Invalid Argument - clone(flags=CLONE_NEWNS|CLONE_NEWCGROUP|CLONE_NEWUTS|CLONE_NEWIPC|CLONE_NEWUSER|CLONE_NEWPID) failed

[ndeloney0]

Hi,

I am trying to run nsjail with a very simple python script and am getting the following:

Mode: STANDALONE_ONCE\n[I][2024-06-16T03:25:03+0000] 
Jail parameters: hostname:'python', chroot:'', process:'python3', bind:[::]:0, max_conns:0, max_conns_per_ip:0, time_limit:900, personality:0, daemonize:false, clone_newnet:false, clone_newuser:true, clone_newns:true, clone_newpid:true, clone_newipc:true, clone_newuts:true, clone_newcgroup:true, clone_newtime:false, keep_caps:false, disable_no_new_privs:false, max_cpus:0\n[I][2024-06-16T03:25:03+0000]
Mount: '/' flags:MS_RDONLY type:'tmpfs' options:'' dir:true\n[I][2024-06-16T03:25:03+0000] 
Mount: '/' -> '/' flags:MS_RDONLY|MS_BIND|MS_REC|MS_PRIVATE type:'' options:'' dir:true\n[I][2024-06-16T03:25:03+0000] 
Mount: '/app' -> '/app' flags:MS_BIND|MS_REC|MS_PRIVATE type:'' options:'' dir:true\n[I][2024-06-16T03:25:03+0000] Mount: '/tmp' -> '/tmp' flags:MS_BIND|MS_REC|MS_PRIVATE type:'' options:'' dir:true\n[I][2024-06-16T03:25:03+0000] Uid map: inside_uid:0 outside_uid:0 count:1 newuidmap:false\n[W][2024-06-16T03:25:03+0000][6] 
logParams():313 Process will be UID/EUID=0 in the global user namespace, and will have user root-level access to files\n[I][2024-06-16T03:25:03+0000] 
Gid map: inside_gid:0 outside_gid:0 count:1 newgidmap:false\n[W][2024-06-16T03:25:03+0000][6] 
logParams():323 Process will be GID/EGID=0 in the global user namespace, and will have group root-level access to files\n[W][2024-06-16T03:25:03+0000][6] 

The last lines seem to be the error:

runChild():491 clone(flags=CLONE_NEWNS|CLONE_NEWCGROUP|CLONE_NEWUTS|CLONE_NEWIPC|CLONE_NEWUSER|CLONE_NEWPID) failed: Invalid argument\n[E][2024-06-16T03:25:03+0000][6] 
standaloneMode():275 Couldn't launch the child process\n"}

I have seen similar issues such as #111 and have tried adding this --disable_clone_newcgroup flag, but it doesn't seem to help. Any advice on how I can proceed?

[rohangrg]

I am facing same issue.

[okunz]

I couldn't replicate this at the moment on my machine. Can you please post the following:

• nsjail configuration (or command line)
• full log output with --verbose

[ndeloney0]

@okunz Yes, here is the nsjail.cfg:

mode: ONCE
hostname: "python"
time_limit: 900

rlimit_as: 2048
rlimit_cpu: 1000
rlimit_fsize: 1024
rlimit_nofile: 64

# Mounts
mount {
    src: "/"
    dst: "/"
    is_bind: true
    rw: false
}
mount {
    src: "/app"
    dst: "/app"
    is_bind: true
    rw: true
}
mount {
    src: "/tmp"
    dst: "/tmp"
    is_bind: true
    rw: true
}

clone_newnet: false

This is how I am executing the script:

# main.py
result = subprocess.run(
    [
        "nsjail",
        "--config",
        "nsjail.cfg",
        "--",
        "python3",
        "user_script.py",
        "--disable_clone_newcgroup",
        "--verbose",
    ],
    capture_output=True,
    text=True,
)

And this is the full log output after adding --verbose:

[I][2024-06-17T14:01:35+0000] Mode: STANDALONE_ONCE\n[I][2024-06-17T14:01:35+0000] Jail parameters: hostname:'python', chroot:'', process:'python3', bind:[::]:0, max_conns:0, max_conns_per_ip:0, time_limit:900, personality:0, daemonize:false, clone_newnet:false, clone_newuser:true, clone_newns:true, clone_newpid:true, clone_newipc:true, clone_newuts:true, clone_newcgroup:true, clone_newtime:false, keep_caps:false, disable_no_new_privs:false, max_cpus:0\n
[I][2024-06-17T14:01:35+0000] Mount: '/' flags:MS_RDONLY type:'tmpfs' options:'' dir:true\n
[I][2024-06-17T14:01:35+0000] Mount: '/' -> '/' flags:MS_RDONLY|MS_BIND|MS_REC|MS_PRIVATE type:'' options:'' dir:true\n
[I][2024-06-17T14:01:35+0000] Mount: '/app' -> '/app' flags:MS_BIND|MS_REC|MS_PRIVATE type:'' options:'' dir:true\n
[I][2024-06-17T14:01:35+0000] Mount: '/tmp' -> '/tmp' flags:MS_BIND|MS_REC|MS_PRIVATE type:'' options:'' dir:true\n
[I][2024-06-17T14:01:35+0000] Uid map: inside_uid:0 outside_uid:0 count:1 newuidmap:false\n
[W][2024-06-17T14:01:35+0000][6] logParams():313 Process will be UID/EUID=0 in the global user namespace, and will have user root-level access to files\n
[I][2024-06-17T14:01:35+0000] Gid map: inside_gid:0 outside_gid:0 count:1 newgidmap:false\n
[W][2024-06-17T14:01:35+0000][6] logParams():323 Process will be GID/EGID=0 in the global user namespace, and will have group root-level access to files\n
[W][2024-06-17T14:01:35+0000][6] runChild():491 clone(flags=CLONE_NEWNS|CLONE_NEWCGROUP|CLONE_NEWUTS|CLONE_NEWIPC|CLONE_NEWUSER|CLONE_NEWPID) failed: Invalid argument\n
[E][2024-06-17T14:01:35+0000][6] standaloneMode():275 Couldn't launch the child process\n

[okunz]

Your log output shows that something is wrong with how you invoke the nsjail. Have you tried it out by running nsjail directly on the cmdline? I suggest you try both, with the config file and if that doesn't work then also by using the cmdline args (to ensure it's not also related to #229

[okunz]

Check out my response to #229. The default config values might be different when using --config.

In addition, you need to pass the parameters for nsjail before the -- which is the separator after which the passed options are treated as args for the sandboxee binary. In your case, the last two args would be considered args you pass to python3.

Further, you likely have to specify the full path of the binaries, both for nsjail and for python3 in your example.

With the points mentioned above, I could not replicate the issue that you report. I think for your debugging, try to find out what argument is reported as invalid.

[imfing]

I ran into similar issue in a non-privileged container environment. Disabling all the clone related flags work for me:

nsjail --verbose \
    --disable_clone_newnet \
    --disable_clone_newuser \
    --disable_clone_newns \
    --disable_clone_newpid \
    --disable_clone_newipc \
    --disable_clone_newuts \
    --disable_clone_newcgroup \
    python3