google / nsjail

A lightweight process isolation tool that utilizes Linux namespaces, cgroups, rlimits and seccomp-bpf syscall filters, leveraging the Kafel BPF language for enhanced security.
https://nsjail.dev
Apache License 2.0

bind mounted /var/run/netns acts differently if nsjail started before or after network namespace is created #230

Open tsalminenforce opened 1 month ago

tsalminenforce commented 1 month ago

Bumped into this issue with current master (and older ones), where if there's a mount

mount {
  src: "/var/run/netns"
  dst: "/var/run/netns"
  rw: false 
  is_bind: true
  mandatory: false
}

then if I start bash in nsjail, create the namespace and try to access the namespace:

bash-5.1$ cat /var/run/netns/three3 
cat: /var/run/netns/three3: Permission denied

But if I stop the nsjail process and start it again:

bash-5.1$ cat /var/run/netns/three3 
cat: /var/run/netns/three3: Invalid argument

I know cat isn't the correct way to enter a namespace, but just here illustrating that (at least) a network namespace created after the nsjail process started cannot be accessed.

tsalminenforce commented 1 month ago

Minimal reproducing:

sudo ./nsjail -R /usr/sbin -R /lib -R /lib64 -R /usr/bin -R /usr/lib -R /usr/share/zoneinfo -R /var/run/netns -- /usr/bin/bash
[I][2024-05-15T12:49:23+0300] Mode: STANDALONE_ONCE
[I][2024-05-15T12:49:23+0300] Jail parameters: hostname:'NSJAIL', chroot:'', process:'/usr/bin/bash', bind:[::]:0, max_conns:0, max_conns_per_ip:0, time_limit:0, personality:0, daemonize:false, clone_newnet:true, clone_newuser:true, clone_newns:true, clone_newpid:true, clone_newipc:true, clone_newuts:true, clone_newcgroup:true, clone_newtime:false, keep_caps:false, disable_no_new_privs:false, max_cpus:0
[I][2024-05-15T12:49:23+0300] Mount: '/' flags:MS_RDONLY type:'tmpfs' options:'' dir:true
[I][2024-05-15T12:49:23+0300] Mount: '/usr/sbin' -> '/usr/sbin' flags:MS_RDONLY|MS_BIND|MS_REC|MS_PRIVATE type:'' options:'' dir:true
[I][2024-05-15T12:49:23+0300] Mount: '/lib' -> '/lib' flags:MS_RDONLY|MS_BIND|MS_REC|MS_PRIVATE type:'' options:'' dir:true
[I][2024-05-15T12:49:23+0300] Mount: '/lib64' -> '/lib64' flags:MS_RDONLY|MS_BIND|MS_REC|MS_PRIVATE type:'' options:'' dir:true
[I][2024-05-15T12:49:23+0300] Mount: '/usr/bin' -> '/usr/bin' flags:MS_RDONLY|MS_BIND|MS_REC|MS_PRIVATE type:'' options:'' dir:true
[I][2024-05-15T12:49:23+0300] Mount: '/usr/lib' -> '/usr/lib' flags:MS_RDONLY|MS_BIND|MS_REC|MS_PRIVATE type:'' options:'' dir:true
[I][2024-05-15T12:49:23+0300] Mount: '/usr/share/zoneinfo' -> '/usr/share/zoneinfo' flags:MS_RDONLY|MS_BIND|MS_REC|MS_PRIVATE type:'' options:'' dir:true
[I][2024-05-15T12:49:23+0300] Mount: '/var/run/netns' -> '/var/run/netns' flags:MS_RDONLY|MS_BIND|MS_REC|MS_PRIVATE type:'' options:'' dir:true
[I][2024-05-15T12:49:23+0300] Mount: '/proc' flags:MS_RDONLY type:'proc' options:'' dir:true
[I][2024-05-15T12:49:23+0300] Uid map: inside_uid:0 outside_uid:0 count:1 newuidmap:false
[W][2024-05-15T12:49:23+0300][63653] logParams():313 Process will be UID/EUID=0 in the global user namespace, and will have user root-level access to files
[I][2024-05-15T12:49:23+0300] Gid map: inside_gid:0 outside_gid:0 count:1 newgidmap:false
[W][2024-05-15T12:49:23+0300][63653] logParams():323 Process will be GID/EGID=0 in the global user namespace, and will have group root-level access to files
[I][2024-05-15T12:49:23+0300] Executing '/usr/bin/bash' for '[STANDALONE MODE]'
bash: cannot set terminal process group (-1): Inappropriate ioctl for device
bash: no job control in this shell
bash-5.1# cat /var/run/netns/netns_before 
cat: /var/run/netns/netns_before: Invalid argument
bash-5.1# cat /var/run/netns/netns_after  
cat: /var/run/netns/netns_after: Permission denied
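A check for telling the two errors apart from inside the jail, added here as an example rather than code from the thread or from nsjail: it parses /proc/self/mountinfo and reports whether a namespace handle (an nsfs mount, which gives "Invalid argument" on read) is actually mounted at the path, or whether only the underlying file is visible. My reading of the symptom, not confirmed in the thread, is that `ip netns add` bind-mounts the nsfs file onto a 0-mode stub in /var/run/netns, and the MS_PRIVATE bind mount shown in the log above never receives mounts made on the host afterwards, so the jail sees the stub ("Permission denied"); the mountinfo sample below is constructed to show exactly that state.

```python
import re

# Constructed sample of /proc/self/mountinfo as seen from inside a jail whose
# /var/run/netns was bind-mounted MS_PRIVATE at startup: the nsfs mount for
# "netns_before" is there, but "netns_after", bind-mounted on the host later,
# never propagated into the jail's mount namespace.
SAMPLE_MOUNTINFO = """\
101 100 0:42 / / ro,relatime - tmpfs none ro
105 101 8:1 /run/netns /var/run/netns ro,relatime - ext4 /dev/sda1 rw
106 105 0:4 net:[4026532640] /var/run/netns/netns_before rw - nsfs nsfs rw
107 101 0:5 / /proc ro,relatime - proc proc rw
"""

def _unescape(field):
    """mountinfo octal-escapes space, tab, newline and backslash, e.g. '\\040'."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def parse_mountinfo(text):
    """Return (mount_point, fs_type, source) per line; the optional-fields
    list ends at a lone '-', after which come fs type, source, super options."""
    mounts = []
    for line in text.splitlines():
        pre, sep, post = line.partition(" - ")
        pre_f, post_f = pre.split(), post.split()
        if not sep or len(pre_f) < 6 or len(post_f) < 2:
            continue
        mounts.append((_unescape(pre_f[4]), post_f[0], _unescape(post_f[1])))
    return mounts

def find_mount(mounts, path):
    """The mount that serves `path`: longest mount point that is a prefix of it."""
    best = None
    for m in mounts:
        mp = m[0]
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best[0]):
                best = m
    return best

def classify(mountinfo, path):
    """'nsfs' if a namespace handle is mounted exactly at `path`; otherwise
    'file-on-<fstype>', i.e. only the parent filesystem's own file is visible
    (for `ip netns add` that is the 0-mode stub); 'unmounted' if nothing serves it."""
    m = find_mount(parse_mountinfo(mountinfo), path)
    if m is None:
        return "unmounted"
    mp, fstype, _src = m
    return "nsfs" if (mp == path and fstype == "nsfs") else f"file-on-{fstype}"
```

For a live check inside the jail, pass `open("/proc/self/mountinfo").read()` as the first argument; a `file-on-...` result for a name that `ip netns list` shows on the host means the namespace mount did not propagate into the jail.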