Robert Swiecki [Tue, 10 Aug 2021 22:31:31 +0000 (00:31 +0200)]
configs: firefox+wayland example
Robert Swiecki [Tue, 10 Aug 2021 17:17:33 +0000 (19:17 +0200)]
config.proto: renumerate fields
Robert Swiecki [Tue, 10 Aug 2021 15:46:44 +0000 (17:46 +0200)]
configs/imagemagick: alternative file conversion command
Wiktor Garbacz [Wed, 4 Aug 2021 08:25:38 +0000 (10:25 +0200)]
Fix duplicate field number
Wiktor Garbacz [Tue, 3 Aug 2021 15:46:08 +0000 (17:46 +0200)]
Fix formatting
Wiktor Garbacz [Tue, 3 Aug 2021 15:44:57 +0000 (17:44 +0200)]
Merge branch 'use_switchroot'
Wiktor Garbacz [Mon, 2 Aug 2021 17:45:32 +0000 (19:45 +0200)]
Update kafel - x86 build fixes
happyCoder92 [Thu, 22 Jul 2021 13:47:09 +0000 (15:47 +0200)]
Merge pull request #179 from ginkoid/master
write CPU CFS period before quota in cgroup1
happyCoder92 [Thu, 22 Jul 2021 13:43:16 +0000 (15:43 +0200)]
Merge pull request #177 from eli-zr/_rlimits
Added rtpr, memlock & msgq rlimits
Philip Papurt [Wed, 21 Jul 2021 15:54:12 +0000 (11:54 -0400)]
cgroup: write period before quota
Eli Zrihen [Tue, 20 Jul 2021 13:00:13 +0000 (16:00 +0300)]
rtprio, msgqueue - defaulting to 'soft'
Eli Zrihen [Tue, 20 Jul 2021 12:45:58 +0000 (15:45 +0300)]
Renaming use_switchroot option with no_pivotroot
Eli Zrihen [Tue, 20 Jul 2021 12:20:47 +0000 (15:20 +0300)]
Consistentency with RLIMIT_* constant name
Eli Zrihen [Tue, 20 Jul 2021 07:35:36 +0000 (10:35 +0300)]
Merge branch 'master' into _rlimits
Eli Zrihen [Tue, 20 Jul 2021 07:20:23 +0000 (10:20 +0300)]
Adding a warning when switchroot is used
Eli Zrihen [Tue, 20 Jul 2021 06:31:03 +0000 (09:31 +0300)]
Eli Zrihen [Mon, 19 Jul 2021 14:21:34 +0000 (17:21 +0300)]
Added rt, memlock & msgq limits
Robert Swiecki [Fri, 16 Jul 2021 20:53:40 +0000 (22:53 +0200)]
subproc: warn about CLONE_NEWTIME and clone(), and remove notice about CLONE_NEWCGROUP as the kernel versions should be now new enough for its support
Robert Swiecki [Fri, 16 Jul 2021 20:47:18 +0000 (22:47 +0200)]
subproc: debug log for unshare()
Eli Zrihen [Tue, 13 Jul 2021 12:40:21 +0000 (15:40 +0300)]
Merge branch '_test_switchroot_alternative'
Eli Zrihen [Tue, 13 Jul 2021 08:13:35 +0000 (11:13 +0300)]
Merge remote-tracking branch 'origin/HEAD' into _use_switchroot
Eli Zrihen [Thu, 8 Jul 2021 18:47:13 +0000 (21:47 +0300)]
No Yoda
Robert Swiecki [Wed, 7 Jul 2021 09:55:17 +0000 (11:55 +0200)]
cmdline: clone_newcgroup -> true by default; clone_newtime should be false
Eli Zrihen [Wed, 23 Jun 2021 11:51:34 +0000 (14:51 +0300)]
Comment fix
Eli Zrihen [Thu, 17 Jun 2021 11:57:01 +0000 (14:57 +0300)]
Added use_switchroot option
Robert Swiecki [Wed, 16 Jun 2021 15:44:07 +0000 (17:44 +0200)]
make indent
robertswiecki [Wed, 16 Jun 2021 15:43:31 +0000 (17:43 +0200)]
Merge pull request #172 from eli-zr/_macvlan_mode
MACVLAN modes support
Eli Zrihen [Wed, 16 Jun 2021 13:59:12 +0000 (16:59 +0300)]
MACVLAN modes support
Robert Swiecki [Tue, 18 May 2021 12:38:01 +0000 (14:38 +0200)]
Enable support for clone3() and for CLONE_NEWTIME
robertswiecki [Wed, 12 May 2021 07:51:35 +0000 (09:51 +0200)]
Merge pull request #170 from infiniteregrets/fix-macro
Fixed macro in subproc.cc
