
Contain rewrite

Ron Williams requested to merge rw_van/contain:contain_rewrite into master

Contain is no longer mainly for chroot. It is now primarily for login, as it must run as root to create the namespace.

Use desktop-contain as your CONFIG_NAME. It's in this MR.

login and orblogin will both be the contain variants. If you log in as root, you will not run contain; you get a regular root shell in the regular namespace. If you log in as user, you will have restricted access - currently /bin, a few files in /etc and your home directory. What you have access to is determined by /etc/contain.toml in your filesystem config. You may need to add your display driver scheme; currently only display.vesa is an included scheme.

A sample configuration file, /etc/config.toml, is included in this repo but not used. You can specify which schemes are unfiltered vs filtered. For filtered namespaces, you can specify read-only (ro) or writable files and directories. If you specify a directory, then everything in that directory will be readable and/or writable (to the extent the underlying filesystem allows, as contain is just a filter). Note that if you want to allow a user to be able to read a directory but not the things in it, you can specify the directory as a read-only file, e.g., if you want the user to be able to do ls -ld /home, specify file:/home as an entry in rofiles.
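
As an added example (not code from this MR or from contain itself), the Rust below models the access decision the paragraph above describes: unfiltered schemes pass through, directory entries cover their whole subtree, and file entries match exactly, which is what makes the file:/home trick work. The Policy field names and the Access enum are assumptions, and paths are assumed to be already canonicalized.

```rust
// Added example, not the MR's code: models the access decision contain makes
// from /etc/contain.toml as the MR describes it. Field names and the Access
// enum are assumptions; paths are assumed already canonicalized ("file:/home").
use std::collections::HashSet;

#[derive(Debug, PartialEq, Clone, Copy)]
pub enum Access { Unfiltered, ReadOnly, ReadWrite, Denied }

pub struct Policy {
    pub unfiltered_schemes: HashSet<String>, // schemes passed through untouched
    pub ro_dirs: Vec<String>,  // whole subtree readable
    pub rw_dirs: Vec<String>,  // whole subtree readable and writable
    pub ro_files: Vec<String>, // exact entries only; may name a directory
    pub rw_files: Vec<String>,
}

/// True when `path` is `dir` itself or lies beneath it; a bare string prefix
/// is not enough ("file:/homework" is not under "file:/home").
fn under_dir(path: &str, dir: &str) -> bool {
    let dir = dir.trim_end_matches('/');
    path == dir || path.strip_prefix(dir).map_or(false, |rest| rest.starts_with('/'))
}

impl Policy {
    pub fn check(&self, path: &str) -> Access {
        let scheme = path.split(':').next().unwrap_or("");
        if self.unfiltered_schemes.contains(scheme) { return Access::Unfiltered; }
        // Directory entries cover their subtree; writable takes precedence.
        if self.rw_dirs.iter().any(|d| under_dir(path, d)) { return Access::ReadWrite; }
        if self.ro_dirs.iter().any(|d| under_dir(path, d)) { return Access::ReadOnly; }
        // File entries match exactly: listing "file:/home" as a ro file lets
        // `ls -ld /home` succeed without exposing anything inside /home.
        if self.rw_files.iter().any(|f| f == path) { return Access::ReadWrite; }
        if self.ro_files.iter().any(|f| f == path) { return Access::ReadOnly; }
        Access::Denied
    }
}

/// Constructed sample: /bin read-only, the user's home writable, /home itself
/// listable but its other entries hidden, display.vesa unfiltered.
pub fn sample_policy() -> Policy {
    Policy {
        unfiltered_schemes: ["display.vesa"].iter().map(|s| s.to_string()).collect(),
        ro_dirs: vec!["file:/bin".to_string()],
        rw_dirs: vec!["file:/home/user".to_string()],
        ro_files: vec!["file:/home".to_string(), "file:/etc/passwd".to_string()],
        rw_files: Vec::new(),
    }
}
```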

contain_test performs a few tests. Probably more are required.

Outstanding Issues:

  • Create/modify namespace is only available to Root right now, so we are missing the important use case of the user being able to sandbox a program
  • There is no namespace free operation, so namespaces are currently just leaked. Contain will create one new namespace per login, which will then be leaked.
  • There needs to be an escape to the full namespace for sudo, probably in conjunction with escalated. What should be allowed and how this is implemented is TBD.
  • Ptyd does not implement ownership, so there is no pty protection. 4lDO2 suggested that we could filter access to ptys by ownership once that is implemented, but I was thinking if we include the owner in the name of the pty, e.g. pty:/n, the user will be able to do ls pty: and see what ptys are available to them. We could do something similar with Orbital windows. We can discuss this after ownership is implemented in ptyd.
  • Contain makes use of "canonicalize" to avoid spoofing with symbolic links. We don't do a very good job of canonicalize, so we need to discuss the way forward.
    • 4lDO2 suggested that fpath should be removed.
    • 4lDO2 suggested that relibc's canonicalize may be a better choice for contain than Path::canonicalize.
    • Chroot is not working well because the contain scheme does not participate after xopen, so "canonicalize" calls from a contained app cannot be "chrooted", i.e. the app will get the full path which is not valid in the contained namespace
    • ptyd gives an entirely new path when you attempt to canonicalize.