Commit 895b9143 authored by godog's avatar godog

Optionally run with new namespaces

New namespaces are not allowed within unprivileged docker containers,
so allow them to be skipped.
parent aa01a932
......@@ -437,6 +437,7 @@ int sandbox_start(struct sandbox_config *config) {
#define STACK_SIZE (1024 * 1024)
char *stack = 0;
int flags = SIGCHLD;
if (!(stack = malloc(STACK_SIZE))) {
log_println("out of memory");
goto error;
......@@ -445,10 +446,12 @@ int sandbox_start(struct sandbox_config *config) {
err = -1;
goto clear_resources;
}
int flags = CLONE_NEWNS | CLONE_NEWCGROUP | CLONE_NEWPID | CLONE_NEWIPC |
CLONE_NEWNET | CLONE_NEWUTS;
if (config->enable_namespaces) {
flags |= CLONE_NEWNS | CLONE_NEWCGROUP | CLONE_NEWPID | CLONE_NEWIPC |
CLONE_NEWNET | CLONE_NEWUTS;
}
if ((child_pid =
clone(child, stack + STACK_SIZE, flags | SIGCHLD, config)) == -1) {
clone(child, stack + STACK_SIZE, flags, config)) == -1) {
log_println_errno("clone failed");
err = -1;
goto clear_resources;
......
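Review bot: When `config->enable_namespaces` is zero the branch at the `if` in the second hunk leaves `flags` at the bare `SIGCHLD` set in the first hunk, so the child is cloned sharing the parent's mount, PID, cgroup, IPC, network and UTS namespaces, and nothing records that this weaker isolation is in effect. An `else` branch with `log_println("namespaces disabled: child shares the parent's namespaces");` would make the degraded mode visible in the logs, which matters because the commit message presents this as a fallback for environments that cannot create namespaces rather than a normal mode. Any step inside `child` that relies on a private mount namespace, for example whatever is done with `new_root_dir`, now runs in the shared namespace unless it also checks this flag; `child` is not in the hunk, so this is inferred. `sandbox_start` starts and ends outside the hunk.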
......@@ -16,6 +16,7 @@ struct sandbox_config {
char **argv;
char *new_root_dir;
int enable_cgroups;
int enable_namespaces;
};
int sandbox_config_init(struct sandbox_config *, uid_t, gid_t, int, char *, char **);
......
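Review bot: The new `enable_namespaces` field is added without a comment and without a visible initialization; the `sandbox_config_init` prototype on the line after the struct is unchanged, so whether it resets the field is not shown, and a caller that never assigns it would otherwise use whatever the struct held before. A short comment next to the field, `int enable_namespaces; /* nonzero: clone the child into new mount/cgroup/pid/ipc/net/uts namespaces */`, states the contract, and the same applies to the matching field added to `struct config` in the next file section. It is also worth confirming that the intended default when the directive is absent from the config file is the isolated mode rather than the fallback.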
......@@ -41,6 +41,7 @@ struct config {
int min_uid;
int min_gid;
int enable_cgroups;
int enable_namespaces;
};
// Convert string to int, with syntax checking.
......@@ -171,6 +172,8 @@ static int read_config(const char *path, struct config *config) {
r = config_set_min_gid(config, value);
} else if (!strcmp(key, "enable_cgroups")) {
r = s2b(value, &(config->enable_cgroups));
} else if (!strcmp(key, "enable_namespaces")) {
r = s2b(value, &(config->enable_namespaces));
} else {
log_printf("Syntax error at %s:%d: unknown directive '%s'", path, lineno,
key);
......@@ -429,6 +432,7 @@ int main(int argc, char **argv) {
exit(106);
sandbox_config.enable_cgroups = config.enable_cgroups;
sandbox_config.enable_namespaces = config.enable_namespaces;
if (config.root)
sandbox_config.new_root_dir = config.root;
......