sandbox: move to C++

Makefile

@@ -35,8 +35,8 @@ LDFLAGS += -pie -Wl,-z,noexecstack -lpthread $(shell pkg-config --libs protobuf)
 
 BIN = nsjail
 LIBS = kafel/libkafel.a
-SRCS_C = caps.c log.c cgroup.c mount.c net.c pid.c sandbox.c user.c util.c uts.c cpu.c
-SRCS_CXX = cmdline.cc config.cc contain.cc nsjail.cc subproc.cc
+SRCS_C = caps.c log.c cgroup.c mount.c net.c pid.c user.c util.c uts.c cpu.c
+SRCS_CXX = cmdline.cc config.cc contain.cc nsjail.cc sandbox.cc subproc.cc
 SRCS_PROTO = config.proto
 SRCS_PB_CXX = $(SRCS_PROTO:.proto=.pb.cc)
 SRCS_PB_H = $(SRCS_PROTO:.proto=.pb.h)
@@ -103,17 +103,17 @@ cgroup.o: cgroup.h nsjail.h log.h util.h
 mount.o: mount.h nsjail.h common.h log.h subproc.h util.h
 net.o: net.h nsjail.h log.h subproc.h
 pid.o: pid.h nsjail.h log.h subproc.h
-sandbox.o: sandbox.h nsjail.h kafel/include/kafel.h log.h
 user.o: user.h nsjail.h common.h log.h subproc.h util.h
 util.o: util.h nsjail.h common.h log.h
 uts.o: uts.h nsjail.h log.h
 cpu.o: cpu.h nsjail.h log.h util.h
-cmdline.o: cmdline.h nsjail.h caps.h common.h log.h mount.h sandbox.h user.h
-cmdline.o: util.h config.h
+cmdline.o: cmdline.h nsjail.h caps.h common.h log.h mount.h user.h util.h
+cmdline.o: config.h sandbox.h
 config.o: common.h caps.h nsjail.h config.h log.h mount.h user.h util.h
 config.o: cmdline.h
 contain.o: contain.h nsjail.h caps.h cgroup.h cpu.h log.h mount.h net.h pid.h
 contain.o: user.h uts.h
 nsjail.o: nsjail.h cmdline.h common.h log.h net.h subproc.h util.h
-subproc.o: subproc.h nsjail.h contain.h cgroup.h common.h log.h net.h
-subproc.o: sandbox.h user.h util.h
+sandbox.o: sandbox.h nsjail.h kafel/include/kafel.h log.h
+subproc.o: subproc.h nsjail.h contain.h sandbox.h cgroup.h common.h log.h
+subproc.o: net.h user.h util.h

cmdline.cc

@@ -49,12 +49,12 @@ extern "C" {
 #include "common.h"
 #include "log.h"
 #include "mount.h"
-#include "sandbox.h"
 #include "user.h"
 #include "util.h"
 }
 
 #include "config.h"
+#include "sandbox.h"
 
 namespace cmdline {
 
@@ -859,7 +859,7 @@ std::unique_ptr<struct nsjconf_t> parseArgs(int argc, char* argv[]) {
 		}
 	}
 
-	if (!sandboxPrepare(nsjconf.get())) {
+	if (!sandbox::preparePolicy(nsjconf.get())) {
 		LOG_E("Couldn't prepare sandboxing setup");
 		return nullptr;
 	}

sandbox.c → sandbox.cc

@@ -26,14 +26,18 @@
 #include <stddef.h>
 #include <sys/prctl.h>
 
+extern "C" {
 #include "kafel.h"
 #include "log.h"
+}
+
+namespace sandbox {
 
 #ifndef PR_SET_NO_NEW_PRIVS /* in prctl.h since Linux 3.5 */
 #define PR_SET_NO_NEW_PRIVS 38
 #endif /* PR_SET_NO_NEW_PRIVS */
 
-static bool sandboxPrepareAndCommit(struct nsjconf_t* nsjconf) {
+static bool prepareAndCommit(struct nsjconf_t* nsjconf) {
 	if (nsjconf->kafel_file_path == NULL && nsjconf->kafel_string == NULL) {
 		return true;
 	}
@@ -49,9 +53,9 @@ static bool sandboxPrepareAndCommit(struct nsjconf_t* nsjconf) {
 	return true;
 }
 
-bool sandboxApply(struct nsjconf_t* nsjconf) { return sandboxPrepareAndCommit(nsjconf); }
+bool applyPolicy(struct nsjconf_t* nsjconf) { return prepareAndCommit(nsjconf); }
 
-bool sandboxPrepare(struct nsjconf_t* nsjconf) {
+bool preparePolicy(struct nsjconf_t* nsjconf) {
 	if (nsjconf->kafel_file_path == NULL && nsjconf->kafel_string == NULL) {
 		return true;
 	}
@@ -82,3 +86,5 @@ bool sandboxPrepare(struct nsjconf_t* nsjconf) {
 	kafel_ctxt_destroy(&ctxt);
 	return true;
 }
+
+}  // namespace sandbox

sandbox.h

@@ -26,7 +26,11 @@
 
 #include "nsjail.h"
 
-bool sandboxApply(struct nsjconf_t* nsjconf);
-bool sandboxPrepare(struct nsjconf_t* nsjconf);
+namespace sandbox {
+
+bool applyPolicy(struct nsjconf_t* nsjconf);
+bool preparePolicy(struct nsjconf_t* nsjconf);
+
+}  // namespace sandbox
 
 #endif /* NS_SANDBOX_H */

subproc.cc

@@ -43,13 +43,13 @@
 #include <unistd.h>
 
 #include "contain.h"
+#include "sandbox.h"
 
 extern "C" {
 #include "cgroup.h"
 #include "common.h"
 #include "log.h"
 #include "net.h"
-#include "sandbox.h"
 #include "user.h"
 #include "util.h"
 
@@ -179,7 +179,7 @@ static int subprocNewProc(
 	}
 
 	/* Should be the last one in the sequence */
-	if (sandboxApply(nsjconf) == false) {
+	if (sandbox::applyPolicy(nsjconf) == false) {
 		exit(0xff);
 	}