Merge remote-tracking branch 'aosp/upstream-master'
Change-Id: Ide59a09d54b24cf4753fcba68c5280e2c2b7e068
diff --git a/.gitmodules b/.gitmodules
deleted file mode 100644
index 4c3ff73..0000000
--- a/.gitmodules
+++ /dev/null
@@ -1,3 +0,0 @@
-[submodule "kafel"]
- path = kafel
- url = https://github.com/google/kafel.git
diff --git a/Android.bp b/Android.bp
new file mode 100644
index 0000000..cef4436
--- /dev/null
+++ b/Android.bp
@@ -0,0 +1,47 @@
+cc_binary_host {
+ name: "nsjail",
+ cflags: [
+ "-D_GNU_SOURCE",
+ "-Wformat",
+ "-Wformat-security",
+ "-Wno-format-nonliteral",
+ "-Wall",
+ "-Wextra",
+ "-Werror",
+ "-Wno-unused",
+ "-Wno-unused-parameter",
+ ],
+ cppflags: ["-fno-exceptions"],
+ shared_libs: ["libnl"],
+ srcs: [
+ "caps.cc",
+ "cgroup.cc",
+ "cgroup2.cc",
+ "cmdline.cc",
+ "config.cc",
+ "contain.cc",
+ "cpu.cc",
+ "logs.cc",
+ "mnt.cc",
+ "net.cc",
+ "nsjail.cc",
+ "pid.cc",
+ "subproc.cc",
+ "uts.cc",
+ "user.cc",
+ "util.cc",
+
+ "sandbox_no_kafel.cc",
+
+ "config.proto",
+ ],
+ proto: {
+ type: "full",
+ },
+
+ target: {
+ darwin: {
+ enabled: false,
+ },
+ },
+}
diff --git a/METADATA b/METADATA
new file mode 100644
index 0000000..3211db4
--- /dev/null
+++ b/METADATA
@@ -0,0 +1,18 @@
+name: "nsjail"
+description:
+ "A light-weight process isolation tool, making use of Linux namespaces and "
+ "seccomp-bpf syscall filters (with help of the kafel bpf language)"
+
+third_party {
+ url {
+ type: HOMEPAGE
+ value: "http://nsjail.com"
+ }
+ url {
+ type: GIT
+ value: "https://github.com/google/nsjail"
+ }
+ version: "6483728e2490c1fc497a81bba5682515eb489cf8"
+ last_upgrade_date { year: 2022 month: 3 day: 29 }
+ license_type: NOTICE
+}
diff --git a/MODULE_LICENSE_APACHE2 b/MODULE_LICENSE_APACHE2
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/MODULE_LICENSE_APACHE2
diff --git a/NOTICE b/NOTICE
new file mode 120000
index 0000000..7a694c9
--- /dev/null
+++ b/NOTICE
@@ -0,0 +1 @@
+LICENSE
\ No newline at end of file
diff --git a/OWNERS b/OWNERS
new file mode 100644
index 0000000..e9105c2
--- /dev/null
+++ b/OWNERS
@@ -0,0 +1 @@
+dwillemsen@google.com
diff --git a/caps.cc b/caps.cc
index ca5745b..2c1c23a 100644
--- a/caps.cc
+++ b/caps.cc
@@ -21,6 +21,7 @@
#include "caps.h"
+#include <errno.h>
#include <linux/capability.h>
#include <string.h>
#include <sys/prctl.h>
diff --git a/kafel b/kafel
deleted file mode 160000
index 00532cc..0000000
--- a/kafel
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit 00532cc1ee142355c2db8a58001bcc669893cff8
diff --git a/sandbox_no_kafel.cc b/sandbox_no_kafel.cc
new file mode 100644
index 0000000..16cce8f
--- /dev/null
+++ b/sandbox_no_kafel.cc
@@ -0,0 +1,52 @@
+/*
+
+ nsjail - seccomp-bpf sandboxing
+ -----------------------------------------
+
+ Copyright 2014 Google Inc. All Rights Reserved.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+
+#include "sandbox.h"
+
+#include <stddef.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#include "logs.h"
+
+namespace sandbox {
+
+bool applyPolicy(nsjconf_t* nsjconf) {
+ if (nsjconf->kafel_file_path.empty() && nsjconf->kafel_string.empty()) {
+ return true;
+ }
+
+ PLOG_E("kafel support not included");
+ return false;
+}
+
+bool preparePolicy(nsjconf_t* nsjconf) {
+ if (nsjconf->kafel_file_path.empty() && nsjconf->kafel_string.empty()) {
+ return true;
+ }
+
+ PLOG_E("kafel support not included");
+ return false;
+}
+
+void closePolicy(nsjconf_t* nsjconf) {}
+
+} // namespace sandbox