ioi / isolate

Sandbox for securely executing untrusted programs

--as-uid and --as-gid seem to be not usable in Docker container #155

Closed farmerboy95 closed 3 months ago

farmerboy95 commented 3 months ago

Hello,

I'm using Docker to use isolate (I know it's not supposed to be run in Docker anyway), and I'm trying to use the --as-uid and --as-gid options. This is conducted with the latest master branch. So my init is like

root@25dc9b717b3b:/code# isolate --init -b 0
/var/local/lib/isolate/0

Then I tried to run a simple echo command. It looks fine.

root@25dc9b717b3b:/code# isolate -b 0 --run -- /usr/bin/echo

OK (0.001 sec real, 0.015 sec wall)

Then I created a user with UID 12000, and used it in the 2 options.

root@25dc9b717b3b:/code# isolate -b 0 --as-uid=12000 --as-gid=12000 --run -- /usr/bin/echo
Cannot switch UID and GID: Operation not permitted

I tried to make the output verbose

root@25dc9b717b3b:/code# isolate -v -b 0 --as-uid=12000 --as-gid=12000 --run -- /usr/bin/echo
Started proxy_pid=161407 box_pid=161408 box_pid_inside_ns=2
Binding ./box on box (flags 5006)
Cannot switch UID and GID: Operation not permitted

When stracing it, I found that setresgid returned an error.

root@25dc9b717b3b:/code# strace -f -e setresuid,setresgid isolate -b 0 --as-uid=12000 --as-gid=12000 --run -- /usr/bin/echo
strace: Process 163558 attached
strace: Process 163559 attached
[pid 163558] setresgid(12000, 12000, 12000) = 0
[pid 163558] setresuid(12000, 12000, 12000) = 0
[pid 163559] setresuid(12000, 12000, 0) = 0
[pid 163559] setresgid(12000, 12000, 0) = -1 EPERM (Operation not permitted)
[pid 163559] +++ exited with 2 +++
[pid 163558] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=2, si_uid=12000, si_status=2, si_utime=0, si_stime=0} ---
[pid 163558] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=163558, si_uid=12000, si_status=0, si_utime=0, si_stime=0} ---
Cannot switch UID and GID: Operation not permitted
+++ exited with 2 +++

I tried with cgroup (v2) already. The output is the same.

Is there anything I'm missing here? Am I supposed to use those 2 options in Docker? Please note that I'm already root and this Docker container is run with --privileged. Looking forward to seeing some possible solutions. Thanks a lot guys.

gollux commented 3 months ago

The problem is actually not related to Docker, I can reproduce it on a normal Linux system.

However, I am not sure what you are trying to achieve. The --as-uid and --as-gid options are typically used only when root is initializing a sandbox on behalf of another user (e.g., in a sandbox management daemon as in the daemon branch). So using them with --run does not make much sense.

farmerboy95 commented 3 months ago

Thanks for the quick reply @gollux. I think I understand it now after checking the daemon branch. Since I did not see any example of how to use these 2 options, I thought they could be used with --run.

So you mean that we should only use them in --init?

gollux commented 3 months ago

Yes, it is supposed to be used only with --init as root, while the actual --run is done by the non-root user.
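The strace in the report shows the box process calling setresuid() before setresgid(): once the effective uid is no longer 0 the process has lost CAP_SETGID, so the group switch fails with EPERM. The following C program is an added example, not isolate's own code; it reproduces both orderings in a forked child so the parent keeps its credentials, and the name try_switch and the uid/gid 12000 (taken from the report) are mine.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Make the two credential switches in the requested order; returns 0 on success or the
 * errno of the first failing call. Uid first drops CAP_SETGID, so setresgid() gets EPERM. */
static int switch_ids(uid_t uid, gid_t gid, int gid_first)
{
    if (gid_first) {
        if (setresgid(gid, gid, gid) < 0) return errno;
        if (setresuid(uid, uid, uid) < 0) return errno;
    } else {
        if (setresuid(uid, uid, uid) < 0) return errno;
        if (setresgid(gid, gid, gid) < 0) return errno;
    }
    /* Confirm that the switch actually took effect. */
    return (getuid() == uid && getgid() == gid) ? 0 : EAGAIN;
}

/* Run switch_ids() in a forked child so the caller keeps its own credentials.
 * Returns the child's result: 0 on success or an errno value (e.g. EPERM). */
int try_switch(uid_t uid, gid_t gid, int gid_first)
{
    pid_t pid = fork();
    if (pid < 0)
        return errno;
    if (pid == 0)
        _exit(switch_ids(uid, gid, gid_first) & 0xff);
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return errno;
    return WIFEXITED(status) ? WEXITSTATUS(status) : ECHILD;
}

int main(void)
{
    /* 12000 is the uid/gid used in the bug report. */
    if (geteuid() != 0) {
        puts("run as root to reproduce the EPERM from the report");
        return 0;
    }
    printf("setresuid then setresgid: %s\n", strerror(try_switch(12000, 12000, 0)));
    printf("setresgid then setresuid: %s\n", strerror(try_switch(12000, 12000, 1)));
    return 0;
}
```

Run as root (or with CAP_SETUID and CAP_SETGID) the first line reports "Operation not permitted" and the second "Success"; as an unprivileged user switching to one's own ids succeeds in either order, which is why the bug only shows up in the root-initiated path.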