google
diff --git a/‎Makefile‎
Lines changed: 3 additions & 0 deletions b/‎Makefile‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎caps.cc‎
Lines changed: 4 additions & 4 deletions b/‎caps.cc‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎caps.h‎
Lines changed: 1 addition & 1 deletion b/‎caps.h‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎cgroup.cc‎
Lines changed: 50 additions & 43 deletions b/‎cgroup.cc‎
Lines changed: 50 additions & 43 deletions
diff --git a/‎cgroup.h‎
Lines changed: 3 additions & 2 deletions b/‎cgroup.h‎
Lines changed: 3 additions & 2 deletions
@@ -127,3 +127,6 @@ uts.o: uts.h nsjail.h logs.h
 user.o: user.h nsjail.h logs.h macros.h subproc.h util.h
 util.o: util.h nsjail.h logs.h macros.h
 config.pb.o: config.pb.h
+
+# Ensure protobuf header is generated before any object compilation
+$(OBJS): $(SRCS_PB_H)
@@ -212,7 +212,7 @@ static bool initNsKeepCaps(cap_user_data_t cap_data) {
 	return true;
 }
 
-bool initNs(nsjconf_t* nsjconf) {
+bool initNs(nsj_t* nsj) {
 	cap_user_data_t cap_data = getCaps();
 	if (cap_data == nullptr) {
 		return false;
@@ -228,14 +228,14 @@ bool initNs(nsjconf_t* nsjconf) {
 		PLOG_W("prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL)");
 	}
 
-	if (nsjconf->keep_caps) {
+	if (nsj->njc.keep_caps()) {
 		return initNsKeepCaps(cap_data);
 	}
 
 	/* Set all requested caps in the inheritable set if these are present in the permitted set
 	 */
 	std::string dbgmsg;
-	for (const auto& cap : nsjconf->caps) {
+	for (const auto& cap : nsj->caps) {
 		if (!getPermitted(cap_data, cap)) {
 			LOG_W("Capability %s is not permitted in the namespace",
 			    capToStr(cap).c_str());
@@ -277,7 +277,7 @@ bool initNs(nsjconf_t* nsjconf) {
 
 	/* Make sure inheritable set is preserved across execve via the modified ambient set */
 	dbgmsg.clear();
-	for (const auto& cap : nsjconf->caps) {
+	for (const auto& cap : nsj->caps) {
 		if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, (unsigned long)cap, 0UL, 0UL) ==
 		    -1) {
 			PLOG_W("prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, %s)",
 
@@ -30,7 +30,7 @@
 namespace caps {
 
 int nameToVal(const char* name);
-bool initNs(nsjconf_t* nsjconf);
+bool initNs(nsj_t* nsj);
 
 }  // namespace caps
 
 
@@ -64,18 +64,19 @@ static bool addPidToTaskList(const std::string& cgroup_path, pid_t pid) {
 	return writeToCgroup(tasks_path, pid_str, "'" + tasks_path + "' task list");
 }
 
-static bool initNsFromParentMem(nsjconf_t* nsjconf, pid_t pid) {
-	size_t memsw_max = nsjconf->cgroup_mem_memsw_max;
-	if (nsjconf->cgroup_mem_swap_max >= (ssize_t)0) {
-		memsw_max = nsjconf->cgroup_mem_swap_max + nsjconf->cgroup_mem_max;
+static bool initNsFromParentMem(nsj_t* nsj, pid_t pid) {
+	size_t memsw_max = nsj->njc.cgroup_mem_memsw_max();
+	if (nsj->njc.cgroup_mem_swap_max() >= (ssize_t)0) {
+		memsw_max = nsj->njc.cgroup_mem_swap_max() + nsj->njc.cgroup_mem_max();
 	}
 
-	if (nsjconf->cgroup_mem_max == (size_t)0 && memsw_max == (size_t)0) {
+	if (nsj->njc.cgroup_mem_max() == (size_t)0 && memsw_max == (size_t)0) {
 		return true;
 	}
 
-	std::string mem_cgroup_path = nsjconf->cgroup_mem_mount + '/' + nsjconf->cgroup_mem_parent +
-				      "/NSJAIL." + std::to_string(pid);
+	std::string mem_cgroup_path = nsj->njc.cgroup_mem_mount() + '/' +
+				      nsj->njc.cgroup_mem_parent() + "/NSJAIL." +
+				      std::to_string(pid);
 	RETURN_ON_FAILURE(createCgroup(mem_cgroup_path, pid));
 
 	/*
@@ -84,8 +85,8 @@ static bool initNsFromParentMem(nsjconf_t* nsjconf, pid_t pid) {
 	RETURN_ON_FAILURE(writeToCgroup(
 	    mem_cgroup_path + "/memory.oom_control", "0", "memory cgroup oom control"));
 
