Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Audit the containerisation code #6

Open
tomsmeding opened this issue Feb 1, 2023 · 0 comments
Open

Audit the containerisation code #6

tomsmeding opened this issue Feb 1, 2023 · 0 comments
Labels
help wanted Extra attention is needed

Comments

@tomsmeding
Copy link
Collaborator

The worker currently uses bubblewrap (using linux cgroups) for privilege separation, and systemd-run (using linux user namespaces) for limiting of volatile resources (time, memory). While this is a nice, lightweight setup, it's not an existing setup, and it has not been audited.

If anyone has the expertise to have an informed opinion about these kind of systems, please help!

The system is as follows: (all is in the play-haskell-worker/ directory)

  • The bwrap-files/ubuntu-base directory is a chroot populated with an Ubuntu installation, set up in the chroot target of Makefile using bwrap-files/chroot-initialise.sh. Hopefully the precise workings of this step do not actually matter for the security property below.
  • The worker starts bwrap-files/stage-1.sh with one argument: a file descriptor that is open for writing in the stage-1.sh process (say P).
  • The worker sends a bunch of untrusted bytes on stdin of P.
  • The worker expects a bunch of untrusted bytes on stdout and stderr of P, as well as on the pipe of which one end is that writable file descriptor.
  • The worker kills the container.

Assuming that the worker (and the server and the client webpage after that) handle the output bytes safely, the security property is (loosely formulated) that no matter what bytes are sent to P, the outside of the container is not harmfully affected. That is to say: the container does not perform network activity, puts no lasting data on disk, and maybe other things that I haven't thought of.

@tomsmeding tomsmeding added the help wanted Extra attention is needed label Feb 1, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
help wanted Extra attention is needed
Projects
None yet
Development

No branches or pull requests

1 participant