From 8fdc4029ad9bd2489aa0266bbbcaefac4fb239d1 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Thu, 11 Feb 2016 09:03:35 -0500
Subject: set sandbox nice value

---
 README.md | 12 ++++++-
 RELNOTES | 1 +
 src/firejail/firejail.h | 4 ++-
 src/firejail/main.c | 6 +++-
 src/firejail/profile.c | 7 ++++
 src/firejail/sandbox.c | 13 +++++++
 src/firejail/usage.c | 1 +
 src/man/firejail-profile.txt | 4 +++
 src/man/firejail.txt | 10 ++++++
 test/nice.exp | 80 ++++++++++++++++++++++++++++++++++++++++++++
 test/nice.profile | 1 +
 test/test.sh | 3 ++
 12 files changed, 139 insertions(+), 3 deletions(-)
 create mode 100755 test/nice.exp
 create mode 100644 test/nice.profile

diff --git a/README.md b/README.md
index 625df6554..5f3ffbd8a 100644
--- a/README.md
+++ b/README.md
@@ -68,4 +68,14 @@ The current netfilter configuration (--netfilter option) looks like this:
 The filter is loaded by default for Firefox if a network namespace is configured:
 `````
 $ firejail --net=eth0 firefox
-`````
\ No newline at end of file
+`````
+
+## Set sandbox nice value
+`````
+ --nice=value
+ Set nice value for all processes running inside the sandbox.
+
+ Example:
+ $ firejail --nice=-5 firefox
+`````
+
diff --git a/RELNOTES b/RELNOTES
index 9e9a40bdc..9b025d423 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -2,6 +2,7 @@ firejail (0.9.39) baseline; urgency=low
 * work in progress!
 * default seccomp filter update
 * disable STUN/WebRTC in default netfilter configuration
+ * added --nice optoin
 * bugfixes
 -- netblue30 Tue, 8 Feb 2016 10:00:00 -0500
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 90c3589d9..feb6854fc 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -157,8 +157,9 @@ typedef struct config_t {
 unsigned rlimit_fsize;
 unsigned rlimit_sigpending;
- // cpu affinity and control groups
+ // cpu affinity, nice and control groups
 uint32_t cpus;
+ int nice;
 char *cgroup;
@@ -231,6 +232,7 @@ extern int arg_nosound; // disable sound
 extern int arg_quiet; // no output for scripting
 extern int arg_join_network; // join only the network namespace
 extern int arg_join_filesystem; // join only the mount namespace
+extern int arg_nice; // nice value configured
 extern int parent_to_child_fds[2];
 extern int child_to_parent_fds[2];
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 5b88481d1..2f64d2268 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -92,7 +92,7 @@ int arg_nosound = 0; // disable sound
 int arg_quiet = 0; // no output for scripting
 int arg_join_network = 0; // join only the network namespace
 int arg_join_filesystem = 0; // join only the mount namespace
-
+int arg_nice = 0; // nice value configured
 int parent_to_child_fds[2];
 int child_to_parent_fds[2];
@@ -678,6 +678,10 @@ int main(int argc, char **argv) {
 arg_ipc = 1;
 else if (strncmp(argv[i], "--cpu=", 6) == 0)
 read_cpu_list(argv[i] + 6);
+ else if (strncmp(argv[i], "--nice=", 7) == 0) {
+ cfg.nice = atoi(argv[i] + 7);
+ arg_nice = 1;
+ }
 else if (strncmp(argv[i], "--cgroup=", 9) == 0) {
 if (arg_cgroup) {
 fprintf(stderr, "Error: only a cgroup can be defined\n");
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index bbec17447..e0de69e5e 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -290,6 +290,13 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 return 0;
 }
+ // nice value
+ if (strncmp(ptr, "nice ", 4) == 0) {
+ cfg.nice = atoi(ptr + 5);
+ arg_nice = 1;
+ return 0;
+ }
+
 // cgroup
 if (strncmp(ptr, "cgroup ", 7) == 0) {
 set_cgroup(ptr + 7);
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 85f65b610..1ba655301 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -27,6 +27,7 @@
 #include
 #include
 #include
+#include
 #include
 #ifndef CLONE_NEWUSER
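Review bot: `cfg.nice = atoi(argv[i] + 7);` in the new `--nice=` branch accepts anything: `--nice=abc` silently becomes 0 with arg_nice still set, a number that does not fit an int is undefined behaviour inside atoi, and a value outside the -20..19 range Linux supports is handed on unchecked. Parse with strtol, reject trailing garbage and range errors with the same `fprintf(stderr, "Error: ...")` / `exit(1)` pattern the neighbouring `--cgroup=` branch already uses, and refuse out-of-range values there instead of letting the child discover them (this needs `<errno.h>` if main.c does not already include it). The `nice ` profile keyword in profile.c does the same unvalidated atoi on `ptr + 5` and deserves the same check. main() begins and ends outside the hunk.
```c
		else if (strncmp(argv[i], "--nice=", 7) == 0) {
			// strtol reports malformed or out-of-range input; atoi cannot
			errno = 0;
			char *end;
			long v = strtol(argv[i] + 7, &end, 10);
			if (end == argv[i] + 7 || *end != '\0' || errno == ERANGE || v < -20 || v > 19) {
				fprintf(stderr, "Error: invalid nice value, expected a number between -20 and 19\n");
				exit(1);
			}
			cfg.nice = (int) v;
			arg_nice = 1;
		}
```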
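Review bot: `strncmp(ptr, "nice ", 4)` compares only the four characters of "nice", so the space the literal implies is never required: a profile line consisting of just `nice` matches, and `ptr + 5` is then one byte past the terminating NUL, so `atoi` reads out of bounds; a line like `nice5` matches too and yields 0. The length should be the literal's length, as the `"cgroup ", 7` comparison right below does: `if (strncmp(ptr, "nice ", 5) == 0) {`. The `atoi(ptr + 5)` itself has the same missing number and range validation as the `--nice=` branch in main.c, and a profile file is input that should get the same check. profile_check_line() begins and ends outside the hunk.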
@@ -582,6 +583,18 @@ int sandbox(void* sandbox_arg) {
 // set user-supplied environment variables
 env_apply();
+ // set nice
+ if (arg_nice) {
+ errno = 0;
+ int rv = nice(cfg.nice);
+ (void) rv;
+printf("nice rv %d\n", rv);
+ if (errno) {
+ fprintf(stderr, "Warning: cannot set nice value\n");
+ errno = 0;
+ }
+ }
+
 //****************************
 // set security filters
 //****************************
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index fa48c55cf..33724c80f 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -178,6 +178,7 @@ void usage(void) {
 printf("\t--netstats - monitor network statistics for sandboxes creating a new\n");
 printf("\t\tnetwork namespace.\n\n");
 #endif
+ printf("\t--nice=value - set nice value\n\n");
 printf("\t--noblacklist=dirname_or_filename - disable blacklist for directory\n");
 printf("\t\tor file.\n\n");
 printf("\t--nogroups - disable supplementary groups. Without this option,\n");
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 20fd731e1..3ebb11549 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -228,6 +228,10 @@ Set the CPU cores available for this sandbox using \fBcpu\fR command. Examples:
 cpu 1,2,3
 Use only CPU cores 0, 1 and 2.
+.TP
+nice -5
+Set a nice value of -5 to all processes running inside the sandbox.
+
 .SH Control Groups
 Place the sandbox in an existing control group specified by the full path of the task file using \fBcgroup\fR. Example:
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 784f1583e..bdd1bb1f6 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -761,6 +761,16 @@ PID User RX(KB/s) TX(KB/s) Command
 .br
 7383 netblue 9.045 0.112 firejail \-\-net=eth0 transmission
+.TP
+\fB\-\-nice=value
+Set nice value for all processes running inside the sandbox.
+.br
+
+.br
+Example:
+.br
+$ firejail --nice=-5 firefox
+
 .TP
 \fB\-\-noblacklist=dirname_or_filename
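Review bot: The unindented `printf("nice rv %d\n", rv);` looks like leftover debugging: it writes to the sandboxed program's stdout on every run and contradicts the `(void) rv;` immediately above it, so it should go. Beyond that, `nice(cfg.nice)` adds an increment to the process's current nice value rather than setting it, while the option, the profile keyword and both man pages describe an absolute value; `setpriority(PRIO_PROCESS, 0, cfg.nice)` (from `<sys/resource.h>`) sets it outright and reports failure through its -1 return, which also removes the errno pre-clearing dance around `nice()`. If sandbox() is still running with root privileges at this point — the privilege drop appears to happen later in the function, outside the hunk — a negative value gives an unprivileged caller a scheduling priority the kernel would otherwise refuse it, so the parent should reject negative values unless the invoking user is permitted to set them (real uid 0, or within its RLIMIT_NICE). sandbox() begins and ends outside the hunk.
```c
	// set nice
	if (arg_nice) {
		// setpriority() stores the absolute value; nice() would only add an increment
		if (setpriority(PRIO_PROCESS, 0, cfg.nice) == -1) {
			fprintf(stderr, "Warning: cannot set nice value\n");
			errno = 0;
		}
	}
	// … unchanged: security filters follow …
```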
diff --git a/test/nice.exp b/test/nice.exp
new file mode 100755
index 000000000..f4afb547d
--- /dev/null
+++ b/test/nice.exp
@@ -0,0 +1,80 @@
+#!/usr/bin/expect -f
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --nice=15\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Child process initialized"
+}
+sleep 1
+
+send -- "top -b -n 1\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "netblue"
+}
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "15"
+}
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ "bash"
+}
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "netblu"
+}
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ "15"
+}
+expect {
+ timeout {puts "TESTING ERROR 6\n";exit}
+ "top"
+}
+
+sleep 1
+send -- "exit\r"
+sleep 1
+
+send -- "firejail --profile=nice.profile\r"
+expect {
+ timeout {puts "TESTING ERROR 10\n";exit}
+ "Child process initialized"
+}
+sleep 1
+
+send -- "top -b -n 1\r"
+expect {
+ timeout {puts "TESTING ERROR 11\n";exit}
+ "netblue"
+}
+expect {
+ timeout {puts "TESTING ERROR 12\n";exit}
+ "15"
+}
+expect {
+ timeout {puts "TESTING ERROR 13\n";exit}
+ "bash"
+}
+expect {
+ timeout {puts "TESTING ERROR 14\n";exit}
+ "netblu"
+}
+expect {
+ timeout {puts "TESTING ERROR 15\n";exit}
+ "15"
+}
+expect {
+ timeout {puts "TESTING ERROR 16\n";exit}
+ "top"
+}
+
+
+
+puts "\nall done\n"
+
diff --git a/test/nice.profile b/test/nice.profile
new file mode 100644
index 000000000..d02c8f58b
--- /dev/null
+++ b/test/nice.profile
@@ -0,0 +1 @@
+nice 15
diff --git a/test/test.sh b/test/test.sh
index ca7152b55..923a9b390 100755
--- a/test/test.sh
+++ b/test/test.sh
@@ -6,6 +6,9 @@
 ./fscheck.sh
+echo "TESTING: nice"
+./nice.exp
+
 echo "TESTING: protocol"
 ./protocol.exp
-- 
cgit v1.2.3-70-g09d2
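Review bot: The `expect { ... "15" }` blocks match the bare string "15" anywhere in top's output after "netblue", which a PID, a memory column or the uptime line can satisfy just as well as the NI column, and the user name netblue is hardcoded, so the test passes or fails for reasons unrelated to the nice value. Anchoring each expectation on one complete top line — user, the NI field and the command in a single pattern — and taking the user from `$env(USER)` would make it test what it claims. Because the spawned shell presumably starts at nice 0, the test also cannot tell an increment of 15 apart from an absolute value of 15, so it would not catch a regression in that semantics.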