Kunhoon Baik [Thu, 15 Jul 2021 05:16:27 +0000 (14:16 +0900)]
Adjust cgroup cpu for Tizen
Latest public Tizen does not support cfs_period_us or cfs_quota_us because CONFIG_FAIR_GROUP_SCHED, CONFIG_CFS_BANDWIDTH are not enabled.
Thus, instead of strict cpu limitation using cfs_quota, use cpu_shares.
The cpu_shares of each NSJAIL process will be assigned according to ratio (cfs_quota/cfs_period)
This is temporary patch and is not well validated.
Tizen will consider to enable the kernel option for cfs_quota_us.
Kunhoon Baik [Mon, 12 Jul 2021 09:07:35 +0000 (18:07 +0900)]
Creating nsjail RPM specification and build patch based on upstream-git branch
Upstream git was created with "nsjail 2021-07-07 version"
For Tizen RPM, additional patches were created based on the open source version
1) Linking to upstream-git branch - .gbs.conf
: You can check the Tizen open source updating guide at https://wiki.tizen.org/Updating_packages
2) Creating kafel.tar.gz
: Unfortunately, Tizen does not provide git tool at build time. (git-core package is required)
: Thus, instead of using git submodule command, create kafel.tar.gz from the git submodule.
: For your information, following patch is added for the kafel for fixing build error (TODO)
+// Fix for Linux <3.12
+#ifndef EM_ARM
+#define EM_ARM 40
+#endif
+
3) NSJail requires 3.2.24 over libnl3 vesion.
Unfortunately, current Tizen libnl3 version 3.2.22. (TODO)
Robert Swiecki [Wed, 7 Jul 2021 09:55:17 +0000 (11:55 +0200)]
cmdline: clone_newcgroup -> true by default; clone_newtime should be false
Robert Swiecki [Wed, 16 Jun 2021 15:44:07 +0000 (17:44 +0200)]
make indent
robertswiecki [Wed, 16 Jun 2021 15:43:31 +0000 (17:43 +0200)]
Merge pull request #172 from eli-zr/_macvlan_mode
MACVLAN modes support
Eli Zrihen [Wed, 16 Jun 2021 13:59:12 +0000 (16:59 +0300)]
MACVLAN modes support
Robert Swiecki [Tue, 18 May 2021 12:38:01 +0000 (14:38 +0200)]
Enable support for clone3() and for CLONE_NEWTIME
robertswiecki [Wed, 12 May 2021 07:51:35 +0000 (09:51 +0200)]
Merge pull request #170 from infiniteregrets/fix-macro
Fixed macro in subproc.cc
Mehul Arora [Wed, 12 May 2021 06:43:06 +0000 (12:13 +0530)]
Fixed macro in subproc.cc
Robert Swiecki [Tue, 11 May 2021 12:48:45 +0000 (14:48 +0200)]
Initial support for CLONE_NEWTIME
Wiktor Garbacz [Fri, 7 May 2021 15:50:31 +0000 (17:50 +0200)]
Update kafel to include bugfixes
Robert Swiecki [Wed, 5 May 2021 11:50:51 +0000 (13:50 +0200)]
configs/ - add comments to config files using #
robertswiecki [Tue, 4 May 2021 19:41:17 +0000 (21:41 +0200)]
Merge pull request #164 from ziqin/master
Fix a typo in command line description
Wiktor Garbacz [Wed, 28 Apr 2021 14:32:09 +0000 (16:32 +0200)]
Bump kafel
Wiktor Garbacz [Thu, 22 Apr 2021 09:01:04 +0000 (11:01 +0200)]
Yet another bugfix Kafel version bump
Wiktor Garbacz [Wed, 21 Apr 2021 07:47:20 +0000 (09:47 +0200)]
update kafel again to include a bugfix.
