Add PID namespace support #64
Conversation
This patch changes the API to require spawning a new process to enable the sandbox. This is necessary because PID namespaces on Linux only take effect for new processes. As a result, the new process will be created as PID 1 without access to any other process through system calls like `kill` or the `procfs` filesystem interface. This fixes a gap in Birdcage's environment variable isolation where it was still possible to read the unsandboxed environment from `/proc/self/environ`. Since the new process takes on the responsibility of PID 1 in the new namespace, it will automatically be made parent for any orphaned process. Currently these processes will remain zombies until the sandboxed process is shut down.
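The two behaviours the description relies on, shown as an added example (not Birdcage's own code): a process that drops a variable at runtime still exposes its exec-time copy through procfs, a freshly spawned process with the variable stripped beforehand does not, and a process started inside a new PID namespace sees itself as PID 1. It uses only the Rust standard library plus `/bin/sh`, `/proc` and util-linux `unshare`, and assumes a Linux host; the variable name `BIRDCAGE_DEMO_SECRET` and its value are constructed for the demo. The PID namespace probe returns `None` where user namespaces are disallowed, so the other checks still run in a restricted environment.

```rust
use std::io;
use std::process::Command;

// Constructed for this example; not a variable Birdcage uses.
const VAR: &str = "BIRDCAGE_DEMO_SECRET";
const VALUE: &str = "hunter2";

/// True if a NUL-separated environ dump contains VAR.
fn contains_var(environ: &[u8]) -> bool {
    let prefix = format!("{VAR}=");
    environ
        .split(|&b| b == 0)
        .any(|entry| entry.starts_with(prefix.as_bytes()))
}

/// The gap: the shell receives VAR, unsets it at runtime, then dumps its
/// own exec-time environment region via /proc/<pid>/environ. `unset` only
/// edits the shell's variable table; the region the kernel exposes is the
/// one set up at exec, so VAR is still visible there.
/// `cat` is deliberately not the last command, so the shell forks for it
/// and `$$` still names the shell itself.
fn leaks_after_runtime_unset() -> io::Result<bool> {
    let out = Command::new("sh")
        .arg("-c")
        .arg(format!("unset {VAR}; cat /proc/$$/environ; exit 0"))
        .env(VAR, VALUE)
        .output()?;
    Ok(contains_var(&out.stdout))
}

/// The fix: strip VAR before the process exists, so it never reaches the
/// new process's environ region at all.
fn fresh_process_has_no_copy() -> io::Result<bool> {
    let out = Command::new("sh")
        .arg("-c")
        .arg("cat /proc/$$/environ; exit 0")
        .env(VAR, VALUE)
        .env_remove(VAR)
        .output()?;
    Ok(contains_var(&out.stdout))
}

/// Start a shell as the first process of a new PID namespace (via a new
/// user namespace, so no privileges are needed) and report the PID it
/// sees for itself. Returns None if `unshare` is missing or the kernel or
/// container policy refuses the namespaces.
fn pid_seen_inside_new_pid_namespace() -> Option<u32> {
    let out = Command::new("unshare")
        .args(["--user", "--pid", "--fork", "sh", "-c", "echo $$"])
        .output()
        .ok()?;
    if !out.status.success() {
        return None;
    }
    String::from_utf8_lossy(&out.stdout).trim().parse().ok()
}

fn main() -> io::Result<()> {
    println!(
        "secret still in /proc/<pid>/environ after runtime unset: {}",
        leaks_after_runtime_unset()?
    );
    println!(
        "secret present when stripped before spawn: {}",
        fresh_process_has_no_copy()?
    );
    match pid_seen_inside_new_pid_namespace() {
        Some(pid) => println!("first process in new PID namespace sees itself as PID {pid}"),
        None => println!("new PID namespace not available here"),
    }
    Ok(())
}
```

Expected on an unrestricted Linux host: the first check prints `true`, the second `false`, and the namespace probe reports PID 1.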
@@ -41,28 +44,74 @@ impl Sandbox for LinuxSandbox { | |||
Ok(self) | |||
} | |||
|
|||
fn lock(self) -> Result<()> { | |||
fn spawn(self, mut sandboxee: Command) -> Result<Child> { |
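Review bot: Replacing `fn lock(self) -> Result<()>` with `fn spawn(self, mut sandboxee: Command) -> Result<Child>` is a breaking change to the public sandbox API, so the doc comment on `spawn` and the changelog should say what the description says: the child is PID 1 of a fresh PID namespace, orphaned descendants get reparented to it, and they stay zombies until it exits. Since the caller now receives a `Child`, the docs should also make clear that the caller is responsible for waiting on it.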
Suggestion, maybe there could be an API for running some sandboxed code in the child, instead of an external process (`Command`). I mean, previously, you could call `lock` and then keep running your Rust program. That becomes harder to do now AFAICT. Maybe there could be a function similar to `spawn` except that it takes a callback, similar to `nix::clone`.
Yeah I originally planned to use the `clone` system call but avoided it for now so this PR wouldn't be bloated up by custom stdout/err/in buffer passing.
Even though macOS doesn't really allow for it as far as I know, I plan to get the Linux sandbox into a state where it does not affect the calling process at all and can be spawned from multi-threaded applications.
02b1d44 to 1d11cd7