Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add PID namespace support #64

Merged
merged 10 commits into from
Nov 29, 2023
Merged

Add PID namespace support #64

merged 10 commits into from
Nov 29, 2023

Conversation

cd-work
Copy link
Collaborator

@cd-work cd-work commented Nov 28, 2023

This patch changes the API to require spawning a new process to enable
the sandbox. This is necessary because PID namespaces on Linux only take
effect for new processes.

As a result, the new process will be created as PID 1 without access to
any other process through system calls like kill or the procfs
filesystem interface.

This fixes a gap in Birdcage's environment variable isolation where it
was still possible to read the unsandboxed environment from
/proc/self/environ.

Since the new process takes on the responsibility of PID 1 in the new
namespace, it will automatically be made parent for any orphaned
process. Currently these processes will remain zombies until the
sandboxed process is shut down.

This patch changes the API to require spawning a new process to enable
the sandbox. This is necessary because PID namespaces on Linux only take
effect for new processes.

As a result, the new process will be created as PID 1 without access to
any other process through system calls like `kill` or the `procfs`
filesystem interface.

This fixes a gap in Birdcage's environment variable isolation where it
was still possible to read the unsandboxed environment from
`/proc/self/environ`.

Since the new process takes on the responsibility of PID 1 in the new
namespace, it will automatically be made parent for any orphaned
process. Currently these processes will remain zombies until the
sandboxed process is shut down.
@cd-work cd-work requested a review from kylewillmon November 28, 2023 15:14
@@ -41,28 +44,74 @@ impl Sandbox for LinuxSandbox {
Ok(self)
}

fn lock(self) -> Result<()> {
fn spawn(self, mut sandboxee: Command) -> Result<Child> {
Copy link

@mrcnski mrcnski Nov 29, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggestion, maybe there could be an API for running some sandboxed code in the child, instead of an external process (Command). I mean, previously, you could call lock and then keep running your Rust program. That becomes harder to do now AFAICT. Maybe there could be a function similar to spawn except that it takes a callback, similar to nix::clone.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah I originally planned to use the clone system call but avoided it for now so this PR wouldn't be bloated up by custom stdout/err/in buffer passing.

Even though macOS doesn't really allow for it as far as I know, I plan to get the Linux sandbox into a state where it does not affect the calling process at all and can be spawned from multi-threaded applications.

integration/exec_symlinked_dir.rs Show resolved Hide resolved
integration/net.rs Outdated Show resolved Hide resolved
src/linux/mod.rs Outdated Show resolved Hide resolved
src/linux/mod.rs Show resolved Hide resolved
src/lib.rs Outdated Show resolved Hide resolved
@cd-work cd-work requested a review from kylewillmon November 29, 2023 20:32
@cd-work cd-work merged commit d552000 into main Nov 29, 2023
10 checks passed
@cd-work cd-work deleted the pid_namespace branch November 29, 2023 21:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants