/*
nsjail
-----------------------------------------
Copyright 2014 Google Inc. All Rights Reserved.
Copyright 2016 Sergiusz Bazanski. All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
#ifndef NS_NSJAIL_H
#define NS_NSJAIL_H
#include <linux/filter.h>
#include <netinet/ip6.h>
#include <signal.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>
#include <unistd.h>
#include <map>
#include <string>
#include <vector>
#include "config.pb.h"
/*
 * Signal numbers the supervisor takes an interest in. Only the list lives
 * here; how it is consumed (handlers / sigmask) is in the implementation
 * files, not in this header. Internal linkage: each TU gets its own copy.
 */
static const int nssigs[] = {SIGINT, SIGQUIT, SIGUSR1, SIGALRM, SIGCHLD,
			     SIGTERM, SIGTTIN, SIGTTOU, SIGPIPE};
/*
 * Per-child bookkeeping record; stored as the mapped value of nsj_t::pids.
 * Member order is part of the aggregate-initialization contract — do not
 * reorder.
 * NOTE(review): pthread_t and struct sockaddr_in6 are only reachable through
 * transitive includes here (<pthread.h> / <netinet/in.h> are not included
 * directly by this header).
 */
struct pids_t {
	pid_t pid;			/* child pid */
	time_t start;			/* presumably when the child was spawned — confirm in the .cc */
	int pidfd;			/* pidfd for the child */
	std::string remote_txt;		/* textual peer address; presumably the connecting client in listen mode — verify */
	struct sockaddr_in6 remote_addr;	/* same peer address in binary form */
	int pid_syscall_fd;		/* fd tied to this child's syscall handling; semantics defined by the .cc side */
	pid_t pasta_pid;		/* NOTE(review): looks like the pid of a per-child pasta helper, if any — confirm */
	pthread_t monitor_tid;		/* id of the monitor thread for this child (see nsj_t::pids comment) */
};
/*
 * One id-mapping entry (uid or gid), i.e. one line of the form
 * "inside outside count". Used for both nsj_t::uids and nsj_t::gids.
 */
struct idmap_t {
	uid_t inside_id;	/* first id as seen inside the namespace */
	uid_t outside_id;	/* first id as seen outside the namespace */
	size_t count;		/* length of the contiguous range */
	bool is_newidmap;	/* presumably: apply via newuidmap/newgidmap rather than by writing the map file — confirm */
};
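/*
 * One socket <-> pipe pair relationship tracked by the supervisor, with the
 * pid it belongs to.
 *
 * Equality compares only the three descriptors; `pid` is not part of the
 * comparison, so two entries for the same fds compare equal regardless of
 * owner — presumably so an entry can be located by its fds alone; confirm
 * against the std::find / erase callers before relying on it.
 */
struct pipemap_t {
	int sock_fd;
	int pipe_in;
	int pipe_out;
	pid_t pid;

	/* const-qualified so const entries and const iterators can be compared. */
	bool operator==(const pipemap_t& o) const {
		return sock_fd == o.sock_fd && pipe_in == o.pipe_in && pipe_out == o.pipe_out;
	}
	bool operator!=(const pipemap_t& o) const { return !(*this == o); }
};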
/*
 * Whole-jail state owned by the supervisor. Member order is part of the
 * aggregate-initialization contract — do not reorder.
 */
struct nsj_t {
	nsjail::NsJailConfig njc;	/* parsed configuration (protobuf message from config.pb.h) */
	int exec_fd;			/* presumably an fd for the binary to exec — confirm in the .cc */
	std::vector<std::string> argv;	/* argument vector for the jailed process */
	uid_t orig_uid;			/* uid/euid recorded by the supervisor; exact capture point is in the .cc */
	uid_t orig_euid;
	/*
	 * Map of active child processes.
	 * Thread-safety: Mutated exclusively by the main thread.
	 * Monitor threads receive required context by-value at startup and do not access this map.
	 * See "The Data Isolation Law" in goal.md.
	 */
	std::map<pid_t, pids_t> pids;
	std::vector<idmap_t> uids;	/* uid mapping entries, see idmap_t */
	std::vector<idmap_t> gids;	/* gid mapping entries, see idmap_t */
	std::vector<int> openfds;	/* descriptors kept open; which ones is decided in the .cc */
	std::vector<pipemap_t> pipes;	/* tracked socket/pipe pairs, see pipemap_t */
	int exit_status;
	std::string chroot;
	std::string proc_path;
	bool is_root_rw;
	bool mnt_newapi;		/* presumably: use the newer mount API — confirm in the mount code */
	bool is_proc_rw;
	struct sock_fprog seccomp_fprog;		/* BPF program (linux/filter.h) for the seccomp filter */
	struct sock_fprog seccomp_unotify_fprog;	/* BPF program for the seccomp user-notification filter */
};
namespace nsjail {
/* Signal number recorded as fatal; presumably set from a signal handler — see the definition. */
int getSigFatal();
/* Whether /proc-style process information should currently be shown. */
bool shouldShowProc();
/* Resets the flag read by shouldShowProc(). */
void clearShowProc();
}  // namespace nsjail
#endif /* NS_NSJAIL_H */