set sandbox nice value

12 files changed, 139 insertions, 3 deletions

diff --git a/README.md b/README.md
index 625df6554..5f3ffbd8a 100644
--- a/README.md
+++ b/README.md
@@ -68,4 +68,14 @@ The  current netfilter configuration (--netfilter option) looks like this:
 The filter is loaded by default for Firefox if a network namespace is configured:
 `````
 $ firejail --net=eth0 firefox
-`````
\ No newline at end of file
+`````
+
+## Set sandbox nice value
+`````
+      --nice=value
+              Set nice value for all processes running inside the sandbox.
+
+              Example:
+              $ firejail --nice=-5 firefox
+`````
+
diff --git a/RELNOTES b/RELNOTES
index 9e9a40bdc..9b025d423 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -2,6 +2,7 @@ firejail (0.9.39) baseline; urgency=low
   * work in progress!
   * default seccomp filter update
   * disable STUN/WebRTC in default netfilter configuration
+  * added --nice optoin
   * bugfixes
  -- netblue30 <netblue30@yahoo.com>  Tue, 8 Feb 2016 10:00:00 -0500
 
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 90c3589d9..feb6854fc 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -157,8 +157,9 @@ typedef struct config_t {
         unsigned rlimit_fsize;
         unsigned rlimit_sigpending;
         
-        // cpu affinity and control groups
+        // cpu affinity, nice and control groups
         uint32_t cpus;
+        int nice;
         char *cgroup;
         
 
@@ -231,6 +232,7 @@ extern int arg_nosound;	// disable sound
 extern int arg_quiet;           // no output for scripting
 extern int arg_join_network;    // join only the network namespace
 extern int arg_join_filesystem; // join only the mount namespace
+extern int arg_nice;            // nice value configured
 
 extern int parent_to_child_fds[2];
 extern int child_to_parent_fds[2];
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 5b88481d1..2f64d2268 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -92,7 +92,7 @@ int arg_nosound = 0;				// disable sound
 int arg_quiet = 0;                              // no output for scripting
 int arg_join_network = 0;                       // join only the network namespace
 int arg_join_filesystem = 0;                    // join only the mount namespace
-
+int arg_nice = 0;                               // nice value configured
 
 int parent_to_child_fds[2];
 int child_to_parent_fds[2];
@@ -678,6 +678,10 @@ int main(int argc, char **argv) {
                         arg_ipc = 1;
                 else if (strncmp(argv[i], "--cpu=", 6) == 0)
                         read_cpu_list(argv[i] + 6);
+                else if (strncmp(argv[i], "--nice=", 7) == 0) {
+                        cfg.nice = atoi(argv[i] + 7);
+                        arg_nice = 1;
+                }
                 else if (strncmp(argv[i], "--cgroup=", 9) == 0) {
                         if (arg_cgroup) {
                                 fprintf(stderr, "Error: only a cgroup can be defined\n");
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index bbec17447..e0de69e5e 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -290,6 +290,13 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 return 0;
         }
         
+        // nice value
+        if (strncmp(ptr, "nice ", 4) == 0) {
+                cfg.nice = atoi(ptr + 5);
+                arg_nice = 1;
+                return 0;
+        }
+
         // cgroup
         if (strncmp(ptr, "cgroup ", 7) == 0) {
                 set_cgroup(ptr + 7);
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 85f65b610..1ba655301 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -27,6 +27,7 @@
 #include <sys/resource.h>
 #include <sys/types.h>
 #include <dirent.h>
+#include <errno.h>
 
 #include <sched.h>
 #ifndef CLONE_NEWUSER
@@ -582,6 +583,18 @@ int sandbox(void* sandbox_arg) {
         // set user-supplied environment variables
         env_apply();
 
+        // set nice
+        if (arg_nice) {
+                errno = 0;
+                int rv = nice(cfg.nice);
+                (void) rv;
+printf("nice rv %d\n", rv);             
+                if (errno) {
+                        fprintf(stderr, "Warning: cannot set nice value\n");
+                        errno = 0;
+                }
+        }
+        
         //****************************
         // set security filters
         //****************************
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index fa48c55cf..33724c80f 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -178,6 +178,7 @@ void usage(void) {
         printf("\t--netstats - monitor network statistics for sandboxes creating a new\n");
         printf("\t\tnetwork namespace.\n\n");
 #endif
+        printf("\t--nice=value - set nice value\n\n");
         printf("\t--noblacklist=dirname_or_filename - disable blacklist for directory\n");
         printf("\t\tor file.\n\n");
         printf("\t--nogroups - disable supplementary groups. Without this option,\n");
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 20fd731e1..3ebb11549 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -228,6 +228,10 @@ Set the CPU cores available for this sandbox using \fBcpu\fR command. Examples:
 cpu 1,2,3
 Use only CPU cores 0, 1 and 2.
 
+.TP
+nice -5
+Set a nice value of -5 to all processes running inside the sandbox.
+
 .SH Control Groups
 Place the sandbox in an existing control group specified by the full path of the task file using \fBcgroup\fR. Example:
 
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 784f1583e..bdd1bb1f6 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -761,6 +761,16 @@ PID  User    RX(KB/s) TX(KB/s) Command
 .br
 7383 netblue 9.045    0.112    firejail \-\-net=eth0 transmission
 
+.TP
+\fB\-\-nice=value
+Set nice value for all processes running inside the sandbox.
+.br
+
+.br
+Example:
+.br
+$ firejail --nice=-5 firefox
+
 
 .TP
 \fB\-\-noblacklist=dirname_or_filename
diff --git a/test/nice.exp b/test/nice.exp
new file mode 100755
index 000000000..f4afb547d
--- /dev/null
+++ b/test/nice.exp
@@ -0,0 +1,80 @@
+#!/usr/bin/expect -f
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --nice=15\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+send -- "top -b -n 1\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "netblue"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "15"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "bash"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "netblu"
+}
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "15"
+}
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "top"
+}
+
+sleep 1
+send -- "exit\r"
+sleep 1
+
+send -- "firejail --profile=nice.profile\r"
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+send -- "top -b -n 1\r"
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "netblue"
+}
+expect {
+        timeout {puts "TESTING ERROR 12\n";exit}
+        "15"
+}
+expect {
+        timeout {puts "TESTING ERROR 13\n";exit}
+        "bash"
+}
+expect {
+        timeout {puts "TESTING ERROR 14\n";exit}
+        "netblu"
+}
+expect {
+        timeout {puts "TESTING ERROR 15\n";exit}
+        "15"
+}
+expect {
+        timeout {puts "TESTING ERROR 16\n";exit}
+        "top"
+}
+
+
+
+puts "\nall done\n"
+
diff --git a/test/nice.profile b/test/nice.profile
new file mode 100644
index 000000000..d02c8f58b
--- /dev/null
+++ b/test/nice.profile
@@ -0,0 +1 @@
+nice 15
diff --git a/test/test.sh b/test/test.sh
index ca7152b55..923a9b390 100755
--- a/test/test.sh
+++ b/test/test.sh
@@ -6,6 +6,9 @@
 
 ./fscheck.sh
 
+echo "TESTING: nice"
+./nice.exp
+
 echo "TESTING: protocol"
 ./protocol.exp