuid32(%d)", (int)uid); return false; } -#else /* defined(__NR_setresuid32) */ +#else /* defined(__NR_setresuid32) */ if (syscall(__NR_setresuid, (uintptr_t)uid, (uintptr_t)uid, (uintptr_t)uid) == -1) { PLOG_W("setresuid(%d)", uid); return false; @@ -78,8 +76,7 @@ static bool userSetResUid(uid_t uid) return true; } -static bool userSetGroups(pid_t pid) -{ +static bool userSetGroups(pid_t pid) { /* * No need to write 'deny' to /proc/pid/setgroups if our euid==0, as writing to * uid_map/gid_map will succeed anyway @@ -98,16 +95,14 @@ static bool userSetGroups(pid_t pid) return true; } -static bool userUidMapSelf(struct nsjconf_t* nsjconf, pid_t pid) -{ +static bool userUidMapSelf(struct nsjconf_t* nsjconf, pid_t pid) { char fname[PATH_MAX]; snprintf(fname, sizeof(fname), "/proc/%d/uid_map", pid); - char map[4096] = { [0] = '\0' }; + char map[4096] = {[0] = '\0'}; struct idmap_t* p; - TAILQ_FOREACH(p, &nsjconf->uids, pointers) - { + TAILQ_FOREACH(p, &nsjconf->uids, pointers) { if (p->is_newidmap) { continue; } @@ -128,16 +123,14 @@ static bool userUidMapSelf(struct nsjconf_t* nsjconf, pid_t pid) return true; } -static bool userGidMapSelf(struct nsjconf_t* nsjconf, pid_t pid) -{ +static bool userGidMapSelf(struct nsjconf_t* nsjconf, pid_t pid) { char fname[PATH_MAX]; snprintf(fname, sizeof(fname), "/proc/%d/gid_map", pid); - char map[4096] = { [0] = '\0' }; + char map[4096] = {[0] = '\0'}; struct idmap_t* p; - TAILQ_FOREACH(p, &nsjconf->gids, pointers) - { + TAILQ_FOREACH(p, &nsjconf->gids, pointers) { if (p->is_newidmap) { continue; } @@ -159,8 +152,7 @@ static bool userGidMapSelf(struct nsjconf_t* nsjconf, pid_t pid) } /* Use /usr/bin/newgidmap for writing the gid map */ -static bool userGidMapExternal(struct nsjconf_t* nsjconf, pid_t pid UNUSED) -{ +static bool userGidMapExternal(struct nsjconf_t* nsjconf, pid_t pid UNUSED) { size_t idx = 0; const char* argv[1024]; @@ -174,8 +166,7 @@ static bool userGidMapExternal(struct nsjconf_t* nsjconf, pid_t pid UNUSED) struct idmap_t* p; bool use = false; - TAILQ_FOREACH(p, &nsjconf->gids, pointers) - { + TAILQ_FOREACH(p, &nsjconf->gids, pointers) { if (p->is_newidmap == false) { continue; } @@ -213,8 +204,7 @@ static bool userGidMapExternal(struct nsjconf_t* nsjconf, pid_t pid UNUSED) } /* Use /usr/bin/newuidmap for writing the uid map */ -static bool userUidMapExternal(struct nsjconf_t* nsjconf, pid_t pid UNUSED) -{ +static bool userUidMapExternal(struct nsjconf_t* nsjconf, pid_t pid UNUSED) { size_t idx = 0; const char* argv[1024]; @@ -228,8 +218,7 @@ static bool userUidMapExternal(struct nsjconf_t* nsjconf, pid_t pid UNUSED) bool use = false; struct idmap_t* p; - TAILQ_FOREACH(p, &nsjconf->uids, pointers) - { + TAILQ_FOREACH(p, &nsjconf->uids, pointers) { if (p->is_newidmap == false) { continue; } @@ -266,8 +255,7 @@ static bool userUidMapExternal(struct nsjconf_t* nsjconf, pid_t pid UNUSED) return true; } -static bool userUidGidMap(struct nsjconf_t* nsjconf, pid_t pid) -{ +static bool userUidGidMap(struct nsjconf_t* nsjconf, pid_t pid) { if (!userGidMapSelf(nsjconf, pid)) { return false; } @@ -283,8 +271,7 @@ static bool userUidGidMap(struct nsjconf_t* nsjconf, pid_t pid) return true; } -bool userInitNsFromParent(struct nsjconf_t* nsjconf, pid_t pid) -{ +bool userInitNsFromParent(struct nsjconf_t* nsjconf, pid_t pid) { if (userSetGroups(pid) == false) { return false; } @@ -297,8 +284,7 @@ bool userInitNsFromParent(struct nsjconf_t* nsjconf, pid_t pid) return true; } -bool userInitNsFromChild(struct nsjconf_t* nsjconf) -{ +bool userInitNsFromChild(struct nsjconf_t* nsjconf) { /* * Best effort because of /proc/self/setgroups */ @@ -312,8 +298,8 @@ bool userInitNsFromChild(struct nsjconf_t* nsjconf) * Make sure all capabilities are retained after the subsequent setuid/setgid, as they will * be needed for privileged operations: mounts, uts change etc. */ - if (prctl(PR_SET_SECUREBITS, SECBIT_KEEP_CAPS | SECBIT_NO_SETUID_FIXUP, 0UL, 0UL, 0UL) - == -1) { + if (prctl(PR_SET_SECUREBITS, SECBIT_KEEP_CAPS | SECBIT_NO_SETUID_FIXUP, 0UL, 0UL, 0UL) == + -1) { PLOG_E("prctl(PR_SET_SECUREBITS, SECBIT_KEEP_CAPS | SECBIT_NO_SETUID_FIXUP)"); return false; } @@ -330,8 +316,7 @@ bool userInitNsFromChild(struct nsjconf_t* nsjconf) return true; } -static uid_t cmdParseUid(const char* id) -{ +static uid_t cmdParseUid(const char* id) { if (id == NULL || strlen(id) == 0) { return getuid(); } @@ -345,8 +330,7 @@ static uid_t cmdParseUid(const char* id) return -1; } -static gid_t cmdParseGid(const char* id) -{ +static gid_t cmdParseGid(const char* id) { if (id == NULL || strlen(id) == 0) { return getgid(); } @@ -361,8 +345,7 @@ static gid_t cmdParseGid(const char* id) } bool userParseId(struct nsjconf_t* nsjconf, const char* i_id, const char* o_id, size_t cnt, - bool is_gid, bool is_newidmap) -{ + bool is_gid, bool is_newidmap) { uid_t inside_id; uid_t outside_id; diff --git a/util.c b/util.c index 5571d9e..8c3a638 100644 --- a/util.c +++ b/util.c @@ -43,8 +43,7 @@ #include "common.h" #include "log.h" -void* utilMalloc(size_t sz) -{ +void* utilMalloc(size_t sz) { void* ret = malloc(sz); if (ret == NULL) { LOG_F("malloc(sz=%zu) failed", sz); @@ -52,15 +51,13 @@ void* utilMalloc(size_t sz) return ret; } -void* utilCalloc(size_t sz) -{ +void* utilCalloc(size_t sz) { void* r = utilMalloc(sz); memset(r, '\0', sz); return r; } -char* utilStrDup(const char* str) -{ +char* utilStrDup(const char* str) { if (str == NULL) { return NULL; } @@ -71,8 +68,7 @@ char* utilStrDup(const char* str) return ret; } -uint8_t* utilMemDup(const uint8_t* src, size_t len) -{ +uint8_t* utilMemDup(const uint8_t* src, size_t len) { if (src == NULL) { return NULL; } @@ -81,26 +77,22 @@ uint8_t* utilMemDup(const uint8_t* src, size_t len) return ret; } -ssize_t utilReadFromFd(int fd, void* buf, size_t len) -{ +ssize_t utilReadFromFd(int fd, void* buf, size_t len) { uint8_t* charbuf = (uint8_t*)buf; size_t readSz = 0; while (readSz < len) { ssize_t sz = read(fd, &charbuf[readSz], len - readSz); - if (sz < 0 && errno == EINTR) - continue; + if (sz < 0 && errno == EINTR) continue; - if (sz <= 0) - break; + if (sz <= 0) break; readSz += sz; } return readSz; } -ssize_t utilReadFromFile(const char* fname, void* buf, size_t len) -{ +ssize_t utilReadFromFile(const char* fname, void* buf, size_t len) { int fd; TEMP_FAILURE_RETRY(fd = open(fname, O_RDONLY | O_CLOEXEC)); if (fd == -1) { @@ -112,26 +104,22 @@ ssize_t utilReadFromFile(const char* fname, void* buf, size_t len) return ret; } -ssize_t utilWriteToFd(int fd, const void* buf, size_t len) -{ +ssize_t utilWriteToFd(int fd, const void* buf, size_t len) { const uint8_t* charbuf = (const uint8_t*)buf; size_t writtenSz = 0; while (writtenSz < len) { ssize_t sz = write(fd, &charbuf[writtenSz], len - writtenSz); - if (sz < 0 && errno == EINTR) - continue; + if (sz < 0 && errno == EINTR) continue; - if (sz < 0) - return false; + if (sz < 0) return false; writtenSz += sz; } return true; } -bool utilWriteBufToFile(const char* filename, const void* buf, size_t len, int open_flags) -{ +bool utilWriteBufToFile(const char* filename, const void* buf, size_t len, int open_flags) { int fd; TEMP_FAILURE_RETRY(fd = open(filename, open_flags, 0644)); if (fd == -1) { @@ -152,8 +140,7 @@ bool utilWriteBufToFile(const char* filename, const void* buf, size_t len, int o return true; } -bool utilCreateDirRecursively(const char* dir) -{ +bool utilCreateDirRecursively(const char* dir) { if (dir[0] != '/') { LOG_W("The directory path must start with '/': '%s' provided", dir); return false; @@ -198,8 +185,7 @@ bool utilCreateDirRecursively(const char* dir) } } -int utilSSnPrintf(char* str, size_t size, const char* format, ...) -{ +int utilSSnPrintf(char* str, size_t size, const char* format, ...) { char buf1[size]; char buf2[size]; @@ -213,8 +199,7 @@ int utilSSnPrintf(char* str, size_t size, const char* format, ...) return snprintf(str, size, "%s%s", buf1, buf2); } -bool utilIsANumber(const char* s) -{ +bool utilIsANumber(const char* s) { for (int i = 0; s[i]; s++) { if (!isdigit(s[i]) && s[i] != 'x') { return false; @@ -230,8 +215,7 @@ static __thread uint64_t rndX; static const uint64_t a = 6364136223846793005ULL; static const uint64_t c = 1442695040888963407ULL; -static void utilRndInitThread(void) -{ +static void utilRndInitThread(void) { #if defined(__NR_getrandom) if (syscall(__NR_getrandom, &rndX, sizeof(rndX), 