-	if (nsjconf->cgroup_mem_max > (size_t)0) {
-		std::string mem_max_str = std::to_string(nsjconf->cgroup_mem_max);
+	if (nsj->njc.cgroup_mem_max() > (size_t)0) {
+		std::string mem_max_str = std::to_string(nsj->njc.cgroup_mem_max());
 		RETURN_ON_FAILURE(writeToCgroup(mem_cgroup_path + "/memory.limit_in_bytes",
 		    mem_max_str, "memory cgroup max limit"));
 	}
@@ -99,37 +100,37 @@ static bool initNsFromParentMem(nsjconf_t* nsjconf, pid_t pid) {
 	return addPidToTaskList(mem_cgroup_path, pid);
 }
 
-static bool initNsFromParentPids(nsjconf_t* nsjconf, pid_t pid) {
-	if (nsjconf->cgroup_pids_max == 0U) {
+static bool initNsFromParentPids(nsj_t* nsj, pid_t pid) {
+	if (nsj->njc.cgroup_pids_max() == 0U) {
 		return true;
 	}
 
-	std::string pids_cgroup_path = nsjconf->cgroup_pids_mount + '/' +
-				       nsjconf->cgroup_pids_parent + "/NSJAIL." +
+	std::string pids_cgroup_path = nsj->njc.cgroup_pids_mount() + '/' +
+				       nsj->njc.cgroup_pids_parent() + "/NSJAIL." +
 				       std::to_string(pid);
 	RETURN_ON_FAILURE(createCgroup(pids_cgroup_path, pid));
 
-	std::string pids_max_str = std::to_string(nsjconf->cgroup_pids_max);
+	std::string pids_max_str = std::to_string(nsj->njc.cgroup_pids_max());
 	RETURN_ON_FAILURE(
 	    writeToCgroup(pids_cgroup_path + "/pids.max", pids_max_str, "pids cgroup max limit"));
 
 	return addPidToTaskList(pids_cgroup_path, pid);
 }
 
-static bool initNsFromParentNetCls(nsjconf_t* nsjconf, pid_t pid) {
-	if (nsjconf->cgroup_net_cls_classid == 0U) {
+static bool initNsFromParentNetCls(nsj_t* nsj, pid_t pid) {
+	if (nsj->njc.cgroup_net_cls_classid() == 0U) {
 		return true;
 	}
 
-	std::string net_cls_cgroup_path = nsjconf->cgroup_net_cls_mount + '/' +
-					  nsjconf->cgroup_net_cls_parent + "/NSJAIL." +
+	std::string net_cls_cgroup_path = nsj->njc.cgroup_net_cls_mount() + '/' +
+					  nsj->njc.cgroup_net_cls_parent() + "/NSJAIL." +
 					  std::to_string(pid);
 	RETURN_ON_FAILURE(createCgroup(net_cls_cgroup_path, pid));
 
 	std::string net_cls_classid_str;
 	{
 		std::stringstream ss;
-		ss << "0x" << std::hex << nsjconf->cgroup_net_cls_classid;
+		ss << "0x" << std::hex << nsj->njc.cgroup_net_cls_classid();
 		net_cls_classid_str = ss.str();
 	}
 	RETURN_ON_FAILURE(writeToCgroup(net_cls_cgroup_path + "/net_cls.classid",
@@ -138,30 +139,31 @@ static bool initNsFromParentNetCls(nsjconf_t* nsjconf, pid_t pid) {
 	return addPidToTaskList(net_cls_cgroup_path, pid);
 }
 
-static bool initNsFromParentCpu(nsjconf_t* nsjconf, pid_t pid) {
-	if (nsjconf->cgroup_cpu_ms_per_sec == 0U) {
+static bool initNsFromParentCpu(nsj_t* nsj, pid_t pid) {
+	if (nsj->njc.cgroup_cpu_ms_per_sec() == 0U) {
 		return true;
 	}
 
-	std::string cpu_cgroup_path = nsjconf->cgroup_cpu_mount + '/' + nsjconf->cgroup_cpu_parent +
-				      "/NSJAIL." + std::to_string(pid);
+	std::string cpu_cgroup_path = nsj->njc.cgroup_cpu_mount() + '/' +
+				      nsj->njc.cgroup_cpu_parent() + "/NSJAIL." +
+				      std::to_string(pid);
 	RETURN_ON_FAILURE(createCgroup(cpu_cgroup_path, pid));
 
 	RETURN_ON_FAILURE(
 	    writeToCgroup(cpu_cgroup_path + "/cpu.cfs_period_us", "1000000", "cpu period"));
 
