| 1 |
commit: af672fbde6c6fe9b778f557f7b2b2ec149b02dc5 |
| 2 |
Author: Mike Frysinger <vapier <AT> gentoo <DOT> org> |
| 3 |
AuthorDate: Thu Oct 21 05:18:53 2021 +0000 |
| 4 |
Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Thu Oct 21 05:18:53 2021 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=af672fbd |
| 7 |
|
| 8 |
namespaces: add support for cgroup & time |
| 9 |
|
| 10 |
Signed-off-by: Mike Frysinger <vapier <AT> gentoo.org> |
| 11 |
|
| 12 |
etc/sandbox.conf | 2 ++ |
| 13 |
src/namespaces.c | 8 ++++++++ |
| 14 |
src/options.c | 28 ++++++++++++++++++++-------- |
| 15 |
src/sandbox.h | 2 ++ |
| 16 |
4 files changed, 32 insertions(+), 8 deletions(-) |
| 17 |
|
| 18 |
diff --git a/etc/sandbox.conf b/etc/sandbox.conf |
| 19 |
index 0d29a64..d8a6550 100644 |
| 20 |
--- a/etc/sandbox.conf |
| 21 |
+++ b/etc/sandbox.conf |
| 22 |
@@ -50,11 +50,13 @@ |
| 23 |
# particular type, it will be automatically skipped. Default to off as these |
| 24 |
# are currently experimental. |
| 25 |
# For more details on each type, see the namespaces(7) manpage. |
| 26 |
+#NAMESPACE_CGROUP_ENABLE="no" |
| 27 |
#NAMESPACE_IPC_ENABLE="no" |
| 28 |
#NAMESPACE_MNT_ENABLE="no" |
| 29 |
#NAMESPACE_NET_ENABLE="no" |
| 30 |
#NAMESPACE_PID_ENABLE="no" |
| 31 |
#NAMESPACE_SYSV_ENABLE="no" |
| 32 |
+#NAMESPACE_TIME_ENABLE="no" |
| 33 |
#NAMESPACE_USER_ENABLE="no" |
| 34 |
#NAMESPACE_UTS_ENABLE="no" |
| 35 |
|
| 36 |
|
| 37 |
diff --git a/src/namespaces.c b/src/namespaces.c |
| 38 |
index 5be42f6..1f93b60 100644 |
| 39 |
--- a/src/namespaces.c |
| 40 |
+++ b/src/namespaces.c |
| 41 |
@@ -182,6 +182,10 @@ pid_t setup_namespaces(void) |
| 42 |
if (opt_use_ns_user) |
| 43 |
ns_user_switch(uid, gid, 0, 0); |
| 44 |
|
| 45 |
+#ifdef CLONE_NEWCGROUP |
| 46 |
+ if (opt_use_ns_cgroup) |
| 47 |
+ unshare(CLONE_NEWCGROUP); |
| 48 |
+#endif |
| 49 |
#ifdef CLONE_NEWIPC |
| 50 |
if (opt_use_ns_ipc) |
| 51 |
unshare(CLONE_NEWIPC); |
| 52 |
@@ -190,6 +194,10 @@ pid_t setup_namespaces(void) |
| 53 |
if (opt_use_ns_sysv) |
| 54 |
unshare(CLONE_SYSVSEM); |
| 55 |
#endif |
| 56 |
+#ifdef CLONE_NEWTIME |
| 57 |
+ if (opt_use_ns_time) |
| 58 |
+ unshare(CLONE_NEWTIME); |
| 59 |
+#endif |
| 60 |
|
| 61 |
#ifdef CLONE_NEWUTS |
| 62 |
if (opt_use_ns_uts && unshare(CLONE_NEWUTS) == 0) { |
| 63 |
|
| 64 |
diff --git a/src/options.c b/src/options.c |
| 65 |
index 295ee75..ad019b0 100644 |
| 66 |
--- a/src/options.c |
| 67 |
+++ b/src/options.c |
| 68 |
@@ -11,11 +11,13 @@ |
| 69 |
|
| 70 |
/* Setting to -1 will load defaults from the config file. */ |
| 71 |
int opt_use_namespaces = -1; |
| 72 |
+int opt_use_ns_cgroup = -1; |
| 73 |
int opt_use_ns_ipc = -1; |
| 74 |
int opt_use_ns_mnt = -1; |
| 75 |
int opt_use_ns_net = -1; |
| 76 |
int opt_use_ns_pid = -1; |
| 77 |
int opt_use_ns_sysv = -1; |
| 78 |
+int opt_use_ns_time = -1; |
| 79 |
int opt_use_ns_user = -1; |
| 80 |
int opt_use_ns_uts = -1; |
| 81 |
|
| 82 |
@@ -25,14 +27,16 @@ static const struct { |
| 83 |
int default_val; |
| 84 |
} config_opts[] = { |
| 85 |
/* Default these to off until they can get more testing. */ |
| 86 |
- { "NAMESPACES_ENABLE", &opt_use_namespaces, false, }, |
| 87 |
- { "NAMESPACE_IPC_ENABLE", &opt_use_ns_ipc, false, }, |
| 88 |
- { "NAMESPACE_MNT_ENABLE", &opt_use_ns_mnt, false, }, |
| 89 |
- { "NAMESPACE_NET_ENABLE", &opt_use_ns_net, false, }, |
| 90 |
- { "NAMESPACE_PID_ENABLE", &opt_use_ns_pid, false, }, |
| 91 |
- { "NAMESPACE_SYSV_ENABLE", &opt_use_ns_sysv, false, }, |
| 92 |
- { "NAMESPACE_USER_ENABLE", &opt_use_ns_user, false, }, |
| 93 |
- { "NAMESPACE_UTS_ENABLE", &opt_use_ns_uts, false, }, |
