Patrick Steinhardt [Thu, 20 Jun 2019 09:45:27 +0000 (11:45 +0200)]
user: allow setting multiple groups without user namespaces
When not using a user namespace, then we'll completely ignore
whether multiple groups have been specified by the user and only set
up the process's GID. With user namespaces, we in fact cannot set up
supplementary groups as we have set up "/proc/self/setgroups" to
deny any call to setgroups(2). But we can do better than that when
not using user namespaces, as we're free to use that syscall.
As nsjail(1) documents that "--group" can be specified multiple
times without mentioning that this won't work with
"--disable_clone_newuser", change the code to make that
constellation work.
Robert Swiecki [Wed, 17 Apr 2019 21:10:18 +0000 (23:10 +0200)]
use TEMP_FAILURE_RETRY with some restartable funcs
Robert Swiecki [Mon, 1 Apr 2019 21:32:06 +0000 (23:32 +0200)]
configs/image-magic: make convert be overridable
Robert Swiecki [Mon, 1 Apr 2019 20:46:39 +0000 (22:46 +0200)]
cmdline: don't clear cmdline exec_file is arguments are provided on cmdline
Robert Swiecki [Mon, 1 Apr 2019 20:43:17 +0000 (22:43 +0200)]
config.proto: Exe.path is required
Robert Swiecki [Mon, 1 Apr 2019 20:42:14 +0000 (22:42 +0200)]
cmdline: make sure that argv[0] exists
Robert Swiecki [Sun, 31 Mar 2019 13:16:24 +0000 (15:16 +0200)]
user: function naming
Robert Swiecki [Sat, 30 Mar 2019 15:20:04 +0000 (16:20 +0100)]
configs/firefox-with-cloned-net: add fontconfig config envvars
Robert Swiecki [Sat, 30 Mar 2019 15:19:30 +0000 (16:19 +0100)]
configs/firefox: add fontconfig config envvars
Robert Swiecki [Sat, 30 Mar 2019 15:10:14 +0000 (16:10 +0100)]
cmdline: allow to override config cmdline with cmdline cmdline
Robert Swiecki [Sat, 30 Mar 2019 14:49:18 +0000 (15:49 +0100)]
configs/conver: revert the last one to properly figure it out
robertswiecki [Sat, 30 Mar 2019 14:45:04 +0000 (15:45 +0100)]
Merge pull request #114 from disconnect3d/patch-1
Fixes issue #113
Disconnect3d [Fri, 29 Mar 2019 22:48:56 +0000 (23:48 +0100)]
Fixes issue #113
Robert Swiecki [Fri, 29 Mar 2019 20:42:05 +0000 (21:42 +0100)]
nsjail: remove warning about CLONE_NEWUSER
Robert Swiecki [Fri, 29 Mar 2019 20:38:14 +0000 (21:38 +0100)]
allow to use nsjail w/o namespaces
Robert Swiecki [Thu, 28 Mar 2019 22:25:15 +0000 (23:25 +0100)]
mnt: try /run/user/<uid>/nsjail as a root mount dir first
Robert Swiecki [Mon, 18 Mar 2019 15:37:04 +0000 (16:37 +0100)]
mnt: use /run/usr/<uid> first when mounting dirs
Robert Swiecki [Tue, 12 Mar 2019 16:07:24 +0000 (17:07 +0100)]
subproc: save/restore errno when printing error message twice
Robert Swiecki [Sun, 10 Mar 2019 14:00:45 +0000 (15:00 +0100)]
flush stdin after nsjail ends
robertswiecki [Wed, 6 Mar 2019 07:18:35 +0000 (08:18 +0100)]
Merge pull request #109 from disconnect3d/fix-cgroup-cpu-mount-option
Fix #108 - missing cgroup_cpu_mount option setting
disconnect3d [Tue, 5 Mar 2019 22:41:38 +0000 (16:41 -0600)]
Fix #108 - missing cgroup_cpu_mount option setting
robertswiecki [Fri, 1 Mar 2019 15:48:18 +0000 (16:48 +0100)]
Merge pull request #107 from adamcarheden/tomcat
Added example config for tomcat
