agentd 0.1.2

Agent daemon for secure capability execution with pluggable isolation backends
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182

//! Targeted integration tests that exercise the most critical sandbox layers.
//!
//! These tests intentionally run heavy-weight isolation primitives (Landlock,
//! seccomp, network namespaces) inside short-lived forked children so the
//! parent test process remains unaffected.

#[cfg(all(test, target_os = "linux"))]
mod tests {
    use anyhow::Result;
    use nix::sched::{unshare, CloneFlags};
    use nix::sys::signal::Signal;
    use nix::sys::wait::{waitpid, WaitStatus};
    use nix::unistd::{fork, ForkResult};
    use std::fs::File;
    use std::io::Write;
    use tempfile::tempdir;

    use smith_jailer::landlock::{self, LandlockConfig};
    use smith_jailer::seccomp::{self, SeccompConfig};

    /// Helper to run closure inside a forked child and wait for the outcome.
    ///
    /// The closure returns `Ok(())` to indicate success or `Err(code)` to
    /// request a specific exit code from the child process.
    fn run_in_subprocess<F>(f: F) -> Result<WaitStatus>
    where
        F: FnOnce() -> Result<(), i32>,
    {
        match unsafe { fork()? } {
            ForkResult::Child => {
                let exit_code = match f() {
                    Ok(()) => 0,
                    Err(code) => code,
                };
                std::process::exit(exit_code);
            }
            ForkResult::Parent { child } => Ok(waitpid(child, None)?),
        }
    }

    fn require_root(reason: &str) -> bool {
        if unsafe { libc::geteuid() == 0 } {
            true
        } else {
            eprintln!("Skipping test ({reason}): requires root privileges");
            false
        }
    }

    #[test]
    fn landlock_blocks_forbidden_paths() -> Result<()> {
        if !landlock::is_landlock_available() {
            eprintln!("Skipping Landlock test: kernel does not support Landlock");
            return Ok(());
        }
        if !require_root("Landlock needs CAP_SYS_ADMIN for path setup") {
            return Ok(());
        }

        let allowed = tempdir()?;
        let forbidden = tempdir()?;
        let allowed_file = allowed.path().join("allowed.txt");
        let forbidden_file = forbidden.path().join("forbidden.txt");
        File::create(&allowed_file)?.write_all(b"allowed")?;
        File::create(&forbidden_file)?.write_all(b"forbidden")?;

        let status = run_in_subprocess(|| {
            let mut config = LandlockConfig::default();
            let allowed_path = allowed
                .path()
                .to_str()
                .expect("tempdir path should be UTF-8");
            config.allow_read(allowed_path);
            config.allow_read("/proc");
            config.allow_read("/etc");
            config.allow_read("/run");
            config.allow_read("/tmp");

            landlock::apply_landlock_rules(&config).expect("apply landlock");

            // Allowed file succeeds
            if std::fs::read(&allowed_file).is_err() {
                eprintln!("Landlock unexpectedly denied allowed read");
                return Err(3);
            }

            // Forbidden file should be denied with EPERM
            match std::fs::read(&forbidden_file) {
                Err(err) if err.kind() == std::io::ErrorKind::PermissionDenied => Ok(()),
                Ok(_) => {
                    eprintln!("Landlock unexpectedly allowed forbidden read");
                    Err(1)
                }
                Err(err) => {
                    eprintln!("Unexpected error reading forbidden file: {err}");
                    Err(2)
                }
            }
        })?;

        match status {
            WaitStatus::Exited(_, code) => assert_eq!(code, 0, "Landlock child exited with {code}"),
            other => panic!("Unexpected child status: {other:?}"),
        }

        Ok(())
    }

    #[test]
    fn seccomp_traps_disallowed_syscalls() -> Result<()> {
        // Seccomp filters can be applied without root as long as NO_NEW_PRIVS is set.
        let status = run_in_subprocess(|| {
            let mut config = SeccompConfig::default();
            config.allow_syscalls(&[
                libc::SYS_read as i32,
                libc::SYS_write as i32,
                libc::SYS_exit as i32,
                libc::SYS_exit_group as i32,
            ]);

            seccomp::apply_seccomp_filter(&config).expect("apply seccomp");

            // This syscall is not on the allowlist and should terminate the process.
            unsafe {
                libc::syscall(libc::SYS_getpid);
            }

            // If the process is still alive, the filter did not work.
            Err(1)
        })?;

        match status {
            WaitStatus::Signaled(_, Signal::SIGSYS, _) => Ok(()),
            WaitStatus::Exited(_, code) if code == 77 => {
                // Some kernels translate SECCOMP_RET_KILL to exit status 77.
                Ok(())
            }
            other => panic!("Seccomp filter did not trigger as expected: {other:?}"),
        }
    }

    #[test]
    fn network_namespace_blocks_outbound_connections() -> Result<()> {
        if !require_root("creating a network namespace") {
            return Ok(());
        }

        let status = run_in_subprocess(|| {
            unshare(CloneFlags::CLONE_NEWNET).expect("unshare network namespace");

            match std::net::TcpStream::connect("127.0.0.1:80") {
                Err(err)
                    if matches!(
                        err.kind(),
                        std::io::ErrorKind::ConnectionRefused
                            | std::io::ErrorKind::NetworkUnreachable
                            | std::io::ErrorKind::AddrNotAvailable
                    ) =>
                {
                    Ok(())
                }
                Err(err) => {
                    eprintln!("Unexpected network error: {err}");
                    Err(1)
                }
                Ok(_) => {
                    eprintln!("Connection succeeded unexpectedly inside isolated namespace");
                    Err(2)
                }
            }
        })?;

        match status {
            WaitStatus::Exited(_, code) => {
                assert_eq!(code, 0, "Network namespace child exited with {code}")
            }
            other => panic!("Unexpected child status: {other:?}"),
        }

        Ok(())
    }
}