authorToni Uhlig <matzeton@googlemail.com>2018-06-06 18:16:33 +0200
committerToni Uhlig <matzeton@googlemail.com>2018-06-06 18:16:33 +0200
commit019e585ada9b6c1eeeaeee6f29ce312e7e1f993f (patch)
tree1e6580671f4bb733bdbb4a30c5f03b061f273837
parent2348bccbde4409c0cb76ba299552bbfb4206f988 (diff)
POTD skeleton #96.
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
-rw-r--r--src/pseccomp.c3
-rw-r--r--src/utils.c10
2 files changed, 10 insertions, 3 deletions
diff --git a/src/pseccomp.c b/src/pseccomp.c
index 4ffe572..0e77494 100644
--- a/src/pseccomp.c
+++ b/src/pseccomp.c
@@ -39,7 +39,8 @@ static const int default_allowed_syscalls[] = {
/* operations on files */
SCMP_SYS(open), SCMP_SYS(openat),
SCMP_SYS(unlink), SCMP_SYS(fstat), SCMP_SYS(fstat64), SCMP_SYS(access),
- SCMP_SYS(_llseek), SCMP_SYS(lseek), SCMP_SYS(stat), SCMP_SYS(readlink), SCMP_SYS(getcwd),
+ SCMP_SYS(_llseek), SCMP_SYS(lseek), SCMP_SYS(stat), SCMP_SYS(stat64),
+ SCMP_SYS(readlink), SCMP_SYS(getcwd),
SCMP_SYS(lstat), SCMP_SYS(sysinfo),
/* operations on user/group */
SCMP_SYS(setuid), SCMP_SYS(setuid32), SCMP_SYS(setgid), SCMP_SYS(setgid32),
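Review bot: The allowlist now carries stat64 next to fstat64 but still has no lstat64, while plain lstat is allowed two lines below; on 32-bit targets where the C library services lstat() through the lstat64 syscall (the same reason stat64/fstat64 are listed), lstat calls would be killed by the filter while stat and fstat succeed. If that is the intent it deserves a comment; otherwise the line should read `SCMP_SYS(lstat), SCMP_SYS(lstat64), SCMP_SYS(sysinfo),`. How the table handles syscalls that do not exist on the build architecture is not visible here, so whether a missing entry fails closed or is silently skipped cannot be confirmed from the hunk. The default_allowed_syscalls array begins before the hunk.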
diff --git a/src/utils.c b/src/utils.c
index 5c95b7c..6bf281f 100644
--- a/src/utils.c
+++ b/src/utils.c
@@ -339,8 +339,7 @@ void chk_chroot(void)
return;
}
- E("%s", "Can not mount filesystem as slave");
- exit(EXIT_FAILURE);
+ W2("%s", "Can not mount filesystem as slave/private");
}
void mount_root(void)
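Review bot: The failure to change mount propagation at the end of chk_chroot is now only a warning, so the program keeps running with whatever propagation mode `/` already had, and nothing in the hunk records or later re-checks that state. If the function name and message reflect the intent (keeping mounts made inside the sandbox from propagating back to the host namespace), this quietly drops a containment guarantee rather than relaxing it deliberately, so a comment stating why continuing is acceptable would help, e.g. `/* non-fatal: propagation could not be changed (e.g. no CAP_SYS_ADMIN); mounts made later may be visible outside this namespace */`. The new message also loses the reason for the failure: `W2("Can not mount filesystem as slave/private: %s", strerror(errno));` would let an operator tell EPERM from EINVAL, provided errno still belongs to the mount() call at this point (the earlier checks in chk_chroot are outside the hunk). chk_chroot starts before the hunk.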
@@ -348,6 +347,8 @@ void mount_root(void)
int s;
s = mount("none", "/", "", MS_SLAVE|MS_REC, NULL);
if (s)
+ s = mount("none", "/", "", MS_PRIVATE|MS_REC, NULL);
+ if (s)
chk_chroot();
}
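Review bot: The errno from the failed MS_SLAVE attempt is overwritten by the MS_PRIVATE retry before chk_chroot() runs, so whatever chk_chroot reports can only describe the second attempt, and nothing records that the fallback was taken. MS_PRIVATE is also not a drop-in for MS_SLAVE: it stops propagation in both directions, so mounts made on the host after this point no longer appear inside the sandbox either, which is a behaviour difference worth a one-line comment on the retry, e.g. `/* fallback: private stops propagation both ways, slave only outward */`. Logging the first failure before retrying, `if (s) W2("MS_SLAVE on / failed: %s; trying MS_PRIVATE", strerror(errno));`, keeps the original reason visible. mount_root's opening line sits just above the hunk.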
@@ -488,6 +489,8 @@ int cgroups_set(void)
const char *rt_period_limit = cfs_period_limit;
const char rt_runtime[] = "cpu.rt_runtime_us";
const char *rt_runtime_limit = cfs_quota_limit;
+ const char ccpus[] = "cpuset.cpus";
+ const char cmems[] = "cpuset.mems";
if (remove(cgmem) && errno != ENOENT)
return 1;
@@ -521,6 +524,9 @@ int cgroups_set(void)
if (s)
return 1;
+ s |= cgroups_write_file(cgdef, ccpus, "0", 1);
+ s |= cgroups_write_file(cgdef, cmems, "0", 1);
+
_cgmem = cgdef;
_cgcpu = cgdef;
_cgpid = cgdef;
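Review bot: The two added cpuset writes fold their results into `s`, but unlike the write just above them (which is followed by `if (s) return 1;`) no check follows; the assignments to _cgmem/_cgcpu/_cgpid run regardless, so a failed cpuset.cpus or cpuset.mems write is ignored unless the rest of cgroups_set, outside the hunk, tests `s` later. Adding `if (s) return 1;` after the cmems write keeps the error handling consistent with the preceding writes. The hard-coded "0" also deserves a comment, since on cgroup v1 a cpuset needs both files populated before tasks can be attached and the write fails if CPU 0 is offline/isolated or memory node 0 does not exist, e.g. `/* cpuset needs both cpus and mems set before tasks can join; "0" assumes CPU 0 and memory node 0 exist */`. cgroups_set starts before the hunk and continues after it.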