Robert Swiecki [Mon, 18 Dec 2017 01:04:44 +0000 (02:04 +0100)]
new kafel
robertswiecki [Sat, 9 Dec 2017 13:13:11 +0000 (14:13 +0100)]
Merge pull request #66 from kant/patch-1
Minor fixes (proposal)
Darío Hereñú [Sat, 9 Dec 2017 12:05:37 +0000 (09:05 -0300)]
Minor fixes (proposal)
Robert Swiecki [Thu, 7 Dec 2017 14:35:52 +0000 (15:35 +0100)]
configs: use rlimit_cpu_type instead of rlimit_cpu:
18446744073709551615
Robert Swiecki [Thu, 7 Dec 2017 14:06:31 +0000 (15:06 +0100)]
configs/ #typos
Robert Swiecki [Thu, 7 Dec 2017 14:03:23 +0000 (15:03 +0100)]
New config for xchat2 #typos
Robert Swiecki [Thu, 7 Dec 2017 13:39:19 +0000 (14:39 +0100)]
New config for xchat2
Robert Swiecki [Tue, 5 Dec 2017 21:23:48 +0000 (22:23 +0100)]
configs/firefox*: add fontconfig
Robert Swiecki [Tue, 5 Dec 2017 21:13:00 +0000 (22:13 +0100)]
configs/imagemagick: more syscalls allowed
Robert Swiecki [Tue, 5 Dec 2017 14:44:53 +0000 (15:44 +0100)]
config.cc: set exec_file only if arg0 is set
Robert Swiecki [Tue, 5 Dec 2017 14:01:27 +0000 (15:01 +0100)]
configs: some fixes thanks to the write-up at https://offbyinfinity.com/2017/12/sandboxing-imagemagick-with-nsjail/
Robert Swiecki [Sat, 2 Dec 2017 01:53:32 +0000 (02:53 +0100)]
user: correct check for getpwnam/gegrpnam failures
Robert Swiecki [Mon, 20 Nov 2017 16:03:06 +0000 (17:03 +0100)]
remove _NSConcreteStackBlock as we don't use defer{} any more
Robert Swiecki [Wed, 8 Nov 2017 16:20:57 +0000 (17:20 +0100)]
nsjail.h: different if guards for TEMP_FAILURE_RETRY
robertswiecki [Wed, 8 Nov 2017 16:16:53 +0000 (17:16 +0100)]
Merge pull request #64 from ebadi/master
Minor fixes
Hamid Ebadi [Wed, 8 Nov 2017 15:45:02 +0000 (16:45 +0100)]
Minor fixes
robertswiecki [Sat, 4 Nov 2017 16:52:59 +0000 (17:52 +0100)]
Merge pull request #63 from ShikChen/master
Fix max_conns_per_ip
shik [Sat, 4 Nov 2017 14:15:31 +0000 (22:15 +0800)]
fix max_conns_per_ip
Robert Swiecki [Thu, 2 Nov 2017 12:13:07 +0000 (13:13 +0100)]
cmdline: comment on skip_setsid
Robert Swiecki [Thu, 2 Nov 2017 12:08:08 +0000 (13:08 +0100)]
config.proto: comment on skip_setsid
Robert Swiecki [Wed, 1 Nov 2017 13:21:50 +0000 (14:21 +0100)]
subproc: actually si_syscall don't show syscalls
robertswiecki [Sat, 28 Oct 2017 21:36:02 +0000 (23:36 +0200)]
Merge pull request #61 from jvvv/master
Adjust documents for clone_newcgroup change.
John Vogel [Fri, 27 Oct 2017 04:25:59 +0000 (00:25 -0400)]
Adjust documents for clone_newcgroup change.
Change --enable_clone_newcgroup to --disable_clone_newcgroup.
Add comment about kernel version for clone_newcgroup option.