| 94 |
+ { "NAMESPACES_ENABLE", &opt_use_namespaces, false, }, |
| 95 |
+ { "NAMESPACE_CGROUP_ENABLE", &opt_use_ns_cgroup, false, }, |
| 96 |
+ { "NAMESPACE_IPC_ENABLE", &opt_use_ns_ipc, false, }, |
| 97 |
+ { "NAMESPACE_MNT_ENABLE", &opt_use_ns_mnt, false, }, |
| 98 |
+ { "NAMESPACE_NET_ENABLE", &opt_use_ns_net, false, }, |
| 99 |
+ { "NAMESPACE_PID_ENABLE", &opt_use_ns_pid, false, }, |
| 100 |
+ { "NAMESPACE_SYSV_ENABLE", &opt_use_ns_sysv, false, }, |
| 101 |
+ { "NAMESPACE_TIME_ENABLE", &opt_use_ns_time, false, }, |
| 102 |
+ { "NAMESPACE_USER_ENABLE", &opt_use_ns_user, false, }, |
| 103 |
+ { "NAMESPACE_UTS_ENABLE", &opt_use_ns_uts, false, }, |
| 104 |
}; |
| 105 |
|
| 106 |
static void read_config(void) |
| 107 |
@@ -75,6 +79,8 @@ static void show_version(void) |
| 108 |
static struct option const long_opts[] = { |
| 109 |
{"ns-on", no_argument, &opt_use_namespaces, true}, |
| 110 |
{"ns-off", no_argument, &opt_use_namespaces, false}, |
| 111 |
+ {"ns-cgroup-on", no_argument, &opt_use_ns_cgroup, true}, |
| 112 |
+ {"ns-cgroup-off", no_argument, &opt_use_ns_cgroup, false}, |
| 113 |
{"ns-ipc-on", no_argument, &opt_use_ns_ipc, true}, |
| 114 |
{"ns-ipc-off", no_argument, &opt_use_ns_ipc, false}, |
| 115 |
{"ns-mnt-on", no_argument, &opt_use_ns_mnt, true}, |
| 116 |
@@ -85,6 +91,8 @@ static struct option const long_opts[] = { |
| 117 |
{"ns-pid-off", no_argument, &opt_use_ns_pid, false}, |
| 118 |
{"ns-sysv-on", no_argument, &opt_use_ns_sysv, true}, |
| 119 |
{"ns-sysv-off", no_argument, &opt_use_ns_sysv, false}, |
| 120 |
+ {"ns-time-on", no_argument, &opt_use_ns_time, true}, |
| 121 |
+ {"ns-time-off", no_argument, &opt_use_ns_time, false}, |
| 122 |
{"ns-user-on", no_argument, &opt_use_ns_user, true}, |
| 123 |
{"ns-user-off", no_argument, &opt_use_ns_user, false}, |
| 124 |
{"ns-uts-on", no_argument, &opt_use_ns_uts, true}, |
| 125 |
@@ -96,6 +104,8 @@ static struct option const long_opts[] = { |
| 126 |
static const char * const opts_help[] = { |
| 127 |
"Enable the use of namespaces", |
| 128 |
"Disable the use of namespaces", |
| 129 |
+ "Enable the use of cgroup namespaces", |
| 130 |
+ "Disable the use of cgroup namespaces", |
| 131 |
"Enable the use of IPC (and System V) namespaces", |
| 132 |
"Disable the use of IPC (and System V) namespaces", |
| 133 |
"Enable the use of mount namespaces", |
| 134 |
@@ -106,6 +116,8 @@ static const char * const opts_help[] = { |
| 135 |
"Disable the use of process (pid) namespaces", |
| 136 |
"Enable the use of System V namespaces", |
| 137 |
"Disable the use of System V namespaces", |
| 138 |
+ "Enable the use of time namespaces", |
| 139 |
+ "Disable the use of time namespaces", |
| 140 |
"Enable the use of user namespaces", |
| 141 |
"Disable the use of user namespaces", |
| 142 |
"Enable the use of UTS (hostname/uname) namespaces", |
| 143 |
|
| 144 |
diff --git a/src/sandbox.h b/src/sandbox.h |
| 145 |
index 303dac4..7e5b575 100644 |
| 146 |
--- a/src/sandbox.h |
| 147 |
+++ b/src/sandbox.h |
| 148 |
@@ -43,11 +43,13 @@ extern pid_t setup_namespaces(void); |
| 149 |
/* Option parsing related code */ |
| 150 |
extern void parseargs(int argc, char *argv[]); |
| 151 |
extern int opt_use_namespaces; |
| 152 |
+extern int opt_use_ns_cgroup; |
| 153 |
extern int opt_use_ns_ipc; |
| 154 |
extern int opt_use_ns_mnt; |
| 155 |
extern int opt_use_ns_net; |
| 156 |
extern int opt_use_ns_pid; |
| 157 |
extern int opt_use_ns_sysv; |
| 158 |
+extern int opt_use_ns_time; |
| 159 |
extern int opt_use_ns_user; |
| 160 |
extern int opt_use_ns_uts; |
Archives