Adam Carheden [Tue, 12 Feb 2019 19:31:40 +0000 (12:31 -0700)]
Added example config for tomcat
Robert Swiecki [Wed, 6 Feb 2019 16:06:42 +0000 (17:06 +0100)]
incrase the default RLIMIT_AS limit to 4GiB. 512MiB is not enough for many payloas, and cgroups should be used for memory limiting anyway
robertswiecki [Tue, 29 Jan 2019 20:04:25 +0000 (21:04 +0100)]
Merge pull request #104 from adamcarheden/libnl-dep
Fixed missing dependency on libnl-route-3-dev
Adam Carheden [Tue, 29 Jan 2019 16:48:35 +0000 (09:48 -0700)]
Fixed missing dependency on libnl-route-3-dev
Robert Swiecki [Mon, 21 Jan 2019 21:42:34 +0000 (22:42 +0100)]
util: call ::syscall for syscall()
Robert Swiecki [Mon, 21 Jan 2019 21:37:30 +0000 (22:37 +0100)]
use util::syscall whenever possible
Robert Swiecki [Mon, 21 Jan 2019 21:25:37 +0000 (22:25 +0100)]
util: introduce syscall to avoid vararg argument parsing
Robert Swiecki [Mon, 21 Jan 2019 19:03:17 +0000 (20:03 +0100)]
contain: log formatting
Robert Swiecki [Sun, 20 Jan 2019 20:41:10 +0000 (21:41 +0100)]
configs/xorg: add /dev/[u]random
Robert Swiecki [Sun, 20 Jan 2019 17:43:42 +0000 (18:43 +0100)]
cmdline: more bried debug output
Robert Swiecki [Sun, 20 Jan 2019 17:41:44 +0000 (18:41 +0100)]
log: don't print description of level with HELP/HELP_BOLD
Robert Swiecki [Sun, 20 Jan 2019 17:37:47 +0000 (18:37 +0100)]
Make netlink3-route mandatory
happyCoder92 [Wed, 9 Jan 2019 13:01:16 +0000 (14:01 +0100)]
Merge pull request #103 from remexre/master
Fixes typo in manpage.
Nathan Ringo [Wed, 9 Jan 2019 10:24:34 +0000 (00:24 -1000)]
Fixes typo in manpage.
happyCoder92 [Mon, 7 Jan 2019 13:39:57 +0000 (14:39 +0100)]
Merge pull request #102 from jvvv/master
README.md: update cgroup_cpu_ms_per_sec
Robert Swiecki [Sat, 5 Jan 2019 23:03:36 +0000 (00:03 +0100)]
open might return EINTR
Robert Swiecki [Fri, 4 Jan 2019 00:41:26 +0000 (01:41 +0100)]
subproc: PLOG -> LOG
Robert Swiecki [Tue, 1 Jan 2019 10:36:02 +0000 (11:36 +0100)]
More of RETURN_ON_FAILURE
John Vogel [Sat, 22 Dec 2018 06:03:34 +0000 (01:03 -0500)]
README.md: update cgroup_cpu_ms_per_sec
Robert Swiecki [Mon, 17 Dec 2018 07:46:31 +0000 (08:46 +0100)]
make indent
Robert Swiecki [Sun, 16 Dec 2018 13:22:01 +0000 (14:22 +0100)]
logs: va_end() used too early
Robert Swiecki [Sun, 16 Dec 2018 10:55:33 +0000 (11:55 +0100)]
logs: avoid multiple syscall(__NR_write) in logs
Robert Swiecki [Sun, 16 Dec 2018 06:47:22 +0000 (07:47 +0100)]
logs: use anonymous struct
Robert Swiecki [Wed, 5 Dec 2018 13:35:16 +0000 (14:35 +0100)]
cmdline: clarify cgroup_cpu_ms_per_sec
Robert Swiecki [Wed, 5 Dec 2018 09:10:21 +0000 (10:10 +0100)]
subproc: print more data on sigsys
Robert Swiecki [Sun, 25 Nov 2018 22:12:43 +0000 (23:12 +0100)]
Merge branch 'master' of ssh://github.com/google/nsjail
robertswiecki [Sun, 25 Nov 2018 22:12:23 +0000 (23:12 +0100)]
Merge pull request #99 from rutsky/writeToFd_return_type
fix writeToFD() return type in declaration
Vladimir Rutsky [Sun, 25 Nov 2018 17:26:52 +0000 (18:26 +0100)]
fix writeToFD() return type in declaration
In
25a7791d return type of writeToFD() was changed from `ssize_t` to `bool`, but header wasn't updated.
Robert Swiecki [Sat, 24 Nov 2018 16:22:13 +0000 (17:22 +0100)]
Merge branch 'master' of ssh://github.com/google/nsjail
robertswiecki [Sat, 24 Nov 2018 16:21:48 +0000 (17:21 +0100)]
Merge pull request #98 from disconnect3d/fix-writeToFd-return-type
Fix utils::writeToFd return type
disconnect3d [Sat, 24 Nov 2018 15:23:45 +0000 (16:23 +0100)]
Fix utils::writeToFd return type
The `writeToFd` function in `util.cc` returns `ssize_t` but the only
returned values are either `false` or `true`.
```
ssize_t writeToFd(int fd, const void* buf, size_t len) {
(...) return false;
(...) return true;
```
Robert Swiecki [Thu, 22 Nov 2018 07:44:43 +0000 (08:44 +0100)]
mnt: better description for mounts
Robert Swiecki [Thu, 22 Nov 2018 07:44:36 +0000 (08:44 +0100)]
Merge branch 'master' of ssh://github.com/google/nsjail
Robert Swiecki [Thu, 22 Nov 2018 07:44:25 +0000 (08:44 +0100)]
mnt: better description for mounts
Wiktor Garbacz [Wed, 21 Nov 2018 14:36:43 +0000 (15:36 +0100)]
Update kafel - fixes build on Ubuntu 14.04
Robert Swiecki [Thu, 8 Nov 2018 06:09:41 +0000 (07:09 +0100)]
config.proto: renumber the fields
Robert Swiecki [Tue, 6 Nov 2018 16:30:04 +0000 (17:30 +0100)]
config.proto: comments
Robert Swiecki [Tue, 30 Oct 2018 00:44:08 +0000 (01:44 +0100)]
mnt: simplify debug message #2
Robert Swiecki [Tue, 30 Oct 2018 00:33:09 +0000 (01:33 +0100)]
mnt: simplify debug message
Robert Swiecki [Sun, 28 Oct 2018 20:07:46 +0000 (21:07 +0100)]
mnt: simplify printing mnt points
Robert Swiecki [Sun, 28 Oct 2018 20:03:10 +0000 (21:03 +0100)]
cmdline/env: don't set empty envvars
Robert Swiecki [Sun, 28 Oct 2018 16:15:55 +0000 (17:15 +0100)]
cmdline: add ability to passthrough current envvars
Robert Swiecki [Thu, 25 Oct 2018 12:49:46 +0000 (14:49 +0200)]
Support --iface_vs_ma with libnl3
Robert Swiecki [Thu, 25 Oct 2018 12:10:33 +0000 (14:10 +0200)]
Merge branch 'master' of github.com:google/nsjail
Robert Swiecki [Thu, 25 Oct 2018 12:10:23 +0000 (14:10 +0200)]
configs/xchat: add LANG
Wiktor Garbacz [Wed, 24 Oct 2018 08:31:14 +0000 (10:31 +0200)]
code formatting
happyCoder92 [Wed, 24 Oct 2018 08:27:17 +0000 (10:27 +0200)]
Merge pull request #96 from mickydelfavero/master
Added --macvlan_vs_ma switch to be able to set macvlan's mac-address.
Micky Del Favero [Tue, 23 Oct 2018 20:24:43 +0000 (22:24 +0200)]
Remove duplicate code
Signed-off-by: Micky Del Favero <micky@BeeCloudy.net>
Micky Del Favero [Tue, 23 Oct 2018 13:05:50 +0000 (15:05 +0200)]
Added --macvlan_vs_ma switch to be able to set macvlan's mac-address.
Signed-off-by: Micky Del Favero <micky@BeeCloudy.net>
Robert Swiecki [Mon, 22 Oct 2018 12:44:12 +0000 (14:44 +0200)]
Updated kafel
Wiktor Garbacz [Thu, 6 Sep 2018 09:14:24 +0000 (11:14 +0200)]
use new kafel features in configs and examples
Wiktor Garbacz [Thu, 6 Sep 2018 09:12:06 +0000 (11:12 +0200)]
update kafel
robertswiecki [Mon, 3 Sep 2018 05:22:32 +0000 (07:22 +0200)]
Merge pull request #94 from tomj/master
README Docker disambiguations
tomj [Sun, 2 Sep 2018 15:39:41 +0000 (01:39 +1000)]
README Docker disambiguations
Disambiguate between nsjail _container_ and _command_ in README for easier reading.