Robert Swiecki [Thu, 26 Oct 2017 23:53:05 +0000 (01:53 +0200)]
Makefile: remove relro,now as it doesn't allow to compile under some archs
Robert Swiecki [Thu, 26 Oct 2017 21:00:15 +0000 (23:00 +0200)]
mount: add info about mounting /proc
Robert Swiecki [Thu, 26 Oct 2017 20:57:14 +0000 (22:57 +0200)]
subproc: reflow comments
Robert Swiecki [Thu, 26 Oct 2017 14:19:30 +0000 (16:19 +0200)]
cmdline/config: make --enable_clone_newcgroup obsolete by enabling CLONE_NEWCGROUP by default. This can be disabled by flags/config #2
Robert Swiecki [Thu, 26 Oct 2017 14:16:05 +0000 (16:16 +0200)]
cmdline/config: make --enable_clone_newcgroup obsolete by enabling CLONE_NEWCGROUP by default. This can be disabled by flags/config
Robert Swiecki [Thu, 26 Oct 2017 00:43:40 +0000 (02:43 +0200)]
configs/ increas rlimit_nofile for firefox
Robert Swiecki [Thu, 26 Oct 2017 00:29:15 +0000 (02:29 +0200)]
mount: const'antize the mountPair struct
Robert Swiecki [Thu, 26 Oct 2017 00:27:18 +0000 (02:27 +0200)]
mount: an array of known mount/vfsmount flag pairs
Robert Swiecki [Thu, 26 Oct 2017 00:17:52 +0000 (02:17 +0200)]
mount: don't reuse flags from statvfs directly for remounting
Robert Swiecki [Wed, 25 Oct 2017 22:35:59 +0000 (00:35 +0200)]
config.proto: reflow field numbering
Robert Swiecki [Wed, 25 Oct 2017 22:34:32 +0000 (00:34 +0200)]
Makefile/indent: add clang-format for proto
Robert Swiecki [Wed, 25 Oct 2017 22:26:02 +0000 (00:26 +0200)]
Makefile/indent: base it on the google template with modifications
Robert Swiecki [Wed, 25 Oct 2017 14:04:28 +0000 (16:04 +0200)]
Robert Swiecki [Wed, 25 Oct 2017 13:57:17 +0000 (15:57 +0200)]
cgroup: remove duplicated check for values
Robert Swiecki [Wed, 25 Oct 2017 13:51:06 +0000 (15:51 +0200)]
nsjail: make njsconf::cgroup_pids_max unsigned int #2
Robert Swiecki [Wed, 25 Oct 2017 13:50:24 +0000 (15:50 +0200)]
nsjail: make njsconf::cgroup_pids_max unsigned int
Robert Swiecki [Wed, 25 Oct 2017 13:44:35 +0000 (15:44 +0200)]
Use uint64_t instead of __rlim64_t
robertswiecki [Wed, 25 Oct 2017 13:35:35 +0000 (15:35 +0200)]
Merge pull request #58 from pandax381/support-cgroup-net-cls
Support cgroup net_cls subsystem
YAMAMOTO Masaya [Wed, 25 Oct 2017 08:56:14 +0000 (17:56 +0900)]
Update documents
YAMAMOTO Masaya [Wed, 25 Oct 2017 08:15:03 +0000 (17:15 +0900)]
Support cgroup net_cls subsystem
Robert Swiecki [Tue, 24 Oct 2017 23:45:39 +0000 (01:45 +0200)]
mount: don't complain about ability to create mount dirs
Robert Swiecki [Tue, 24 Oct 2017 23:34:10 +0000 (01:34 +0200)]
pid: Don't start new ns-init id CLONE_NEWPID is not requested
Robert Swiecki [Tue, 24 Oct 2017 14:20:51 +0000 (16:20 +0200)]
log: do isatty(log_fd) in log constructor
Robert Swiecki [Fri, 20 Oct 2017 13:56:32 +0000 (15:56 +0200)]
subproc: use SIG_SETMASK to unblock all signals
Robert Swiecki [Fri, 20 Oct 2017 12:46:43 +0000 (14:46 +0200)]
configs/busybox: indicate that the busybox must be statically compiled
Robert Swiecki [Fri, 20 Oct 2017 12:44:07 +0000 (14:44 +0200)]
Merge branch 'master' of ssh://github.com/google/nsjail
Robert Swiecki [Fri, 20 Oct 2017 12:43:56 +0000 (14:43 +0200)]
subproc: unblock all signals before executing a process
Robert Swiecki [Fri, 20 Oct 2017 11:02:15 +0000 (13:02 +0200)]
mount: use NS_DIR_TRUE instead of true in cmdline
