"Containerize" individual functions in Rust with extrasafe

submitted by
Style Pass
2024-04-04 17:00:02

Today I released a new version of extrasafe which has support for using Linux's unprivileged namespaces feature to create browser-style content processes. Namespaces are perhaps more famously used in container runtimes, which is why I used them in my clickbait title, but the main inspiration and use-case for extrasafe's Isolate is closer to a browser's content process.

Extrasafe is a Linux security toolkit for Rust that makes it simple to use kernel security features directly inside your Rust code. Extrasafe already has support for seccomp and Landlock, which are also used in browsers, containers, and other kinds of isolation tools like firejail and bubblewrap.

We exec (see discussion below for why we have to exec at all) prior to clone/pivot_root because otherwise the linker may not be able to find the necessary .so files to link to if the program is dynamically linked, even if we kept a fd with the contents of /proc/self/exe around. This sequence of operations requires that we have something like Isolate::main_hook to do the setup, and adds an extra point of failure in the sense that a user might not call it. It's not really an issue because in that case the program wouldn't make it to the code to be isolated anyway, but it makes the overall experience more complicated.

Also, one random fact I discovered while working on this feature that doesn't seem to be documented anywhere besides a random git commit message in systemd: in order to mount a proc or sysfs filesystem inside a user namespace, you must already have a proc (or sysfs) filesystem mounted in your tree somewhere.
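A pre-flight check for the proc/sysfs caveat above, written as an added example for this post (it is not extrasafe's own code): it parses the `/proc/self/mountinfo` format to find whether a proc or sysfs mount is already visible before an isolate tries to mount one inside a fresh user namespace. The mount table below is a constructed sample, and the type and function names are mine.

```rust
/// One /proc/self/mountinfo entry, reduced to the fields the check needs.
#[derive(Debug, PartialEq)]
pub struct MountEntry {
    pub mount_point: String,
    pub fstype: String,
}
/// mountinfo escapes space/tab/newline/backslash in paths as \040 \011 \012 \134.
pub fn unescape(field: &str) -> String {
    let bytes = field.as_bytes();
    let mut out = Vec::with_capacity(bytes.len());
    let mut i = 0;
    while i < bytes.len() {
        // Only a backslash followed by exactly three octal digits is an escape;
        // anything else (including a malformed escape) is copied through as-is.
        let escaped = if bytes[i] == b'\\' {
            field.get(i + 1..i + 4)
                .filter(|s| s.bytes().all(|b| (b'0'..=b'7').contains(&b)))
                .and_then(|s| u8::from_str_radix(s, 8).ok())
        } else {
            None
        };
        match escaped {
            Some(v) => { out.push(v); i += 4; }
            None => { out.push(bytes[i]); i += 1; }
        }
    }
    String::from_utf8_lossy(&out).into_owned()
}

/// Parse mountinfo lines. The optional-fields column is variable length, so
/// split on the " - " separator instead of counting columns from the left.
pub fn parse_mountinfo(text: &str) -> Vec<MountEntry> {
    text.lines().filter_map(|line| {
        let (pre, post) = line.split_once(" - ")?;
        let mount_point = unescape(pre.split(' ').nth(4)?);
        let fstype = post.split(' ').next()?.to_string();
        Some(MountEntry { mount_point, fstype })
    }).collect()
}

/// Pre-flight check: mount point of the first `fstype` mount visible in this
/// tree, or None, meaning a proc/sysfs mount in the new user namespace will fail.
pub fn find_mount<'a>(entries: &'a [MountEntry], fstype: &str) -> Option<&'a str> {
    entries.iter().find(|e| e.fstype == fstype).map(|e| e.mount_point.as_str())
}

/// Constructed sample in mountinfo format (not captured from a real host).
pub const SAMPLE_MOUNTINFO: &str = "22 1 0:21 / / rw,relatime - ext4 /dev/vda1 rw\n\
    23 22 0:4 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw\n\
    24 22 0:5 / /sys rw,nosuid shared:7 - sysfs sysfs rw\n\
    25 22 0:30 / /mnt/my\\040dir rw - tmpfs tmpfs rw";
```

On a live system, feed `std::fs::read_to_string("/proc/self/mountinfo")` into `parse_mountinfo` and fail early, with a clear error, when `find_mount(&entries, "proc")` returns `None` rather than letting the mount inside the namespace fail later.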
