forked from google/nsjail
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathnsjail.h
185 lines (168 loc) · 3.91 KB
/
nsjail.h
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
/*
nsjail
-----------------------------------------
Copyright 2014 Google Inc. All Rights Reserved.
Copyright 2016 Sergiusz Bazanski. All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
#ifndef NS_NSJAIL_H
#define NS_NSJAIL_H
#include <linux/filter.h>
#include <netinet/ip6.h>
#include <signal.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>
#include <unistd.h>
#include <map>
#include <string>
#include <vector>
static const int nssigs[] = {
SIGINT,
SIGQUIT,
SIGUSR1,
SIGALRM,
SIGCHLD,
SIGTERM,
SIGTTIN,
SIGTTOU,
SIGPIPE,
};
struct pids_t {
time_t start;
std::string remote_txt;
struct sockaddr_in6 remote_addr;
int pid_syscall_fd;
};
struct mount_t {
std::string src;
std::string src_content;
std::string dst;
std::string fs_type;
std::string options;
uintptr_t flags;
bool is_dir;
bool is_symlink;
bool is_mandatory;
bool mounted;
};
struct idmap_t {
uid_t inside_id;
uid_t outside_id;
size_t count;
bool is_newidmap;
};
enum ns_mode_t {
MODE_LISTEN_TCP = 0,
MODE_STANDALONE_ONCE,
MODE_STANDALONE_EXECVE,
MODE_STANDALONE_RERUN
};
struct pipemap_t {
int sock_fd;
int pipe_in;
int pipe_out;
pid_t pid;
bool operator==(const pipemap_t& o) {
return sock_fd == o.sock_fd && pipe_in == o.pipe_in && pipe_out == o.pipe_out;
}
};
struct nsjconf_t {
std::string exec_file;
bool use_execveat;
int exec_fd;
std::vector<std::string> argv;
std::string hostname;
std::string cwd;
std::string chroot;
int port;
std::string bindhost;
bool daemonize;
uint64_t tlimit;
size_t max_cpus;
bool keep_env;
bool keep_caps;
bool disable_no_new_privs;
uint64_t rl_as;
uint64_t rl_core;
uint64_t rl_cpu;
uint64_t rl_fsize;
uint64_t rl_nofile;
uint64_t rl_nproc;
uint64_t rl_stack;
uint64_t rl_mlock;
uint64_t rl_rtpr;
uint64_t rl_msgq;
bool disable_rl;
unsigned long personality;
bool clone_newnet;
bool clone_newuser;
bool clone_newns;
bool no_pivotroot;
bool clone_newpid;
bool clone_newipc;
bool clone_newuts;
bool clone_newcgroup;
bool clone_newtime;
enum ns_mode_t mode;
bool is_root_rw;
bool is_silent;
bool stderr_to_null;
bool skip_setsid;
unsigned int max_conns;
unsigned int max_conns_per_ip;
std::string proc_path;
bool is_proc_rw;
bool iface_lo;
std::string iface_vs;
std::string iface_vs_ip;
std::string iface_vs_nm;
std::string iface_vs_gw;
std::string iface_vs_ma;
std::string iface_vs_mo;
bool disable_tsc;
bool forward_signals;
std::string cgroup_mem_mount;
std::string cgroup_mem_parent;
size_t cgroup_mem_max;
size_t cgroup_mem_memsw_max;
ssize_t cgroup_mem_swap_max;
std::string cgroup_pids_mount;
std::string cgroup_pids_parent;
unsigned int cgroup_pids_max;
std::string cgroup_net_cls_mount;
std::string cgroup_net_cls_parent;
unsigned int cgroup_net_cls_classid;
std::string cgroup_cpu_mount;
std::string cgroup_cpu_parent;
unsigned int cgroup_cpu_ms_per_sec;
std::string cgroupv2_mount;
bool use_cgroupv2;
bool detect_cgroupv2;
std::string kafel_file_path;
std::string kafel_string;
struct sock_fprog seccomp_fprog;
bool seccomp_log;
int nice_level;
uid_t orig_uid;
uid_t orig_euid;
std::vector<mount_t> mountpts;
std::map<pid_t, pids_t> pids;
std::vector<idmap_t> uids;
std::vector<idmap_t> gids;
std::vector<std::string> envs;
std::vector<int> openfds;
std::vector<int> caps;
std::vector<std::string> ifaces;
std::vector<pipemap_t> pipes;
};
#endif /* _NSJAIL_H */