0) == sizeof(rndX)) { return; @@ -252,15 +236,13 @@ static void utilRndInitThread(void) close(fd); } -uint64_t utilRnd64(void) -{ +uint64_t utilRnd64(void) { pthread_once(&rndThreadOnce, utilRndInitThread); rndX = a * rndX + c; return rndX; } -const char* utilSigName(int signo) -{ +const char* utilSigName(int signo) { static __thread char sigstr[32]; sigstr[0] = '\0'; @@ -268,35 +250,35 @@ const char* utilSigName(int signo) const int signo; const char* const name; } const sigNames[] = { - NS_VALSTR_STRUCT(SIGINT), - NS_VALSTR_STRUCT(SIGILL), - NS_VALSTR_STRUCT(SIGABRT), - NS_VALSTR_STRUCT(SIGFPE), - NS_VALSTR_STRUCT(SIGSEGV), - NS_VALSTR_STRUCT(SIGTERM), - NS_VALSTR_STRUCT(SIGHUP), - NS_VALSTR_STRUCT(SIGQUIT), - NS_VALSTR_STRUCT(SIGTRAP), - NS_VALSTR_STRUCT(SIGKILL), - NS_VALSTR_STRUCT(SIGBUS), - NS_VALSTR_STRUCT(SIGSYS), - NS_VALSTR_STRUCT(SIGPIPE), - NS_VALSTR_STRUCT(SIGALRM), - NS_VALSTR_STRUCT(SIGURG), - NS_VALSTR_STRUCT(SIGSTOP), - NS_VALSTR_STRUCT(SIGTSTP), - NS_VALSTR_STRUCT(SIGCONT), - NS_VALSTR_STRUCT(SIGCHLD), - NS_VALSTR_STRUCT(SIGTTIN), - NS_VALSTR_STRUCT(SIGTTOU), - NS_VALSTR_STRUCT(SIGPOLL), - NS_VALSTR_STRUCT(SIGXCPU), - NS_VALSTR_STRUCT(SIGXFSZ), - NS_VALSTR_STRUCT(SIGVTALRM), - NS_VALSTR_STRUCT(SIGPROF), - NS_VALSTR_STRUCT(SIGUSR1), - NS_VALSTR_STRUCT(SIGUSR2), - NS_VALSTR_STRUCT(SIGWINCH), + NS_VALSTR_STRUCT(SIGINT), + NS_VALSTR_STRUCT(SIGILL), + NS_VALSTR_STRUCT(SIGABRT), + NS_VALSTR_STRUCT(SIGFPE), + NS_VALSTR_STRUCT(SIGSEGV), + NS_VALSTR_STRUCT(SIGTERM), + NS_VALSTR_STRUCT(SIGHUP), + NS_VALSTR_STRUCT(SIGQUIT), + NS_VALSTR_STRUCT(SIGTRAP), + NS_VALSTR_STRUCT(SIGKILL), + NS_VALSTR_STRUCT(SIGBUS), + NS_VALSTR_STRUCT(SIGSYS), + NS_VALSTR_STRUCT(SIGPIPE), + NS_VALSTR_STRUCT(SIGALRM), + NS_VALSTR_STRUCT(SIGURG), + NS_VALSTR_STRUCT(SIGSTOP), + NS_VALSTR_STRUCT(SIGTSTP), + NS_VALSTR_STRUCT(SIGCONT), + NS_VALSTR_STRUCT(SIGCHLD), + NS_VALSTR_STRUCT(SIGTTIN), + NS_VALSTR_STRUCT(SIGTTOU), + NS_VALSTR_STRUCT(SIGPOLL), + NS_VALSTR_STRUCT(SIGXCPU), + NS_VALSTR_STRUCT(SIGXFSZ), + NS_VALSTR_STRUCT(SIGVTALRM), + NS_VALSTR_STRUCT(SIGPROF), + NS_VALSTR_STRUCT(SIGUSR1), + NS_VALSTR_STRUCT(SIGUSR2), + NS_VALSTR_STRUCT(SIGWINCH), }; for (size_t i = 0; i < ARRAYSIZE(sigNames); i++) { @@ -315,8 +297,7 @@ const char* utilSigName(int signo) } static __thread char timestr[64]; -const char* utilTimeToStr(time_t t) -{ +const char* utilTimeToStr(time_t t) { struct tm utctime; localtime_r(&t, &utctime); if (strftime(timestr, sizeof(timestr) - 1, "%FT%T%z", &utctime) == 0) { diff --git a/uts.c b/uts.c index 0e7fed1..fc3f585 100644 --- a/uts.c +++ b/uts.c @@ -26,8 +26,7 @@ #include "log.h" -bool utsInitNs(struct nsjconf_t* nsjconf) -{ +bool utsInitNs(struct nsjconf_t* nsjconf) { if (nsjconf->clone_newuts == false) { return true; }