-	std::string cpu_ms_per_sec_str = std::to_string(nsjconf->cgroup_cpu_ms_per_sec * 1000U);
+	std::string cpu_ms_per_sec_str = std::to_string(nsj->njc.cgroup_cpu_ms_per_sec() * 1000U);
 	RETURN_ON_FAILURE(
 	    writeToCgroup(cpu_cgroup_path + "/cpu.cfs_quota_us", cpu_ms_per_sec_str, "cpu quota"));
 
 	return addPidToTaskList(cpu_cgroup_path, pid);
 }
 
-bool initNsFromParent(nsjconf_t* nsjconf, pid_t pid) {
-	RETURN_ON_FAILURE(initNsFromParentMem(nsjconf, pid));
-	RETURN_ON_FAILURE(initNsFromParentPids(nsjconf, pid));
-	RETURN_ON_FAILURE(initNsFromParentNetCls(nsjconf, pid));
-	return initNsFromParentCpu(nsjconf, pid);
+bool initNsFromParent(nsj_t* nsj, pid_t pid) {
+	RETURN_ON_FAILURE(initNsFromParentMem(nsj, pid));
+	RETURN_ON_FAILURE(initNsFromParentPids(nsj, pid));
+	RETURN_ON_FAILURE(initNsFromParentNetCls(nsj, pid));
+	return initNsFromParentCpu(nsj, pid);
 }
 
 static void removeCgroup(const std::string& cgroup_path) {
@@ -171,34 +173,39 @@ static void removeCgroup(const std::string& cgroup_path) {
 	}
 }
 
-void finishFromParent(nsjconf_t* nsjconf, pid_t pid) {
-	if (nsjconf->cgroup_mem_max != (size_t)0 || nsjconf->cgroup_mem_memsw_max != (size_t)0) {
-		std::string mem_cgroup_path = nsjconf->cgroup_mem_mount + '/' +
-					      nsjconf->cgroup_mem_parent + "/NSJAIL." +
+void finishFromParent(nsj_t* nsj, pid_t pid) {
+	if (nsj->njc.cgroup_mem_max() != (size_t)0 ||
+	    nsj->njc.cgroup_mem_memsw_max() != (size_t)0) {
+		std::string mem_cgroup_path = nsj->njc.cgroup_mem_mount() + '/' +
+					      nsj->njc.cgroup_mem_parent() + "/NSJAIL." +
 					      std::to_string(pid);
 		removeCgroup(mem_cgroup_path);
 	}
-	if (nsjconf->cgroup_pids_max != 0U) {
-		std::string pids_cgroup_path = nsjconf->cgroup_pids_mount + '/' +
-					       nsjconf->cgroup_pids_parent + "/NSJAIL." +
+	if (nsj->njc.cgroup_pids_max() != 0U) {
+		std::string pids_cgroup_path = nsj->njc.cgroup_pids_mount() + '/' +
+					       nsj->njc.cgroup_pids_parent() + "/NSJAIL." +
 					       std::to_string(pid);
 		removeCgroup(pids_cgroup_path);
 	}
-	if (nsjconf->cgroup_net_cls_classid != 0U) {
-		std::string net_cls_cgroup_path = nsjconf->cgroup_net_cls_mount + '/' +
-						  nsjconf->cgroup_net_cls_parent + "/NSJAIL." +
+	if (nsj->njc.cgroup_net_cls_classid() != 0U) {
+		std::string net_cls_cgroup_path = nsj->njc.cgroup_net_cls_mount() + '/' +
+						  nsj->njc.cgroup_net_cls_parent() + "/NSJAIL." +
 						  std::to_string(pid);
 		removeCgroup(net_cls_cgroup_path);
 	}
-	if (nsjconf->cgroup_cpu_ms_per_sec != 0U) {
-		std::string cpu_cgroup_path = nsjconf->cgroup_cpu_mount + '/' +
-					      nsjconf->cgroup_cpu_parent + "/NSJAIL." +
+	if (nsj->njc.cgroup_cpu_ms_per_sec() != 0U) {
+		std::string cpu_cgroup_path = nsj->njc.cgroup_cpu_mount() + '/' +
+					      nsj->njc.cgroup_cpu_parent() + "/NSJAIL." +
 					      std::to_string(pid);
 		removeCgroup(cpu_cgroup_path);
 	}
 }
 
-bool initNs(void) {
+bool initUser(nsj_t* nsj) {
+	return true;
+}
+
+bool initNs() {
 	return true;
 }
 
 
@@ -29,9 +29,10 @@
 
 namespace cgroup {
 
-bool initNsFromParent(nsjconf_t* nsjconf, pid_t pid);
+bool initNsFromParent(nsj_t* nsj, pid_t pid);
 bool initNs(void);
-void finishFromParent(nsjconf_t* nsjconf, pid_t pid);
+bool initUser(nsj_t* nsj);
+void finishFromParent(nsj_t* nsj, pid_t pid);
 
 }  // namespace cgroup