author | Mike Frysinger <vapier@gentoo.org> | 2021-10-21 01:18:53 -0400 |
---|---|---|
committer | Mike Frysinger <vapier@gentoo.org> | 2021-10-21 01:18:53 -0400 |
commit | af672fbde6c6fe9b778f557f7b2b2ec149b02dc5 (patch) | |
tree | 845133f26e0d23d831a4d80dd860a60816250a91 | |
parent | tests: handle fd leakage from GNU make jobservers (diff) | |
namespaces: add support for cgroup & time
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
-rw-r--r-- | etc/sandbox.conf | 2 | ||||
-rw-r--r-- | src/namespaces.c | 8 | ||||
-rw-r--r-- | src/options.c | 28 | ||||
-rw-r--r-- | src/sandbox.h | 2 |
4 files changed, 32 insertions, 8 deletions
diff --git a/etc/sandbox.conf b/etc/sandbox.conf
index 0d29a64..d8a6550 100644
--- a/etc/sandbox.conf
+++ b/etc/sandbox.conf
@@ -50,11 +50,13 @@
 # particular type, it will be automatically skipped. Default to off as these
 # are currently experimental.
 # For more details on each type, see the namespaces(7) manpage.
+#NAMESPACE_CGROUP_ENABLE="no"
 #NAMESPACE_IPC_ENABLE="no"
 #NAMESPACE_MNT_ENABLE="no"
 #NAMESPACE_NET_ENABLE="no"
 #NAMESPACE_PID_ENABLE="no"
 #NAMESPACE_SYSV_ENABLE="no"
+#NAMESPACE_TIME_ENABLE="no"
 #NAMESPACE_USER_ENABLE="no"
 #NAMESPACE_UTS_ENABLE="no"
diff --git a/src/namespaces.c b/src/namespaces.c
index 5be42f6..1f93b60 100644
--- a/src/namespaces.c
+++ b/src/namespaces.c
@@ -182,6 +182,10 @@ pid_t setup_namespaces(void)
 if (opt_use_ns_user)
 ns_user_switch(uid, gid, 0, 0);
+#ifdef CLONE_NEWCGROUP
+ if (opt_use_ns_cgroup)
+ unshare(CLONE_NEWCGROUP);
+#endif
 #ifdef CLONE_NEWIPC
 if (opt_use_ns_ipc)
 unshare(CLONE_NEWIPC);
@@ -190,6 +194,10 @@ pid_t setup_namespaces(void)
 if (opt_use_ns_sysv)
 unshare(CLONE_SYSVSEM);
 #endif
+#ifdef CLONE_NEWTIME
+ if (opt_use_ns_time)
+ unshare(CLONE_NEWTIME);
+#endif
 #ifdef CLONE_NEWUTS
 if (opt_use_ns_uts && unshare(CLONE_NEWUTS) == 0) {
diff --git a/src/options.c b/src/options.c
index 295ee75..ad019b0 100644
--- a/src/options.c
+++ b/src/options.c
@@ -11,11 +11,13 @@
 /* Setting to -1 will load defaults from the config file. */
 int opt_use_namespaces = -1;
+int opt_use_ns_cgroup = -1;
 int opt_use_ns_ipc = -1;
 int opt_use_ns_mnt = -1;
 int opt_use_ns_net = -1;
 int opt_use_ns_pid = -1;
 int opt_use_ns_sysv = -1;
+int opt_use_ns_time = -1;
 int opt_use_ns_user = -1;
 int opt_use_ns_uts = -1;
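Review bot: The result of `unshare(CLONE_NEWCGROUP)` is discarded, so a sandbox configured with NAMESPACE_CGROUP_ENABLE=yes that fails to obtain the namespace (EPERM without CAP_SYS_ADMIN in the current user namespace, EINVAL on a kernel built without it) keeps running with no isolation and no diagnostic. The sandbox.conf hunk promises that an unsupported type is "automatically skipped", which describes EINVAL; a permission failure is a silent fail-open rather than a skip, and the existing CLONE_NEWIPC line directly below has the same shape, so the new code follows the file's pattern rather than introducing it. I would test the result and report anything other than EINVAL through whatever this file uses for warnings, e.g. `if (opt_use_ns_cgroup && unshare(CLONE_NEWCGROUP) != 0 && errno != EINVAL)` followed by a warning, instead of the bare call. A cgroup namespace only virtualizes the cgroup paths the process sees; it does not by itself hide or restrict the host cgroup hierarchy unless a mount namespace and a fresh cgroup mount accompany it, which deserves a one-line comment above the new `#ifdef`. setup_namespaces starts and ends outside this hunk, so I cannot see whether a later step handles either point.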
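Review bot: `unshare(CLONE_NEWTIME)` does not move the calling process into the new time namespace; per time_namespaces(7) only children created afterwards (the namespace exposed as /proc/self/ns/time_for_children) land in it, so whether the sandboxed program actually runs in the new namespace depends on setup_namespaces forking after this point, which is not visible in the hunk. Neither the config comment nor the new help text says so, and a reader comparing this with the CLONE_NEWUTS branch below, where the caller itself is moved, will assume the same semantics. Like the other unshare calls in this function the result is unchecked, and CLONE_NEWTIME additionally requires Linux 5.6 or newer and CAP_SYS_ADMIN, so a libc that defines the macro against an older kernel fails silently. I would add above the call: `/* CLONE_NEWTIME only affects children forked after this point (time_for_children); the caller stays in its original time namespace. */`. The rest of setup_namespaces is outside this hunk.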
@@ -25,14 +27,16 @@ static const struct {
 int default_val;
 } config_opts[] = {
 /* Default these to off until they can get more testing. */
- { "NAMESPACES_ENABLE", &opt_use_namespaces, false, },
- { "NAMESPACE_IPC_ENABLE", &opt_use_ns_ipc, false, },
- { "NAMESPACE_MNT_ENABLE", &opt_use_ns_mnt, false, },
- { "NAMESPACE_NET_ENABLE", &opt_use_ns_net, false, },
- { "NAMESPACE_PID_ENABLE", &opt_use_ns_pid, false, },
- { "NAMESPACE_SYSV_ENABLE", &opt_use_ns_sysv, false, },
- { "NAMESPACE_USER_ENABLE", &opt_use_ns_user, false, },
- { "NAMESPACE_UTS_ENABLE", &opt_use_ns_uts, false, },
+ { "NAMESPACES_ENABLE", &opt_use_namespaces, false, },
+ { "NAMESPACE_CGROUP_ENABLE", &opt_use_ns_cgroup, false, },
+ { "NAMESPACE_IPC_ENABLE", &opt_use_ns_ipc, false, },
+ { "NAMESPACE_MNT_ENABLE", &opt_use_ns_mnt, false, },
+ { "NAMESPACE_NET_ENABLE", &opt_use_ns_net, false, },
+ { "NAMESPACE_PID_ENABLE", &opt_use_ns_pid, false, },
+ { "NAMESPACE_SYSV_ENABLE", &opt_use_ns_sysv, false, },
+ { "NAMESPACE_TIME_ENABLE", &opt_use_ns_time, false, },
+ { "NAMESPACE_USER_ENABLE", &opt_use_ns_user, false, },
+ { "NAMESPACE_UTS_ENABLE", &opt_use_ns_uts, false, },
 };
 static void read_config(void)
@@ -75,6 +79,8 @@ static void show_version(void)
 static struct option const long_opts[] = {
 {"ns-on", no_argument, &opt_use_namespaces, true},
 {"ns-off", no_argument, &opt_use_namespaces, false},
+ {"ns-cgroup-on", no_argument, &opt_use_ns_cgroup, true},
+ {"ns-cgroup-off", no_argument, &opt_use_ns_cgroup, false},
 {"ns-ipc-on", no_argument, &opt_use_ns_ipc, true},
 {"ns-ipc-off", no_argument, &opt_use_ns_ipc, false},
 {"ns-mnt-on", no_argument, &opt_use_ns_mnt, true},
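Review bot: `long_opts` and `opts_help` (in a later hunk of this file) are parallel arrays matched by index, so inserting `ns-cgroup-on`/`ns-cgroup-off` after `ns-off` here is only correct because the same two strings are inserted at the same offset of the help table by hand; nothing visible enforces that, and a future option added to one table but not the other would mislabel every entry after it in the usage output. A compile-time check next to the arrays would catch the drift, e.g. `_Static_assert(sizeof(long_opts) / sizeof(long_opts[0]) - 1 == sizeof(opts_help) / sizeof(opts_help[0]), "long_opts and opts_help out of sync");`. That assumes long_opts ends with the usual zeroed terminator for getopt_long and that the project builds as C11; neither is visible in this hunk, and a project array-size macro, if one exists, would read better than the sizeof division. The long_opts initializer continues past the end of the hunk.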
@@ -85,6 +91,8 @@ static struct option const long_opts[] = {
 {"ns-pid-off", no_argument, &opt_use_ns_pid, false},
 {"ns-sysv-on", no_argument, &opt_use_ns_sysv, true},
 {"ns-sysv-off", no_argument, &opt_use_ns_sysv, false},
+ {"ns-time-on", no_argument, &opt_use_ns_time, true},
+ {"ns-time-off", no_argument, &opt_use_ns_time, false},
 {"ns-user-on", no_argument, &opt_use_ns_user, true},
 {"ns-user-off", no_argument, &opt_use_ns_user, false},
 {"ns-uts-on", no_argument, &opt_use_ns_uts, true},
@@ -96,6 +104,8 @@ static struct option const long_opts[] = {
 static const char * const opts_help[] = {
 "Enable the use of namespaces",
 "Disable the use of namespaces",
+ "Enable the use of cgroup namespaces",
+ "Disable the use of cgroup namespaces",
 "Enable the use of IPC (and System V) namespaces",
 "Disable the use of IPC (and System V) namespaces",
 "Enable the use of mount namespaces",
@@ -106,6 +116,8 @@ static const char * const opts_help[] = {
 "Disable the use of process (pid) namespaces",
 "Enable the use of System V namespaces",
 "Disable the use of System V namespaces",
+ "Enable the use of time namespaces",
+ "Disable the use of time namespaces",
 "Enable the use of user namespaces",
 "Disable the use of user namespaces",
 "Enable the use of UTS (hostname/uname) namespaces",
diff --git a/src/sandbox.h b/src/sandbox.h
index 303dac4..7e5b575 100644
--- a/src/sandbox.h
+++ b/src/sandbox.h
@@ -43,11 +43,13 @@ extern pid_t setup_namespaces(void);
 /* Option parsing related code */
 extern void parseargs(int argc, char *argv[]);
 extern int opt_use_namespaces;
+extern int opt_use_ns_cgroup;
 extern int opt_use_ns_ipc;
 extern int opt_use_ns_mnt;
 extern int opt_use_ns_net;
 extern int opt_use_ns_pid;
 extern int opt_use_ns_sysv;
+extern int opt_use_ns_time;
 extern int opt_use_ns_user;
 extern int opt_use_ns_uts;