Youngjae Cho [Thu, 26 Dec 2024 10:36:03 +0000 (19:36 +0900)]
Fix c++ standard from 14 to 17 for abseil-cpp version up to 20240722.0
It fixes the below build error.
/usr/include/absl/strings/string_view.h:53:26:
error: 'string_view' in namespace 'std' does not name a type
53 | using string_view = std::string_view;
| ^~~~~~~~~~~
/usr/include/absl/strings/string_view.h:53:21:
note: 'std::string_view' is only available from C++17 onwards
53 | using string_view = std::string_view;
Change-Id: I65c3ae573d9510934222e3b41764dca3285cc2cd
Signed-off-by: Youngjae Cho <y0.cho@samsung.com>
Youngjae Cho [Mon, 23 Dec 2024 01:28:21 +0000 (10:28 +0900)]
Fix conflicts caused by protobuf version up to 25.0
Firstly, the protobuf has changed not to accept base c++ standard
below 14. Therefore, fixed it to C++14.
/usr/include/absl/base/policy_checks.h:79:2: error: #error "C++ versions
less than C++14 are not supported."
79 | #error "C++ versions less than C++14 are not supported."
And the protobuf has removed SetLogHandler() as of the below commit at
version 22.0.
Breaking change: Migrate to Abseil's logging library.
(https://github.com/protocolbuffers/protobuf/commit/a9f1ea6)
Unfortunately, they have not offered any replacement function nor
guideline for alternative implementation of SetLogHandler() after
removing it. And the latest upstream nsjail has not fixed it either.
Therefore, removed the SetLogHandler() for now.
Change-Id: I2dbc35d499d71f63772d52e439738f14f460b6d5
Signed-off-by: Youngjae Cho <y0.cho@samsung.com>
Unsung Lee [Fri, 24 Nov 2023 12:49:34 +0000 (21:49 +0900)]
spec: Remove test program from main package
Currently, the test program is included in both the main package and the test package.
This is because the main package includes all files starting with nsjail.
It excludes the nsjail_test directory from the main package.
Change-Id: I83a004297524545d15b028d2f4d17a163ccc7774
Signed-off-by: Unsung Lee <unsung.lee@samsung.com>
Unsung Lee [Fri, 24 Nov 2023 12:41:42 +0000 (21:41 +0900)]
Makefile: Add security compiling flags (RELRO)
Add "-Wl,-z,relro" (Partial RELRO) in COMMON_FLAGS and LDFLAGS
to support RELRO (RELocation Read-Only).
It is used to defend against GOT-Overwrite attack by removing write permission.
Change-Id: If15e159d5b2e5ad1a07e54098ac9051581881abe
Signed-off-by: Unsung Lee <unsung.lee@samsung.com>
Łukasz Stelmach [Thu, 3 Aug 2023 12:09:37 +0000 (14:09 +0200)]
packaging: add the patch for kafel
The patch fixes problems with parallel builds on highly loaded systems,
where bison(1) and flex(2) may be invoked twice and break currently
running compilers.
Change-Id: I1699ad46b5bad49f5076623f7b7b38a482e789f2
Cc: HyungGi Lee <hyunggi.lee@samsung.com>
Signed-off-by: Łukasz Stelmach <l.stelmach@samsung.com>
Łukasz Stelmach [Wed, 9 Aug 2023 08:22:04 +0000 (10:22 +0200)]
Restore "riscv64: Update kafel"
This reverts commit 4adb2b26b95c34474b45ab716c131ac26165eea3.
Change-Id: Ieb57480755310acc21e0911cd16e92367b89ba6b
Signed-off-by: Łukasz Stelmach <l.stelmach@samsung.com>
Chanwoo Choi [Thu, 27 Jul 2023 01:26:14 +0000 (10:26 +0900)]
Revert "riscv64: Update kafel"
This reverts commit 7fd784c88b99962b40087bce082ae970464091df.
It causes the build to fail. Revert it and then fix the build issue.
Change-Id: I8adab0910411f2cf60aab060535d382598554345
Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
ndrewh [Thu, 4 Nov 2021 01:17:18 +0000 (21:17 -0400)]
Fix compile using `FROM ubuntu:20.04`
Remove clone_args members that are only present in 5.5+ and 5.7+
cherry-picked upstream commit b248125
Change-Id: I05e6d003bf528ff4c445d1610b440eafc2f81ff7
Marek Pikuła [Tue, 8 Nov 2022 15:20:55 +0000 (16:20 +0100)]
riscv64: Update kafel
Upstream Kafel version https://github.com/google/kafel.git 1af0975
Change-Id: I4754aa094ad0efb4b308a9e1c1fb0f9cfba39493
Signed-off-by: Łukasz Stelmach <l.stelmach@samsung.com>
Hyotaek Shim [Mon, 14 Mar 2022 09:21:48 +0000 (18:21 +0900)]
Add .gitignore
Change-Id: I45d3a57cea80ba0a6d6f949568a306db76f8d367
Signed-off-by: Hyotaek Shim <hyotaek.shim@samsung.com>
Hyotaek Shim [Mon, 14 Mar 2022 09:20:02 +0000 (18:20 +0900)]
Fix nsjail.service to remove duplicated options
Change-Id: I8c468e8e13fb8de25f585c58370987667529ba86
Signed-off-by: Hyotaek Shim <hyotaek.shim@samsung.com>
Kunhoon Baik [Fri, 24 Sep 2021 05:40:24 +0000 (14:40 +0900)]
Fix Multiple Targets and Parallel builds issue
In a parallel build (with the -j option), xxx.c and xxx.h are scheduled independently.
Thus, bison and flex will be called twice.
Sometimes, it causes a build error.
To create multiple targets in one invocation, pattern rules with multiple targets are used.
Kunhoon Baik [Thu, 16 Sep 2021 08:20:41 +0000 (17:20 +0900)]
Disable remount memory cgroup and no malort creation if no memory cgroup
If memory cgroup does not exist,
- we will not try to create memory cgroup or remount memory cgroup.
- malort will not setup memory cgroup
Kunhoon Baik [Fri, 10 Sep 2021 08:20:59 +0000 (17:20 +0900)]
Remove /bin, /usr/bin mount from test configuration
For minimal exposure of executable binaries
Kunhoon Baik [Thu, 9 Sep 2021 12:57:58 +0000 (21:57 +0900)]
Adjust test configuration of nsjail test
Kunhoon Baik [Thu, 9 Sep 2021 12:56:04 +0000 (21:56 +0900)]
[Temporary] Add lua related directory
This is a patch for malort project.
This patch will be moved to other git with refactoring.
Kunhoon Baik [Thu, 9 Sep 2021 00:19:10 +0000 (09:19 +0900)]
Fix test nsjail configuration
The number of nsjail's default nofile is 32.
In some target platform, it is too low.
Thus, this patch sets a large enough number for nofile.
Kunhoon Baik [Thu, 9 Sep 2021 00:18:17 +0000 (09:18 +0900)]
Fix to apply mthumb option to only arm
Kunhoon Baik [Wed, 8 Sep 2021 02:12:18 +0000 (11:12 +0900)]
Add mthumb option to Linker flag
For supporting mthumb (+lto) in compiler 9.2, -mthumb should be also applied to "link flags"
Kunhoon Baik [Tue, 7 Sep 2021 03:02:25 +0000 (12:02 +0900)]
Add TV permission signature to service file
Kunhoon Baik [Mon, 6 Sep 2021 07:41:04 +0000 (16:41 +0900)]
Add cgroup_remount program for target using old-resourced
Old Tizen resourced used "resourced" cgroup folder for controlling memory instead of "memory"
To apply nsjail(+malort) for such target, memory folder should be created.
For the compatibility, cgroup_mount is provided.
cf) provide mount program because some targets cannot use mount program freely.
Kunhoon Baik [Fri, 3 Sep 2021 00:55:02 +0000 (09:55 +0900)]
Fix "-Werror=shadow" Error of open source nsjail
The arg env of systemExe function shadows global env variable.
- Local Function : int systemExe(const std::vector<std::string>& args, char** env);
- Global : static __thread jmp_buf env;
-Werror=shadow options catches the issue.
Thus, the arg env of systemExe is changed to exec_env to avoid the compiler issue.
cf) This patch is not yet contributed to nsjail open source.
Kunhoon Baik [Tue, 31 Aug 2021 01:31:40 +0000 (10:31 +0900)]
Exit test program in case of malloc fail
Kunhoon Baik [Wed, 25 Aug 2021 10:19:07 +0000 (19:19 +0900)]
x86 build fixes
Recent x86 build problem of kafel was solved.
- https://github.com/google/nsjail/commit/87af69bea4a2ec3cc8ba0866bed55cb00b1b565c
Instead of disabling x86 build, apply the patch.
Kunhoon Baik [Wed, 25 Aug 2021 08:35:24 +0000 (17:35 +0900)]
Add definition for building Kafel in ARM and AARCH64
Tizen supports linux kernel header include files in the linux-glibc-devel package.
Unfortunately, it supports old definition.
Thus, to build Kafel correctly, following definition should be defined.
(Original Kafel does not include such definition)
This patch includes the modification in kafel/src/common.h
Kunhoon Baik [Wed, 25 Aug 2021 05:24:45 +0000 (14:24 +0900)]
Add nsjail upstream url
Please keep the latest upstream source code in the upstream-git by using the url in "#X-Vcs-Url"
You can update the upstream manually. Following commands can be used to keep the latest upstream source code.
$ git remote add upstream https://github.com/google/nsjail.git
$ git fetch --all
$ git checkout upstream-git
$ git rebase upstream/master
$ git push origin upstream-git:upstream-git
Kunhoon Baik [Tue, 24 Aug 2021 01:38:36 +0000 (10:38 +0900)]
Clean up Kafel source code
Cleanup object files and bison/flex generated files
Kunhoon Baik [Mon, 23 Aug 2021 07:53:47 +0000 (16:53 +0900)]
Disable Net NS feature for Tizen
Tizen does not support libnl3 net namespace officially because libnl3 version is 3.2.22.
At this moment, malort project does not require network virtualization.
Thus, at this moment, it is ok to disable Tizen.
In the future, when libnl3 is upgraded to over 3.2.24, net namespace feature will be enabled.
Kunhoon Baik [Mon, 23 Aug 2021 07:20:38 +0000 (16:20 +0900)]
Disable MACVLAN feature for Tizen
Tizen does not support libnl3 macvlan officially because libnl3 version is 3.2.22.
In addition, MACVLAN feature was not tested in Tizen.
At this moment, malort project does not require network virtualization.
Thus, at this moment, it is ok to disable Tizen.
In the future, when MACVLAN is supported in Tizen, MACVLAN feature will be enabled.
Kunhoon Baik [Thu, 29 Jul 2021 10:55:33 +0000 (19:55 +0900)]
Change test configuration - log path and cpu conf
- malort project will use "/var/log/malort" instead of "/tmp"
- malort project does not create child cgroup node of each "NSJAIL" process.
Kunhoon Baik [Wed, 21 Jul 2021 08:44:08 +0000 (17:44 +0900)]
Add /dev and /tmp for Testing
- some program may access to /dev/random by using random function
For that, add /dev bind mount until finding better way
- Tizen application cannot write some volatile data to /opt/var
For that, provide /tmp mount until finding better way
Kunhoon Baik [Wed, 21 Jul 2021 00:27:33 +0000 (09:27 +0900)]
Change cgroup node from NSJAIL to malort
As default, NSJAIL uses "NSJAIL" folder to create nsjail controller cgroup.
However, ST-hub uses the folder as "malort" which is internal project name.
At this moment, to reduce not-hurried code clean-up tasks, change nsjail root folder as "malort"
Kunhoon Baik [Mon, 19 Jul 2021 04:27:18 +0000 (13:27 +0900)]
Add nsjail test Tizen application
This is an application to execute nsjail for testing nsjail in Tizen application Environment.
Use build script "build_test_runner.sh" to build. You need to install Tizen CLI to build.
You can execute the app like following.
- $> aul_test launch test_runner execute /usr/bin/nsjail_test/jail_mem_syscall_test
Kunhoon Baik [Mon, 19 Jul 2021 03:14:39 +0000 (12:14 +0900)]
Add nsjail service for Tizen distribution
Tizen will use nsjail as application container by using USER Namespace.
If creating new user namespace, the new user can get admin(root) privilege in the namespace,
and can use several kernel resource by creating other namespaces.
However, the new user namespace cannot access unprivileged resource in original namespace.
For that, Tizen nsjail service creates some resources (directories for cgroup, and bind mount tmp directories) for the new user namespace.
cf) Each Tizen App has each smack label.
Unfortunately, nsjail does not consider such issue for bind mount.
For that, at this moment, we create new user's uid based folder name for each application.
In the future, the folder name should be created on basis of Tizen package name.
Kunhoon Baik [Fri, 16 Jul 2021 09:10:46 +0000 (18:10 +0900)]
Add runner-sandbox.cfg for Tizen nsjail test
Nsjail uses a specific configuration file for jailing.
For testing nsjail in Tizen, sthub script engine runner sandbox.cfg is added.
You can test it like following.
nsjail -v --config /usr/share/runner-sandbox.cfg -- /usr/bin/nsjail_test/jail_mem_syscall_test
Kunhoon Baik [Thu, 15 Jul 2021 09:19:35 +0000 (18:19 +0900)]
Add Simple test program for Tizen nsjail
- memory limit test
- syscall(getuid) violation test
More test programs should be created
Kunhoon Baik [Thu, 15 Jul 2021 05:16:27 +0000 (14:16 +0900)]
Adjust cgroup cpu for Tizen
Latest public Tizen does not support cfs_period_us or cfs_quota_us because CONFIG_FAIR_GROUP_SCHED, CONFIG_CFS_BANDWIDTH are not enabled.
Thus, instead of strict cpu limitation using cfs_quota, use cpu_shares.
The cpu_shares of each NSJAIL process will be assigned according to ratio (cfs_quota/cfs_period)
This is temporary patch and is not well validated.
Tizen will consider to enable the kernel option for cfs_quota_us.
Kunhoon Baik [Mon, 12 Jul 2021 09:07:35 +0000 (18:07 +0900)]
Creating nsjail RPM specification and build patch based on upstream-git branch
Upstream git was created with "nsjail 2021-07-07 version"
For Tizen RPM, additional patches were created based on the open source version
1) Linking to upstream-git branch - .gbs.conf
: You can check the Tizen open source updating guide at https://wiki.tizen.org/Updating_packages
2) Creating kafel.tar.gz
: Unfortunately, Tizen does not provide git tool at build time. (git-core package is required)
: Thus, instead of using git submodule command, create kafel.tar.gz from the git submodule.
: For your information, following patch is added for the kafel for fixing build error (TODO)
+// Fix for Linux <3.12
+#ifndef EM_ARM
+#define EM_ARM 40
+#endif
+
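Review bot: the `#ifndef EM_ARM` fallback carries only the comment "Fix for Linux <3.12", which does not say which header is expected to provide the constant. Naming that header in the comment, and noting that 40 is the ELF machine number for ARM, would let the next maintainer verify the value and drop the block once the Tizen kernel headers are updated, which matters because the commit message already marks this as a TODO.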
3) NSJail requires 3.2.24 over libnl3 version.
Unfortunately, current Tizen libnl3 version is 3.2.22. (TODO)
Robert Swiecki [Wed, 7 Jul 2021 09:55:17 +0000 (11:55 +0200)]
cmdline: clone_newcgroup -> true by default; clone_newtime should be false
Robert Swiecki [Wed, 16 Jun 2021 15:44:07 +0000 (17:44 +0200)]
make indent
robertswiecki [Wed, 16 Jun 2021 15:43:31 +0000 (17:43 +0200)]
Merge pull request #172 from eli-zr/_macvlan_mode
MACVLAN modes support
Eli Zrihen [Wed, 16 Jun 2021 13:59:12 +0000 (16:59 +0300)]
MACVLAN modes support
Robert Swiecki [Tue, 18 May 2021 12:38:01 +0000 (14:38 +0200)]
Enable support for clone3() and for CLONE_NEWTIME
robertswiecki [Wed, 12 May 2021 07:51:35 +0000 (09:51 +0200)]
Merge pull request #170 from infiniteregrets/fix-macro
Fixed macro in subproc.cc
Mehul Arora [Wed, 12 May 2021 06:43:06 +0000 (12:13 +0530)]
Fixed macro in subproc.cc
Robert Swiecki [Tue, 11 May 2021 12:48:45 +0000 (14:48 +0200)]
Initial support for CLONE_NEWTIME
Wiktor Garbacz [Fri, 7 May 2021 15:50:31 +0000 (17:50 +0200)]
Update kafel to include bugfixes
Robert Swiecki [Wed, 5 May 2021 11:50:51 +0000 (13:50 +0200)]
configs/ - add comments to config files using #
robertswiecki [Tue, 4 May 2021 19:41:17 +0000 (21:41 +0200)]
Merge pull request #164 from ziqin/master
Fix a typo in command line description
Wiktor Garbacz [Wed, 28 Apr 2021 14:32:09 +0000 (16:32 +0200)]
Bump kafel
Wiktor Garbacz [Thu, 22 Apr 2021 09:01:04 +0000 (11:01 +0200)]
Yet another bugfix Kafel version bump
Wiktor Garbacz [Wed, 21 Apr 2021 07:47:20 +0000 (09:47 +0200)]
update kafel again to include a bugfix.
Wiktor Garbacz [Fri, 16 Apr 2021 12:22:30 +0000 (14:22 +0200)]
Update kafel
WANG Ziqin [Sat, 3 Apr 2021 15:59:35 +0000 (23:59 +0800)]
Fix default value of cgroup_cpu_mount in README
Ziqin Wang [Sat, 3 Apr 2021 15:31:56 +0000 (23:31 +0800)]
Fix typo in command line description
happyCoder92 [Wed, 10 Feb 2021 07:47:34 +0000 (08:47 +0100)]
Merge pull request #160 from ginkoid/master
net: add support for max_conns
Philip Papurt [Tue, 9 Feb 2021 22:13:35 +0000 (17:13 -0500)]
net: add support for max_conns
Robert Swiecki [Mon, 1 Feb 2021 22:22:43 +0000 (23:22 +0100)]
subproc: refer users to dmesg in case si_syscall==31 (SIGSYS)
Wiktor Garbacz [Thu, 28 Jan 2021 08:47:31 +0000 (09:47 +0100)]
Fix build
Wiktor Garbacz [Wed, 27 Jan 2021 13:37:12 +0000 (14:37 +0100)]
Add new capabilities, ignore unsupported caps for bounding set
Robert Swiecki [Sun, 30 Aug 2020 21:22:22 +0000 (23:22 +0200)]
nsjail: don't add connections to the proxy map if launching a new process failed
Robert Swiecki [Sun, 30 Aug 2020 20:02:08 +0000 (22:02 +0200)]
subproc: kill a process once in the -Ml mode once the TCP connection has ended
robertswiecki [Wed, 26 Aug 2020 15:02:02 +0000 (17:02 +0200)]
Merge pull request #150 from joemiller/patch-1
remove build dependency on which
Robert Swiecki [Wed, 26 Aug 2020 14:09:55 +0000 (16:09 +0200)]
make indent
joe miller [Sat, 15 Aug 2020 00:07:30 +0000 (17:07 -0700)]
remove build dependency on which
robertswiecki [Mon, 3 Aug 2020 20:42:28 +0000 (22:42 +0200)]
Merge pull request #148 from boryspoplawski/master
Fix compilation errors on old gcc (5.4.0)
Robert Swiecki [Mon, 3 Aug 2020 18:43:08 +0000 (20:43 +0200)]
Makefile: compile kafel with -fPIE (maybe fixes #149)
borysp [Wed, 29 Jul 2020 13:18:10 +0000 (15:18 +0200)]
Fix compilation errors on old gcc (5.4.0)
Robert Swiecki [Tue, 28 Jul 2020 12:03:27 +0000 (14:03 +0200)]
config.proto: make indent
Robert Swiecki [Tue, 28 Jul 2020 12:02:34 +0000 (14:02 +0200)]
config.proto: renumerate config fields
robertswiecki [Wed, 22 Jul 2020 22:09:23 +0000 (00:09 +0200)]
Merge pull request #147 from disconnect3d/patch-2
Fixes #146: cgroups_mem_max unit in config.proto
Disconnect3d [Thu, 16 Jul 2020 12:43:43 +0000 (14:43 +0200)]
Fixes #146: cgroups_mem_max unit in config.proto
This commit fixes the incorrect cgroups_mem_max unit described in a config.proto comment.
We do not perform any calculations on this value and we don't specify the value's unit (k/M/G) when writing to memory cgroup controller files, so the value is specified in bytes.
Robert Swiecki [Thu, 9 Jul 2020 15:29:02 +0000 (17:29 +0200)]
make indent
Robert Swiecki [Thu, 9 Jul 2020 15:28:56 +0000 (17:28 +0200)]
config: remove deprecated config options
robertswiecki [Tue, 7 Jul 2020 14:52:21 +0000 (16:52 +0200)]
Merge pull request #145 from cblichmann/master
Fix a few typos.
Christian Blichmann [Tue, 7 Jul 2020 12:07:22 +0000 (14:07 +0200)]
Fix a few typos.
These were found by external tooling while preparing the Debian package.
* Uknown -> Unknown
* Writting -> Writing
* commited -> committed
* processess -> processes
Signed-off-by: Christian Blichmann <mail@blichmann.eu>
happyCoder92 [Tue, 7 Jul 2020 09:55:11 +0000 (11:55 +0200)]
Merge pull request #144 from arcz/config-deps-paths
Build-time config of newuidmap and newgidmap paths
Artur Cygan [Mon, 6 Jul 2020 12:38:11 +0000 (14:38 +0200)]
Stringify CLI-passed paths
Artur Cygan [Mon, 22 Jun 2020 11:42:22 +0000 (13:42 +0200)]
Build-time config of newuidmap and newgidmap paths
Robert Swiecki [Tue, 21 Apr 2020 09:25:06 +0000 (11:25 +0200)]
nsjail: don't change cwd during daemon()
Wiktor Garbacz [Fri, 27 Mar 2020 09:19:40 +0000 (10:19 +0100)]
Fix format specifier for size_t
happyCoder92 [Thu, 19 Mar 2020 12:50:35 +0000 (13:50 +0100)]
Merge pull request #136 from c7f-m0d3/master
fix non-functional max_conns_per_ip
Piotr Krysiuk [Thu, 19 Mar 2020 00:13:28 +0000 (00:13 +0000)]
fix non-functional max_conns_per_ip
Starting with nsjail::listenMode update to pipe socket traffic [commit 273ce6bc846b7325c7f0915067c54bf8cf6f5654], a pipe file descriptor is passed as connsock parameter when calling net::limitConns and also as sock parameter when calling addProc in subproc::runChild.
This breaks net::limitConns because pid.remote_addr and also local variable addr are left uninitialized despite net::connToText calls when counting number of existing network connections from the same peer.
The subsequent correction to fetch remote address [commit 2cf562160d308f9b5cca767a2459332f2041b41c] made the bug even more interesting, since the loop in net::limitConns now compares unsanitized content of stack with network addresses of already connected clients.
happyCoder92 [Mon, 2 Mar 2020 14:31:37 +0000 (15:31 +0100)]
Merge pull request #133 from sirdarckcat/master
Create dockerpush.yml
Eduardo' Vela" Nava (sirdarckcat) [Sun, 1 Mar 2020 06:56:34 +0000 (07:56 +0100)]
Create dockerpush.yml
Robert Swiecki [Mon, 17 Feb 2020 19:33:45 +0000 (20:33 +0100)]
make indent
Wiktor Garbacz [Mon, 17 Feb 2020 14:55:08 +0000 (15:55 +0100)]
fix POLLNVAL in pipeTraffic
Wiktor Garbacz [Mon, 17 Feb 2020 13:16:40 +0000 (14:16 +0100)]
fix infinite loop in pipeTraffic
Robert Swiecki [Mon, 17 Feb 2020 13:13:17 +0000 (14:13 +0100)]
subproc: debug log when hitting SIGQUIT (Ctrl+\) #2 - better check
Robert Swiecki [Mon, 17 Feb 2020 13:11:58 +0000 (14:11 +0100)]
subproc: debug log when hitting SIGQUIT (Ctrl+\)
Robert Swiecki [Mon, 17 Feb 2020 13:07:25 +0000 (14:07 +0100)]
subproc: verify that a pid in a pid map doesn't exist before inserting
Robert Swiecki [Sun, 16 Feb 2020 21:34:19 +0000 (22:34 +0100)]
nsjail/pid/subproc: a). keep childrens' PIDs in a map indexed by pid b). correctly fetch remote IPv6 address text
robertswiecki [Fri, 14 Feb 2020 16:08:41 +0000 (17:08 +0100)]
Merge pull request #130 from happyCoder92/proxy
pipe socket traffic in and out of sandboxee
robertswiecki [Fri, 14 Feb 2020 16:08:07 +0000 (17:08 +0100)]
Merge pull request #128 from disconnect3d/patch-2
Update Dockerfile to use ubuntu:18.04 image
Wiktor Garbacz [Thu, 13 Feb 2020 11:24:28 +0000 (12:24 +0100)]
pipe socket traffic in and out of sandboxee
Wiktor Garbacz [Mon, 27 Jan 2020 09:32:10 +0000 (10:32 +0100)]
Makefile: fix kafel submodule init for parallel build
Robert Swiecki [Tue, 10 Dec 2019 10:09:14 +0000 (11:09 +0100)]
subproc: recognize CLONE_PIDFD
robertswiecki [Sat, 7 Dec 2019 16:24:29 +0000 (17:24 +0100)]
Merge pull request #129 from disconnect3d/patch-3
Fix default rlimit_stack value
Disconnect3d [Sat, 7 Dec 2019 16:05:45 +0000 (17:05 +0100)]
Fix default rlimit_stack value
The default `rlimit_stack` value was set to 1048576. However, this value is in MiB and so is later multiplied by 1024*1024 in https://github.com/google/nsjail/blob/b3d544d155f5d1543dce1bd3e5327ef41583815a/config.cc#L161-L162 and it ends up as a limit of 1 TB for the stack size.
This PR changes it to 8 MB which is a more sane default or, at least I took it from my virtual machine's ulimits:
```
$ ulimit -a
core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
scheduling priority (-e) 0
file size (blocks, -f) unlimited
pending signals (-i) 31175
max locked memory (kbytes, -l) 16384
max memory size (kbytes, -m) unlimited
open files (-n) 1024
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
real-time priority (-r) 0
stack size (kbytes, -s) 8192
cpu time (seconds, -t) unlimited
max user processes (-u) 31175
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited
```
Disconnect3d [Sat, 7 Dec 2019 13:24:32 +0000 (14:24 +0100)]
Update Dockerfile to use ubuntu:18.04 image