Mehul Arora [Wed, 12 May 2021 06:43:06 +0000 (12:13 +0530)]
Fixed macro in subproc.cc
Robert Swiecki [Tue, 11 May 2021 12:48:45 +0000 (14:48 +0200)]
Initial support for CLONE_NEWTIME
Wiktor Garbacz [Fri, 7 May 2021 15:50:31 +0000 (17:50 +0200)]
Update kafel to include bugfixes
Robert Swiecki [Wed, 5 May 2021 11:50:51 +0000 (13:50 +0200)]
configs/ - add comments to config files using #
robertswiecki [Tue, 4 May 2021 19:41:17 +0000 (21:41 +0200)]
Merge pull request #164 from ziqin/master
Fix a typo in command line description
Wiktor Garbacz [Wed, 28 Apr 2021 14:32:09 +0000 (16:32 +0200)]
Bump kafel
Wiktor Garbacz [Thu, 22 Apr 2021 09:01:04 +0000 (11:01 +0200)]
Yet another bugfix Kafel version bump
Wiktor Garbacz [Wed, 21 Apr 2021 07:47:20 +0000 (09:47 +0200)]
update kafel again to include a bugfix.
Wiktor Garbacz [Fri, 16 Apr 2021 12:22:30 +0000 (14:22 +0200)]
Update kafel
WANG Ziqin [Sat, 3 Apr 2021 15:59:35 +0000 (23:59 +0800)]
Fix default value of cgroup_cpu_mount in README
Ziqin Wang [Sat, 3 Apr 2021 15:31:56 +0000 (23:31 +0800)]
Fix typo in command line description
happyCoder92 [Wed, 10 Feb 2021 07:47:34 +0000 (08:47 +0100)]
Merge pull request #160 from ginkoid/master
net: add support for max_conns
Philip Papurt [Tue, 9 Feb 2021 22:13:35 +0000 (17:13 -0500)]
net: add support for max_conns
Robert Swiecki [Mon, 1 Feb 2021 22:22:43 +0000 (23:22 +0100)]
subproc: refer users to dmesg in case si_syscall==31 (SIGSYS)
Wiktor Garbacz [Thu, 28 Jan 2021 08:47:31 +0000 (09:47 +0100)]
Fix build
Wiktor Garbacz [Wed, 27 Jan 2021 13:37:12 +0000 (14:37 +0100)]
Add new capabilities, ignore unsupported caps for bounding set
Robert Swiecki [Sun, 30 Aug 2020 21:22:22 +0000 (23:22 +0200)]
nsjail: don't add connections to the proxy map if launching a new process failed
Robert Swiecki [Sun, 30 Aug 2020 20:02:08 +0000 (22:02 +0200)]
subproc: kill a process once in the -Ml mode once the TCP connection has ended
robertswiecki [Wed, 26 Aug 2020 15:02:02 +0000 (17:02 +0200)]
Merge pull request #150 from joemiller/patch-1
remove build dependency on which
Robert Swiecki [Wed, 26 Aug 2020 14:09:55 +0000 (16:09 +0200)]
make indent
joe miller [Sat, 15 Aug 2020 00:07:30 +0000 (17:07 -0700)]
remove build dependency on which
robertswiecki [Mon, 3 Aug 2020 20:42:28 +0000 (22:42 +0200)]
Merge pull request #148 from boryspoplawski/master
Fix compilation errors on old gcc (5.4.0)
Robert Swiecki [Mon, 3 Aug 2020 18:43:08 +0000 (20:43 +0200)]
Makefile: compile kafel with -fPIE (maybe fixes #149)
borysp [Wed, 29 Jul 2020 13:18:10 +0000 (15:18 +0200)]
Fix compilation errors on old gcc (5.4.0)
Robert Swiecki [Tue, 28 Jul 2020 12:03:27 +0000 (14:03 +0200)]
config.proto: make indent
Robert Swiecki [Tue, 28 Jul 2020 12:02:34 +0000 (14:02 +0200)]
config.proto: renumerate config fields
robertswiecki [Wed, 22 Jul 2020 22:09:23 +0000 (00:09 +0200)]
Merge pull request #147 from disconnect3d/patch-2
Fixes #146: cgroups_mem_max unit in config.proto
Disconnect3d [Thu, 16 Jul 2020 12:43:43 +0000 (14:43 +0200)]
Fixes #146: cgroups_mem_max unit in config.proto
This commit fixes the incorrect cgroups_mem_max unit described in a config.proto comment.
