kavach 0.22.3

Sandbox execution framework — backend abstraction, strength scoring, policy engine, credential proxy, and audit hooks
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217

//! cgroup v2 resource limit enforcement.
//!
//! Creates a per-sandbox cgroup scope under `/sys/fs/cgroup/kavach/<id>/`
//! and writes memory, CPU, and PID limits.

use crate::policy::SandboxPolicy;

/// cgroup scope for a sandbox instance.
pub struct CgroupScope {
    path: std::path::PathBuf,
    created: bool,
}

impl CgroupScope {
    /// Create a new cgroup scope. Does not create the directory yet.
    pub fn new(sandbox_id: &str) -> Self {
        Self {
            path: std::path::PathBuf::from(format!("/sys/fs/cgroup/kavach/{sandbox_id}")),
            created: false,
        }
    }

    /// Check if any resource limits are configured in the policy.
    pub fn has_limits(policy: &SandboxPolicy) -> bool {
        policy.memory_limit_mb.is_some() || policy.cpu_limit.is_some() || policy.max_pids.is_some()
    }

    /// Create the cgroup directory and write limits.
    #[cfg(target_os = "linux")]
    pub fn create(&mut self, policy: &SandboxPolicy) -> crate::Result<()> {
        // Create parent dir if needed
        let parent = self.path.parent().unwrap();
        if !parent.exists() {
            std::fs::create_dir_all(parent).map_err(|e| {
                crate::KavachError::ExecFailed(format!(
                    "cgroup parent dir {}: {e}",
                    parent.display()
                ))
            })?;
        }

        std::fs::create_dir_all(&self.path).map_err(|e| {
            crate::KavachError::ExecFailed(format!("cgroup create {}: {e}", self.path.display()))
        })?;
        self.created = true;

        // Write memory limit
        if let Some(mb) = policy.memory_limit_mb {
            let bytes = mb * 1024 * 1024;
            self.write_limit("memory.max", &bytes.to_string())?;
        }

        // Write CPU limit
        if let Some(cpu) = policy.cpu_limit {
            let cpu_max = format_cpu_max(cpu);
            self.write_limit("cpu.max", &cpu_max)?;
        }

        // Write PID limit
        if let Some(pids) = policy.max_pids {
            self.write_limit("pids.max", &pids.to_string())?;
        }

        tracing::debug!(path = %self.path.display(), "cgroup scope created");
        Ok(())
    }

    /// Stub for non-Linux platforms.
    #[cfg(not(target_os = "linux"))]
    pub fn create(&mut self, _policy: &SandboxPolicy) -> crate::Result<()> {
        Ok(())
    }

    /// Add a process to this cgroup scope.
    #[cfg(target_os = "linux")]
    pub fn add_pid(&self, pid: u32) -> crate::Result<()> {
        if !self.created {
            return Ok(());
        }
        self.write_limit("cgroup.procs", &pid.to_string())
    }

    #[cfg(not(target_os = "linux"))]
    pub fn add_pid(&self, _pid: u32) -> crate::Result<()> {
        Ok(())
    }

    /// Read current memory usage in bytes.
    #[cfg(target_os = "linux")]
    pub fn memory_current(&self) -> Option<u64> {
        if !self.created {
            return None;
        }
        std::fs::read_to_string(self.path.join("memory.current"))
            .ok()
            .and_then(|s| s.trim().parse().ok())
    }

    #[cfg(not(target_os = "linux"))]
    pub fn memory_current(&self) -> Option<u64> {
        None
    }

    /// Cleanup: remove the cgroup directory.
    #[cfg(target_os = "linux")]
    pub fn destroy(&self) {
        if !self.created {
            return;
        }
        // Kill any remaining processes
        if let Ok(procs) = std::fs::read_to_string(self.path.join("cgroup.procs")) {
            for line in procs.lines() {
                if let Ok(pid) = line.trim().parse::<i32>() {
                    let _ = nix::sys::signal::kill(
                        nix::unistd::Pid::from_raw(pid),
                        nix::sys::signal::Signal::SIGKILL,
                    );
                }
            }
        }
        let _ = std::fs::remove_dir(&self.path);
        tracing::debug!(path = %self.path.display(), "cgroup scope destroyed");
    }

    #[cfg(not(target_os = "linux"))]
    pub fn destroy(&self) {}

    #[cfg(target_os = "linux")]
    fn write_limit(&self, file: &str, value: &str) -> crate::Result<()> {
        let path = self.path.join(file);
        std::fs::write(&path, value).map_err(|e| {
            crate::KavachError::ExecFailed(format!("cgroup write {}: {e}", path.display()))
        })
    }
}

impl Drop for CgroupScope {
    fn drop(&mut self) {
        self.destroy();
    }
}

/// Format CPU limit as cgroup v2 `cpu.max` value.
/// `cpu_limit` is fractional cores (e.g., 0.5 = 50% of one core).
/// Format: "QUOTA PERIOD" where both are in microseconds.
pub fn format_cpu_max(cpu_limit: f64) -> String {
    let period: u64 = 100_000; // 100ms period
    let quota = (cpu_limit * period as f64) as u64;
    format!("{quota} {period}")
}

/// Apply resource limits via setrlimit as a fallback when cgroups are unavailable.
#[cfg(target_os = "linux")]
pub fn apply_rlimits(policy: &SandboxPolicy) -> crate::Result<()> {
    use nix::sys::resource::{Resource, setrlimit};

    if let Some(mb) = policy.memory_limit_mb {
        let bytes = mb * 1024 * 1024;
        setrlimit(Resource::RLIMIT_AS, bytes, bytes)
            .map_err(|e| crate::KavachError::ExecFailed(format!("setrlimit AS: {e}")))?;
    }

    if let Some(pids) = policy.max_pids {
        setrlimit(Resource::RLIMIT_NPROC, pids as u64, pids as u64)
            .map_err(|e| crate::KavachError::ExecFailed(format!("setrlimit NPROC: {e}")))?;
    }

    Ok(())
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn format_cpu_max_half_core() {
        assert_eq!(format_cpu_max(0.5), "50000 100000");
    }

    #[test]
    fn format_cpu_max_full_core() {
        assert_eq!(format_cpu_max(1.0), "100000 100000");
    }

    #[test]
    fn format_cpu_max_quarter_core() {
        assert_eq!(format_cpu_max(0.25), "25000 100000");
    }

    #[test]
    fn has_limits_none() {
        let policy = SandboxPolicy::minimal();
        assert!(!CgroupScope::has_limits(&policy));
    }

    #[test]
    fn has_limits_memory() {
        let mut policy = SandboxPolicy::minimal();
        policy.memory_limit_mb = Some(512);
        assert!(CgroupScope::has_limits(&policy));
    }

    #[test]
    fn has_limits_strict() {
        let policy = SandboxPolicy::strict();
        assert!(CgroupScope::has_limits(&policy));
    }

    #[test]
    fn scope_path() {
        let scope = CgroupScope::new("test-123");
        assert_eq!(
            scope.path,
            std::path::PathBuf::from("/sys/fs/cgroup/kavach/test-123")
        );
    }
}