authorRobert Swiecki <robert@swiecki.net>2023-09-19 20:31:57 +0200
committerRobert Swiecki <robert@swiecki.net>2023-09-19 20:31:57 +0200
commit439606be70e2f9d8732636c88ba4cff690ec5e0f (patch)
treef1b711d359bd54b730fcfaafbe3ebe4962cd3e56
parent2e275934821017590b90ed56558b68d4c02a15a4 (diff)
downloadnsjail-439606be70e2f9d8732636c88ba4cff690ec5e0f.tar.gz
Makefile/indent: add AlwaysBreakBeforeMultilineStrings:false
-rw-r--r--Makefile2
-rw-r--r--cmdline.cc58
-rw-r--r--contain.cc5
-rw-r--r--cpu.cc10
-rw-r--r--mnt.cc12
-rw-r--r--net.cc5
-rw-r--r--sandbox.cc10
-rw-r--r--subproc.cc38
-rw-r--r--util.cc5
9 files changed, 62 insertions, 83 deletions
diff --git a/Makefile b/Makefile
index d1a87b2..a9db531 100644
--- a/Makefile
+++ b/Makefile
@@ -100,7 +100,7 @@ depend: all
.PHONY: indent
indent:
- clang-format -style="{BasedOnStyle: google, IndentWidth: 8, UseTab: Always, IndentCaseLabels: false, ColumnLimit: 100, AlignAfterOpenBracket: false, AllowShortFunctionsOnASingleLine: false}" -i -sort-includes $(SRCS_H) $(SRCS_CXX)
+ clang-format -style="{BasedOnStyle: google, IndentWidth: 8, UseTab: Always, IndentCaseLabels: false, ColumnLimit: 100, AlignAfterOpenBracket: false, AllowShortFunctionsOnASingleLine: false, AlwaysBreakBeforeMultilineStrings: false}" -i -sort-includes $(SRCS_H) $(SRCS_CXX)
clang-format -style="{BasedOnStyle: google, IndentWidth: 4, UseTab: Always, ColumnLimit: 100}" -i $(SRCS_PROTO)
# DO NOT DELETE THIS LINE -- make depend depends on it.
diff --git a/cmdline.cc b/cmdline.cc
index b1b79a2..46365cf 100644
--- a/cmdline.cc
+++ b/cmdline.cc
@@ -281,16 +281,15 @@ void logParams(nsjconf_t *nsjconf) {
break;
}
- LOG_I(
- "Jail parameters: hostname:'%s', chroot:%s, process:'%s', "
- "bind:[%s]:%d, "
- "max_conns:%u, max_conns_per_ip:%u, time_limit:%" PRId64
- ", personality:%#lx, daemonize:%s, clone_newnet:%s, "
- "clone_newuser:%s, clone_newns:%s, clone_newpid:%s, clone_newipc:%s, "
- "clone_newuts:%s, "
- "clone_newcgroup:%s, clone_newtime:%s, keep_caps:%s, "
- "disable_no_new_privs:%s, "
- "max_cpus:%zu",
+ LOG_I("Jail parameters: hostname:'%s', chroot:%s, process:'%s', "
+ "bind:[%s]:%d, "
+ "max_conns:%u, max_conns_per_ip:%u, time_limit:%" PRId64
+ ", personality:%#lx, daemonize:%s, clone_newnet:%s, "
+ "clone_newuser:%s, clone_newns:%s, clone_newpid:%s, clone_newipc:%s, "
+ "clone_newuts:%s, "
+ "clone_newcgroup:%s, clone_newtime:%s, keep_caps:%s, "
+ "disable_no_new_privs:%s, "
+ "max_cpus:%zu",
nsjconf->hostname.c_str(), QC(nsjconf->chroot),
nsjconf->exec_file.empty() ? nsjconf->argv[0].c_str() : nsjconf->exec_file.c_str(),
nsjconf->bindhost.c_str(), nsjconf->port, nsjconf->max_conns, nsjconf->max_conns_per_ip,
@@ -311,10 +310,9 @@ void logParams(nsjconf_t *nsjconf) {
(unsigned long)uid.inside_id, (unsigned long)uid.outside_id, uid.count,
uid.is_newidmap ? "true" : "false");
if (uid.outside_id == 0 && nsjconf->clone_newuser) {
- LOG_W(
- "Process will be UID/EUID=0 in the global user namespace, and "
- "will "
- "have user root-level access to files");
+ LOG_W("Process will be UID/EUID=0 in the global user namespace, and "
+ "will "
+ "have user root-level access to files");
}
}
for (const auto &gid : nsjconf->gids) {
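Review bot: The warning in the `uid.outside_id == 0` branch is still assembled from three fragments, one of which is only `"will "`, so searching the source for the text an operator sees in the log does not find it. With AlwaysBreakBeforeMultilineStrings off, the literal can be re-joined at natural boundaries without changing the emitted string, e.g. `LOG_W("Process will be UID/EUID=0 in the global user namespace, and will "` followed by `"have user root-level access to files");`. The same applies to the GID warning in the next hunk, the LOG_F in parseRLimit and the LOG_E in setupArgv. logParams starts and ends outside this hunk.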
@@ -322,10 +320,9 @@ void logParams(nsjconf_t *nsjconf) {
(unsigned long)gid.inside_id, (unsigned long)gid.outside_id, gid.count,
gid.is_newidmap ? "true" : "false");
if (gid.outside_id == 0 && nsjconf->clone_newuser) {
- LOG_W(
- "Process will be GID/EGID=0 in the global user namespace, and "
- "will "
- "have group root-level access to files");
+ LOG_W("Process will be GID/EGID=0 in the global user namespace, and "
+ "will "
+ "have group root-level access to files");
}
}
}
@@ -345,11 +342,10 @@ uint64_t parseRLimit(int res, const char *optarg, unsigned long mul) {
return cur.rlim_max;
}
if (!util::isANumber(optarg)) {
- LOG_F(
- "RLIMIT %d needs a numeric or 'max'/'hard'/'def'/'soft'/'inf' "
- "value "
- "('%s' "
- "provided)",
+ LOG_F("RLIMIT %d needs a numeric or 'max'/'hard'/'def'/'soft'/'inf' "
+ "value "
+ "('%s' "
+ "provided)",
res, optarg);
}
errno = 0;
@@ -389,11 +385,10 @@ static bool setupArgv(nsjconf_t *nsjconf, int argc, char **argv, int optind) {
if (nsjconf->use_execveat) {
#if !defined(__NR_execveat)
- LOG_E(
- "Your nsjail is compiled without support for the execveat() "
- "syscall, "
- "yet you "
- "specified the --execute_fd flag");
+ LOG_E("Your nsjail is compiled without support for the execveat() "
+ "syscall, "
+ "yet you "
+ "specified the --execute_fd flag");
return false;
#endif /* !defined(__NR_execveat) */
if ((nsjconf->exec_fd = TEMP_FAILURE_RETRY(
@@ -462,10 +457,9 @@ void setupUsers(nsjconf_t *nsjconf) {
std::string parseMACVlanMode(const char *optarg) {
if (strcasecmp(optarg, "private") != 0 && strcasecmp(optarg, "vepa") != 0 &&
strcasecmp(optarg, "bridge") != 0 && strcasecmp(optarg, "passthru") != 0) {
- LOG_F(
- "macvlan mode can only be one of the values: "
- "'private'/'vepa'/'bridge'/'passthru' ('%s' "
- "provided).",
+ LOG_F("macvlan mode can only be one of the values: "
+ "'private'/'vepa'/'bridge'/'passthru' ('%s' "
+ "provided).",
optarg);
}
return std::string(optarg);
diff --git a/contain.cc b/contain.cc
index 5a27cae..bac5152 100644
--- a/contain.cc
+++ b/contain.cc
@@ -127,9 +127,8 @@ static bool containTSC(nsjconf_t* nsjconf) {
return false;
}
#else /* defined(__x86_64__) || defined(__i386__) */
- LOG_W(
- "prctl(PR_SET_TSC, PR_TSC_SIGSEGV) requested, but it's supported under "
- "x86/x86-64 CPU architectures only. Ignoring it!");
+ LOG_W("prctl(PR_SET_TSC, PR_TSC_SIGSEGV) requested, but it's supported under "
+ "x86/x86-64 CPU architectures only. Ignoring it!");
#endif /* defined(__x86_64__) || defined(__i386__) */
}
return true;
diff --git a/cpu.cc b/cpu.cc
index cb4b5b5..4f1ab67 100644
--- a/cpu.cc
+++ b/cpu.cc
@@ -70,9 +70,8 @@ static void setRandomCpu(cpu_set_t* orig_mask, cpu_set_t* new_mask, size_t avail
n = getNthOnlineCpu(orig_mask, n);
CPU_SET(n, new_mask);
- LOG_D(
- "Add CPU #%zu from the original mask=[%s] (size=%zu, available_cpus=%zu), new "
- "mask=[%s] (size=%zu)",
+ LOG_D("Add CPU #%zu from the original mask=[%s] (size=%zu, available_cpus=%zu), new "
+ "mask=[%s] (size=%zu)",
n, listCpusInSet(orig_mask).c_str(), (size_t)CPU_COUNT(orig_mask), available_cpus,
listCpusInSet(new_mask).c_str(), (size_t)CPU_COUNT(new_mask));
CPU_CLR(n, orig_mask);
@@ -121,9 +120,8 @@ bool initCpu(nsjconf_t* nsjconf) {
available_cpus--;
}
- LOG_D(
- "Setting new CPU mask=[%s] with %zu allowed CPUs (max_cpus=%zu), %zu CPUs "
- "(CPU_COUNT=%zu) left mask=[%s]",
+ LOG_D("Setting new CPU mask=[%s] with %zu allowed CPUs (max_cpus=%zu), %zu CPUs "
+ "(CPU_COUNT=%zu) left mask=[%s]",
listCpusInSet(new_mask.get()).c_str(), nsjconf->max_cpus,
(size_t)CPU_COUNT(new_mask.get()), available_cpus, (size_t)CPU_COUNT(orig_mask.get()),
listCpusInSet(orig_mask.get()).c_str());
diff --git a/mnt.cc b/mnt.cc
index 7573dd7..b151cf4 100644
--- a/mnt.cc
+++ b/mnt.cc
@@ -214,10 +214,9 @@ static bool mountPt(mount_t* mpt, const char* newroot, const char* tmpdir) {
*/
if (mountRWIfPossible(mpt, srcpath, dstpath) == -1) {
if (errno == EACCES) {
- PLOG_W(
- "mount('%s') src:'%s' dstpath:'%s' failed. "
- "Try fixing this problem by applying 'chmod o+x' to the '%s' "
- "directory and its ancestors",
+ PLOG_W("mount('%s') src:'%s' dstpath:'%s' failed. "
+ "Try fixing this problem by applying 'chmod o+x' to the '%s' "
+ "directory and its ancestors",
describeMountPt(*mpt).c_str(), srcpath, dstpath, srcpath);
} else {
PLOG_W("mount('%s') src:'%s' dstpath:'%s' failed",
@@ -457,9 +456,8 @@ static bool initCloneNs(nsjconf_t* nsjconf) {
* proper capabilities are kept in the user namespace. It can be acheived by
* unmounting the new root and using setns to re-enter the mount namespace.
*/
- LOG_W(
- "Using no_pivotroot is escapable when user posseses relevant capabilities, "
- "Use it with care!");
+ LOG_W("Using no_pivotroot is escapable when user posseses relevant capabilities, "
+ "Use it with care!");
if (chdir(destdir->c_str()) == -1) {
PLOG_E("chdir(%s)", QC(*destdir));
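Review bot: The no_pivotroot warning spells "possesses" as `posseses`, and the comment above it has `acheived`. This is the message that tells an operator the jail is escapable, so it is worth having in a form that a log or documentation search will match. Suggested first fragment: `"Using no_pivotroot is escapable when user possesses relevant capabilities, "`. The LOG_W in the cloneProc hunk of subproc.cc has the same kind of slip, `reuqested` for `requested`. initCloneNs continues outside this hunk.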
diff --git a/net.cc b/net.cc
index 87c3df9..72e9187 100644
--- a/net.cc
+++ b/net.cc
@@ -219,9 +219,8 @@ bool limitConns(nsjconf_t* nsjconf, int connsock) {
int getRecvSocket(const char* bindhost, int port) {
if (port < 0 || port > 65535) {
- LOG_F(
- "TCP port %d out of bounds (0 <= port <= 65535), specify one with --port "
- "<port>",
+ LOG_F("TCP port %d out of bounds (0 <= port <= 65535), specify one with --port "
+ "<port>",
port);
}
diff --git a/sandbox.cc b/sandbox.cc
index dfd94e1..b49f613 100644
--- a/sandbox.cc
+++ b/sandbox.cc
@@ -60,17 +60,15 @@ static bool prepareAndCommit(nsjconf_t* nsjconf) {
}
if (nsjconf->seccomp_log) {
#ifndef __NR_seccomp
- LOG_E(
- "The __NR_seccomp is not defined with this kernel's header files (kernel "
- "headers too old?)");
+ LOG_E("The __NR_seccomp is not defined with this kernel's header files (kernel "
+ "headers too old?)");
return false;
#else
if (util::syscall(__NR_seccomp, (uintptr_t)SECCOMP_SET_MODE_FILTER,
(uintptr_t)(SECCOMP_FILTER_FLAG_TSYNC | SECCOMP_FILTER_FLAG_LOG),
(uintptr_t)&nsjconf->seccomp_fprog) == -1) {
- PLOG_E(
- "seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC | "
- "SECCOMP_FILTER_FLAG_LOG) failed");
+ PLOG_E("seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC | "
+ "SECCOMP_FILTER_FLAG_LOG) failed");
return false;
}
return true;
diff --git a/subproc.cc b/subproc.cc
index eaaa896..e0f4a88 100644
--- a/subproc.cc
+++ b/subproc.cc
@@ -287,10 +287,9 @@ static void seccompViolation(nsjconf_t* nsjconf, siginfo_t* si) {
const auto& p = nsjconf->pids.find(si->si_pid);
if (p == nsjconf->pids.end()) {
- LOG_W(
- "pid=%d SiStatus:%d SiUid:%d SiUtime:%ld SiStime:%ld (If "
- "SiStatus==31 (SIGSYS), then see 'dmesg' or 'journalctl -ek' for possible "
- "auditd report with more data)",
+ LOG_W("pid=%d SiStatus:%d SiUid:%d SiUtime:%ld SiStime:%ld (If "
+ "SiStatus==31 (SIGSYS), then see 'dmesg' or 'journalctl -ek' for possible "
+ "auditd report with more data)",
(int)si->si_pid, si->si_status, si->si_uid, (long)si->si_utime,
(long)si->si_stime);
LOG_E("Couldn't find pid element in the subproc list for pid=%d", (int)si->si_pid);
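Review bot: The `pid=%d SiStatus:%d SiUid:%d ...` text with the dmesg/journalctl hint is repeated verbatim in this LOG_W, in the `rdsize < 1` branch of the next hunk and in the final `else` of the hunk after that, with a near-copy in the `ret == 3` branch. This looks like the record someone reads when triaging a SIGSYS kill, so holding the format string in one place keeps the variants from drifting apart. A small file-local helper that takes `si`, for example `static void logSigInfo(const siginfo_t* si)`, would do it. seccompViolation starts and ends outside this hunk.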
@@ -300,10 +299,9 @@ static void seccompViolation(nsjconf_t* nsjconf, siginfo_t* si) {
char buf[4096];
ssize_t rdsize = util::readFromFd(p->second.pid_syscall_fd, buf, sizeof(buf) - 1);
if (rdsize < 1) {
- LOG_W(
- "pid=%d SiStatus:%d SiUid:%d SiUtime:%ld SiStime:%ld (If "
- "SiStatus==31 (SIGSYS), then see 'dmesg' or 'journalctl -ek' for possible "
- "auditd report with more data)",
+ LOG_W("pid=%d SiStatus:%d SiUid:%d SiUtime:%ld SiStime:%ld (If "
+ "SiStatus==31 (SIGSYS), then see 'dmesg' or 'journalctl -ek' for possible "
+ "auditd report with more data)",
(int)si->si_pid, si->si_status, si->si_uid, (long)si->si_utime,
(long)si->si_stime);
return;
@@ -315,23 +313,20 @@ static void seccompViolation(nsjconf_t* nsjconf, siginfo_t* si) {
int ret = sscanf(buf, "%td %tx %tx %tx %tx %tx %tx %tx %tx", &sc, &arg1, &arg2, &arg3,
&arg4, &arg5, &arg6, &sp, &pc);
if (ret == 9) {
- LOG_W(
- "pid=%d, Syscall number:%td, Arguments:%#tx, %#tx, %#tx, %#tx, %#tx, %#tx, "
- "SP:%#tx, PC:%#tx, si_status:%d",
+ LOG_W("pid=%d, Syscall number:%td, Arguments:%#tx, %#tx, %#tx, %#tx, %#tx, %#tx, "
+ "SP:%#tx, PC:%#tx, si_status:%d",
(int)si->si_pid, sc, arg1, arg2, arg3, arg4, arg5, arg6, sp, pc, si->si_status);
} else if (ret == 3) {
- LOG_W(
- "pid=%d SiStatus:%d SiUid:%d SiUtime:%ld SiStime:%ld SP:%#tx, PC:%#tx (If "
- "SiStatus==31 (SIGSYS), then see 'dmesg' or 'journalctl -ek' for possible "
- "auditd report with more data)",
+ LOG_W("pid=%d SiStatus:%d SiUid:%d SiUtime:%ld SiStime:%ld SP:%#tx, PC:%#tx (If "
+ "SiStatus==31 (SIGSYS), then see 'dmesg' or 'journalctl -ek' for possible "
+ "auditd report with more data)",
(int)si->si_pid, si->si_status, si->si_uid, (long)si->si_utime,
(long)si->si_stime, arg1, arg2);
return;
} else {
- LOG_W(
- "pid=%d SiStatus:%d SiUid:%d SiUtime:%ld SiStime:%ld (If "
- "SiStatus==31 (SIGSYS), then see 'dmesg' or 'journalctl -ek' for possible "
- "auditd report with more data)",
+ LOG_W("pid=%d SiStatus:%d SiUid:%d SiUtime:%ld SiStime:%ld (If "
+ "SiStatus==31 (SIGSYS), then see 'dmesg' or 'journalctl -ek' for possible "
+ "auditd report with more data)",
(int)si->si_pid, si->si_status, si->si_uid, (long)si->si_utime,
(long)si->si_stime);
}
@@ -545,9 +540,8 @@ pid_t cloneProc(uint64_t flags, int exit_signal) {
}
if (flags & CLONE_NEWTIME) {
- LOG_W(
- "CLONE_NEWTIME reuqested, but it's only supported with the unshare() mode "
- "(-Me)");
+ LOG_W("CLONE_NEWTIME reuqested, but it's only supported with the unshare() mode "
+ "(-Me)");
}
#if defined(__NR_clone3)
diff --git a/util.cc b/util.cc
index 1829b30..c05cb50 100644
--- a/util.cc
+++ b/util.cc
@@ -231,9 +231,8 @@ static void rndInitThread(void) {
#endif /* defined(__NR_getrandom) */
int fd = TEMP_FAILURE_RETRY(open("/dev/urandom", O_RDONLY | O_CLOEXEC));
if (fd == -1) {
- PLOG_D(
- "Couldn't open /dev/urandom for reading. Using gettimeofday "
- "fall-back");
+ PLOG_D("Couldn't open /dev/urandom for reading. Using gettimeofday "
+ "fall-back");
struct timeval tv;
gettimeofday(&tv, NULL);
rndX = tv.tv_usec + ((uint64_t)tv.tv_sec << 32);
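Review bot: The fall-back to a `gettimeofday` seed is reported only through `PLOG_D`, so unless debug logging is on nothing records that `rndX` was seeded from the clock, a value that is guessable to anyone who knows roughly when the process started. Raising the level makes the degraded state visible: `PLOG_W("Couldn't open /dev/urandom for reading. Using gettimeofday fall-back");`. What `rndX` feeds is not visible in this hunk, so how much this matters depends on its callers. rndInitThread starts and ends outside the hunk.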