authorRobert Swiecki <robert@swiecki.net>2023-10-20 14:15:36 +0200
committerRobert Swiecki <robert@swiecki.net>2023-10-20 18:01:36 +0200
commit98ec95ca85b18bdae6238019b52ed06ca9bb2542 (patch)
treef7700f91efd2a01b51c27d3240506759eab13ed5
parent94b022fece31fe28e0dc9348d2e443cc40ec8d11 (diff)
Use nullptr where appropriate
-rw-r--r--caps.cc4
-rw-r--r--cmdline.cc196
-rw-r--r--contain.cc6
-rw-r--r--mnt.cc6
-rw-r--r--net.cc8
-rw-r--r--user.cc4
-rw-r--r--util.cc2
7 files changed, 113 insertions, 113 deletions
diff --git a/caps.cc b/caps.cc
index 35c179d..ee9c98a 100644
--- a/caps.cc
+++ b/caps.cc
@@ -127,7 +127,7 @@ static cap_user_data_t getCaps() {
};
if (util::syscall(__NR_capget, (uintptr_t)&cap_hdr, (uintptr_t)&cap_data) == -1) {
PLOG_W("capget() failed");
- return NULL;
+ return nullptr;
}
return cap_data;
}
@@ -214,7 +214,7 @@ static bool initNsKeepCaps(cap_user_data_t cap_data) {
bool initNs(nsjconf_t* nsjconf) {
cap_user_data_t cap_data = getCaps();
- if (cap_data == NULL) {
+ if (cap_data == nullptr) {
return false;
}
diff --git a/cmdline.cc b/cmdline.cc
index 5f97cbc..a13c69e 100644
--- a/cmdline.cc
+++ b/cmdline.cc
@@ -67,109 +67,109 @@ struct custom_option {
// clang-format off
static const struct custom_option custom_opts[] = {
- { { "help", no_argument, NULL, 'h' }, "Help plz.." },
- { { "mode", required_argument, NULL, 'M' },
+ { { "help", no_argument, nullptr, 'h' }, "Help plz.." },
+ { { "mode", required_argument, nullptr, 'M' },
"Execution mode (default: 'o' [MODE_STANDALONE_ONCE]):\n"
" l: [MODE_LISTEN_TCP]\n\tWait for connections on a TCP port (specified with --port)\n"
" o: [MODE_STANDALONE_ONCE]\n\tLaunch a single process on the console using clone/execve\n"
" e: [MODE_STANDALONE_EXECVE]\n\tLaunch a single process on the console using execve\n"
" r: [MODE_STANDALONE_RERUN]\n\tLaunch a single process on the console with clone/execve, keep doing it forever" },
- { { "config", required_argument, NULL, 'C' }, "Configuration file in the config.proto ProtoBuf format (see configs/ directory for examples)" },
- { { "exec_file", required_argument, NULL, 'x' }, "File to exec (default: argv[0])" },
- { { "execute_fd", no_argument, NULL, 0x0607 }, "Use execveat() to execute a file-descriptor instead of executing the binary path. In such case argv[0]/exec_file denotes a file path before mount namespacing" },
- { { "chroot", required_argument, NULL, 'c' }, "Directory containing / of the jail (default: none)" },
- { { "no_pivotroot", no_argument, NULL, 0x600 }, "When creating a mount namespace, use mount(MS_MOVE) and chroot rather than pivot_root. Usefull when pivot_root is disallowed (e.g. initramfs). Note: escapable is some configuration" },
- { { "rw", no_argument, NULL, 0x601 }, "Mount chroot dir (/) R/W (default: R/O)" },
- { { "user", required_argument, NULL, 'u' }, "Username/uid of processes inside the jail (default: your current uid). You can also use inside_ns_uid:outside_ns_uid:count convention here. Can be specified multiple times" },
- { { "group", required_argument, NULL, 'g' }, "Groupname/gid of processes inside the jail (default: your current gid). You can also use inside_ns_gid:global_ns_gid:count convention here. Can be specified multiple times" },
- { { "hostname", required_argument, NULL, 'H' }, "UTS name (hostname) of the jail (default: 'NSJAIL')" },
- { { "cwd", required_argument, NULL, 'D' }, "Directory in the namespace the process will run (default: '/')" },
- { { "port", required_argument, NULL, 'p' }, "TCP port to bind to (enables MODE_LISTEN_TCP) (default: 0)" },
- { { "bindhost", required_argument, NULL, 0x604 }, "IP address to bind the port to (only in [MODE_LISTEN_TCP]), (default: '::')" },
- { { "max_conns", required_argument, NULL, 0x608 }, "Maximum number of connections across all IPs (only in [MODE_LISTEN_TCP]), (default: 0 (unlimited))" },
- { { "max_conns_per_ip", required_argument, NULL, 'i' }, "Maximum number of connections per one IP (only in [MODE_LISTEN_TCP]), (default: 0 (unlimited))" },
- { { "log", required_argument, NULL, 'l' }, "Log file (default: use log_fd)" },
- { { "log_fd", required_argument, NULL, 'L' }, "Log FD (default: 2)" },
- { { "time_limit", required_argument, NULL, 't' }, "Maximum time that a jail can exist, in seconds (default: 600)" },
- { { "max_cpus", required_argument, NULL, 0x508 }, "Maximum number of CPUs a single jailed process can use (default: 0 'no limit')" },
- { { "daemon", no_argument, NULL, 'd' }, "Daemonize after start" },
- { { "verbose", no_argument, NULL, 'v' }, "Verbose output" },
- { { "quiet", no_argument, NULL, 'q' }, "Log warning and more important messages only" },
- { { "really_quiet", no_argument, NULL, 'Q' }, "Log fatal messages only" },
- { { "keep_env", no_argument, NULL, 'e' }, "Pass all environment variables to the child process (default: all envars are cleared)" },
- { { "env", required_argument, NULL, 'E' }, "Additional environment variable (can be used multiple times). If the envar doesn't contain '=' (e.g. just the 'DISPLAY' string), the current envar value will be used" },
- { { "keep_caps", no_argument, NULL, 0x0501 }, "Don't drop any capabilities" },
- { { "cap", required_argument, NULL, 0x0509 }, "Retain this capability, e.g. CAP_PTRACE (can be specified multiple times)" },
- { { "silent", no_argument, NULL, 0x0502 }, "Redirect child process' fd:0/1/2 to /dev/null" },
- { { "stderr_to_null", no_argument, NULL, 0x0503 }, "Redirect child process' fd:2 (STDERR_FILENO) to /dev/null" },
- { { "skip_setsid", no_argument, NULL, 0x0504 }, "Don't call setsid(), allows for terminal signal handling in the sandboxed process. Dangerous" },
- { { "pass_fd", required_argument, NULL, 0x0505 }, "Don't close this FD before executing the child process (can be specified multiple times), by default: 0/1/2 are kept open" },
- { { "disable_no_new_privs", no_argument, NULL, 0x0507 }, "Don't set the prctl(NO_NEW_PRIVS, 1) (DANGEROUS)" },
- { { "rlimit_as", required_argument, NULL, 0x0201 }, "RLIMIT_AS in MB, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 4096)" },
- { { "rlimit_core", required_argument, NULL, 0x0202 }, "RLIMIT_CORE in MB, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 0)" },
- { { "rlimit_cpu", required_argument, NULL, 0x0203 }, "RLIMIT_CPU, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 600)" },
- { { "rlimit_fsize", required_argument, NULL, 0x0204 }, "RLIMIT_FSIZE in MB, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 1)" },
- { { "rlimit_nofile", required_argument, NULL, 0x0205 }, "RLIMIT_NOFILE, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 32)" },
- { { "rlimit_nproc", required_argument, NULL, 0x0206 }, "RLIMIT_NPROC, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 'soft')" },
- { { "rlimit_stack", required_argument, NULL, 0x0207 }, "RLIMIT_STACK in MB, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 'soft')" },
- { { "rlimit_memlock", required_argument, NULL, 0x0209 }, "RLIMIT_MEMLOCK in KB, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 'soft')" },
- { { "rlimit_rtprio", required_argument, NULL, 0x0210 }, "RLIMIT_RTPRIO, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 'soft')" },
- { { "rlimit_msgqueue", required_argument, NULL, 0x0211 }, "RLIMIT_MSGQUEUE in bytes, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 'soft')" },
- { { "disable_rlimits", no_argument, NULL, 0x0208 }, "Disable all rlimits, default to limits set by parent" },
- { { "persona_addr_compat_layout", no_argument, NULL, 0x0301 }, "personality(ADDR_COMPAT_LAYOUT)" },
- { { "persona_mmap_page_zero", no_argument, NULL, 0x0302 }, "personality(MMAP_PAGE_ZERO)" },
- { { "persona_read_implies_exec", no_argument, NULL, 0x0303 }, "personality(READ_IMPLIES_EXEC)" },
- { { "persona_addr_limit_3gb", no_argument, NULL, 0x0304 }, "personality(ADDR_LIMIT_3GB)" },
- { { "persona_addr_no_randomize", no_argument, NULL, 0x0305 }, "personality(ADDR_NO_RANDOMIZE)" },
- { { "disable_clone_newnet", no_argument, NULL, 'N' }, "Don't use CLONE_NEWNET. Enable global networking inside the jail" },
- { { "disable_clone_newuser", no_argument, NULL, 0x0402 }, "Don't use CLONE_NEWUSER. Requires euid==0" },
- { { "disable_clone_newns", no_argument, NULL, 0x0403 }, "Don't use CLONE_NEWNS" },
- { { "disable_clone_newpid", no_argument, NULL, 0x0404 }, "Don't use CLONE_NEWPID" },
- { { "disable_clone_newipc", no_argument, NULL, 0x0405 }, "Don't use CLONE_NEWIPC" },
- { { "disable_clone_newuts", no_argument, NULL, 0x0406 }, "Don't use CLONE_NEWUTS" },
- { { "disable_clone_newcgroup", no_argument, NULL, 0x0407 }, "Don't use CLONE_NEWCGROUP. Might be required for kernel versions < 4.6" },
- { { "enable_clone_newtime", no_argument, NULL, 0x0408 }, "Use CLONE_NEWTIME. Supported with kernel versions >= 5.3" },
- { { "uid_mapping", required_argument, NULL, 'U' }, "Add a custom uid mapping of the form inside_uid:outside_uid:count. Setting this requires newuidmap (set-uid) to be present" },
- { { "gid_mapping", required_argument, NULL, 'G' }, "Add a custom gid mapping of the form inside_gid:outside_gid:count. Setting this requires newgidmap (set-uid) to be present" },
- { { "bindmount_ro", required_argument, NULL, 'R' }, "List of mountpoints to be mounted --bind (ro) inside the container. Can be specified multiple times. Supports 'source' syntax, or 'source:dest'" },
- { { "bindmount", required_argument, NULL, 'B' }, "List of mountpoints to be mounted --bind (rw) inside the container. Can be specified multiple times. Supports 'source' syntax, or 'source:dest'" },
- { { "tmpfsmount", required_argument, NULL, 'T' }, "List of mountpoints to be mounted as tmpfs (R/W) inside the container. Can be specified multiple times. Supports 'dest' syntax. Alternatively, use '-m none:dest:tmpfs:size=8388608'" },
- { { "mount", required_argument, NULL, 'm' }, "Arbitrary mount, format src:dst:fs_type:options" },
- { { "symlink", required_argument, NULL, 's' }, "Symlink, format src:dst" },
- { { "disable_proc", no_argument, NULL, 0x0603 }, "Disable mounting procfs in the jail" },
- { { "proc_path", required_argument, NULL, 0x0605 }, "Path used to mount procfs (default: '/proc')" },
- { { "proc_rw", no_argument, NULL, 0x0606 }, "Is procfs mounted as R/W (default: R/O)" },
- { { "seccomp_policy", required_argument, NULL, 'P' }, "Path to file containing seccomp-bpf policy (see kafel/)" },
- { { "seccomp_string", required_argument, NULL, 0x0901 }, "String with kafel seccomp-bpf policy (see kafel/)" },
- { { "seccomp_log", no_argument, NULL, 0x0902 }, "Use SECCOMP_FILTER_FLAG_LOG. Log all actions except SECCOMP_RET_ALLOW). Supported since kernel version 4.14" },
- { { "nice_level", required_argument, NULL, 0x0903 }, "Set jailed process niceness (-20 is highest -priority, 19 is lowest). By default, set to 19" },
- { { "cgroup_mem_max", required_argument, NULL, 0x0801 }, "Maximum number of bytes to use in the group (default: '0' - disabled)" },
- { { "cgroup_mem_memsw_max", required_argument, NULL, 0x0804 }, "Maximum number of memory+swap bytes to use (default: '0' - disabled)" },
- { { "cgroup_mem_swap_max", required_argument, NULL, 0x0805 }, "Maximum number of swap bytes to use (default: '-1' - disabled)" },
- { { "cgroup_mem_mount", required_argument, NULL, 0x0802 }, "Location of memory cgroup FS (default: '/sys/fs/cgroup/memory')" },
- { { "cgroup_mem_parent", required_argument, NULL, 0x0803 }, "Which pre-existing memory cgroup to use as a parent (default: 'NSJAIL')" },
- { { "cgroup_pids_max", required_argument, NULL, 0x0811 }, "Maximum number of pids in a cgroup (default: '0' - disabled)" },
- { { "cgroup_pids_mount", required_argument, NULL, 0x0812 }, "Location of pids cgroup FS (default: '/sys/fs/cgroup/pids')" },
- { { "cgroup_pids_parent", required_argument, NULL, 0x0813 }, "Which pre-existing pids cgroup to use as a parent (default: 'NSJAIL')" },
- { { "cgroup_net_cls_classid", required_argument, NULL, 0x0821 }, "Class identifier of network packets in the group (default: '0' - disabled)" },
- { { "cgroup_net_cls_mount", required_argument, NULL, 0x0822 }, "Location of net_cls cgroup FS (default: '/sys/fs/cgroup/net_cls')" },
- { { "cgroup_net_cls_parent", required_argument, NULL, 0x0823 }, "Which pre-existing net_cls cgroup to use as a parent (default: 'NSJAIL')" },
- { { "cgroup_cpu_ms_per_sec", required_argument, NULL, 0x0831 }, "Number of milliseconds of CPU time per second that the process group can use (default: '0' - no limit)" },
- { { "cgroup_cpu_mount", required_argument, NULL, 0x0832 }, "Location of cpu cgroup FS (default: '/sys/fs/cgroup/cpu')" },
- { { "cgroup_cpu_parent", required_argument, NULL, 0x0833 }, "Which pre-existing cpu cgroup to use as a parent (default: 'NSJAIL')" },
- { { "cgroupv2_mount", required_argument, NULL, 0x0834}, "Location of cgroupv2 directory (default: '/sys/fs/cgroup')"},
- { { "use_cgroupv2", no_argument, NULL, 0x0835}, "Use cgroup v2"},
- { { "detect_cgroupv2", no_argument, NULL, 0x0836}, "Use cgroupv2, if it is available. (Specify instead of use_cgroupv2)"},
- { { "iface_no_lo", no_argument, NULL, 0x700 }, "Don't bring the 'lo' interface up" },
- { { "iface_own", required_argument, NULL, 0x704 }, "Move this existing network interface into the new NET namespace. Can be specified multiple times" },
- { { "macvlan_iface", required_argument, NULL, 'I' }, "Interface which will be cloned (MACVLAN) and put inside the subprocess' namespace as 'vs'" },
- { { "macvlan_vs_ip", required_argument, NULL, 0x701 }, "IP of the 'vs' interface (e.g. \"192.168.0.1\")" },
- { { "macvlan_vs_nm", required_argument, NULL, 0x702 }, "Netmask of the 'vs' interface (e.g. \"255.255.255.0\")" },
- { { "macvlan_vs_gw", required_argument, NULL, 0x703 }, "Default GW for the 'vs' interface (e.g. \"192.168.0.1\")" },
- { { "macvlan_vs_ma", required_argument, NULL, 0x705 }, "MAC-address of the 'vs' interface (e.g. \"ba:ad:ba:be:45:00\")" },
- { { "macvlan_vs_mo", required_argument, NULL, 0x706 }, "Mode of the 'vs' interface. Can be either 'private', 'vepa', 'bridge' or 'passthru' (default: 'private')" },
- { { "disable_tsc", no_argument, NULL, 0x707 }, "Disable rdtsc and rdtscp instructions. WARNING: To make it effective, you also need to forbid `prctl(PR_SET_TSC, PR_TSC_ENABLE, ...)` in seccomp rules! (x86 and x86_64 only). Dynamic binaries produced by GCC seem to rely on RDTSC, but static ones should work." },
- { { "forward_signals", no_argument, NULL, 0x708 }, "Forward fatal signals to the child process instead of always using SIKGILL." },
+ { { "config", required_argument, nullptr, 'C' }, "Configuration file in the config.proto ProtoBuf format (see configs/ directory for examples)" },
+ { { "exec_file", required_argument, nullptr, 'x' }, "File to exec (default: argv[0])" },
+ { { "execute_fd", no_argument, nullptr, 0x0607 }, "Use execveat() to execute a file-descriptor instead of executing the binary path. In such case argv[0]/exec_file denotes a file path before mount namespacing" },
+ { { "chroot", required_argument, nullptr, 'c' }, "Directory containing / of the jail (default: none)" },
+ { { "no_pivotroot", no_argument, nullptr, 0x600 }, "When creating a mount namespace, use mount(MS_MOVE) and chroot rather than pivot_root. Usefull when pivot_root is disallowed (e.g. initramfs). Note: escapable is some configuration" },
+ { { "rw", no_argument, nullptr, 0x601 }, "Mount chroot dir (/) R/W (default: R/O)" },
+ { { "user", required_argument, nullptr, 'u' }, "Username/uid of processes inside the jail (default: your current uid). You can also use inside_ns_uid:outside_ns_uid:count convention here. Can be specified multiple times" },
+ { { "group", required_argument, nullptr, 'g' }, "Groupname/gid of processes inside the jail (default: your current gid). You can also use inside_ns_gid:global_ns_gid:count convention here. Can be specified multiple times" },
+ { { "hostname", required_argument, nullptr, 'H' }, "UTS name (hostname) of the jail (default: 'NSJAIL')" },
+ { { "cwd", required_argument, nullptr, 'D' }, "Directory in the namespace the process will run (default: '/')" },
+ { { "port", required_argument, nullptr, 'p' }, "TCP port to bind to (enables MODE_LISTEN_TCP) (default: 0)" },
+ { { "bindhost", required_argument, nullptr, 0x604 }, "IP address to bind the port to (only in [MODE_LISTEN_TCP]), (default: '::')" },
+ { { "max_conns", required_argument, nullptr, 0x608 }, "Maximum number of connections across all IPs (only in [MODE_LISTEN_TCP]), (default: 0 (unlimited))" },
+ { { "max_conns_per_ip", required_argument, nullptr, 'i' }, "Maximum number of connections per one IP (only in [MODE_LISTEN_TCP]), (default: 0 (unlimited))" },
+ { { "log", required_argument, nullptr, 'l' }, "Log file (default: use log_fd)" },
+ { { "log_fd", required_argument, nullptr, 'L' }, "Log FD (default: 2)" },
+ { { "time_limit", required_argument, nullptr, 't' }, "Maximum time that a jail can exist, in seconds (default: 600)" },
+ { { "max_cpus", required_argument, nullptr, 0x508 }, "Maximum number of CPUs a single jailed process can use (default: 0 'no limit')" },
+ { { "daemon", no_argument, nullptr, 'd' }, "Daemonize after start" },
+ { { "verbose", no_argument, nullptr, 'v' }, "Verbose output" },
+ { { "quiet", no_argument, nullptr, 'q' }, "Log warning and more important messages only" },
+ { { "really_quiet", no_argument, nullptr, 'Q' }, "Log fatal messages only" },
+ { { "keep_env", no_argument, nullptr, 'e' }, "Pass all environment variables to the child process (default: all envars are cleared)" },
+ { { "env", required_argument, nullptr, 'E' }, "Additional environment variable (can be used multiple times). If the envar doesn't contain '=' (e.g. just the 'DISPLAY' string), the current envar value will be used" },
+ { { "keep_caps", no_argument, nullptr, 0x0501 }, "Don't drop any capabilities" },
+ { { "cap", required_argument, nullptr, 0x0509 }, "Retain this capability, e.g. CAP_PTRACE (can be specified multiple times)" },
+ { { "silent", no_argument, nullptr, 0x0502 }, "Redirect child process' fd:0/1/2 to /dev/null" },
+ { { "stderr_to_null", no_argument, nullptr, 0x0503 }, "Redirect child process' fd:2 (STDERR_FILENO) to /dev/null" },
+ { { "skip_setsid", no_argument, nullptr, 0x0504 }, "Don't call setsid(), allows for terminal signal handling in the sandboxed process. Dangerous" },
+ { { "pass_fd", required_argument, nullptr, 0x0505 }, "Don't close this FD before executing the child process (can be specified multiple times), by default: 0/1/2 are kept open" },
+ { { "disable_no_new_privs", no_argument, nullptr, 0x0507 }, "Don't set the prctl(NO_NEW_PRIVS, 1) (DANGEROUS)" },
+ { { "rlimit_as", required_argument, nullptr, 0x0201 }, "RLIMIT_AS in MB, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 4096)" },
+ { { "rlimit_core", required_argument, nullptr, 0x0202 }, "RLIMIT_CORE in MB, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 0)" },
+ { { "rlimit_cpu", required_argument, nullptr, 0x0203 }, "RLIMIT_CPU, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 600)" },
+ { { "rlimit_fsize", required_argument, nullptr, 0x0204 }, "RLIMIT_FSIZE in MB, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 1)" },
+ { { "rlimit_nofile", required_argument, nullptr, 0x0205 }, "RLIMIT_NOFILE, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 32)" },
+ { { "rlimit_nproc", required_argument, nullptr, 0x0206 }, "RLIMIT_NPROC, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 'soft')" },
+ { { "rlimit_stack", required_argument, nullptr, 0x0207 }, "RLIMIT_STACK in MB, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 'soft')" },
+ { { "rlimit_memlock", required_argument, nullptr, 0x0209 }, "RLIMIT_MEMLOCK in KB, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 'soft')" },
+ { { "rlimit_rtprio", required_argument, nullptr, 0x0210 }, "RLIMIT_RTPRIO, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 'soft')" },
+ { { "rlimit_msgqueue", required_argument, nullptr, 0x0211 }, "RLIMIT_MSGQUEUE in bytes, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 'soft')" },
+ { { "disable_rlimits", no_argument, nullptr, 0x0208 }, "Disable all rlimits, default to limits set by parent" },
+ { { "persona_addr_compat_layout", no_argument, nullptr, 0x0301 }, "personality(ADDR_COMPAT_LAYOUT)" },
+ { { "persona_mmap_page_zero", no_argument, nullptr, 0x0302 }, "personality(MMAP_PAGE_ZERO)" },
+ { { "persona_read_implies_exec", no_argument, nullptr, 0x0303 }, "personality(READ_IMPLIES_EXEC)" },
+ { { "persona_addr_limit_3gb", no_argument, nullptr, 0x0304 }, "personality(ADDR_LIMIT_3GB)" },
+ { { "persona_addr_no_randomize", no_argument, nullptr, 0x0305 }, "personality(ADDR_NO_RANDOMIZE)" },
+ { { "disable_clone_newnet", no_argument, nullptr, 'N' }, "Don't use CLONE_NEWNET. Enable global networking inside the jail" },
+ { { "disable_clone_newuser", no_argument, nullptr, 0x0402 }, "Don't use CLONE_NEWUSER. Requires euid==0" },
+ { { "disable_clone_newns", no_argument, nullptr, 0x0403 }, "Don't use CLONE_NEWNS" },
+ { { "disable_clone_newpid", no_argument, nullptr, 0x0404 }, "Don't use CLONE_NEWPID" },
+ { { "disable_clone_newipc", no_argument, nullptr, 0x0405 }, "Don't use CLONE_NEWIPC" },
+ { { "disable_clone_newuts", no_argument, nullptr, 0x0406 }, "Don't use CLONE_NEWUTS" },
+ { { "disable_clone_newcgroup", no_argument, nullptr, 0x0407 }, "Don't use CLONE_NEWCGROUP. Might be required for kernel versions < 4.6" },
+ { { "enable_clone_newtime", no_argument, nullptr, 0x0408 }, "Use CLONE_NEWTIME. Supported with kernel versions >= 5.3" },
+ { { "uid_mapping", required_argument, nullptr, 'U' }, "Add a custom uid mapping of the form inside_uid:outside_uid:count. Setting this requires newuidmap (set-uid) to be present" },
+ { { "gid_mapping", required_argument, nullptr, 'G' }, "Add a custom gid mapping of the form inside_gid:outside_gid:count. Setting this requires newgidmap (set-uid) to be present" },
+ { { "bindmount_ro", required_argument, nullptr, 'R' }, "List of mountpoints to be mounted --bind (ro) inside the container. Can be specified multiple times. Supports 'source' syntax, or 'source:dest'" },
+ { { "bindmount", required_argument, nullptr, 'B' }, "List of mountpoints to be mounted --bind (rw) inside the container. Can be specified multiple times. Supports 'source' syntax, or 'source:dest'" },
+ { { "tmpfsmount", required_argument, nullptr, 'T' }, "List of mountpoints to be mounted as tmpfs (R/W) inside the container. Can be specified multiple times. Supports 'dest' syntax. Alternatively, use '-m none:dest:tmpfs:size=8388608'" },
+ { { "mount", required_argument, nullptr, 'm' }, "Arbitrary mount, format src:dst:fs_type:options" },
+ { { "symlink", required_argument, nullptr, 's' }, "Symlink, format src:dst" },
+ { { "disable_proc", no_argument, nullptr, 0x0603 }, "Disable mounting procfs in the jail" },
+ { { "proc_path", required_argument, nullptr, 0x0605 }, "Path used to mount procfs (default: '/proc')" },
+ { { "proc_rw", no_argument, nullptr, 0x0606 }, "Is procfs mounted as R/W (default: R/O)" },
+ { { "seccomp_policy", required_argument, nullptr, 'P' }, "Path to file containing seccomp-bpf policy (see kafel/)" },
+ { { "seccomp_string", required_argument, nullptr, 0x0901 }, "String with kafel seccomp-bpf policy (see kafel/)" },
+ { { "seccomp_log", no_argument, nullptr, 0x0902 }, "Use SECCOMP_FILTER_FLAG_LOG. Log all actions except SECCOMP_RET_ALLOW). Supported since kernel version 4.14" },
+ { { "nice_level", required_argument, nullptr, 0x0903 }, "Set jailed process niceness (-20 is highest -priority, 19 is lowest). By default, set to 19" },
+ { { "cgroup_mem_max", required_argument, nullptr, 0x0801 }, "Maximum number of bytes to use in the group (default: '0' - disabled)" },
+ { { "cgroup_mem_memsw_max", required_argument, nullptr, 0x0804 }, "Maximum number of memory+swap bytes to use (default: '0' - disabled)" },
+ { { "cgroup_mem_swap_max", required_argument, nullptr, 0x0805 }, "Maximum number of swap bytes to use (default: '-1' - disabled)" },
+ { { "cgroup_mem_mount", required_argument, nullptr, 0x0802 }, "Location of memory cgroup FS (default: '/sys/fs/cgroup/memory')" },
+ { { "cgroup_mem_parent", required_argument, nullptr, 0x0803 }, "Which pre-existing memory cgroup to use as a parent (default: 'NSJAIL')" },
+ { { "cgroup_pids_max", required_argument, nullptr, 0x0811 }, "Maximum number of pids in a cgroup (default: '0' - disabled)" },
+ { { "cgroup_pids_mount", required_argument, nullptr, 0x0812 }, "Location of pids cgroup FS (default: '/sys/fs/cgroup/pids')" },
+ { { "cgroup_pids_parent", required_argument, nullptr, 0x0813 }, "Which pre-existing pids cgroup to use as a parent (default: 'NSJAIL')" },
+ { { "cgroup_net_cls_classid", required_argument, nullptr, 0x0821 }, "Class identifier of network packets in the group (default: '0' - disabled)" },
+ { { "cgroup_net_cls_mount", required_argument, nullptr, 0x0822 }, "Location of net_cls cgroup FS (default: '/sys/fs/cgroup/net_cls')" },
+ { { "cgroup_net_cls_parent", required_argument, nullptr, 0x0823 }, "Which pre-existing net_cls cgroup to use as a parent (default: 'NSJAIL')" },
+ { { "cgroup_cpu_ms_per_sec", required_argument, nullptr, 0x0831 }, "Number of milliseconds of CPU time per second that the process group can use (default: '0' - no limit)" },
+ { { "cgroup_cpu_mount", required_argument, nullptr, 0x0832 }, "Location of cpu cgroup FS (default: '/sys/fs/cgroup/cpu')" },
+ { { "cgroup_cpu_parent", required_argument, nullptr, 0x0833 }, "Which pre-existing cpu cgroup to use as a parent (default: 'NSJAIL')" },
+ { { "cgroupv2_mount", required_argument, nullptr, 0x0834}, "Location of cgroupv2 directory (default: '/sys/fs/cgroup')"},
+ { { "use_cgroupv2", no_argument, nullptr, 0x0835}, "Use cgroup v2"},
+ { { "detect_cgroupv2", no_argument, nullptr, 0x0836}, "Use cgroupv2, if it is available. (Specify instead of use_cgroupv2)"},
+ { { "iface_no_lo", no_argument, nullptr, 0x700 }, "Don't bring the 'lo' interface up" },
+ { { "iface_own", required_argument, nullptr, 0x704 }, "Move this existing network interface into the new NET namespace. Can be specified multiple times" },
+ { { "macvlan_iface", required_argument, nullptr, 'I' }, "Interface which will be cloned (MACVLAN) and put inside the subprocess' namespace as 'vs'" },
+ { { "macvlan_vs_ip", required_argument, nullptr, 0x701 }, "IP of the 'vs' interface (e.g. \"192.168.0.1\")" },
+ { { "macvlan_vs_nm", required_argument, nullptr, 0x702 }, "Netmask of the 'vs' interface (e.g. \"255.255.255.0\")" },
+ { { "macvlan_vs_gw", required_argument, nullptr, 0x703 }, "Default GW for the 'vs' interface (e.g. \"192.168.0.1\")" },
+ { { "macvlan_vs_ma", required_argument, nullptr, 0x705 }, "MAC-address of the 'vs' interface (e.g. \"ba:ad:ba:be:45:00\")" },
+ { { "macvlan_vs_mo", required_argument, nullptr, 0x706 }, "Mode of the 'vs' interface. Can be either 'private', 'vepa', 'bridge' or 'passthru' (default: 'private')" },
+ { { "disable_tsc", no_argument, nullptr, 0x707 }, "Disable rdtsc and rdtscp instructions. WARNING: To make it effective, you also need to forbid `prctl(PR_SET_TSC, PR_TSC_ENABLE, ...)` in seccomp rules! (x86 and x86_64 only). Dynamic binaries produced by GCC seem to rely on RDTSC, but static ones should work." },
+ { { "forward_signals", no_argument, nullptr, 0x708 }, "Forward fatal signals to the child process instead of always using SIKGILL." },
};
// clang-format on
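Review bot: The help strings in `custom_opts` still carry typos on security-relevant options, even though every row of the table is rewritten here. The `no_pivotroot` entry ends with `Note: escapable is some configuration`, which is the only warning a user gets that this mode can be escaped; it should read `Note: escapable in some configurations`, and `Usefull` in the same string should be `Useful`. The `forward_signals` entry says `SIKGILL` where `SIGKILL` is meant. The `seccomp_log` text has an unmatched `)` after `SECCOMP_RET_ALLOW`, and `nice_level` has a stray `-` in `highest -priority`.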
diff --git a/contain.cc b/contain.cc
index 69b334c..6ac5c4a 100644
--- a/contain.cc
+++ b/contain.cc
@@ -236,7 +236,7 @@ static bool containMakeFdsCOEProc(nsjconf_t* nsjconf) {
return false;
}
DIR* dir = fdopendir(dirfd);
- if (dir == NULL) {
+ if (dir == nullptr) {
PLOG_W("fdopendir(fd=%d)", dirfd);
close(dirfd);
return false;
@@ -245,12 +245,12 @@ static bool containMakeFdsCOEProc(nsjconf_t* nsjconf) {
for (;;) {
errno = 0;
struct dirent* entry = readdir(dir);
- if (entry == NULL && errno != 0) {
+ if (entry == nullptr && errno != 0) {
PLOG_D("readdir('/proc/self/fd')");
closedir(dir);
return false;
}
- if (entry == NULL) {
+ if (entry == nullptr) {
break;
}
if (strcmp(".", entry->d_name) == 0) {
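Review bot: The readdir() failure path logs with `PLOG_D("readdir('/proc/self/fd')")`, while the fdopendir() failure in the previous hunk uses `PLOG_W`. An error that makes this function return false is therefore likely invisible unless debug logging is on. Judging by its name, the function marks inherited descriptors close-on-exec, so a failed enumeration deserves the same level: `PLOG_W("readdir('/proc/self/fd')");`. The loop body continues past the end of this hunk, so how the caller reacts to the `false` return is not visible here.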
diff --git a/mnt.cc b/mnt.cc
index 6d92610..1a9835a 100644
--- a/mnt.cc
+++ b/mnt.cc
@@ -114,7 +114,7 @@ static bool isDir(const char* path) {
/*
* If the source dir is NULL, we assume it's a dir (for /proc and tmpfs)
*/
- if (path == NULL) {
+ if (path == nullptr) {
return true;
}
struct stat st;
@@ -535,7 +535,7 @@ static bool addMountPt(mount_t* mnt, const std::string& src, const std::string&
const std::string& src_content, bool is_symlink) {
if (!src_env.empty()) {
const char* e = getenv(src_env.c_str());
- if (e == NULL) {
+ if (e == nullptr) {
LOG_W("No such envar:%s", QC(src_env));
return false;
}
@@ -545,7 +545,7 @@ static bool addMountPt(mount_t* mnt, const std::string& src, const std::string&
if (!dst_env.empty()) {
const char* e = getenv(dst_env.c_str());
- if (e == NULL) {
+ if (e == nullptr) {
LOG_W("No such envar:%s", QC(dst_env));
return false;
}
diff --git a/net.cc b/net.cc
index 72e9187..9505b7e 100644
--- a/net.cc
+++ b/net.cc
@@ -57,7 +57,7 @@ namespace net {
static bool cloneIface(
nsjconf_t* nsjconf, struct nl_sock* sk, struct nl_cache* link_cache, int pid) {
struct rtnl_link* rmv = rtnl_link_macvlan_alloc();
- if (rmv == NULL) {
+ if (rmv == nullptr) {
LOG_E("rtnl_link_macvlan_alloc()");
return false;
}
@@ -271,7 +271,7 @@ int getRecvSocket(const char* bindhost, int port) {
return -1;
}
- auto connstr = connToText(sockfd, false /* remote */, NULL);
+ auto connstr = connToText(sockfd, false /* remote */, nullptr);
LOG_I("Listening on %s", connstr.c_str());
return sockfd;
@@ -288,8 +288,8 @@ int acceptConn(int listenfd) {
return -1;
}
- auto connremotestr = connToText(connfd, true /* remote */, NULL);
- auto connlocalstr = connToText(connfd, false /* remote */, NULL);
+ auto connremotestr = connToText(connfd, true /* remote */, nullptr);
+ auto connlocalstr = connToText(connfd, false /* remote */, nullptr);
LOG_I("New connection from: %s on: %s", connremotestr.c_str(), connlocalstr.c_str());
return connfd;
diff --git a/user.cc b/user.cc
index a335e2d..e939980 100644
--- a/user.cc
+++ b/user.cc
@@ -319,7 +319,7 @@ static uid_t parseUid(const std::string& id) {
return getuid();
}
struct passwd* pw = getpwnam(id.c_str());
- if (pw != NULL) {
+ if (pw != nullptr) {
return pw->pw_uid;
}
if (util::isANumber(id.c_str())) {
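Review bot: parseUid calls `getpwnam(id.c_str())` before `util::isANumber()`, so an all-digit `id` that matches an account name resolves to that account's uid rather than to the number itself, and this precedence is not documented. A nullptr from getpwnam() also covers lookup errors, which then reach the isANumber() check as if the user simply did not exist. I would add a comment above the lookup, e.g. `// Name lookup takes precedence over numeric ids; a failed lookup falls through to numeric parsing`. parseGid in the next hunk has the same shape with getgrnam(). Both function bodies continue outside their hunks.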
@@ -333,7 +333,7 @@ static gid_t parseGid(const std::string& id) {
return getgid();
}
struct group* gr = getgrnam(id.c_str());
- if (gr != NULL) {
+ if (gr != nullptr) {
return gr->gr_gid;
}
if (util::isANumber(id.c_str())) {
diff --git a/util.cc b/util.cc
index b882d69..1e86d9c 100644
--- a/util.cc
+++ b/util.cc
@@ -139,7 +139,7 @@ bool createDirRecursively(const char* dir) {
}
char* next = strchr(curr, '/');
- if (next == NULL) {
+ if (next == nullptr) {
close(prev_dir_fd);
return true;
}