Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add namespace support to Linux sandbox #43

Merged
merged 11 commits into from
Sep 14, 2023
Merged

Add namespace support to Linux sandbox #43

merged 11 commits into from
Sep 14, 2023

Conversation

cd-work
Copy link
Collaborator

@cd-work cd-work commented Sep 13, 2023

The previous Linux sandbox would allow for access of abstract namespace sockets and handled network sandboxing through fragile seccomp rules.

To both simplify the code and improve our sandboxing, this patch introduces the usage of Linux namespaces to both clear the abstract namespace and create a network namespace.

It is now necessary to always lock down the sandbox in a newly created process, since user namespaces cannot be created from multi-threaded applications and require writing to /proc/self/*id_map exactly once (every following write from the same process is a permission error).

This patch completely removes all seccomp code, however some part of it might still be useful for future sandboxing improvements.

@cd-work
Add namespace support to Linux sandbox
6f82216 
The previous Linux sandbox would allow for access of abstract namespace
sockets and handled network sandboxing through fragile seccomp rules.

To both simplify the code and improve our sandboxing, this patch
introduces the usage of Linux namespaces to both clear the abstract
namespace and create a network namespace.

It is now necessary to always lock down the sandbox in a newly created
process, since user namespaces cannot be created from multi-threaded
applications and require writing to `/proc/self/*id_map` exactly once
(every following write from the same process is a permission error).

This patch completely removes all seccomp code, however some part of it
might still be useful for future sandboxing improvements.
@cd-work
Add seccomp fallback
89d0f1b 
This fixes issues where network sandboxing would cause failures when
seccomp is supported while the `unshare` syscall is blocked (i.e.
docker).
@cd-work
Add back io_uring tests
62c3d31
kylewillmon
kylewillmon requested changes Sep 14, 2023
View reviewed changes
src/linux/mod.rs Outdated Show resolved Hide resolved
src/linux/mod.rs Outdated Show resolved Hide resolved
src/linux/mod.rs Outdated Show resolved Hide resolved
kylewillmon
kylewillmon requested changes Sep 14, 2023
View reviewed changes
tests/net_without_seccomp.rs Show resolved Hide resolved
src/linux/mod.rs Outdated Show resolved Hide resolved
@cd-work cd-work merged commit b940485 into main Sep 14, 2023
10 checks passed
@cd-work cd-work deleted the namespaces branch September 14, 2023 20:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kylewillmon kylewillmon kylewillmon approved these changes

Assignees

@cd-work cd-work

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@cd-work @kylewillmon