/*
nsjail
-----------------------------------------
Copyright 2014 Google Inc. All Rights Reserved.
Copyright 2016 Sergiusz Bazanski. All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
#ifndef NS_NSJAIL_H
#define NS_NSJAIL_H
#include <linux/filter.h>
#include <netinet/ip6.h>
#include <signal.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>
#include <unistd.h>
#include <map>
#include <string>
#include <thread>
#include <vector>
#include "config.pb.h"
/*
 * Signal set consulted by nsjail's signal-handling code. This header only
 * enumerates the signals; which handler is installed for each, and whether
 * SIGCHLD drives child reaping, is decided by the consumer — confirm there.
 * Being `static const` in a header, every translation unit gets its own copy.
 */
static const int nssigs[] = {
	SIGINT,  SIGQUIT, SIGUSR1,
	SIGALRM, SIGCHLD, SIGTERM,
	SIGTTIN, SIGTTOU, SIGPIPE,
};
/*
 * Per-child bookkeeping kept by the supervising process; stored by pid in
 * nsj_t::pids. Because it owns a std::thread the type is move-only: entries
 * must be emplaced/moved into the map, never copied. A joinable std::thread
 * whose owner is destroyed calls std::terminate, so the thread must be joined
 * (or detached) before an entry is erased.
 */
struct pids_t {
	/* PID of the sandboxed child. */
	pid_t pid;
	/* NOTE(review): presumably the time the child was started — confirm in the code that fills it. */
	time_t start;
	/* File descriptor referring to the child (pidfd); the "not open" sentinel is set by the owner, not here. */
	int pidfd;
	/* Remote peer in textual and binary (IPv6 sockaddr) form; presumably the accepted connection in listening mode — confirm. */
	std::string remote_txt;
	struct sockaddr_in6 remote_addr;
	/* PID of a helper process; the name suggests the pasta networking helper — confirm against its spawner. */
	pid_t pasta_pid;
	/* Monitor thread for this child. See the thread-safety note on nsj_t::pids. */
	std::thread thread;
};
/*
 * One uid or gid mapping entry; the same type is used for nsj_t::uids and
 * nsj_t::gids. The inside/outside/count triple matches the shape of a
 * uid_map/gid_map line, but how it is written (direct write vs. a helper)
 * is decided elsewhere.
 */
struct idmap_t {
	/* ID as seen inside the namespace. */
	uid_t inside_id;
	/* Corresponding ID on the outside (host) side. */
	uid_t outside_id;
	/* Length of the contiguous ID range starting at inside_id/outside_id. */
	size_t count;
	/* NOTE(review): presumably selects the setuid newuidmap/newgidmap helper path instead of writing the map file directly — confirm. */
	bool is_newidmap;
};
/*
 * Top-level runtime state of one nsjail instance: the parsed configuration
 * plus everything the supervising process derives from it (credentials,
 * id mappings, open fds, seccomp programs) and the table of live children.
 * No member has a default initializer; the code that creates the instance is
 * responsible for initializing every field before use.
 */
struct nsj_t {
	/* Parsed configuration (protobuf message from config.pb.h). */
	nsjail::NsJailConfig njc;
	/* File descriptor of the binary to execute; sentinel value set by the owner, not here. */
	int exec_fd;
	/* Argument vector for the sandboxed program. */
	std::vector<std::string> argv;
	/* Real and effective uid of the process; presumably captured before any credential changes — confirm. */
	uid_t orig_uid;
	uid_t orig_euid;
	/*
	 * Map of active child processes.
	 * Thread-safety: Mutated exclusively by the main thread.
	 * Monitor threads receive required context by-value at startup and do not access this map.
	 * See "The Data Isolation Law" in goal.md.
	 */
	std::map<pid_t, pids_t> pids;
	/* uid and gid mapping entries (see idmap_t). */
	std::vector<idmap_t> uids;
	std::vector<idmap_t> gids;
	/* File descriptors kept open across the sandbox boundary; the policy for what goes here lives in the .cc files. */
	std::vector<int> openfds;
	/* Exit status reported by the child; filled in by the reaping code. */
	int exit_status;
	/* Root directory used for the jail and the path at which proc is mounted; presumably derived from njc — confirm. */
	std::string chroot;
	std::string proc_path;
	/* Mount-related flags (read-write root, new mount API, read-write proc); set from the configuration elsewhere. */
	bool is_root_rw;
	bool mnt_newapi;
	bool is_proc_rw;
	/* Compiled classic-BPF program (struct sock_fprog, linux/filter.h) installed as the seccomp filter. */
	struct sock_fprog seccomp_fprog;
	/* Second BPF program; the name suggests it is used with seccomp user notification — confirm where it is loaded. */
	struct sock_fprog seccomp_unotify_fprog;
};
namespace nsjail {
/* Returns the fatal signal recorded by the signal handling code; the "none" sentinel is defined by the implementation — confirm there. */
int getSigFatal();
/* Whether the process listing should be shown; presumably set asynchronously by a signal and consumed via clearShowProc() — confirm. */
bool shouldShowProc();
/* Resets the flag read by shouldShowProc(). */
void clearShowProc();
} // namespace nsjail
#endif /* NS_NSJAIL_H */