We do not perform any calculations on this value and we don't specify the values unit (k/M/G) when writing to memory cgroup controller files, so the value is specified in bytes.
Robert Swiecki [Thu, 9 Jul 2020 15:29:02 +0000 (17:29 +0200)]
make indent
Robert Swiecki [Thu, 9 Jul 2020 15:28:56 +0000 (17:28 +0200)]
config: remove deprecated config options
robertswiecki [Tue, 7 Jul 2020 14:52:21 +0000 (16:52 +0200)]
Merge pull request #145 from cblichmann/master
Fix a few typos.
Christian Blichmann [Tue, 7 Jul 2020 12:07:22 +0000 (14:07 +0200)]
Fix a few typos.
These were found by external tooling while preparing the Debian package.
* Uknown -> Unknown
* Writting -> Writing
* commited -> committed
* processess -> processes
Signed-off-by: Christian Blichmann <mail@blichmann.eu>
happyCoder92 [Tue, 7 Jul 2020 09:55:11 +0000 (11:55 +0200)]
Merge pull request #144 from arcz/config-deps-paths
Build-time config of newuidmap and newgidmap paths
Artur Cygan [Mon, 6 Jul 2020 12:38:11 +0000 (14:38 +0200)]
Stringify CLI-passed paths
Artur Cygan [Mon, 22 Jun 2020 11:42:22 +0000 (13:42 +0200)]
Build-time config of newuidmap and newgidmap paths
Robert Swiecki [Tue, 21 Apr 2020 09:25:06 +0000 (11:25 +0200)]
nsjail: don't change cwd during daemon()
Wiktor Garbacz [Fri, 27 Mar 2020 09:19:40 +0000 (10:19 +0100)]
Fix format specifier for size_t
happyCoder92 [Thu, 19 Mar 2020 12:50:35 +0000 (13:50 +0100)]
Merge pull request #136 from c7f-m0d3/master
fix non-functional max_conns_per_ip
Piotr Krysiuk [Thu, 19 Mar 2020 00:13:28 +0000 (00:13 +0000)]
fix non-functional max_conns_per_ip
Starting with nsjail::listenMode update to pipe socket traffic [commit
273ce6bc846b7325c7f0915067c54bf8cf6f5654], a pipe file descriptor is passed as connsock parameter when calling net::limitConns and also as sock parameter when calling addProc in subproc::runChild.
This breaks net::limitConns because pid.remote_addr and also local variable addr are left uninitialized despite net::connToText calls when counting number of existing network connections from the same peer.
The subsequent correction to fetch remote address [commit
2cf562160d308f9b5cca767a2459332f2041b41c] made the bug even more interesting, since the loop in net::limitConns now compares unsanitized content of stack with network addresses of already connected clients.
happyCoder92 [Mon, 2 Mar 2020 14:31:37 +0000 (15:31 +0100)]
Merge pull request #133 from sirdarckcat/master
Create dockerpush.yml
Eduardo' Vela" Nava (sirdarckcat) [Sun, 1 Mar 2020 06:56:34 +0000 (07:56 +0100)]
Create dockerpush.yml
Robert Swiecki [Mon, 17 Feb 2020 19:33:45 +0000 (20:33 +0100)]
make indent
Wiktor Garbacz [Mon, 17 Feb 2020 14:55:08 +0000 (15:55 +0100)]
fix POLLNVAL in pipeTraffic
Wiktor Garbacz [Mon, 17 Feb 2020 13:16:40 +0000 (14:16 +0100)]
fix infinite loop in pipeTraffic
Robert Swiecki [Mon, 17 Feb 2020 13:13:17 +0000 (14:13 +0100)]
subproc: debug log when hotting SIHQUIT (Ctrl+\) #2 - better check
Robert Swiecki [Mon, 17 Feb 2020 13:11:58 +0000 (14:11 +0100)]
subproc: debug log when hotting SIHQUIT (Ctrl+\)
Robert Swiecki [Mon, 17 Feb 2020 13:07:25 +0000 (14:07 +0100)]
subproc: verify that a pid in a pid map doesn't exist before inserting
Robert Swiecki [Sun, 16 Feb 2020 21:34:19 +0000 (22:34 +0100)]
nsjail/pid/subproc: a). keep childrens' PIDs in a map indexed by pid b). correctly fetch remote IPv6 address text