Robert Swiecki [Thu, 19 Oct 2017 20:39:37 +0000 (22:39 +0200)]
mount: try creating starting tmpfs's in /run/user/<uid> first
Robert Swiecki [Thu, 19 Oct 2017 13:58:57 +0000 (15:58 +0200)]
mount: merge string line in log
Robert Swiecki [Thu, 19 Oct 2017 13:46:31 +0000 (15:46 +0200)]
mount: missing 'return false' if the mount fails
Robert Swiecki [Thu, 19 Oct 2017 13:25:20 +0000 (15:25 +0200)]
nsjail: use CTRL+\ (SIGQUIT) to display active sessions
Robert Swiecki [Thu, 19 Oct 2017 12:56:45 +0000 (14:56 +0200)]
use O_CLOEXEC with utilWriteBufToFile wherever possible
Robert Swiecki [Thu, 19 Oct 2017 11:11:41 +0000 (13:11 +0200)]
subproc: comments around new proc stack
Robert Swiecki [Thu, 19 Oct 2017 00:32:55 +0000 (02:32 +0200)]
subproc: typos
Robert Swiecki [Thu, 19 Oct 2017 00:24:34 +0000 (02:24 +0200)]
make indent
robertswiecki [Thu, 19 Oct 2017 00:22:08 +0000 (02:22 +0200)]
Merge pull request #56 from VCTLabs/stack-alignment
align stack for child process
Robert Swiecki [Thu, 19 Oct 2017 00:14:58 +0000 (02:14 +0200)]
user: avoid calling setresgid twice on machines that support setres(g|u)id32
robertswiecki [Wed, 18 Oct 2017 21:32:13 +0000 (23:32 +0200)]
Merge pull request #55 from jvvv/master
manpage: add --execute_fd option
John Vogel [Wed, 18 Oct 2017 18:48:24 +0000 (14:48 -0400)]
manpage: add --execute_fd option
Robert Swiecki [Wed, 18 Oct 2017 16:02:23 +0000 (18:02 +0200)]
cmdline: typo
Robert Swiecki [Wed, 18 Oct 2017 15:57:52 +0000 (17:57 +0200)]
cmdline: add option --execute_fd and support for it, in order to use execveat()
Robert Swiecki [Wed, 18 Oct 2017 13:41:16 +0000 (15:41 +0200)]
No need to use '== true'
Robert Swiecki [Wed, 18 Oct 2017 13:41:02 +0000 (15:41 +0200)]
No need to add custom flags when remounting RO
Robert Swiecki [Wed, 18 Oct 2017 13:31:15 +0000 (15:31 +0200)]
mount: mountFlagsToStr cannot be repeated as it uses TLS buffer
Robert Swiecki [Wed, 18 Oct 2017 12:46:17 +0000 (14:46 +0200)]
simplify includes, remove unneeded, add needed
Robert Swiecki [Wed, 18 Oct 2017 12:27:34 +0000 (14:27 +0200)]
Move struct nsjail_t definition to nsjail.h and leave only macros in common.h
Robert Swiecki [Wed, 18 Oct 2017 10:33:24 +0000 (12:33 +0200)]
subproc: clear signal handlers in the child process
robertswiecki [Tue, 17 Oct 2017 13:40:48 +0000 (15:40 +0200)]
Merge pull request #54 from VCTLabs/compat-3.x-kernel
Revert "caps: define CAP_AUDIT_READ if not defined"
Robert Swiecki [Tue, 17 Oct 2017 13:22:23 +0000 (15:22 +0200)]
Makefile: add columnt limit to the indent
Robert Swiecki [Tue, 17 Oct 2017 13:16:27 +0000 (15:16 +0200)]
user: use setresuid32 where available first (on some 32bit platforms:
Ron Lockwood-Childs [Tue, 17 Oct 2017 09:22:58 +0000 (02:22 -0700)]
align stack for child process
Fixes "bus error" crashes on aarch64 caused by alignment faults.
On aarch64, the stack pointer needs to be 16-byte aligned; use gcc
builtin macro __BIGGEST_ALIGNMENT__ to specify a stack alignment
suitable for each platform.
Ron Lockwood-Childs [Mon, 16 Oct 2017 21:01:10 +0000 (14:01 -0700)]
Revert "caps: define CAP_AUDIT_READ if not defined"
Restore compatibility with 3.x kernels by not requiring CAP_AUDIT_READ
if not defined in kernel header file
This reverts commit
7820553cb9296b5f1a3137153948db45309aa6b1.