- Being a n00b to this project I feel this makes the onboarding of use with Docker somewhat easier by removing duplicated/overloaded terms.
robertswiecki [Tue, 31 Jul 2018 21:15:43 +0000 (23:15 +0200)]
Merge pull request #90 from disconnect3d/patch-1
Update config.proto
Disconnect3d [Tue, 31 Jul 2018 21:10:05 +0000 (23:10 +0200)]
Update config.proto
Disconnect3d [Tue, 31 Jul 2018 21:09:24 +0000 (23:09 +0200)]
Update config.proto
Robert Swiecki [Tue, 31 Jul 2018 20:52:03 +0000 (22:52 +0200)]
config: correct way of setting pass_fd
Robert Swiecki [Sat, 28 Jul 2018 22:30:08 +0000 (00:30 +0200)]
mnt: function rename
Robert Swiecki [Fri, 27 Jul 2018 20:54:28 +0000 (22:54 +0200)]
configs/bash: add noexec/nodev/nosuid to a mount
Wiktor Garbacz [Fri, 27 Jul 2018 11:33:39 +0000 (13:33 +0200)]
subproc: reap processes after killing
Always try to release resources if possible.
Fixes #69
Wiktor Garbacz [Fri, 27 Jul 2018 09:27:01 +0000 (11:27 +0200)]
mnt: added nosuid/nodev/noexec flags to config
Closes #70
Wiktor Garbacz [Thu, 26 Jul 2018 12:16:55 +0000 (14:16 +0200)]
cgroup: refactor cgroup code
Extract common functions, use c++ strings.
Fixes #83
Wiktor Garbacz [Tue, 24 Jul 2018 14:30:31 +0000 (16:30 +0200)]
mnt: remount all filesystems
Explicitly specifying RW "/" mount in config did not yield desired
result.
The reason was a default RO "/" tmpfs is prepended to mountpoint
list. All filesystems are initially mounted RW to be able to create
directories for mountpoints. Read only filesystems were remounted
during a 2nd pass, effectively overriding RW flag of fs mounted
over them.
Fixes #88
Wiktor Garbacz [Tue, 24 Jul 2018 13:20:44 +0000 (15:20 +0200)]
conifg: parse cgroup_cpu settings
Fixes #87
robertswiecki [Mon, 23 Jul 2018 22:38:27 +0000 (00:38 +0200)]
Merge pull request #85 from jvvv/master
README.md, nsjail.1: add --stderr_to_null option
Robert Swiecki [Mon, 23 Jul 2018 22:23:44 +0000 (00:23 +0200)]
nsjail: clearer new_proc/reap_proc loop
Robert Swiecki [Mon, 23 Jul 2018 21:35:01 +0000 (23:35 +0200)]
subproc: better log messages
Robert Swiecki [Mon, 23 Jul 2018 15:13:17 +0000 (17:13 +0200)]
Don't re-run process if previous execution failed
John Vogel [Sat, 14 Jul 2018 14:20:34 +0000 (10:20 -0400)]
README.md, nsjail.1: add --stderr_to_null option
Robert Swiecki [Thu, 5 Jul 2018 12:32:07 +0000 (14:32 +0200)]
subproc: correct casting for nsjconf->tlimit in printf
Robert Swiecki [Mon, 25 Jun 2018 02:12:07 +0000 (04:12 +0200)]
configs/bash: add stderr_to_null
Robert Swiecki [Mon, 25 Jun 2018 02:10:42 +0000 (04:10 +0200)]
cmdline: more stderr_to_null closer to is_silent
Robert Swiecki [Mon, 25 Jun 2018 01:12:27 +0000 (03:12 +0200)]
config: Implement --stderr_to_null
Robert Swiecki [Wed, 20 Jun 2018 13:36:44 +0000 (15:36 +0200)]
net: use memset to init stack structs
Robert Swiecki [Tue, 19 Jun 2018 01:58:17 +0000 (03:58 +0200)]
Makefile: lower -Wformat to 1
Robert Swiecki [Sat, 16 Jun 2018 00:16:24 +0000 (02:16 +0200)]
util: c++ version of sprintf
robertswiecki [Tue, 12 Jun 2018 21:39:47 +0000 (23:39 +0200)]
Merge pull request #82 from jvvv/master
nsjail.1: update manpage to match README
projects / platform / upstream / nsjail.git / log