From 019e585ada9b6c1eeeaeee6f29ce312e7e1f993f Mon Sep 17 00:00:00 2001
From: Toni Uhlig
Date: Wed, 6 Jun 2018 18:16:33 +0200
Subject: POTD sekelton #96.
Signed-off-by: Toni Uhlig
---
 src/pseccomp.c | 3 ++-
 src/utils.c | 10 ++++++++--
 2 files changed, 10 insertions(+), 3 deletions(-)
(limited to 'src')
diff --git a/src/pseccomp.c b/src/pseccomp.c
index 4ffe572..0e77494 100644
--- a/src/pseccomp.c
+++ b/src/pseccomp.c
@@ -39,7 +39,8 @@ static const int default_allowed_syscalls[] = {
 /* operations on files */
 SCMP_SYS(open), SCMP_SYS(openat), SCMP_SYS(unlink), SCMP_SYS(fstat), SCMP_SYS(fstat64), SCMP_SYS(access),
- SCMP_SYS(_llseek), SCMP_SYS(lseek), SCMP_SYS(stat), SCMP_SYS(readlink), SCMP_SYS(getcwd),
+ SCMP_SYS(_llseek), SCMP_SYS(lseek), SCMP_SYS(stat), SCMP_SYS(stat64),
+ SCMP_SYS(readlink), SCMP_SYS(getcwd), SCMP_SYS(lstat), SCMP_SYS(sysinfo),
 /* operations on user/group */
 SCMP_SYS(setuid), SCMP_SYS(setuid32), SCMP_SYS(setgid), SCMP_SYS(setgid32),
diff --git a/src/utils.c b/src/utils.c
index 5c95b7c..6bf281f 100644
--- a/src/utils.c
+++ b/src/utils.c
@@ -339,14 +339,15 @@ void chk_chroot(void)
 return;
 }
- E("%s", "Can not mount filesystem as slave");
- exit(EXIT_FAILURE);
+ W2("%s", "Can not mount filesystem as slave/private");
 }
 void mount_root(void)
 {
 int s;
 s = mount("none", "/", "", MS_SLAVE|MS_REC, NULL);
+ if (s)
+ s = mount("none", "/", "", MS_PRIVATE|MS_REC, NULL);
 if (s)
 chk_chroot();
 }
@@ -488,6 +489,8 @@ int cgroups_set(void)
 const char *rt_period_limit = cfs_period_limit;
 const char rt_runtime[] = "cpu.rt_runtime_us";
 const char *rt_runtime_limit = cfs_quota_limit;
+ const char ccpus[] = "cpuset.cpus";
+ const char cmems[] = "cpuset.mems";
 if (remove(cgmem) && errno != ENOENT)
 return 1;
@@ -521,6 +524,9 @@ int cgroups_set(void)
 if (s)
 return 1;
+ s |= cgroups_write_file(cgdef, ccpus, "0", 1);
+ s |= cgroups_write_file(cgdef, cmems, "0", 1);
+
 _cgmem = cgdef;
 _cgcpu = cgdef;
 _cgpid = cgdef;
--
cgit v1.2.3
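Review bot: The allowlist now pairs `stat` with `stat64` (as `fstat`/`fstat64` already were) but adds `lstat` without its 32-bit counterpart, so on 32-bit ABIs where libc issues the `lstat64` syscall for lstat() the filter would presumably still kill the process in exactly the case this entry is meant to cover; if the 64 variants are intentional, `SCMP_SYS(lstat64)` belongs next to `SCMP_SYS(lstat)`. `sysinfo` is not a file operation yet sits under the `/* operations on files */` comment; it reads better in its own group or with a short justification such as `SCMP_SYS(sysinfo), /* needed by <caller> */`, since neither the commit message nor the hunk says what requires it. Every entry added here widens the syscall surface the sandbox exposes, so a one-line reason per addition is worth keeping in the file. The array continues outside the hunk.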
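Review bot: Replacing `E(...); exit(EXIT_FAILURE);` with `W2(...)` turns a failed MS_SLAVE/MS_PRIVATE remount of `/` from fatal into a warning, so mount_root() now returns normally with root still in shared propagation and whatever the caller mounts afterwards can propagate back to the parent namespace; if continuing is meant as best-effort, a comment at the `W2` line should say so, otherwise the exit should remain for the MS_PRIVATE fallback too. The new message also drops the reason: errno from the second mount() is still live when chk_chroot() runs (assuming W2 takes printf-style arguments as E did and the checks earlier in chk_chroot do not clobber it), so `W2("Can not mount filesystem as slave/private: %s", strerror(errno));` would tell the operator which step failed. Note that in mount_root the second mount() overwrites the errno of the first, so only the MS_PRIVATE failure is ever reportable. chk_chroot's body begins outside the hunk.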
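Review bot: The results of the two new cgroups_write_file() calls are OR-ed into `s` but, unlike every preceding write in this function, not tested before the cgroup paths are committed to `_cgmem`/`_cgcpu`/`_cgpid`; unless `s` is checked further down (the rest of cgroups_set is outside the hunk), a failed cpuset.cpus/cpuset.mems write is silently ignored and, on cgroup v1 where a cpuset needs both populated before tasks can be attached, the later attach would presumably fail with the cgroup already recorded as set up. Keeping the existing pattern, `if (s) return 1;` after the second write, mirrors the `if (s) return 1;` two lines above. The values "0"/"0" also hard-pin the sandbox to CPU 0 and memory node 0; if that is deliberate, a comment saying so next to the `ccpus`/`cmems` declarations in the earlier hunk at line 489 would help, and that hunk needs nothing else.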