bandsocks 0.2.1

Experimental embeddable container sandbox
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99

pub mod protocol {
    include! {"../sand/src/protocol.rs"}
}

#[cfg(not(doc))]
const PROGRAM_DATA: &[u8] = include_bytes!(concat!(
    env!("OUT_DIR"),
    "/sand/target/release/bandsocks-sand"
));

#[cfg(doc)]
const PROGRAM_DATA: &[u8] = b"";

use crate::errors::RuntimeError;
use protocol::{LogLevel, LogMessage, SysFd, VPid};
use std::{
    fs::File,
    io::Write,
    os::{
        raw::c_int,
        unix::{
            io::{AsRawFd, RawFd},
            process::CommandExt,
        },
    },
    process::{Command, Stdio},
};

lazy_static! {
    static ref PROGRAM_FILE: Result<File, RuntimeError> = create_program_file();
}

fn create_program_file() -> Result<File, RuntimeError> {
    let memfd = memfd::MemfdOptions::default()
        .allow_sealing(true)
        .create("bandsocks-sand")?;
    memfd.as_file().write_all(PROGRAM_DATA)?;
    memfd.add_seals(
        &[
            memfd::FileSeal::SealWrite,
            memfd::FileSeal::SealShrink,
            memfd::FileSeal::SealGrow,
            memfd::FileSeal::SealSeal,
        ]
        .iter()
        .cloned()
        .collect(),
    )?;
    Ok(memfd.into_file())
}

pub fn command(fd: RawFd) -> Result<Command, RuntimeError> {
    let file = match &*PROGRAM_FILE {
        Err(err) => return Err(RuntimeError::ProgramAllocError(err.to_string())),
        Ok(file) => file,
    };
    let mut cmd = Command::new(format!("/proc/self/fd/{}", file.as_raw_fd()));
    cmd.stdin(Stdio::null());
    cmd.stdout(Stdio::null());
    cmd.stderr(Stdio::piped());
    cmd.arg0("sand");
    cmd.env_clear();
    cmd.env("FD", fd.to_string());
    Ok(cmd)
}

impl AsRawFd for SysFd {
    fn as_raw_fd(&self) -> RawFd {
        self.0 as c_int
    }
}

pub fn max_log_level() -> LogLevel {
    if log::log_enabled!(log::Level::Trace) {
        LogLevel::Trace
    } else if log::log_enabled!(log::Level::Debug) {
        LogLevel::Debug
    } else if log::log_enabled!(log::Level::Info) {
        LogLevel::Info
    } else if log::log_enabled!(log::Level::Warn) {
        LogLevel::Warn
    } else if log::log_enabled!(log::Level::Error) {
        LogLevel::Error
    } else {
        LogLevel::Off
    }
}

pub fn task_log(task: VPid, level: LogLevel, message: LogMessage) {
    let level = match level {
        LogLevel::Off => return,
        LogLevel::Error => log::Level::Error,
        LogLevel::Warn => log::Level::Warn,
        LogLevel::Info => log::Level::Info,
        LogLevel::Debug => log::Level::Debug,
        LogLevel::Trace => log::Level::Trace,
    };
    log::log!(level, "{:?} {:?}", task, message);
}