Wiktor Garbacz [Fri, 16 Apr 2021 12:22:30 +0000 (14:22 +0200)]
Update kafel
WANG Ziqin [Sat, 3 Apr 2021 15:59:35 +0000 (23:59 +0800)]
Fix default value of cgroup_cpu_mount in README
Ziqin Wang [Sat, 3 Apr 2021 15:31:56 +0000 (23:31 +0800)]
Fix typo in command line description
happyCoder92 [Wed, 10 Feb 2021 07:47:34 +0000 (08:47 +0100)]
Merge pull request #160 from ginkoid/master
net: add support for max_conns
Philip Papurt [Tue, 9 Feb 2021 22:13:35 +0000 (17:13 -0500)]
net: add support for max_conns
Robert Swiecki [Mon, 1 Feb 2021 22:22:43 +0000 (23:22 +0100)]
subproc: refer users to dmesg in case si_syscall==31 (SIGSYS)
Wiktor Garbacz [Thu, 28 Jan 2021 08:47:31 +0000 (09:47 +0100)]
Fix build
Wiktor Garbacz [Wed, 27 Jan 2021 13:37:12 +0000 (14:37 +0100)]
Add new capabilities, ignore unsupported caps for bounding set
Robert Swiecki [Sun, 30 Aug 2020 21:22:22 +0000 (23:22 +0200)]
nsjail: don't add connections to the proxy map if launching a new process failed
Robert Swiecki [Sun, 30 Aug 2020 20:02:08 +0000 (22:02 +0200)]
subproc: kill a process once in the -Ml mode once the TCP connection has ended
robertswiecki [Wed, 26 Aug 2020 15:02:02 +0000 (17:02 +0200)]
Merge pull request #150 from joemiller/patch-1
remove build dependency on which
Robert Swiecki [Wed, 26 Aug 2020 14:09:55 +0000 (16:09 +0200)]
make indent
joe miller [Sat, 15 Aug 2020 00:07:30 +0000 (17:07 -0700)]
remove build dependency on which
robertswiecki [Mon, 3 Aug 2020 20:42:28 +0000 (22:42 +0200)]
Merge pull request #148 from boryspoplawski/master
Fix compilation errors on old gcc (5.4.0)
Robert Swiecki [Mon, 3 Aug 2020 18:43:08 +0000 (20:43 +0200)]
Makefile: compile kafel with -fPIE (maybe fixes #149)
borysp [Wed, 29 Jul 2020 13:18:10 +0000 (15:18 +0200)]
Fix compilation errors on old gcc (5.4.0)
Robert Swiecki [Tue, 28 Jul 2020 12:03:27 +0000 (14:03 +0200)]
config.proto: make indent
Robert Swiecki [Tue, 28 Jul 2020 12:02:34 +0000 (14:02 +0200)]
config.proto: renumerate config fields
robertswiecki [Wed, 22 Jul 2020 22:09:23 +0000 (00:09 +0200)]
Merge pull request #147 from disconnect3d/patch-2
Fixes #146: cgroups_mem_max unit in config.proto
Disconnect3d [Thu, 16 Jul 2020 12:43:43 +0000 (14:43 +0200)]
Fixes #146: cgroups_mem_max unit in config.proto
This commit fixes the incorrect cgroups_mem_max unit described in a config.proto comment.
We do not perform any calculations on this value and we don't specify the values unit (k/M/G) when writing to memory cgroup controller files, so the value is specified in bytes.
Robert Swiecki [Thu, 9 Jul 2020 15:29:02 +0000 (17:29 +0200)]
make indent
Robert Swiecki [Thu, 9 Jul 2020 15:28:56 +0000 (17:28 +0200)]
config: remove deprecated config options
robertswiecki [Tue, 7 Jul 2020 14:52:21 +0000 (16:52 +0200)]
Merge pull request #145 from cblichmann/master
Fix a few typos.
Christian Blichmann [Tue, 7 Jul 2020 12:07:22 +0000 (14:07 +0200)]
Fix a few typos.
