sandbox: document less obvious parts of setup
Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
parent
022242a84a
commit
0ba8be659f
@ -104,16 +104,6 @@ type (
|
|||||||
|
|
||||||
Flags HardeningFlags
|
Flags HardeningFlags
|
||||||
}
|
}
|
||||||
|
|
||||||
Ops []Op
|
|
||||||
Op interface {
|
|
||||||
early(params *Params) error
|
|
||||||
apply(params *Params) error
|
|
||||||
prefix() string
|
|
||||||
|
|
||||||
Is(op Op) bool
|
|
||||||
fmt.Stringer
|
|
||||||
}
|
|
||||||
)
|
)
|
||||||
|
|
||||||
func (p *Container) Start() error {
|
func (p *Container) Start() error {
|
||||||
|
@ -45,10 +45,6 @@ func Init(prepare func(prefix string), setVerbose func(verbose bool)) {
|
|||||||
log.Fatal("this process must run as pid 1")
|
log.Fatal("this process must run as pid 1")
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
|
||||||
receive setup payload
|
|
||||||
*/
|
|
||||||
|
|
||||||
var (
|
var (
|
||||||
params initParams
|
params initParams
|
||||||
closeSetup func() error
|
closeSetup func() error
|
||||||
@ -111,10 +107,6 @@ func Init(prepare func(prefix string), setVerbose func(verbose bool)) {
|
|||||||
// cache sysctl before pivot_root
|
// cache sysctl before pivot_root
|
||||||
LastCap()
|
LastCap()
|
||||||
|
|
||||||
/*
|
|
||||||
set up mount points from intermediate root
|
|
||||||
*/
|
|
||||||
|
|
||||||
if err := syscall.Mount("", "/", "",
|
if err := syscall.Mount("", "/", "",
|
||||||
syscall.MS_SILENT|syscall.MS_SLAVE|syscall.MS_REC,
|
syscall.MS_SILENT|syscall.MS_SLAVE|syscall.MS_REC,
|
||||||
""); err != nil {
|
""); err != nil {
|
||||||
@ -155,6 +147,7 @@ func Init(prepare func(prefix string), setVerbose func(verbose bool)) {
|
|||||||
if err := os.Mkdir(hostDir, 0755); err != nil {
|
if err := os.Mkdir(hostDir, 0755); err != nil {
|
||||||
log.Fatalf("%v", err)
|
log.Fatalf("%v", err)
|
||||||
}
|
}
|
||||||
|
// pivot_root uncovers basePath in hostDir
|
||||||
if err := syscall.PivotRoot(basePath, hostDir); err != nil {
|
if err := syscall.PivotRoot(basePath, hostDir); err != nil {
|
||||||
log.Fatalf("cannot pivot into intermediate root: %v", err)
|
log.Fatalf("cannot pivot into intermediate root: %v", err)
|
||||||
}
|
}
|
||||||
@ -173,10 +166,7 @@ func Init(prepare func(prefix string), setVerbose func(verbose bool)) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
// setup requiring host root complete at this point
|
||||||
pivot to sysroot
|
|
||||||
*/
|
|
||||||
|
|
||||||
if err := syscall.Mount(hostDir, hostDir, "",
|
if err := syscall.Mount(hostDir, hostDir, "",
|
||||||
syscall.MS_SILENT|syscall.MS_REC|syscall.MS_PRIVATE,
|
syscall.MS_SILENT|syscall.MS_REC|syscall.MS_PRIVATE,
|
||||||
""); err != nil {
|
""); err != nil {
|
||||||
@ -216,10 +206,6 @@ func Init(prepare func(prefix string), setVerbose func(verbose bool)) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
|
||||||
caps/securebits and seccomp filter
|
|
||||||
*/
|
|
||||||
|
|
||||||
if _, _, errno := syscall.Syscall(PR_SET_NO_NEW_PRIVS, 1, 0, 0); errno != 0 {
|
if _, _, errno := syscall.Syscall(PR_SET_NO_NEW_PRIVS, 1, 0, 0); errno != 0 {
|
||||||
log.Fatalf("prctl(PR_SET_NO_NEW_PRIVS): %v", errno)
|
log.Fatalf("prctl(PR_SET_NO_NEW_PRIVS): %v", errno)
|
||||||
}
|
}
|
||||||
@ -255,20 +241,13 @@ func Init(prepare func(prefix string), setVerbose func(verbose bool)) {
|
|||||||
log.Fatalf("cannot load syscall filter: %v", err)
|
log.Fatalf("cannot load syscall filter: %v", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
|
||||||
pass through extra files
|
|
||||||
*/
|
|
||||||
|
|
||||||
extraFiles := make([]*os.File, params.Count)
|
extraFiles := make([]*os.File, params.Count)
|
||||||
for i := range extraFiles {
|
for i := range extraFiles {
|
||||||
|
// setup fd is placed before all extra files
|
||||||
extraFiles[i] = os.NewFile(uintptr(offsetSetup+i), "extra file "+strconv.Itoa(i))
|
extraFiles[i] = os.NewFile(uintptr(offsetSetup+i), "extra file "+strconv.Itoa(i))
|
||||||
}
|
}
|
||||||
syscall.Umask(oldmask)
|
syscall.Umask(oldmask)
|
||||||
|
|
||||||
/*
|
|
||||||
prepare initial process
|
|
||||||
*/
|
|
||||||
|
|
||||||
cmd := exec.Command(params.Path)
|
cmd := exec.Command(params.Path)
|
||||||
cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
|
cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
|
||||||
cmd.Args = params.Args
|
cmd.Args = params.Args
|
||||||
@ -281,22 +260,11 @@ func Init(prepare func(prefix string), setVerbose func(verbose bool)) {
|
|||||||
}
|
}
|
||||||
msg.Suspend()
|
msg.Suspend()
|
||||||
|
|
||||||
/*
|
|
||||||
close setup pipe
|
|
||||||
*/
|
|
||||||
|
|
||||||
if err := closeSetup(); err != nil {
|
if err := closeSetup(); err != nil {
|
||||||
log.Println("cannot close setup pipe:", err)
|
log.Println("cannot close setup pipe:", err)
|
||||||
// not fatal
|
// not fatal
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
|
||||||
perform init duties
|
|
||||||
*/
|
|
||||||
|
|
||||||
sig := make(chan os.Signal, 2)
|
|
||||||
signal.Notify(sig, syscall.SIGINT, syscall.SIGTERM)
|
|
||||||
|
|
||||||
type winfo struct {
|
type winfo struct {
|
||||||
wpid int
|
wpid int
|
||||||
wstatus syscall.WaitStatus
|
wstatus syscall.WaitStatus
|
||||||
@ -333,6 +301,10 @@ func Init(prepare func(prefix string), setVerbose func(verbose bool)) {
|
|||||||
close(done)
|
close(done)
|
||||||
}()
|
}()
|
||||||
|
|
||||||
|
// handle signals to dump withheld messages
|
||||||
|
sig := make(chan os.Signal, 2)
|
||||||
|
signal.Notify(sig, syscall.SIGINT, syscall.SIGTERM)
|
||||||
|
|
||||||
// closed after residualProcessTimeout has elapsed after initial process death
|
// closed after residualProcessTimeout has elapsed after initial process death
|
||||||
timeout := make(chan struct{})
|
timeout := make(chan struct{})
|
||||||
|
|
||||||
@ -345,7 +317,6 @@ func Init(prepare func(prefix string), setVerbose func(verbose bool)) {
|
|||||||
} else {
|
} else {
|
||||||
msg.Verbosef("terminating on %s", s.String())
|
msg.Verbosef("terminating on %s", s.String())
|
||||||
}
|
}
|
||||||
msg.BeforeExit()
|
|
||||||
os.Exit(0)
|
os.Exit(0)
|
||||||
case w := <-info:
|
case w := <-info:
|
||||||
if w.wpid == cmd.Process.Pid {
|
if w.wpid == cmd.Process.Pid {
|
||||||
|
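Review bot: The hunk at -345,7 +317,6 drops `msg.BeforeExit()` ahead of `os.Exit(0)` in the signal branch, which is a behavioural change in a commit whose title advertises documentation only. If BeforeExit is what flushes withheld messages (the comment added in the previous hunk says signals are handled to dump them), the SIGINT/SIGTERM exit path now loses that flush unless the `if` branch above, which lies outside the hunk, performs it; either restore the call or state the move in the commit message. Separately, the context line `syscall.Syscall(PR_SET_NO_NEW_PRIVS, 1, 0, 0)` in the hunk at -216,10 +206,6 passes the prctl option where Syscall expects the syscall number; unless PR_SET_NO_NEW_PRIVS is defined in this package as something other than the prctl(2) option value, the intended form is `syscall.Syscall(syscall.SYS_PRCTL, PR_SET_NO_NEW_PRIVS, 1, 0)`, and since no_new_privs is the precondition for an unprivileged process to load the filter below, it is worth confirming. Init starts and ends outside these hunks.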
@ -13,6 +13,22 @@ import (
|
|||||||
"unsafe"
|
"unsafe"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
type (
|
||||||
|
Ops []Op
|
||||||
|
Op interface {
|
||||||
|
// early is called in host root.
|
||||||
|
early(params *Params) error
|
||||||
|
// apply is called in intermediate root.
|
||||||
|
apply(params *Params) error
|
||||||
|
|
||||||
|
prefix() string
|
||||||
|
Is(op Op) bool
|
||||||
|
fmt.Stringer
|
||||||
|
}
|
||||||
|
)
|
||||||
|
|
||||||
|
func (f *Ops) Grow(n int) { *f = slices.Grow(*f, n) }
|
||||||
|
|
||||||
func init() { gob.Register(new(BindMount)) }
|
func init() { gob.Register(new(BindMount)) }
|
||||||
|
|
||||||
// BindMount bind mounts host path Source on container path Target.
|
// BindMount bind mounts host path Source on container path Target.
|
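Review bot: `Grow` on the new `Ops` type is exported but carries no doc comment, and `prefix()` and `Is` inside `Op` stay undocumented while `early` and `apply` gained one-line comments in the same hunk. Suggest `// Grow guarantees capacity for another n ops, reallocating if necessary.` above the method, plus a sentence each for `prefix` (what the returned string prefixes) and `Is` (which equality it tests), since the two new comments only name the root each hook runs in. The import hunk at -13,6 +13,22 shows no added `slices` line, so presumably it is already imported above `"unsafe"`, outside the hunk; worth a check that the build does not depend on that. The `init` func and the BindMount comment that follow are context only.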