Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

nsjail: 2.1 -> 2.2 #31257

Merged
merged 2 commits into from Nov 4, 2017
Merged

nsjail: 2.1 -> 2.2 #31257

merged 2 commits into from Nov 4, 2017

Conversation

c0bw3b
Copy link
Contributor

@c0bw3b c0bw3b commented Nov 4, 2017

Motivation for this change

Fixed the meta.license information
Version bump contains:

Works correctly with some archs which need aligned stack for clone (e.g. aarch64)
Enable CLONE_NEWCGROUP by default (can be disabled)
Added CTRL+\ (SIGQUIT) handler to show all connections
Create new dirs in /run/user/ first (instead of /tmp)
Unblock all signals prior to execve
Don't start new ns-init if CLONE_NEWPID is not requested
Support cgroup net_cls subsystem
Mount: better statvfs -> mount flags mapping

BTW, NixOS is the one distro providing a recent version of this tool 馃樄
https://repology.org/metapackage/nsjail/versions

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option build-use-sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Fits CONTRIBUTING.md.

@c0bw3b
stdenv.lib.maintainers: add c0bw3b
27114d4
@c0bw3b
nsjail: 2.1 -> 2.2
9754503 
plus fixed meta.license which should be Apache License 2.0
@c0bw3b
Copy link
Contributor Author

c0bw3b commented Nov 4, 2017 

$ ./result/bin/nsjail -Me --chroot / --disable_proc -- $(which echo) "Nope"
[2017-11-04T20:00:34+0100] Mode: STANDALONE_EXECVE
[2017-11-04T20:00:34+0100] Jail parameters: hostname:'NSJAIL', chroot:'/', process:'/run/current-system/sw/bin/echo', bind:[::]:0, max_conns_per_ip:0, time_limit:0, personality:0, daemonize:false, clone_newnet:true, clone_newuser:true, clone_newns:true, clone_newpid:true, clone_newipc:true, clonew_newuts:true, clone_newcgroup:true, keep_caps:false, tmpfs_size:4194304, disable_no_new_privs:false, max_cpus:0
[2017-11-04T20:00:34+0100] Mount point: src:'/' dst:'/' type:'' flags:MS_RDONLY|MS_BIND|MS_REC|MS_PRIVATE|0 options:'' isDir:true
[2017-11-04T20:00:34+0100] Uid map: inside_uid:1000 outside_uid:1000 count:1 newuidmap:false
[2017-11-04T20:00:34+0100] Gid map: inside_gid:100 outside_gid:100 count:1 newgidmap:false
[2017-11-04T20:00:34+0100] Executing '/run/current-system/sw/bin/echo' for '[STANDALONE_MODE]'
Nope

@7c6f434c 7c6f434c merged commit 53d4649 into NixOS:master Nov 4, 2017
@c0bw3b c0bw3b deleted the pkg/nsjail branch November 7, 2017 22:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@edolstra edolstra Awaiting requested review from edolstra

@nbp nbp Awaiting requested review from nbp

Assignees
No one assigned
Labels
10.rebuild-darwin: 0 10.rebuild-linux: 1-10
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@c0bw3b @7c6f434c @GrahamcOfBorg