robertswiecki [Fri, 14 Feb 2020 16:08:41 +0000 (17:08 +0100)]
Merge pull request #130 from happyCoder92/proxy
pipe socket traffic in and out of sandboxee
robertswiecki [Fri, 14 Feb 2020 16:08:07 +0000 (17:08 +0100)]
Merge pull request #128 from disconnect3d/patch-2
Update Dockerfile to use ubuntu:18.04 image
Wiktor Garbacz [Thu, 13 Feb 2020 11:24:28 +0000 (12:24 +0100)]
pipe socket traffic in and out of sandboxee
Wiktor Garbacz [Mon, 27 Jan 2020 09:32:10 +0000 (10:32 +0100)]
Makefile: fix kafel submodule init for parallel build
Robert Swiecki [Tue, 10 Dec 2019 10:09:14 +0000 (11:09 +0100)]
subproc: recognize CLONE_PIDFD
robertswiecki [Sat, 7 Dec 2019 16:24:29 +0000 (17:24 +0100)]
Merge pull request #129 from disconnect3d/patch-3
Fix default rlimit_stack value
Disconnect3d [Sat, 7 Dec 2019 16:05:45 +0000 (17:05 +0100)]
Fix default rlimit_stack value
The default `rlimit_stack` value was set to
1048576. However, this value is in MiB and so is later multiplied by 1024*1024 in https://github.com/google/nsjail/blob/
b3d544d155f5d1543dce1bd3e5327ef41583815a/config.cc#L161-L162 and it ends up as a limit of 1 TB for the stack size.
This PR changes it to 8 MB which is a more sane default or, at least I took it from my virtual machine's ulimits:
```
$ ulimit -a
core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
scheduling priority (-e) 0
file size (blocks, -f) unlimited
pending signals (-i) 31175
max locked memory (kbytes, -l) 16384
max memory size (kbytes, -m) unlimited
open files (-n) 1024
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
real-time priority (-r) 0
stack size (kbytes, -s) 8192
cpu time (seconds, -t) unlimited
max user processes (-u) 31175
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited
```
Disconnect3d [Sat, 7 Dec 2019 13:24:32 +0000 (14:24 +0100)]
Update Dockerfile to use ubuntu:18.04 image
Wiktor Garbacz [Fri, 1 Nov 2019 12:40:25 +0000 (13:40 +0100)]
allow setgroups when using exclusively newgid
Robert Swiecki [Tue, 29 Oct 2019 00:40:52 +0000 (01:40 +0100)]
configs/: indent
Robert Swiecki [Thu, 3 Oct 2019 22:35:36 +0000 (00:35 +0200)]
configs/znc: remove a problematic quote
Robert Swiecki [Thu, 3 Oct 2019 22:33:29 +0000 (00:33 +0200)]
nsjail: don't restore console if nsjail runs in background
Robert Swiecki [Wed, 2 Oct 2019 17:43:58 +0000 (19:43 +0200)]
config: simplify log/logfd setting
Robert Swiecki [Wed, 2 Oct 2019 06:28:23 +0000 (08:28 +0200)]
configs: new config for znc - remove log_fd
Robert Swiecki [Tue, 1 Oct 2019 06:27:17 +0000 (08:27 +0200)]
configs: new config for znc
Robert Swiecki [Sat, 28 Sep 2019 21:00:21 +0000 (23:00 +0200)]
configs/xchat: daemonize by default
Robert Swiecki [Thu, 12 Sep 2019 20:22:04 +0000 (22:22 +0200)]
Merge branch 'master' of ssh://github.com/google/nsjail
Robert Swiecki [Thu, 12 Sep 2019 20:21:49 +0000 (22:21 +0200)]
user: better formatting directives for printf'like functions
robertswiecki [Sat, 7 Sep 2019 00:04:39 +0000 (02:04 +0200)]
Merge pull request #123 from LMMilewski/master
Fix typo in config.proto: s/lofs/logs/
Lukasz Milewski [Fri, 6 Sep 2019 22:08:30 +0000 (15:08 -0700)]
Fix typo in config.proto: s/lofs/logs/
Robert Swiecki [Mon, 2 Sep 2019 14:10:28 +0000 (16:10 +0200)]
Merge branch 'master' of github.com:google/nsjail
Robert Swiecki [Mon, 2 Sep 2019 14:10:19 +0000 (16:10 +0200)]
subproc: fix invalid conversions from util::syscall to syscall
projects / platform / upstream / nsjail.git / log