bunpen: run process inside a new user namespace

This commit is contained in:
2024-08-24 05:12:27 +00:00
parent 5f35eaccd9
commit e315919b54
3 changed files with 49 additions and 0 deletions

View File

@@ -36,6 +36,7 @@ export fn main() void = {
}; };
rtext::no_new_privs(); rtext::no_new_privs();
restrict::namespace_restrict(&what);
restrict::landlock_restrict(&what); restrict::landlock_restrict(&what);
if (opts.drop_shell) { if (opts.drop_shell) {
do_exec(["/bin/sh"]); do_exec(["/bin/sh"]);

View File

@@ -0,0 +1,9 @@
// vim: set shiftwidth=2 :
use rtext;
export fn namespace_restrict(what: *resources) void = {
rtext::unshare(rtext::CLONE_NEWUSER)!;
// let clone_flags = SIGCHLD | CLONE_NEWNS | CLONE_NEWUSER;
// TODO: CLONE_NEWNET, CLONE_NEWIPC, CLONE_NEWUTS, CLONE_NEWCGROUP,
// CLONE_NEWPID (might not work without forking to also become reaper)
};

View File

@@ -0,0 +1,39 @@
// vim: set shiftwidth=2 :
use rt;
//// for use with `setns`, `unshare`, `clone` syscalls
// new time namespace. calling process is NOT moved into the namespace.
export const CLONE_NEWTIME: u64 = 0x00000080;
// new mount namespace.
// CLONE_NEWNS implies CLONE_FS.
export const CLONE_NEWNS: u64 = 0x00020000;
export const CLONE_NEWCGROUP: u64 = 0x02000000;
// new utsname namespace
export const CLONE_NEWUTS: u64 = 0x04000000;
// CLONE_NEWIPC implies CLONE_SYSVSEM.
export const CLONE_NEWIPC: u64 = 0x08000000;
// CLONE_NEWUSER implies CLONE_THREAD and CLONE_FS.
// calling process must NOT be multi-threaded.
export const CLONE_NEWUSER: u64 = 0x10000000;
// new process ID namespace. calling process is NOT moved into the namespace.
// the first new child spawned becomes pid 1 and has the role of init(1).
// CLONE_NEWPID implies CLONE_THREAD.
export const CLONE_NEWPID: u64 = 0x20000000;
export const CLONE_NEWNET: u64 = 0x40000000;
// additional CLONE flags in kernel, omitted until i need them.
// export fn setns(ns_fd: i32, nstype: i32) (rt::errno | u64) = {
// return syscall(rt::SYS_setns, ns_fd: u64, nstype: u64);
// };
export fn unshare(flags: u64) (rt::errno | u64) = {
return syscall(rt::SYS_unshare, flags);
};