These were found by external tooling while preparing the Debian package.
* Uknown -> Unknown
* Writting -> Writing
* commited -> committed
* processess -> processes
Signed-off-by: Christian Blichmann <mail@blichmann.eu>
happyCoder92 [Tue, 7 Jul 2020 09:55:11 +0000 (11:55 +0200)]
Merge pull request #144 from arcz/config-deps-paths
Build-time config of newuidmap and newgidmap paths
Artur Cygan [Mon, 6 Jul 2020 12:38:11 +0000 (14:38 +0200)]
Stringify CLI-passed paths
Artur Cygan [Mon, 22 Jun 2020 11:42:22 +0000 (13:42 +0200)]
Build-time config of newuidmap and newgidmap paths
Robert Swiecki [Tue, 21 Apr 2020 09:25:06 +0000 (11:25 +0200)]
nsjail: don't change cwd during daemon()
Wiktor Garbacz [Fri, 27 Mar 2020 09:19:40 +0000 (10:19 +0100)]
Fix format specifier for size_t
happyCoder92 [Thu, 19 Mar 2020 12:50:35 +0000 (13:50 +0100)]
Merge pull request #136 from c7f-m0d3/master
fix non-functional max_conns_per_ip
Piotr Krysiuk [Thu, 19 Mar 2020 00:13:28 +0000 (00:13 +0000)]
fix non-functional max_conns_per_ip
Starting with nsjail::listenMode update to pipe socket traffic [commit
273ce6bc846b7325c7f0915067c54bf8cf6f5654], a pipe file descriptor is passed as connsock parameter when calling net::limitConns and also as sock parameter when calling addProc in subproc::runChild.
This breaks net::limitConns because pid.remote_addr and also local variable addr are left uninitialized despite net::connToText calls when counting number of existing network connections from the same peer.
The subsequent correction to fetch remote address [commit
2cf562160d308f9b5cca767a2459332f2041b41c] made the bug even more interesting, since the loop in net::limitConns now compares unsanitized content of stack with network addresses of already connected clients.
happyCoder92 [Mon, 2 Mar 2020 14:31:37 +0000 (15:31 +0100)]
Merge pull request #133 from sirdarckcat/master
Create dockerpush.yml
Eduardo' Vela" Nava (sirdarckcat) [Sun, 1 Mar 2020 06:56:34 +0000 (07:56 +0100)]
Create dockerpush.yml
Robert Swiecki [Mon, 17 Feb 2020 19:33:45 +0000 (20:33 +0100)]
make indent
Wiktor Garbacz [Mon, 17 Feb 2020 14:55:08 +0000 (15:55 +0100)]
fix POLLNVAL in pipeTraffic
Wiktor Garbacz [Mon, 17 Feb 2020 13:16:40 +0000 (14:16 +0100)]
fix infinite loop in pipeTraffic
Robert Swiecki [Mon, 17 Feb 2020 13:13:17 +0000 (14:13 +0100)]
subproc: debug log when hotting SIHQUIT (Ctrl+\) #2 - better check
Robert Swiecki [Mon, 17 Feb 2020 13:11:58 +0000 (14:11 +0100)]
subproc: debug log when hotting SIHQUIT (Ctrl+\)
Robert Swiecki [Mon, 17 Feb 2020 13:07:25 +0000 (14:07 +0100)]
subproc: verify that a pid in a pid map doesn't exist before inserting
Robert Swiecki [Sun, 16 Feb 2020 21:34:19 +0000 (22:34 +0100)]
nsjail/pid/subproc: a). keep childrens' PIDs in a map indexed by pid b). correctly fetch remote IPv6 address text
robertswiecki [Fri, 14 Feb 2020 16:08:41 +0000 (17:08 +0100)]
Merge pull request #130 from happyCoder92/proxy
