mirror of
https://github.com/netblue30/firejail.git
synced 2026-05-15 14:16:14 -06:00
more on disable cgroups
This commit is contained in:
netblue30
parent
73b089092d
commit
95544a17fa
10 changed files with 6 additions and 141 deletions
|
|
@ -49,7 +49,6 @@ static char *usage_str =
|
|||
#ifdef HAVE_FILE_TRANSFER
|
||||
" --cat=name|pid filename - print content of file from sandbox container.\n"
|
||||
#endif
|
||||
" --cgroup=tasks-file - place the sandbox in the specified control group.\n"
|
||||
#ifdef HAVE_CHROOT
|
||||
" --chroot=dirname - chroot into directory.\n"
|
||||
#endif
|
||||
|
|
|
|||
|
|
@ -1,63 +0,0 @@
|
|||
/*
|
||||
* Copyright (C) 2014-2022 Firejail Authors
|
||||
*
|
||||
* This file is part of firejail project
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
* the Free Software Foundation; either version 2 of the License, or
|
||||
* (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License along
|
||||
* with this program; if not, write to the Free Software Foundation, Inc.,
|
||||
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
*/
|
||||
#include "firemon.h"
|
||||
#define MAXBUF 4098
|
||||
|
||||
static void print_cgroup(int pid) {
|
||||
char *file;
|
||||
if (asprintf(&file, "/proc/%d/cgroup", pid) == -1) {
|
||||
errExit("asprintf");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
FILE *fp = fopen(file, "r");
|
||||
if (!fp) {
|
||||
printf(" Error: cannot open %s\n", file);
|
||||
free(file);
|
||||
return;
|
||||
}
|
||||
|
||||
char buf[MAXBUF];
|
||||
if (fgets(buf, MAXBUF, fp)) {
|
||||
printf(" %s", buf);
|
||||
fflush(0);
|
||||
}
|
||||
|
||||
fclose(fp);
|
||||
free(file);
|
||||
}
|
||||
|
||||
void cgroup(pid_t pid, int print_procs) {
|
||||
pid_read(pid);
|
||||
|
||||
// print processes
|
||||
printf(" cgroup: ");
|
||||
int i;
|
||||
for (i = 0; i < max_pids; i++) {
|
||||
if (pids[i].level == 1) {
|
||||
if (print_procs || pid == 0)
|
||||
pid_print_list(i, arg_wrap);
|
||||
int child = find_child(i);
|
||||
if (child != -1)
|
||||
print_cgroup(child);
|
||||
}
|
||||
}
|
||||
printf("\n");
|
||||
}
|
||||
|
|
@ -34,7 +34,6 @@ static int arg_interface = 0;
|
|||
static int arg_seccomp = 0;
|
||||
static int arg_caps = 0;
|
||||
static int arg_cpu = 0;
|
||||
static int arg_cgroup = 0;
|
||||
static int arg_x11 = 0;
|
||||
static int arg_top = 0;
|
||||
static int arg_list = 0;
|
||||
|
|
@ -173,8 +172,6 @@ int main(int argc, char **argv) {
|
|||
// cumulative options with or without a pid argument
|
||||
else if (strcmp(argv[i], "--x11") == 0)
|
||||
arg_x11 = 1;
|
||||
else if (strcmp(argv[i], "--cgroup") == 0)
|
||||
arg_cgroup = 1;
|
||||
else if (strcmp(argv[i], "--cpu") == 0)
|
||||
arg_cpu = 1;
|
||||
else if (strcmp(argv[i], "--seccomp") == 0)
|
||||
|
|
@ -264,12 +261,11 @@ int main(int argc, char **argv) {
|
|||
|
||||
// if --name requested without other options, print all data
|
||||
if (pid && !arg_cpu && !arg_seccomp && !arg_caps && !arg_apparmor &&