Conflicts:
caps.c
contain.h
Robert Swiecki [Mon, 16 Oct 2017 13:31:14 +0000 (15:31 +0200)]
nsjail: add missing commans in nested structs and make indent
Robert Swiecki [Mon, 16 Oct 2017 13:19:07 +0000 (15:19 +0200)]
user: remove static from idx vars, it causes crash after many iterations of nsjail
robertswiecki [Thu, 12 Oct 2017 12:11:45 +0000 (14:11 +0200)]
Merge pull request #51 from jvvv/master
manpage: update for recent option changes
John Vogel [Thu, 12 Oct 2017 06:53:10 +0000 (02:53 -0400)]
manpage: update for recent option changes
Add --proc_path and --proc_rw options.
Also clean up --mode|-M option layout.
Robert Swiecki [Wed, 11 Oct 2017 13:43:59 +0000 (15:43 +0200)]
net: prettier logging in bind
Robert Swiecki [Wed, 11 Oct 2017 00:16:14 +0000 (02:16 +0200)]
cmdline: better --rw description
Robert Swiecki [Wed, 11 Oct 2017 00:10:52 +0000 (02:10 +0200)]
cmdline: add --proc_path and --proc_rw options
Robert Swiecki [Sun, 8 Oct 2017 21:06:40 +0000 (23:06 +0200)]
move VALSTR_STRUCT to common.h
Robert Swiecki [Sun, 8 Oct 2017 21:03:02 +0000 (23:03 +0200)]
allow for indentation of more structures (now with clang-format)
Robert Swiecki [Sun, 8 Oct 2017 21:00:45 +0000 (23:00 +0200)]
make indent
Robert Swiecki [Sun, 8 Oct 2017 20:52:52 +0000 (22:52 +0200)]
switch indent to clang-format completely
Robert Swiecki [Sun, 8 Oct 2017 20:50:06 +0000 (22:50 +0200)]
config.proto: reflow numbering of fields
Robert Swiecki [Sun, 8 Oct 2017 13:17:57 +0000 (15:17 +0200)]
mount: make mountIsDir static
Robert Swiecki [Sun, 8 Oct 2017 13:02:41 +0000 (15:02 +0200)]
subproc: print syscall number as decimal
Robert Swiecki [Sun, 8 Oct 2017 11:00:37 +0000 (13:00 +0200)]
cmdline: missing 'soft'/'hard' variants for RLIMIT_STACK in usage()
Robert Swiecki [Sun, 8 Oct 2017 10:57:51 +0000 (12:57 +0200)]
Merge branch 'master' of ssh://github.com/google/nsjail
Robert Swiecki [Sun, 8 Oct 2017 10:57:43 +0000 (12:57 +0200)]
cmdline: missing comparison in cmdlineParseRLimit()
robertswiecki [Sun, 8 Oct 2017 10:56:22 +0000 (12:56 +0200)]
Merge pull request #50 from jvvv/master
manpage: tweak for recent options changes
robertswiecki [Sun, 8 Oct 2017 10:55:56 +0000 (12:55 +0200)]
Merge pull request #49 from disconnect3d/small-refactor-sandbox
sandbox.c: small refactor
Robert Swiecki [Sun, 8 Oct 2017 10:00:19 +0000 (12:00 +0200)]
subproc: print si->si_errno as well as it provides user-supplied value from seccomp-bpf
Robert Swiecki [Sun, 8 Oct 2017 09:55:11 +0000 (11:55 +0200)]
subproc: reorder printing of si->si_syscall #2
Robert Swiecki [Sun, 8 Oct 2017 09:53:24 +0000 (11:53 +0200)]
subproc: reorder printing of si->si_syscall
Robert Swiecki [Sun, 8 Oct 2017 09:51:37 +0000 (11:51 +0200)]
subproc: print si->si_syscall
John Vogel [Sun, 8 Oct 2017 05:28:06 +0000 (01:28 -0400)]
manpage: tweak for recent options changes
Adjust rlimit_* options to match command line --help output.
Add --really_quiet option.
And some clean up:
Remove 'See Also' section that only references a non-existent
info page that is a relic of using help2man for initial manual
page generation.
projects / platform / upstream / nsjail.git / log