pipe socket traffic in and out of sandboxee
robertswiecki [Fri, 14 Feb 2020 16:08:07 +0000 (17:08 +0100)]
Merge pull request #128 from disconnect3d/patch-2
Update Dockerfile to use ubuntu:18.04 image
Wiktor Garbacz [Thu, 13 Feb 2020 11:24:28 +0000 (12:24 +0100)]
pipe socket traffic in and out of sandboxee
Wiktor Garbacz [Mon, 27 Jan 2020 09:32:10 +0000 (10:32 +0100)]
Makefile: fix kafel submodule init for parallel build
Robert Swiecki [Tue, 10 Dec 2019 10:09:14 +0000 (11:09 +0100)]
subproc: recognize CLONE_PIDFD
robertswiecki [Sat, 7 Dec 2019 16:24:29 +0000 (17:24 +0100)]
Merge pull request #129 from disconnect3d/patch-3
Fix default rlimit_stack value
Disconnect3d [Sat, 7 Dec 2019 16:05:45 +0000 (17:05 +0100)]
Fix default rlimit_stack value
The default `rlimit_stack` value was set to
1048576. However, this value is in MiB and so is later multiplied by 1024*1024 in https://github.com/google/nsjail/blob/
b3d544d155f5d1543dce1bd3e5327ef41583815a/config.cc#L161-L162 and it ends up as a limit of 1 TB for the stack size.
This PR changes it to 8 MB which is a more sane default or, at least I took it from my virtual machine's ulimits:
```
$ ulimit -a
core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
scheduling priority (-e) 0
file size (blocks, -f) unlimited
pending signals (-i) 31175
max locked memory (kbytes, -l) 16384
max memory size (kbytes, -m) unlimited
open files (-n) 1024
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
real-time priority (-r) 0
stack size (kbytes, -s) 8192
cpu time (seconds, -t) unlimited
max user processes (-u) 31175
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited
```
Disconnect3d [Sat, 7 Dec 2019 13:24:32 +0000 (14:24 +0100)]
Update Dockerfile to use ubuntu:18.04 image
Wiktor Garbacz [Fri, 1 Nov 2019 12:40:25 +0000 (13:40 +0100)]
allow setgroups when using exclusively newgid
Robert Swiecki [Tue, 29 Oct 2019 00:40:52 +0000 (01:40 +0100)]
configs/: indent
Robert Swiecki [Thu, 3 Oct 2019 22:35:36 +0000 (00:35 +0200)]
configs/znc: remove a problematic quote
Robert Swiecki [Thu, 3 Oct 2019 22:33:29 +0000 (00:33 +0200)]
nsjail: don't restore console if nsjail runs in background
Robert Swiecki [Wed, 2 Oct 2019 17:43:58 +0000 (19:43 +0200)]
config: simplify log/logfd setting
Robert Swiecki [Wed, 2 Oct 2019 06:28:23 +0000 (08:28 +0200)]
configs: new config for znc - remove log_fd
Robert Swiecki [Tue, 1 Oct 2019 06:27:17 +0000 (08:27 +0200)]
configs: new config for znc
Robert Swiecki [Sat, 28 Sep 2019 21:00:21 +0000 (23:00 +0200)]
configs/xchat: daemonize by default
Robert Swiecki [Thu, 12 Sep 2019 20:22:04 +0000 (22:22 +0200)]
Merge branch 'master' of ssh://github.com/google/nsjail
Robert Swiecki [Thu, 12 Sep 2019 20:21:49 +0000 (22:21 +0200)]
user: better formatting directives for printf'like functions
robertswiecki [Sat, 7 Sep 2019 00:04:39 +0000 (02:04 +0200)]
Merge pull request #123 from LMMilewski/master