|
||||
!arg_cgroup && !arg_x11 && !arg_interface && !arg_route && !arg_arp) {
|
||||
!arg_x11 && !arg_interface && !arg_route && !arg_arp) {
|
||||
arg_tree = 1;
|
||||
arg_cpu = 1;
|
||||
arg_seccomp = 1;
|
||||
arg_caps = 1;
|
||||
arg_cgroup = 1;
|
||||
arg_x11 = 1;
|
||||
arg_interface = 1;
|
||||
arg_route = 1;
|
||||
|
|
@ -295,10 +291,6 @@ int main(int argc, char **argv) {
|
|||
apparmor((pid_t) pid, print_procs);
|
||||
print_procs = 0;
|
||||
}
|
||||
if (arg_cgroup) {
|
||||
cgroup((pid_t) pid, print_procs);
|
||||
print_procs = 0;
|
||||
}
|
||||
if (arg_x11) {
|
||||
x11((pid_t) pid, print_procs);
|
||||
print_procs = 0;
|
||||
|
|
|
|||
|
|
@ -75,9 +75,6 @@ void seccomp(pid_t pid, int print_procs);
|
|||
// cpu.c
|
||||
void cpu(pid_t pid, int print_procs);
|
||||
|
||||
// cgroup.c
|
||||
void cgroup(pid_t pid, int print_procs);
|
||||
|
||||
// tree.c
|
||||
void tree(pid_t pid);
|
||||
|
||||
|
|
|
|||
|
|
@ -29,7 +29,6 @@ static char *help_str =
|
|||
"\t--apparmor - print AppArmor confinement status for each sandbox.\n\n"
|
||||
"\t--arp - print ARP table for each sandbox.\n\n"
|
||||
"\t--caps - print capabilities configuration for each sandbox.\n\n"
|
||||
"\t--cgroup - print control group information for each sandbox.\n\n"
|
||||
"\t--cpu - print CPU affinity for each sandbox.\n\n"
|
||||
"\t--debug - print debug messages.\n\n"
|
||||
"\t--help, -? - this help screen.\n\n"
|
||||
|
|
|
|||
|
|
@ -683,17 +683,13 @@ ignore dbus-user.talk org.freedesktop.Notifications
|
|||
.br
|
||||
[...]
|
||||
#endif
|
||||
.SH Resource limits, CPU affinity, Control Groups
|
||||
.SH Resource limits, CPU affinity
|
||||
These profile entries define the limits on system resources (rlimits) for the processes inside the sandbox.
|
||||
The limits can be modified inside the sandbox using the regular \fBulimit\fR command. \fBcpu\fR command
|
||||
configures the CPU cores available, and \fBcgroup\fR command
|
||||
place the sandbox in an existing control group.
|
||||
configures the CPU cores available.
|
||||
|
||||
Examples:
|
||||
|
||||
.TP
|
||||
\fBcgroup /sys/fs/cgroup/g1/tasks
|
||||
The sandbox is placed in g1 control group.
|
||||
.TP
|
||||
\fBcpu 0,1,2
|
||||
Use only CPU cores 0, 1 and 2.
|
||||
|
|
|
|||
|
|
@ -289,15 +289,6 @@ $ firejail \-\-caps.print=3272
|
|||
\fB\-\-cat=name|pid filename
|
||||
Print content of file from sandbox container, see FILE TRANSFER section for more details.
|
||||
#endif
|
||||
.TP
|
||||
\fB\-\-cgroup=file
|
||||
Place the sandbox in the specified control group. file is the full path of a tasks or cgroup.procs file.
|
||||
.br
|
||||
|
||||
.br
|
||||
Example:
|
||||
.br
|
||||
# firejail \-\-cgroup=/sys/fs/cgroup/g1/tasks
|
||||
#ifdef HAVE_CHROOT
|
||||
.TP
|
||||
\fB\-\-chroot=dirname
|
||||
|
|
@ -994,7 +985,7 @@ $ firejail \-\-ipc-namespace firefox
|
|||
Join the sandbox identified by name or by PID. By default a /bin/bash shell is started after joining the sandbox.
