Commits on Sep 10, 2018
  1. Released as version 1.7

    gollux committed Sep 10, 2018
Commits on Aug 27, 2018
  1. Support for "tmp" rules

    gollux committed Aug 27, 2018
    We introduce a new kind of directory rule, which binds a freshly
    created temporary directory, writeable by the sandbox user. By default,
    we install such a rule for "/tmp".
    
    I also cleaned up checking of correctness of directory rules.
Commits on Aug 16, 2018
  1. Released as version 1.6

    gollux committed Aug 16, 2018
Commits on Mar 27, 2018
  1. Non-existence of /proc/$PID/stat should not be fatal

    gollux committed Mar 27, 2018
    With the proxy, it is possible that the inside process just
    disappears under the keeper's hands.
Commits on Mar 26, 2018
  1. Let --cg-timing be turned on by default

    gollux committed Mar 26, 2018
    Using cgroups without --cg-timing makes little sense and it is too
    easy to forget to ask for --cg-timing explicitly.
    
    Whoever wishes to use the single-process time limit mechanism with CG
    can make that wish explicit with --no-cg-timing.
    
    For more background, see cms-dev/cms#913.
Commits on Mar 24, 2018
  1. Added cg-oom-killed meta entry

    gollux committed Mar 24, 2018
    It is hard to judge solely from the meta output whether a program has
    been SIGKILLed by the OOM killer or by something else.
    
    Since Linux 4.15, the cgroup API provides us with a memory.oom_control
    file that contains a key "oom_kill" with the number of times the cgroup
    has received an OOM kill. If this value is greater than 0, we report that
    there was an OOM kill in the meta file with the cg-oom-killed entry.
    
    Based on work by Antoine Pietri.
  2. Fixed time limits in non-cg mode

    gollux committed Mar 24, 2018
    Introduction of the proxy process broke time limits in non-cg mode.
    The box master is periodically polling the time spent by the child,
    but the child is the proxy, not the inside process.
    
    Now, we distinguish between box_pid and proxy_pid. Obtaining the box_pid
    turned out to be tricky, but I hope it is correct.
    
    Should fix #52, but needs testing.
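As an added example (not isolate's own code) of the check described in the cg-oom-killed commit above, the C program below parses the text of a cgroup v1 memory.oom_control file, picks out the "oom_kill" counter the commit refers to, and turns it into the decision whether a cg-oom-killed entry belongs in the meta file. The sample file contents are constructed; the cgroup path mentioned in the comments is an assumption about a v1 hierarchy, not a path taken from isolate.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example, not isolate's own code: derive the cg-oom-killed decision
 * from the text of a cgroup v1 memory.oom_control file.  The file has one
 * "key value" pair per line; a constructed sample:
 *
 *     oom_kill_disable 0
 *     under_oom 0
 *     oom_kill 2
 *
 * Returns the oom_kill counter, or -1 when no such line exists (kernels
 * that predate the key).  The key must be matched as a whole word, since
 * "oom_kill_disable" starts with the same eight characters.
 */
long oom_kill_count_from_text(const char *text)
{
    const char *line = text;
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (len > 8 && strncmp(line, "oom_kill", 8) == 0 &&
            (line[8] == ' ' || line[8] == '\t'))
            return strtol(line + 9, NULL, 10);
        if (!eol)
            break;
        line = eol + 1;
    }
    return -1;
}

/*
 * Read the control file of a box's memory cgroup and say whether a
 * cg-oom-killed entry should be written: 1 = at least one OOM kill,
 * 0 = none, -1 = cannot tell (file missing or key absent).
 * The caller supplies the path; under a cgroup v1 layout it would be
 * something like /sys/fs/cgroup/memory/<box-group>/memory.oom_control
 * (an assumption about the hierarchy, not a path taken from isolate).
 */
int box_was_oom_killed(const char *path)
{
    char buf[512];
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    long count = oom_kill_count_from_text(buf);
    if (count < 0)
        return -1;
    return count > 0;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        /* no file given: run on the constructed sample */
        const char *sample = "oom_kill_disable 0\nunder_oom 0\noom_kill 2\n";
        printf("oom_kill from sample = %ld\n", oom_kill_count_from_text(sample));
        return 0;
    }
    int r = box_was_oom_killed(argv[1]);
    if (r < 0)
        printf("cannot determine OOM status from %s\n", argv[1]);
    else if (r)
        printf("cg-oom-killed:1\n");
    return 0;
}
```

Run without arguments to see the parser on the constructed sample, or pass the path of a real memory.oom_control file. The -1 return keeps the "unknown" case separate from "no OOM kill", which matters on kernels that do not expose the key at all.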
Commits on Mar 16, 2018
  1. When calling nftw(), return 0 from the callback

    gollux committed Mar 16, 2018
    Since the FTW_ACTIONRETVAL flag is not used, the callback should
    simply return zero/non-zero.
    
    Closes #48.
Commits on Feb 22, 2018
  1. Released as version 1.5

    gollux committed Feb 22, 2018
  2. Security: Create destination directories before all mounts

    gollux committed Feb 22, 2018
    Otherwise, it is possible to bind-mount a directory accessible only to
    root and then bind-mount something else on its sub-directory. If the
    sub-directory did not exist, isolate happily creates it, even though
    the calling user has no permission to do that.
  3. Security: Sanitize paths used in directory rules

    gollux committed Feb 22, 2018
    Otherwise, you can use ".." to escape the box directory and have
    an empty directory created anywhere in the filesystem.
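An added example, not isolate's own code, of the kind of lexical check the path-sanitization commit above calls for: every component of a directory-rule path is inspected and any ".." is rejected before anything could be created from it. The accepted-path conventions (path taken relative to the box root, "." and empty components dropped, an empty result rejected) are my assumptions for this illustration, not isolate's documented behaviour.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example, not isolate's own code: a lexical check on the "inside"
 * path of a directory rule so that it cannot leave the box directory.
 *
 * Assumed conventions: the path is taken relative to the box root, leading
 * and repeated slashes are tolerated, "." components are dropped, and a
 * ".." component (or an empty result such as "/" or ".") is rejected.
 * On success the cleaned path is written to `out` and 1 is returned;
 * otherwise 0 is returned and `out` is emptied.
 */
int sanitize_dir_rule_path(const char *in, char *out, size_t out_size)
{
    size_t pos = 0;
    const char *p = in;

    if (out_size == 0)
        return 0;
    out[0] = '\0';

    while (*p) {
        while (*p == '/')            /* skip one or more separators */
            p++;
        if (!*p)
            break;
        const char *start = p;
        while (*p && *p != '/')
            p++;
        size_t len = (size_t)(p - start);

        if (len == 1 && start[0] == '.')
            continue;                /* "." contributes nothing */
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            out[0] = '\0';           /* ".." could climb out of the box */
            return 0;
        }
        /* append the component, separated by a single '/' */
        if (pos + (pos ? 1 : 0) + len + 1 > out_size) {
            out[0] = '\0';           /* does not fit; treat as rejected */
            return 0;
        }
        if (pos)
            out[pos++] = '/';
        memcpy(out + pos, start, len);
        pos += len;
        out[pos] = '\0';
    }
    return pos > 0;                  /* an empty path is rejected too */
}

/* Demonstration helper: 1 if `in` is accepted and cleans to `expected`,
 * 0 if it is rejected, -1 if accepted but with a different result. */
int sanitize_outcome(const char *in, const char *expected)
{
    char buf[256];
    if (!sanitize_dir_rule_path(in, buf, sizeof buf))
        return 0;
    return strcmp(buf, expected) == 0 ? 1 : -1;
}

int main(void)
{
    const char *samples[] = { "etc/alternatives", "/usr//lib/./x",
                              "../../etc", "foo/../bar", "/" };
    char buf[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int ok = sanitize_dir_rule_path(samples[i], buf, sizeof buf);
        printf("%-18s -> %s\n", samples[i], ok ? buf : "REJECTED");
    }
    return 0;
}
```

This is purely a check on the rule text; it says nothing about what already exists in the filesystem underneath the box, so it complements rather than replaces the ordering fix in the neighbouring commit about creating destination directories before mounts.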
  4. Mount /proc with hidepid=2

    gollux committed Feb 22, 2018
    Otherwise, the sandboxed process can see the proxy process in /proc
    and read its cmdline, which is the original cmdline of isolate.
  5. Merge branch 'proxy'

    gollux committed Feb 22, 2018
  6. Added --stderr-to-stdout

    gollux committed Feb 22, 2018
    It turned out that the suggestion to use --stderr=/dev/fd/1 was quite
    unhelpful. First, it did not work when stdout was in the outside
    namespace. Second, it created an independent fd pointing to the same
    file, so writes to stdout and stderr were overwriting each other.
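As an added example (not the project's code) of the second problem the --stderr-to-stdout commit above names, the C program below writes through two descriptors that refer to the same file: once after re-opening it via /dev/fd, the way --stderr=/dev/fd/1 did, and once after dup(), the way a shell's 2>&1 does. The file contents afterwards show the independent offset overwriting the earlier write versus the shared offset appending to it. The temporary file is created with mkstemp; if /dev/fd is unavailable the code falls back to re-opening the path, which on Linux gives the same independent open file description.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/*
 * Added example, not isolate's own code.  Two descriptors refer to one
 * file; "AAAA" is written through the first, then "BB" through the second.
 *
 *   use_dup == 0: second descriptor from open("/dev/fd/<fd>") (falling back
 *                 to re-opening the path if /dev/fd is unavailable).  On
 *                 Linux both create a new open file description with its
 *                 own offset starting at 0, so "BB" overwrites the "AA".
 *   use_dup == 1: second descriptor from dup(), as the shell's 2>&1 does;
 *                 both share one offset, so "BB" lands after "AAAA".
 *
 * The final contents are copied into `out` (at least 8 bytes).
 * Returns 0 on success, -1 on a system error.
 */
int write_through_two_fds(int use_dup, char *out)
{
    char path[] = "/tmp/stderr-demo.XXXXXX";
    int fd1 = mkstemp(path);
    if (fd1 < 0)
        return -1;

    int fd2;
    if (use_dup) {
        fd2 = dup(fd1);
    } else {
        char procpath[32];
        snprintf(procpath, sizeof procpath, "/dev/fd/%d", fd1);
        fd2 = open(procpath, O_WRONLY);
        if (fd2 < 0)
            fd2 = open(path, O_WRONLY);   /* same semantics as /dev/fd on Linux */
    }

    int rc = -1;
    if (fd2 >= 0 &&
        write(fd1, "AAAA", 4) == 4 &&
        write(fd2, "BB", 2) == 2 &&
        lseek(fd1, 0, SEEK_SET) == 0) {
        ssize_t n = read(fd1, out, 7);
        if (n >= 0) {
            out[n] = '\0';
            rc = 0;
        }
    }
    if (fd2 >= 0)
        close(fd2);
    close(fd1);
    unlink(path);
    return rc;
}

/* Demonstration helper: 1 if the experiment leaves exactly `expected`. */
int two_fd_result_is(int use_dup, const char *expected)
{
    char buf[8];
    if (write_through_two_fds(use_dup, buf) != 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    char buf[8];
    if (write_through_two_fds(0, buf) == 0)
        printf("re-open via /dev/fd: \"%s\"  (second write clobbered the first)\n", buf);
    if (write_through_two_fds(1, buf) == 0)
        printf("dup():               \"%s\"  (writes appended in order)\n", buf);
    return 0;
}
```

The re-open case yields "BBAA" and the dup() case "AAAABB"; the first is exactly the "overwriting each other" the commit describes, which is why an option that dup()s stdout onto stderr inside the box is the right fix rather than a path.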
  7. Let the proxy run with privileges of the calling user

    gollux committed Feb 22, 2018
    We want to avoid having a privileged process anywhere inside the
    sandbox. On the other hand, running the proxy under the per-box user
    enables various kinds of mischief (like ptracing the proxy). Generally,
    we want to use a generic nobody-like UID, for which the caller's UID
    serves well.
  8. Introduced a proxy process

    gollux committed Feb 22, 2018
    Previously, the program inside the sandbox was running as the init process
    (PID 1) of its PID namespace. This interfered with signal handling as
    there are special exceptions in delivering signals to init -- roughly
    speaking, unhandled signals which would be otherwise fatal are ignored.
    
    Now, we put a proxy process between the keeper and the inside process,
    which serves as init and just passes the exit code to the keeper.
  9. --cleanup does not complain when a cgroup does not exist

    gollux committed Feb 22, 2018
    It can happen (for example when "isolate --cleanup" is used before
    the first "isolate --init") that some of the cgroups do not exist yet.
    This is no reason for warning the user -- null cleanups are perfectly
    correct.
Commits on Jan 7, 2018
  1. Merge branch 'mj-rlimit'

    gollux committed Jan 7, 2018
Commits on Dec 28, 2017
  1. By default, let stderr be inherited from the parent

    gollux committed Dec 28, 2017
    WARNING: This is a change in behavior from the previous releases,
    which defaulted to "stderr follows stdout".
    
    However, the previous default made little sense and it caused
    error messages to be lost in several real-life scenarios.
    
    If you want to reproduce the previous behavior, use
    "--stderr=/dev/fd/1". If you are not interested in error messages
    at all, use "--stderr=/dev/null".
Commits on Dec 27, 2017
  1. setup_rlimits() should be called before giving up root privileges

    gollux committed Dec 27, 2017
    Some Linux kernels between Linux 4.14 and 4.15 (more specifically
    between commits 04e35f4495dd560db30c25efca4eecae8ec8c375 and
    779f4e1c6c7c661db40dfebd6dd6bda7b5f88aa3) reset the hard limit
    on stack size to the default 8 MB, overriding a possible higher
    limit set up by PAM.
    
    On such kernels, isolate was unable to set up the default unlimited
    stack and died. I move setting of the resource limits before giving
    up root privileges, so even a hard limit will be increased if needed.
Commits on Nov 17, 2017
  1. Clean up documentation

    gollux committed Nov 17, 2017
  2. Fix reporting of late timeout and exit status

    gollux committed Nov 17, 2017
    When a program finishes, but it is found to have exceeded the time
    limit afterwards, do not care how it finished and report only the
    timeout.
    
    Also, report exitcode even if the program exited normally.
  3. Merge pull request #38 from xelez/fix_doc

    gollux committed Nov 17, 2017
    Little docs fix according to real behavior.
  4. Merge pull request #40 from xelez/reset_memory_cgroup

    gollux committed Nov 17, 2017
    Reset memory max usage in cgroup
  5. Merge pull request #36 from op01/master

    gollux committed Nov 17, 2017
    Add more detail about building isolate