sandlock-cli 0.7.0

CLI for sandlock process sandbox
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146

// Network registry — shared state in /dev/shm for cross-sandbox port discovery.
//
// Each sandbox with a hostname registers its port mappings in a single JSON
// file. `sandlock network` reads this file to display all active sandboxes.

use std::collections::HashMap;
use std::fs;
use std::io::{self, Read, Seek};
use std::path::PathBuf;

use serde::{Deserialize, Serialize};

#[derive(Serialize, Deserialize, Debug)]
pub struct NetworkEntry {
    pub pid: i32,
    pub ports: HashMap<u16, u16>,
    /// Allowed hostnames (from `net_allow_hosts`).
    #[serde(default, skip_serializing_if = "Vec::is_empty")]
    pub allowed_hosts: Vec<String>,
    /// Virtual `/etc/hosts` content injected into the sandbox.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub virtual_etc_hosts: Option<String>,
}

pub type Registry = HashMap<String, NetworkEntry>;

fn registry_dir() -> PathBuf {
    let uid = unsafe { libc::getuid() };
    PathBuf::from(format!("/dev/shm/sandlock-{}", uid))
}

fn registry_path() -> PathBuf {
    registry_dir().join("network.json")
}

/// Open the registry file with an exclusive flock, creating it if needed.
fn open_locked() -> io::Result<fs::File> {
    fs::create_dir_all(registry_dir())?;
    let file = fs::OpenOptions::new()
        .read(true)
        .write(true)
        .create(true)
        .truncate(false)
        .open(registry_path())?;
    // Exclusive lock — blocks until available
    let ret = unsafe { libc::flock(std::os::unix::io::AsRawFd::as_raw_fd(&file), libc::LOCK_EX) };
    if ret != 0 {
        return Err(io::Error::last_os_error());
    }
    Ok(file)
}

fn read_registry(file: &mut fs::File) -> Registry {
    let mut buf = String::new();
    file.read_to_string(&mut buf).ok();
    serde_json::from_str(&buf).unwrap_or_default()
}

fn write_registry(file: &mut fs::File, registry: &Registry) -> io::Result<()> {
    file.set_len(0)?;
    file.seek(std::io::SeekFrom::Start(0))?;
    serde_json::to_writer_pretty(file, registry)?;
    Ok(())
}

/// Register a sandbox's network state. Returns an error if the hostname is
/// already claimed by a live process.
pub fn register(
    hostname: &str,
    pid: i32,
    ports: HashMap<u16, u16>,
    allowed_hosts: Vec<String>,
    virtual_etc_hosts: Option<String>,
) -> io::Result<()> {
    let mut file = open_locked()?;
    let mut reg = read_registry(&mut file);
    // Check for hostname conflict with a live process
    if let Some(existing) = reg.get(hostname) {
        if unsafe { libc::kill(existing.pid, 0) } == 0 {
            return Err(io::Error::new(
                io::ErrorKind::AddrInUse,
                format!("hostname '{}' already claimed by PID {}", hostname, existing.pid),
            ));
        }
    }
    reg.insert(hostname.to_string(), NetworkEntry {
        pid,
        ports,
        allowed_hosts,
        virtual_etc_hosts,
    });
    write_registry(&mut file, &reg)
}

/// Update port mappings for an already-registered hostname.
pub fn update_ports(hostname: &str, ports: HashMap<u16, u16>) -> io::Result<()> {
    let mut file = open_locked()?;
    let mut reg = read_registry(&mut file);
    if let Some(entry) = reg.get_mut(hostname) {
        entry.ports = ports;
        write_registry(&mut file, &reg)?;
    }
    Ok(())
}

/// Remove a sandbox's entry from the registry.
pub fn unregister(hostname: &str) -> io::Result<()> {
    let mut file = open_locked()?;
    let mut reg = read_registry(&mut file);
    reg.remove(hostname);
    write_registry(&mut file, &reg)
}

/// Generate the next available sandbox name (sandbox-1, sandbox-2, ...).
pub fn next_name() -> String {
    let max_n = match open_locked() {
        Ok(mut file) => {
            let reg = read_registry(&mut file);
            reg.keys()
                .filter_map(|k| {
                    k.strip_prefix("sandbox-")
                        .and_then(|s| s.parse::<u64>().ok())
                })
                .max()
                .unwrap_or(0)
        }
        Err(_) => 0,
    };
    format!("sandbox-{}", max_n + 1)
}

/// Read all entries, pruning dead PIDs.
pub fn list() -> io::Result<Registry> {
    let mut file = match open_locked() {
        Ok(f) => f,
        Err(e) if e.kind() == io::ErrorKind::NotFound => return Ok(Registry::new()),
        Err(e) => return Err(e),
    };
    let mut reg = read_registry(&mut file);
    let before = reg.len();
    reg.retain(|_, entry| unsafe { libc::kill(entry.pid, 0) } == 0);
    if reg.len() != before {
        let _ = write_registry(&mut file, &reg);
    }
    Ok(reg)
}