commit:     af672fbde6c6fe9b778f557f7b2b2ec149b02dc5
Author:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Thu Oct 21 05:18:53 2021 +0000
Commit:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Thu Oct 21 05:18:53 2021 +0000
URL:        https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=af672fbd

namespaces: add support for cgroup & time

Signed-off-by: Mike Frysinger <vapier <AT> gentoo.org>

 etc/sandbox.conf |  2 ++
 src/namespaces.c |  8 ++++++++
 src/options.c    | 28 ++++++++++++++++++++--------
 src/sandbox.h    |  2 ++
 4 files changed, 32 insertions(+), 8 deletions(-)

diff --git a/etc/sandbox.conf b/etc/sandbox.conf
index 0d29a64..d8a6550 100644
--- a/etc/sandbox.conf
+++ b/etc/sandbox.conf
@@ -50,11 +50,13 @@
 # particular type, it will be automatically skipped.  Default to off as these
 # are currently experimental.
 # For more details on each type, see the namespaces(7) manpage.
+#NAMESPACE_CGROUP_ENABLE="no"
 #NAMESPACE_IPC_ENABLE="no"
 #NAMESPACE_MNT_ENABLE="no"
 #NAMESPACE_NET_ENABLE="no"
 #NAMESPACE_PID_ENABLE="no"
 #NAMESPACE_SYSV_ENABLE="no"
+#NAMESPACE_TIME_ENABLE="no"
 #NAMESPACE_USER_ENABLE="no"
 #NAMESPACE_UTS_ENABLE="no"
 

diff --git a/src/namespaces.c b/src/namespaces.c
index 5be42f6..1f93b60 100644
--- a/src/namespaces.c
+++ b/src/namespaces.c
@@ -182,6 +182,10 @@ pid_t setup_namespaces(void)
        if (opt_use_ns_user)
                ns_user_switch(uid, gid, 0, 0);
 
+#ifdef CLONE_NEWCGROUP
+       if (opt_use_ns_cgroup)
+               unshare(CLONE_NEWCGROUP);
+#endif
 #ifdef CLONE_NEWIPC
        if (opt_use_ns_ipc)
                unshare(CLONE_NEWIPC);
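Review bot: The new `unshare(CLONE_NEWCGROUP)` under the `opt_use_ns_cgroup` check discards the return value, so when the call fails (for example EPERM without CAP_SYS_ADMIN in the current user namespace, or EINVAL on a running kernel older than the headers the binary was built against) the sandbox carries on without the isolation the user explicitly enabled and nothing is reported; the `unshare(CLONE_NEWTIME)` added in the next hunk has the same gap. The existing UTS code a few lines further down already tests the result (`unshare(CLONE_NEWUTS) == 0`), so the new calls could follow that shape, e.g. `if (opt_use_ns_cgroup && unshare(CLONE_NEWCGROUP) != 0)` followed by a warning through the project's error-reporting helper that includes `strerror(errno)`, so a missing isolation layer is visible in the log rather than silent. For the time namespace, per time_namespaces(7) `unshare(CLONE_NEWTIME)` does not move the caller itself into the new namespace — only children created afterwards land in it — so the call only has an effect if the sandboxed process is forked after this point; a one-line comment such as `/* only affects children forked after this point, see time_namespaces(7) */` would record that dependency. setup_namespaces() begins before and continues past both hunks.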
@@ -190,6 +194,10 @@ pid_t setup_namespaces(void)
        if (opt_use_ns_sysv)
                unshare(CLONE_SYSVSEM);
 #endif
+#ifdef CLONE_NEWTIME
+       if (opt_use_ns_time)
+               unshare(CLONE_NEWTIME);
+#endif
 
 #ifdef CLONE_NEWUTS
        if (opt_use_ns_uts && unshare(CLONE_NEWUTS) == 0) {

diff --git a/src/options.c b/src/options.c
index 295ee75..ad019b0 100644
--- a/src/options.c
+++ b/src/options.c
@@ -11,11 +11,13 @@
 
 /* Setting to -1 will load defaults from the config file. */
 int opt_use_namespaces = -1;
+int opt_use_ns_cgroup = -1;
 int opt_use_ns_ipc = -1;
 int opt_use_ns_mnt = -1;
 int opt_use_ns_net = -1;
 int opt_use_ns_pid = -1;
 int opt_use_ns_sysv = -1;
+int opt_use_ns_time = -1;
 int opt_use_ns_user = -1;
 int opt_use_ns_uts = -1;
 
@@ -25,14 +27,16 @@ static const struct {
        int default_val;
 } config_opts[] = {
        /* Default these to off until they can get more testing. */
-       { "NAMESPACES_ENABLE",     &opt_use_namespaces, false, },
-       { "NAMESPACE_IPC_ENABLE",  &opt_use_ns_ipc,     false, },
-       { "NAMESPACE_MNT_ENABLE",  &opt_use_ns_mnt,     false, },
-       { "NAMESPACE_NET_ENABLE",  &opt_use_ns_net,     false, },
-       { "NAMESPACE_PID_ENABLE",  &opt_use_ns_pid,     false, },
-       { "NAMESPACE_SYSV_ENABLE", &opt_use_ns_sysv,    false, },
-       { "NAMESPACE_USER_ENABLE", &opt_use_ns_user,    false, },
-       { "NAMESPACE_UTS_ENABLE",  &opt_use_ns_uts,     false, },
+       { "NAMESPACES_ENABLE",       &opt_use_namespaces, false, },
+       { "NAMESPACE_CGROUP_ENABLE", &opt_use_ns_cgroup,  false, },
+       { "NAMESPACE_IPC_ENABLE",    &opt_use_ns_ipc,     false, },
+       { "NAMESPACE_MNT_ENABLE",    &opt_use_ns_mnt,     false, },
+       { "NAMESPACE_NET_ENABLE",    &opt_use_ns_net,     false, },
+       { "NAMESPACE_PID_ENABLE",    &opt_use_ns_pid,     false, },
+       { "NAMESPACE_SYSV_ENABLE",   &opt_use_ns_sysv,    false, },
+       { "NAMESPACE_TIME_ENABLE",   &opt_use_ns_time,    false, },
+       { "NAMESPACE_USER_ENABLE",   &opt_use_ns_user,    false, },
+       { "NAMESPACE_UTS_ENABLE",    &opt_use_ns_uts,     false, },
 };
 
 static void read_config(void)
@@ -75,6 +79,8 @@ static void show_version(void)
 static struct option const long_opts[] = {
        {"ns-on",         no_argument, &opt_use_namespaces, true},
        {"ns-off",        no_argument, &opt_use_namespaces, false},
+       {"ns-cgroup-on",  no_argument, &opt_use_ns_cgroup, true},
+       {"ns-cgroup-off", no_argument, &opt_use_ns_cgroup, false},
        {"ns-ipc-on",     no_argument, &opt_use_ns_ipc, true},
        {"ns-ipc-off",    no_argument, &opt_use_ns_ipc, false},
        {"ns-mnt-on",     no_argument, &opt_use_ns_mnt, true},
@@ -85,6 +91,8 @@ static struct option const long_opts[] = {
        {"ns-pid-off",    no_argument, &opt_use_ns_pid, false},
        {"ns-sysv-on",    no_argument, &opt_use_ns_sysv, true},
        {"ns-sysv-off",   no_argument, &opt_use_ns_sysv, false},
+       {"ns-time-on",    no_argument, &opt_use_ns_time, true},
+       {"ns-time-off",   no_argument, &opt_use_ns_time, false},
        {"ns-user-on",    no_argument, &opt_use_ns_user, true},
        {"ns-user-off",   no_argument, &opt_use_ns_user, false},
        {"ns-uts-on",     no_argument, &opt_use_ns_uts, true},
@@ -96,6 +104,8 @@ static struct option const long_opts[] = {
 static const char * const opts_help[] = {
        "Enable  the use of namespaces",
        "Disable the use of namespaces",
+       "Enable  the use of cgroup namespaces",
+       "Disable the use of cgroup namespaces",
        "Enable  the use of IPC (and System V) namespaces",
        "Disable the use of IPC (and System V) namespaces",
        "Enable  the use of mount namespaces",
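Review bot: The new help strings for `--ns-cgroup-on` and `--ns-time-on` do not say that these namespaces are only honored when the build's headers define CLONE_NEWCGROUP / CLONE_NEWTIME and the running kernel supports them; the option table sets the variable unconditionally while namespaces.c compiles the unshare calls out under `#ifdef`, so a user can pass `--ns-time-on` and get no isolation and no message. Suggest extending the strings, e.g. `"Enable  the use of cgroup namespaces (Linux 4.6+)"` here and `"Enable  the use of time namespaces (Linux 5.6+)"` in the following hunk, or documenting the kernel requirement in the sandbox.conf comment block. The parallel ordering of `long_opts` and `opts_help` is preserved by both insertions, which is worth a comment on the arrays since nothing enforces it.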
@@ -106,6 +116,8 @@ static const char * const opts_help[] = {
        "Disable the use of process (pid) namespaces",
        "Enable  the use of System V namespaces",
        "Disable the use of System V namespaces",
+       "Enable  the use of time namespaces",
+       "Disable the use of time namespaces",
        "Enable  the use of user namespaces",
        "Disable the use of user namespaces",
        "Enable  the use of UTS (hostname/uname) namespaces",

diff --git a/src/sandbox.h b/src/sandbox.h
index 303dac4..7e5b575 100644
--- a/src/sandbox.h
+++ b/src/sandbox.h
@@ -43,11 +43,13 @@ extern pid_t setup_namespaces(void);
 /* Option parsing related code */
 extern void parseargs(int argc, char *argv[]);
 extern int opt_use_namespaces;
+extern int opt_use_ns_cgroup;
 extern int opt_use_ns_ipc;
 extern int opt_use_ns_mnt;
 extern int opt_use_ns_net;
 extern int opt_use_ns_pid;
 extern int opt_use_ns_sysv;
+extern int opt_use_ns_time;
 extern int opt_use_ns_user;
 extern int opt_use_ns_uts;
 
