author | 2021-12-07 08:08:33 +0000 | |
---|---|---|
committer | 2021-12-07 08:27:06 +0000 | |
commit | 91689001f179f7a68d4d17d73ff98f6a6b1ec89c (patch) | |
tree | 5a488d641f83272fd343c3995c454ca8d6e3a7e4 | |
parent | Merge pull request #120 from onerandomusername/patch-2 (diff) |
Add the --use_cgroupv2 flag when relevant
According to https://github.com/google/nsjail/pull/119, the flag should be passed for NsJail to try to use cgroupv2. This commit will use the /sys/fs/cgroup structure to guess the installed version, and depending on the version add that flag.
-rw-r--r-- | snekbox/nsjail.py | 19 |
1 files changed, 18 insertions, 1 deletions
diff --git a/snekbox/nsjail.py b/snekbox/nsjail.py index ce2b28f..cb18392 100644 --- a/snekbox/nsjail.py +++ b/snekbox/nsjail.py @@ -26,6 +26,9 @@ LOG_BLACKLIST = ("Process will be ",) NSJAIL_PATH = os.getenv("NSJAIL_PATH", "/usr/sbin/nsjail") NSJAIL_CFG = os.getenv("NSJAIL_CFG", "./config/snekbox.cfg") +# If this file is present, cgroupv2 should be enabled +CGROUPV2_PROBE_PATH = Path("/sys/fs/cgroup/cgroup.controllers") + # Limit of stdout bytes we consume before terminating nsjail OUTPUT_MAX = 1_000_000 # 1 MB READ_CHUNK_SIZE = 10_000 # chars @@ -41,6 +44,17 @@ class NsJail: def __init__(self, nsjail_binary: str = NSJAIL_PATH): self.nsjail_binary = nsjail_binary self.config = self._read_config() + + @staticmethod + def _probe_cgroup_version() -> int: + """Poll the filesystem and return the guessed cgroup version""" + # Right now we check whenever the controller path exists + version = 2 if CGROUPV2_PROBE_PATH.exists() else 1 + + if DEBUG: + log.info(f"Guessed cgroups version: {version}") + + return version @staticmethod def _read_config() -> NsJailConfig: @@ -190,6 +204,9 @@ class NsJail: cgroup = self._create_dynamic_cgroups() with NamedTemporaryFile() as nsj_log: + if self._probe_cgroup_version() == 2: + nsjail_args = (["--use_cgroupv2"]).extend(nsjail_args) + args = ( self.nsjail_binary, "--config", NSJAIL_CFG, @@ -204,7 +221,7 @@ class NsJail: msg = "Executing code..." if DEBUG: - msg = f"{msg[:-3]}:\n{textwrap.indent(code, ' ')}" + msg = f"{msg[:-3]}:\n{textwrap.indent(code, ' ')}\nWith the arguments {args}." log.info(msg) try: |
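Review bot: `_probe_cgroup_version` (hunk `@@ -41,6 +44,17 @@`) is called from the execution path in the `@@ -190,6 +204,9 @@` hunk, so the filesystem check and its debug log line repeat on every code run, although the cgroup layout is not expected to change while the process lives. Probing once in `__init__` and storing the result, e.g. `self.cgroup_version = self._probe_cgroup_version()`, would keep the per-run path free of the extra stat and make the detected version easy to inspect. The docstring could state what the probe actually means, for instance `"""Return 2 if the unified cgroup hierarchy is mounted at /sys/fs/cgroup, else 1."""`, and the comment's "whenever" should read "whether". Because the sandbox's resource limits depend on this guess, logging the detected version once at startup regardless of `DEBUG` would help operators confirm which mode is in effect.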
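Review bot: In the `@@ -190,6 +204,9 @@` hunk, `nsjail_args = (["--use_cgroupv2"]).extend(nsjail_args)` assigns `None`, because `list.extend` mutates the list in place and returns nothing. On any host where the probe reports version 2, the flag and the caller's own arguments are therefore lost. If the `args` tuple unpacks `nsjail_args` further down (that part lies outside the hunk), the call would raise a `TypeError` instead of starting the sandbox. Building a new sequence keeps both: `nsjail_args = ("--use_cgroupv2", *nsjail_args)`. The `_create_dynamic_cgroups()` call in the context line is untouched by this commit; its body is not visible here, so it is worth confirming that the cgroups it creates match the hierarchy the new flag tells NsJail to use.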