Add an option to provide externally configured Command
#15
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
cgwalters
added a commit
to cgwalters/rpm-ostree
that referenced
this pull request
Nov 22, 2021
Depends: containers/containers-image-proxy-rs#15 A core principle I want to maintain going forward is that the host updates is isolated from containerized applications. Today for example the containers/storage stack will do things like access `~/.docker` and worse things like `/var/lib/containers` for caching purposes. By using systemd to spawn a `DynamicUser` for the `skopeo` process, we are guaranteed that the fetcher process runs with very low privileges (no access to application containers) and has no persistent state. Now, it turns out that today this is actually blocked by the Fedora selinux policy: `[ 3589.002130] audit: type=1400 audit(1637602145.194:288): avc: denied { read } for pid=1223 comm="dbus-broker" path="pipe:[14969]" dev="pipefs" ino=14969 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:install_t:s0-s0:c0.c1023 tclass=fifo_file permissive=0` because we're trying to pass a pipe fd across the system bus. It may work to talk to the system private socket directly; would require switching to the raw DBus API instead of having `systemd-run` do it for us. Longer term though, I think what we really want is to teach systemd APIs to support this kind of "unprivileged worker process that is bound to the lifecycle of a larger unit". In particular the above bug with passing a pipe would be fixed if we could have this unit log using the same journal stream as the main daemon.
|
Example user in coreos/rpm-ostree#3239 (Tested with that and... 😢 ... |
jlebon
approved these changes
Nov 23, 2021
This will allow higher level tooling to inject their own sandboxing. I would like to add opinionated usage of e.g. `systemd-run` but this is a useful start.
cgwalters
force-pushed
the
option-cmd-prefix
branch
from
a6c34d1
to
caee793
Compare
cgwalters
added a commit
to cgwalters/rpm-ostree
that referenced
this pull request
Jul 13, 2022
Depends: containers/containers-image-proxy-rs#15 A core principle I want to maintain going forward is that the host updates is isolated from containerized applications. Today for example the containers/storage stack will do things like access `~/.docker` and worse things like `/var/lib/containers` for caching purposes. By using systemd to spawn a `DynamicUser` for the `skopeo` process, we are guaranteed that the fetcher process runs with very low privileges (no access to application containers) and has no persistent state. Now, it turns out that today this is actually blocked by the Fedora selinux policy: `[ 3589.002130] audit: type=1400 audit(1637602145.194:288): avc: denied { read } for pid=1223 comm="dbus-broker" path="pipe:[14969]" dev="pipefs" ino=14969 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:install_t:s0-s0:c0.c1023 tclass=fifo_file permissive=0` because we're trying to pass a pipe fd across the system bus. It may work to talk to the system private socket directly; would require switching to the raw DBus API instead of having `systemd-run` do it for us. Longer term though, I think what we really want is to teach systemd APIs to support this kind of "unprivileged worker process that is bound to the lifecycle of a larger unit". In particular the above bug with passing a pipe would be fixed if we could have this unit log using the same journal stream as the main daemon.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This will allow higher level tooling to inject their own
sandboxing.
I would like to add opinionated usage of e.g.
systemd-runbutthis is a useful start.