| 1 |
On 2017-09-22 10:03 AM, Brian Dolbec wrote: |
| 2 |
> On Fri, 22 Sep 2017 15:06:49 +0000 |
| 3 |
> James McMechan <james_mcmechan@×××××××.com> wrote: |
| 4 |
> |
| 5 |
>> On Fri, Sep 22, 2017 at 5:27 AM, Rich Freeman <rich0@g.o> |
| 6 |
>> wrote: |
| 7 |
>>> On Fri, Sep 22, 2017 at 7:38 AM, Sergei Trofimovich |
| 8 |
>>> <slyfox@g.o> wrote: |
| 9 |
>>>> |
| 10 |
>>>> Some other distros try harder to isolate build environment either |
| 11 |
>>>> through chroot and/or private mount/user/network namespace that |
| 12 |
>>>> contains only explicitly specified files in build environment. |
| 13 |
>>>> |
| 14 |
>>>> That would require more cooperation from package manager to fetch |
| 15 |
>>>> list of all visible depends. |
| 16 |
>>>> |
| 17 |
>>> |
| 18 |
>>> I definitely think this is something that would be VERY useful to |
| 19 |
>>> have, because it makes build-time dependency issues almost |
| 20 |
>>> impossible. |
| 21 |
>>> |
| 22 |
>>> However, you don't need that complete solution just to have a |
| 23 |
>>> sandbox. You could simply create a container with the entire |
| 24 |
>>> contents of the main filesystem, but read-only, with the exception |
| 25 |
>>> of the build area. That would replicate the functionality of the |
| 26 |
>>> current sandbox and would be easier than building out just the files |
| 27 |
>>> specified in the dependencies. |
| 28 |
>>> |
| 29 |
>>> The main issue I see with making it dependency aware is performance. |
| 30 |
>>> You would need to walk all the dependencies and their run-time |
| 31 |
>>> dependencies, and the system set, and then individually bind-mount |
| 32 |
>>> the files that belong to them read-only into the container. That |
| 33 |
>>> isn't necessarily difficult, but I imagine that it would be slow. |
| 34 |
>>> Walking the dependencies obviously already happens during resolution |
| 35 |
>>> so that could probably be cached. You could also cache the list of |
| 36 |
>>> files for the system set, and you could even maintain a snapshot of |
| 37 |
>>> these that is used as the base of the container (somebody would need |
| 38 |
>>> to work out the savings of doing this vs the cost of updating it |
| 39 |
>>> every time a system set package changes). |
| 40 |
>>> |
| 41 |
>>> However, the main thing I wanted to point out is that you don't need |
| 42 |
>>> a dependency-aware solution to just replace the existing sandbox. |
| 43 |
>>> |
| 44 |
>>>> I like clear sandbox error reporting. |
| 45 |
>>> |
| 46 |
>>> As far as error reporting goes, you would get kernel-level errors |
| 47 |
>>> like attempting to write to a read-only bind mount, or trying to |
| 48 |
>>> read a file that doesn't exist. To a portage dev it should be |
| 49 |
>>> pretty obvious what is going on. You could add canned text to the |
| 50 |
>>> portage error output at the end. I'm not sure how visible the |
| 51 |
>>> problems would be to portage except to the degree that the build |
| 52 |
>>> system makes them visible |
| 53 |
>>> - it would just see make terminate with a non-zero return. |
| 54 |
>>> |
| 55 |
>>> I would think that containers would be almost completely bug-free |
| 56 |
>>> though. The only thing I could see as an issue is some build system |
| 57 |
>>> that relies on IPC with the host, network access, etc. Namespaces |
| 58 |
>>> themselves are very robust, and the kernel already looks at every |
| 59 |
>>> process as belonging to a set of namespaces even in the default case |
| 60 |
>>> where you only have one set of namespaces on the system, so they |
| 61 |
>>> don't involve different code paths/etc. |
| 62 |
>>> |
| 63 |
>>> -- |
| 64 |
>>> Rich |
| 65 |
>> |
| 66 |
>> Another possibility, could be to have the sandbox be an overlayfs |
| 67 |
>> not of the build directory but of the entire system starting at "/" |
| 68 |
>> and stick that into the container, only CLONE_NEWNS looks to be |
| 69 |
>> needed. |
| 70 |
>> |
| 71 |
>> A container with all writes going to the upper layer of the overlay |
| 72 |
>> could be safe against even #RM -RF / and other disasters, while still |
| 73 |
>> tracking what is happening during the build. |
| 74 |
>> |
| 75 |
>> Should performance be too much of a problem having a bind mount of |
| 76 |
>> the build directory on top of the overlay should give normal |
| 77 |
>> performance to everything that is obeying good practice. |
| 78 |
>> |
| 79 |
>> After the build completes the directory that was mounted as upper |
| 80 |
>> could be scanned to find any wayward writes that had occurred... |
| 81 |
>> |
| 82 |
>> This would not require LD_PRELOAD or ptrace eliminating most of the |
| 83 |
>> "high magic" currently used. |
| 84 |
>> |
| 85 |
>> Just yesterday I had a lot of ptrace failures while trying something |
| 86 |
>> odd with ROOT= and custom USE |
| 87 |
>> |
| 88 |
>> Jim McMechan |
| 89 |
> |
| 90 |
> I kinda like this idea, It looks to me to have pretty much all the |
| 91 |
> benefits of a sandbox and nearly none of the drawbacks. |
| 92 |
> |
| 93 |
> Sounds like it should get more research into this idea, figure out it's |
| 94 |
> limitations and if there are any caveats. |
| 95 |
> |
| 96 |
|
| 97 |
I haven't had time as of yet to look in to it, but theoretically one |
| 98 |
could use seccomp with bpf to make a more robust sandbox, though you |
| 99 |
might not get as nice error reporting as we have now. |
| 100 |
|
| 101 |
Also apparmor could theoretically be used to make a nice sandbox, but I |
| 102 |
suspect that could come with other implications. |
Archives