Comments (5)

rohangrg commented on July 17, 2024

I am facing the same issue.

okunz commented on July 17, 2024

I couldn't replicate this at the moment on my machine. Can you please post the following:

  • nsjail configuration (or command line)
  • full log output with --verbose

ndeloney0 commented on July 17, 2024

@okunz Yes, here is the nsjail.cfg:

mode: ONCE
hostname: "python"
time_limit: 900

rlimit_as: 2048
rlimit_cpu: 1000
rlimit_fsize: 1024
rlimit_nofile: 64

# Mounts
mount {
    src: "/"
    dst: "/"
    is_bind: true
    rw: false
}
mount {
    src: "/app"
    dst: "/app"
    is_bind: true
    rw: true
}
mount {
    src: "/tmp"
    dst: "/tmp"
    is_bind: true
    rw: true
}

clone_newnet: false

This is how I am executing the script:

# main.py
import subprocess

result = subprocess.run(
    [
        "nsjail",
        "--config",
        "nsjail.cfg",
        "--",
        "python3",
        "user_script.py",
        "--disable_clone_newcgroup",
        "--verbose",
    ],
    capture_output=True,
    text=True,
)

And this is the full log output after adding --verbose:

[I][2024-06-17T14:01:35+0000] Mode: STANDALONE_ONCE\n[I][2024-06-17T14:01:35+0000] Jail parameters: hostname:'python', chroot:'', process:'python3', bind:[::]:0, max_conns:0, max_conns_per_ip:0, time_limit:900, personality:0, daemonize:false, clone_newnet:false, clone_newuser:true, clone_newns:true, clone_newpid:true, clone_newipc:true, clone_newuts:true, clone_newcgroup:true, clone_newtime:false, keep_caps:false, disable_no_new_privs:false, max_cpus:0\n
[I][2024-06-17T14:01:35+0000] Mount: '/' flags:MS_RDONLY type:'tmpfs' options:'' dir:true\n
[I][2024-06-17T14:01:35+0000] Mount: '/' -> '/' flags:MS_RDONLY|MS_BIND|MS_REC|MS_PRIVATE type:'' options:'' dir:true\n
[I][2024-06-17T14:01:35+0000] Mount: '/app' -> '/app' flags:MS_BIND|MS_REC|MS_PRIVATE type:'' options:'' dir:true\n
[I][2024-06-17T14:01:35+0000] Mount: '/tmp' -> '/tmp' flags:MS_BIND|MS_REC|MS_PRIVATE type:'' options:'' dir:true\n
[I][2024-06-17T14:01:35+0000] Uid map: inside_uid:0 outside_uid:0 count:1 newuidmap:false\n
[W][2024-06-17T14:01:35+0000][6] logParams():313 Process will be UID/EUID=0 in the global user namespace, and will have user root-level access to files\n
[I][2024-06-17T14:01:35+0000] Gid map: inside_gid:0 outside_gid:0 count:1 newgidmap:false\n
[W][2024-06-17T14:01:35+0000][6] logParams():323 Process will be GID/EGID=0 in the global user namespace, and will have group root-level access to files\n
[W][2024-06-17T14:01:35+0000][6] runChild():491 clone(flags=CLONE_NEWNS|CLONE_NEWCGROUP|CLONE_NEWUTS|CLONE_NEWIPC|CLONE_NEWUSER|CLONE_NEWPID) failed: Invalid argument\n
[E][2024-06-17T14:01:35+0000][6] standaloneMode():275 Couldn't launch the child process\n

okunz commented on July 17, 2024

Your log output shows that something is wrong with how you invoke nsjail. Have you tried it out by running nsjail directly on the cmdline? I suggest you try both: with the config file, and if that doesn't work, then also by using the cmdline args (to ensure it's not also related to #229).

okunz commented on July 17, 2024

Check out my response to #229. The default config values might be different when using --config.

In addition, you need to pass the parameters for nsjail before the -- which is the separator after which the passed options are treated as args for the sandboxee binary. In your case, the last two args would be considered args you pass to python3.

Further, you likely have to specify the full path of the binaries, both for nsjail and for python3 in your example.

With the points mentioned above, I could not replicate the issue that you report. I think for your debugging, try to find out what argument is reported as invalid.
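
The two invocation points in the comment above (nsjail options go before the -- separator, binaries are given by full path), as an added example that is not part of the original thread or the nsjail project. The helper names, the flag set and the /usr/bin and /app paths are assumptions for illustration; it covers only how the command line is built, not the cause of the clone() failure.

```python
import os
import shutil

SEP = "--"
# nsjail options that appear in this thread; extend the set for your own use.
NSJAIL_FLAGS = {"--config", "--disable_clone_newcgroup", "--verbose"}

# The argv posted in the thread, reproduced as sample input.
THREAD_ARGV = ["nsjail", "--config", "nsjail.cfg", "--", "python3",
               "user_script.py", "--disable_clone_newcgroup", "--verbose"]


def misplaced_nsjail_flags(argv):
    """Return nsjail flags placed after '--', where they go to the sandboxee."""
    if SEP not in argv:
        return []
    return [a for a in argv[argv.index(SEP) + 1:] if a in NSJAIL_FLAGS]


def resolve(binary, which=shutil.which):
    """Return an absolute path for binary, or raise if it is not on PATH."""
    if os.path.isabs(binary):
        return binary
    found = which(binary)
    if found is None:
        raise FileNotFoundError(f"cannot resolve {binary!r} on PATH")
    return os.path.abspath(found)


def build_nsjail_argv(nsjail, config, nsjail_opts, command, which=shutil.which):
    """Build argv: nsjail options, then '--', then the sandboxee command."""
    if not command:
        raise ValueError("empty sandboxee command")
    leaked = [a for a in command[1:] if a in NSJAIL_FLAGS]
    if leaked:
        raise ValueError(f"nsjail options passed as sandboxee args: {leaked}")
    # Assumption: the resolved sandboxee path is also valid inside the jail,
    # which holds for the thread's config because it bind-mounts / to /.
    return [resolve(nsjail, which), "--config", os.path.abspath(config),
            *nsjail_opts, SEP, resolve(command[0], which), *command[1:]]


if __name__ == "__main__":
    print("misplaced:", misplaced_nsjail_flags(THREAD_ARGV))
    print(build_nsjail_argv("/usr/bin/nsjail", "/app/nsjail.cfg",
                            ["--disable_clone_newcgroup", "--verbose"],
                            ["/usr/bin/python3", "user_script.py"]))
```

The returned list can be passed to subprocess.run unchanged. The leak check is deliberately strict: a sandboxee that legitimately accepts an argument such as --verbose needs that name removed from NSJAIL_FLAGS.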