go.mod: experimental integration of gomodjail (library sandbox) #4012
Conversation
AkihiroSuda
force-pushed
the
gomodjail
branch
2 times, most recently
from
3ec186f to
295ee0f
Compare
AkihiroSuda
force-pushed
the
gomodjail
branch
11 times, most recently
from
98c3108 to
8587b52
Compare
|
@AkihiroSuda in the |
Eventually we may have fine-grained policies, but practically just having "confined" and "unconfined" might be enough to avoid complicating it |
AkihiroSuda
force-pushed
the
gomodjail
branch
2 times, most recently
from
347b5c5 to
4d6326d
Compare
This comment was marked as resolved.
This comment was marked as resolved.
AkihiroSuda
force-pushed
the
gomodjail
branch
2 times, most recently
from
cba5a2e to
c4cb682
Compare
AkihiroSuda
force-pushed
the
gomodjail
branch
2 times, most recently
from
cbaa9da to
d849498
Compare
Sure, fixed in |
https://github.com/AkihiroSuda/gomodjail gomodjail imposes syscall restrictions on a specific set of Go modules (excepts ones that use unsafe pointers, reflections, etc.), so as to mitigate their potential vulnerabilities and supply chain attack vectors. Usage: ``` gomodjail run --go-mod=./go.mod -- nerdctl run hello-world ``` or ``` gomodjail pack --go-mod=./go.mod /usr/local/bin/nerdctl ./nerdctl.gomodjail run hello-world ``` Hint: use `git diff --word-diff` for reviewing the changes in this commit Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Also thinking about this: is there a reason we are using (in nerdctl) If there is no serious reason, then we may want to use |
Anyway, |
To clarify: the suggestion was not to change anything for Anyhow, cool to have this. |
|
That got merged fast... I wish we just had a few hours to review after it moved out of draft? |
| @@ -129,6 +130,8 @@ func TestRestartWithTime(t *testing.T) { | |||
| func TestRestartWithSignal(t *testing.T) { | |||
| testCase := nerdtest.Setup() | |||
|
|
|||
| testCase.Require = require.Not(nerdtest.Gomodjail) // FIXME | |||
There was a problem hiding this comment.
Are there details on this, and other similar disabled tests?
There was a problem hiding this comment.
The test now seems to pass on my laptop (aarch64).
Probably it was failing due to a flakiness or something specific to CI.
There was a problem hiding this comment.
Yeah, felt like leftover.
| @@ -721,13 +721,21 @@ func newBase(t *testing.T, ns string, ipv6Compatible bool, kubernetesCompatible | |||
| var err error | |||
| switch base.Target { | |||
| case Nerdctl: | |||
| base.Binary, err = exec.LookPath("nerdctl") | |||
There was a problem hiding this comment.
Curious if there was something preventing us to use the existing mechanism (-test.target=nerdctl.gomodjail) instead of adding this extra layer?
There was a problem hiding this comment.
Thanks, saw you opened a PR
| @@ -101,6 +101,8 @@ type Helpers interface { | |||
| // a Setup or Cleanup routine, and as the basis of any type of helper. | |||
| // For more powerful use-cases outside of test cases, see below CustomizableCommand. | |||
| type TestableCommand interface { | |||
| // Binary returns what binary to execute. | |||
| Binary() string | |||
There was a problem hiding this comment.
I don't think we should have this, at this point.
Unless I am missing something, the existing mechanism (--test.target) was meant to allow customization of the tested binary for use cases like this, without having to resort to augmentation of the TestableCommand interface.
There was a problem hiding this comment.
Plus getTarget would have worked just fine instead of introducing this.
|
More generally, this also ignore the fact that tests do hardcode "nerdctl" when they want to bypass the default command wrapping with These should have been modified too to accommodate for testing a differently named "nerdish-ctl" binary. This ^ in itself is desirable (and needed) for people who want to roll their own cli, but should be done right. |
| if env := os.Getenv("DOCKER"); env != "" { | ||
| docker = env | ||
| } | ||
| base.Binary, err = exec.LookPath(docker) | ||
| if err != nil { | ||
| t.Fatal(err) | ||
| } |
There was a problem hiding this comment.
The same modifications as in nerdtest/command should have been applied here (eg: exec.Command(base.Binary))
Signed-off-by: apostasie <spam_blackhole@farcloser.world>
Signed-off-by: apostasie <spam_blackhole@farcloser.world>
Signed-off-by: apostasie <spam_blackhole@farcloser.world>
Signed-off-by: apostasie <spam_blackhole@farcloser.world>
Signed-off-by: apostasie <spam_blackhole@farcloser.world>
Signed-off-by: apostasie <spam_blackhole@farcloser.world>
Signed-off-by: apostasie <spam_blackhole@farcloser.world>
[FIX]: #4012 follow-ups (fixes and target test binaries)
https://github.com/AkihiroSuda/gomodjail
gomodjail imposes syscall restrictions on a specific set of Go modules (excepts ones that use unsafe pointers, reflections, etc.), so as to mitigate their potential vulnerabilities and supply chain attack vectors.
Usage:
or
Hint: use
git diff --word-difffor reviewing the changes in this commit