Optionally run with new namespaces

New namespaces are not allowed within unprivileged docker containers, thus skip it.

Optionally run with new namespaces
New namespaces are not allowed within unprivileged docker containers, thus skip it.
895b9143 · godog · aa01a932 · 895b9143 · 895b9143 · 895b9143
Commit 895b9143 authored Jan 08, 2018 by godog
--- a/sandbox.c
+++ b/sandbox.c
@@ -437,6 +437,7 @@ int sandbox_start(struct sandbox_config *config) {
 #define STACK_SIZE (1024 * 1024)

  char *stack = 0;
+  int flags = SIGCHLD;
  if (!(stack = malloc(STACK_SIZE))) {
    log_println("out of memory");
    goto error;
@@ -445,10 +446,12 @@ int sandbox_start(struct sandbox_config *config) {
    err = -1;
    goto clear_resources;
  }
-  int flags = CLONE_NEWNS | CLONE_NEWCGROUP | CLONE_NEWPID | CLONE_NEWIPC |
-              CLONE_NEWNET | CLONE_NEWUTS;
+  if (config->enable_namespaces) {
+    flags |= CLONE_NEWNS | CLONE_NEWCGROUP | CLONE_NEWPID | CLONE_NEWIPC |
+             CLONE_NEWNET | CLONE_NEWUTS;
+  }
  if ((child_pid =
-           clone(child, stack + STACK_SIZE, flags | SIGCHLD, config)) == -1) {
+           clone(child, stack + STACK_SIZE, flags, config)) == -1) {
    log_println_errno("clone failed");
    err = -1;
    goto clear_resources;

--- a/sandbox.h
+++ b/sandbox.h
@@ -16,6 +16,7 @@ struct sandbox_config {
  char **argv;
  char *new_root_dir;
  int enable_cgroups;
+  int enable_namespaces;
 };

 int sandbox_config_init(struct sandbox_config *, uid_t, gid_t, int, char *, char **);

--- a/suexec.c
+++ b/suexec.c
@@ -41,6 +41,7 @@ struct config {
  int min_uid;
  int min_gid;
  int enable_cgroups;
+  int enable_namespaces;
 };

 // Convert string to int, with syntax checking.
@@ -171,6 +172,8 @@ static int read_config(const char *path, struct config *config) {
      r = config_set_min_gid(config, value);
    } else if (!strcmp(key, "enable_cgroups")) {
      r = s2b(value, &(config->enable_cgroups));
+    } else if (!strcmp(key, "enable_namespaces")) {
+      r = s2b(value, &(config->enable_namespaces));
    } else {
      log_printf("Syntax error at %s:%d: unknown directive '%s'", path, lineno,
                 key);
@@ -429,6 +432,7 @@ int main(int argc, char **argv) {
    exit(106);

  sandbox_config.enable_cgroups = config.enable_cgroups;
+  sandbox_config.enable_namespaces = config.enable_namespaces;
  if (config.root)
    sandbox_config.new_root_dir = config.root;