shoenig / nomad-pledge-driver

Nomad task driver capable of blocking unwanted syscall and filesystem access. Based on the pledge utility for Linux by Justine Tunney
Mozilla Public License 2.0

idea: use CLONE_NEWCGROUP to fix racey cgroup assignment #2

Closed shoenig closed 1 year ago

shoenig commented 2 years ago

Instead of using a supervisor like the comment suggests, we should be able to just fork/exec the subprocess into the cgroup created for it. Looks like this will be available in an upcoming version of Go:

https://github.com/golang/go/issues/51246
https://github.com/golang/go/commit/3204e62dd1abe087430e37e8c33c3d010606aabe

```go
// Ideally we would fork a trusted helper, enter the cgroup ourselves, then
// exec into the user subprocess. This is fine for now.
return e.isolate()
```

kolyshkin commented 2 years ago

The proper link would be https://go.dev/cl/417695 (and the feature should be available in Go 1.20+).

Also please note this only works for cgroup v2 and requires Linux kernel >= v5.17.
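What the proposal above amounts to in practice, as an added illustration that is not code from nomad-pledge-driver: Go 1.20's `syscall.SysProcAttr` gained `UseCgroupFD`/`CgroupFD`, which makes the kernel place the child into the cgroup at clone time (CLONE_INTO_CGROUP), so there is no window in which the child runs outside its cgroup. The cgroup path `/sys/fs/cgroup/nomad-demo` is an assumption; it needs cgroup v2, Linux >= 5.7 and permission to write to that cgroup.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"strings"
	"syscall"
)

// OpenCgroup opens a cgroup v2 directory so its descriptor can be handed to
// clone3(CLONE_INTO_CGROUP); the caller closes it after starting the child.
func OpenCgroup(path string) (*os.File, error) {
	return os.OpenFile(path, os.O_RDONLY|syscall.O_DIRECTORY, 0)
}

// CommandInCgroup builds a Cmd whose child is created directly inside the
// cgroup behind cgroupFD, instead of being moved there after fork (the racy
// step the issue wants to remove). Requires Go 1.20+, cgroup v2, Linux >= 5.7.
func CommandInCgroup(cgroupFD int, name string, args ...string) *exec.Cmd {
	cmd := exec.Command(name, args...)
	cmd.SysProcAttr = &syscall.SysProcAttr{
		UseCgroupFD: true,
		CgroupFD:    cgroupFD,
	}
	return cmd
}

// ParseCgroupV2 extracts the cgroup path from /proc/<pid>/cgroup content; on a
// unified (v2) host the file has a single "0::/path" line.
func ParseCgroupV2(content string) (string, error) {
	for _, line := range strings.Split(strings.TrimSpace(content), "\n") {
		if strings.HasPrefix(line, "0::") {
			return strings.TrimPrefix(line, "0::"), nil
		}
	}
	return "", fmt.Errorf("no cgroup v2 entry in %q", content)
}

func main() {
	// Assumed: an operator created /sys/fs/cgroup/nomad-demo beforehand.
	dir, err := OpenCgroup("/sys/fs/cgroup/nomad-demo")
	if err != nil {
		fmt.Println("open cgroup:", err)
		return
	}
	defer dir.Close()
	// The child reports its own cgroup; it should already be /nomad-demo.
	out, err := CommandInCgroup(int(dir.Fd()), "cat", "/proc/self/cgroup").Output()
	if err != nil {
		fmt.Println("run child:", err)
		return
	}
	path, err := ParseCgroupV2(string(out))
	fmt.Println("child cgroup:", path, err)
}
```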

kolyshkin commented 1 year ago

> requires Linux kernel >= v5.17.

Just realized I made a typo, I meant Linux kernel >= 5.7 (released in June 2020).

Also, Go 1.20 is out :)

shoenig commented 1 year ago

Thanks @kolyshkin I should have time to pull this little project off the shelf again in the next couple of weeks. And also thanks for all the work you do!