Fix typo in config.proto: s/lofs/logs/
Lukasz Milewski [Fri, 6 Sep 2019 22:08:30 +0000 (15:08 -0700)]
Fix typo in config.proto: s/lofs/logs/
Robert Swiecki [Mon, 2 Sep 2019 14:10:28 +0000 (16:10 +0200)]
Merge branch 'master' of github.com:google/nsjail
Robert Swiecki [Mon, 2 Sep 2019 14:10:19 +0000 (16:10 +0200)]
subproc: fix invalid conversions from util::syscall to syscall
Robert Swiecki [Sat, 31 Aug 2019 20:08:02 +0000 (22:08 +0200)]
mnt: shorter description of mount points
Robert Swiecki [Wed, 28 Aug 2019 20:18:58 +0000 (22:18 +0200)]
standardize on envar vs envvar
Robert Swiecki [Sun, 25 Aug 2019 09:23:20 +0000 (11:23 +0200)]
log: close previous log descriptor a bit later:
Robert Swiecki [Sun, 25 Aug 2019 09:17:12 +0000 (11:17 +0200)]
mnt: use setcwd unconditionally with and w/o clone_newns
Robert Swiecki [Sun, 25 Aug 2019 09:16:12 +0000 (11:16 +0200)]
mnt: use setcwd unconditionally with and w/o clone_newns
Robert Swiecki [Thu, 22 Aug 2019 11:59:15 +0000 (13:59 +0200)]
log: a bit clearer calls to dup()
Robert Swiecki [Wed, 21 Aug 2019 12:29:35 +0000 (14:29 +0200)]
Fix missing chdir in non-CLONE_NEWNS path
Robert Swiecki [Tue, 20 Aug 2019 12:16:21 +0000 (14:16 +0200)]
log: simplify logging code
Robert Swiecki [Mon, 19 Aug 2019 12:28:45 +0000 (14:28 +0200)]
config.proto: move disable_rl higher
robertswiecki [Mon, 19 Aug 2019 12:26:27 +0000 (14:26 +0200)]
Merge pull request #120 from jaylees14/disable-rlimits
Add flag to disable rlimits
Robert Swiecki [Mon, 19 Aug 2019 09:35:17 +0000 (11:35 +0200)]
Merge branch 'master' of github.com:google/nsjail
Robert Swiecki [Mon, 19 Aug 2019 09:34:34 +0000 (11:34 +0200)]
net/cmdline: better checks for TCP port values
Jay Lees [Mon, 5 Aug 2019 10:25:22 +0000 (03:25 -0700)]
Add flag to disable rlimits
Robert Swiecki [Sun, 4 Aug 2019 07:54:38 +0000 (09:54 +0200)]
cgroup-code: remove some spaces to make code more consistent
Robert Swiecki [Sun, 4 Aug 2019 07:50:34 +0000 (09:50 +0200)]
make indent depend
robertswiecki [Sun, 4 Aug 2019 07:49:35 +0000 (09:49 +0200)]
Merge pull request #119 from jaylees14/cgroup-v2
[cgroup-v2] support cgroup v2 for mem, cpu and pids
Jay Lees [Fri, 26 Jul 2019 14:02:17 +0000 (07:02 -0700)]
[cgroup-v2] support cgroup v2 for mem, cpu and pids
Robert Swiecki [Fri, 12 Jul 2019 14:07:06 +0000 (16:07 +0200)]
configs/imagemagick-convert: add madvise
Robert Swiecki [Mon, 1 Jul 2019 12:52:32 +0000 (14:52 +0200)]
Merge branch 'master' of github.com:google/nsjail
Robert Swiecki [Mon, 1 Jul 2019 12:51:32 +0000 (14:51 +0200)]
Disable securebits again to avoid spawned programs unexpectedly retaining capabilities after a UID/GID change
Robert Swiecki [Sun, 30 Jun 2019 20:03:57 +0000 (22:03 +0200)]
cmdline: no need to check for nice values
Robert Swiecki [Sun, 30 Jun 2019 19:50:56 +0000 (21:50 +0200)]
Add nice_level to cmd-line/config options
projects / platform / upstream / nsjail.git / log