|
||||
If a program is specified, the program is run in the sandbox. If \-\-join command is issued as a regular user,
|
||||
all security filters are configured for the new process the same they are configured in the sandbox.
|
||||
If \-\-join command is issued as root, the security filters, cgroups and cpus configurations are not applied
|
||||
If \-\-join command is issued as root, the security filters and cpus configurations are not applied
|
||||
to the process joining the sandbox.
|
||||
.br
|
||||
|
||||
|
|
@ -1019,13 +1010,13 @@ $ firejail \-\-join=3272
|
|||
\fB\-\-join-filesystem=name|pid
|
||||
Join the mount namespace of the sandbox identified by name or PID. By default a /bin/bash shell is started after joining the sandbox.
|
||||
If a program is specified, the program is run in the sandbox. This command is available only to root user.
|
||||
Security filters, cgroups and cpus configurations are not applied to the process joining the sandbox.
|
||||
Security filters and cpus configurations are not applied to the process joining the sandbox.
|
||||
#ifdef HAVE_NETWORK
|
||||
.TP
|
||||
\fB\-\-join-network=name|pid
|
||||
Join the network namespace of the sandbox identified by name. By default a /bin/bash shell is started after joining the sandbox.
|
||||
If a program is specified, the program is run in the sandbox. This command is available only to root user.
|
||||
Security filters, cgroups and cpus configurations are not applied to the process joining the sandbox. Example:
|
||||
Security filters and cpus configurations are not applied to the process joining the sandbox. Example:
|
||||
.br
|
||||
|
||||
.br
|
||||
|
|
|
|||
|
|
@ -21,9 +21,6 @@ Print ARP table for each sandbox.
|
|||
\fB\-\-caps
|
||||
Print capabilities configuration for each sandbox.
|
||||
.TP
|
||||
\fB\-\-cgroup
|
||||
Print control group information for each sandbox.
|
||||
.TP
|
||||
\fB\-\-cpu
|
||||
Print CPU affinity for each sandbox.
|
||||
.TP
|
||||
|
|
|
|||
|
|
@ -1,40 +0,0 @@
|
|||
#!/usr/bin/expect -f
|
||||
# This file is part of Firejail project
|
||||
# Copyright (C) 2014-2022 Firejail Authors
|
||||
# License GPL v2
|
||||
|
||||
set timeout 10
|
||||
spawn $env(SHELL)
|
||||
match_max 100000
|
||||
|
||||
send -- "firejail --name=test1\r"
|
||||
expect {
|
||||
timeout {puts "TESTING ERROR 0\n";exit}
|
||||
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
|
||||
}
|
||||
sleep 1
|
||||
|
||||
spawn $env(SHELL)
|
||||
send -- "firejail --name=test2\r"
|
||||
expect {
|
||||
timeout {puts "TESTING ERROR 1\n";exit}
|
||||
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
|
||||
}
|
||||
sleep 1
|
||||
|
||||
spawn $env(SHELL)
|
||||
send -- "firemon --cgroup\r"
|
||||
sleep 4
|
||||
expect {
|
||||
timeout {puts "TESTING ERROR 2\n";exit}
|
||||
"need to be root" {puts "TESTING SKIP: /proc mounted as hidepid\n"; exit}
|
||||
"name=test1"
|
||||
}
|
||||
expect {
|
||||
timeout {puts "TESTING ERROR 3\n";exit}
|
||||
"name=test2"
|
||||
}
|
||||
|
||||
after 100
|
||||
|
||||
puts "\nall done\n"
|
||||
|
|
@ -129,9 +129,6 @@ fi
|
|||
echo "TESTING: firemon cpu (test/utils/firemon-cpu.exp)"
|
||||
./firemon-cpu.exp
|
||||
|
||||
echo "TESTING: firemon cgroup (test/utils/firemon-cgroup.exp)"
|
||||
./firemon-cgroup.exp
|
||||
|
||||
echo "TESTING: firemon version (test/utils/firemon-version.exp)"
|
||||
./firemon-version.exp
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue