Merge branch 'master' of https://github.com/google/nsjail

Author: koki-develop

Makefile

@@ -132,6 +132,30 @@ install: $(BIN)
 	install -m 755 -d $(DESTDIR)$(MANDIR)
 	install -m 644 nsjail.1 $(DESTDIR)$(MANDIR)
 
+define run_test
+	@echo "Testing: $(1) (expecting exit code $(2))"; \
+	($(1)); ret=$$?; \
+	if [ "$$ret" -ne "$(2)" ]; then \
+		echo "❌ FAIL: '$(1)' returned $$ret, expected $(2)"; \
+		exit 1; \
+	else \
+		echo "✅ PASS: '$(1)' returned $$ret"; \
+	fi
+endef
+
+.PHONY: test
+test: $(BIN)
+	$(call run_test, ./nsjail -q -Mo --rw --chroot / --user 99999 --group 99999 -- /bin/bash -c 'touch $(HOME)/nsjail_test && exit 77', 77)
+	$(call run_test, ./nsjail -q -Mo --chroot / --user 99999 --group 99999 -- /bin/bash -c 'touch $(HOME)/nsjail_test || exit 77', 77)
+	$(call run_test, rm -f $(HOME)/nsjail_test, 0)
+	$(call run_test, ./nsjail --config configs/bash-with-fake-geteuid.cfg -q -t 1, 137)
+	$(call run_test, ./nsjail --config configs/bash-with-fake-geteuid.json -q -t 1, 137)
+	$(call run_test, ./nsjail --config configs/static-busybox-with-execveat.cfg -q -t 1, 137)
+	$(call run_test, ./nsjail --config configs/home-documents-with-xorg-no-net.cfg -q -- /bin/true, 0)
+	$(call run_test, ./nsjail --config configs/home-documents-with-xorg-no-net.cfg -q -- /bin/false, 1)
+	$(call run_test, ./nsjail --config configs/firefox-with-net-wayland.cfg -q -t 3, 137)
+	$(call run_test, ./nsjail --config configs/chromium-with-net-wayland.cfg -q -t 3, 137)
+
 # Dependencies (Generated by makedepend)
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
@@ -150,7 +174,7 @@ mnt.o: mnt.h nsjail.h config.pb.h logs.h macros.h mnt_legacy.h mnt_newapi.h
 mnt.o: subproc.h util.h
 mnt_legacy.o: mnt_legacy.h mnt.h nsjail.h config.pb.h logs.h macros.h util.h
 mnt_newapi.o: mnt_newapi.h mnt.h nsjail.h config.pb.h logs.h util.h
-net.o: net.h nsjail.h config.pb.h logs.h util.h
+net.o: net.h nsjail.h config.pb.h logs.h macros.h util.h
 nsjail.o: nsjail.h config.pb.h cgroup2.h cmdline.h logs.h macros.h net.h
 nsjail.o: sandbox.h subproc.h util.h
 pid.o: pid.h nsjail.h config.pb.h logs.h subproc.h

mnt_legacy.cc

@@ -333,9 +333,9 @@ std::unique_ptr<std::string> buildMountTree(nsj_t* nsj, std::vector<mnt::mount_t
 	}
 
 	if (!nsj->is_root_rw) {
-		if (mount(destdir->c_str(), destdir->c_str(), nullptr, MS_REMOUNT | MS_RDONLY,
-			nullptr) == -1) {
-			PLOG_E("mount('%s', MS_REMOUNT|MS_RDONLY)", destdir->c_str());
+		if (mount(destdir->c_str(), destdir->c_str(), nullptr,
+			MS_REMOUNT | MS_BIND | MS_RDONLY, nullptr) == -1) {
+			PLOG_E("mount('%s', MS_REMOUNT|MS_BIND|MS_RDONLY)", destdir->c_str());
 			return nullptr;
 		}
 	}

net.cc

@@ -24,7 +24,6 @@
 #include <arpa/inet.h>
 #include <errno.h>
 #include <fcntl.h>
-#include <linux/prctl.h>
 #include <net/if.h>
 #include <net/route.h>
 #include <netinet/in.h>
@@ -49,16 +48,20 @@
 #include <string>
 
 #include "logs.h"
+#include "macros.h"
 #include "util.h"
 
+#define STR_(x) #x
+#define STR(x) STR_(x)
+
 /* Embed pasta inside this binary */
 __asm__("\n"
 	"   .section .rodata\n"
 	"   .local pasta_start\n"
 	"   .local pasta_end\n"
 	"pasta_start:\n"
 #if defined(PASTA_BIN_PATH)
-	"   .incbin \"" PASTA_BIN_PATH "\"\n"
+	"   .incbin " STR(PASTA_BIN_PATH) "\n"
 #endif	// defined(PASTA_BIN_PATH)
 	"pasta_end:\n"
 	"\n");
@@ -70,8 +73,8 @@ static int getPastaFd() {
 	extern uint8_t* pasta_start;
 	extern uint8_t* pasta_end;
 	ptrdiff_t len = (uintptr_t)&pasta_end - (uintptr_t)&pasta_start;
-	if (len <= 8) { /* Some reasonably safe value accounting for alignment */
-		LOG_D("'pasta' is not embedded in this file");
+	if (len <= 16) { /* Some reasonably safe value accounting for alignment */
+		LOG_D("'pasta' is not embedded in this file, len=%td (<=16)", len);
 		return -1;
 	}