
Sandbox/limit child processes within a container runtime
Open, Medium, Public

Description

We have various cases where we want an application to check/parse/transform some form of untrusted binary input (be it an image, a video, a postscript/pdf, etc), and we just execute another binary to handle the actual transformation.

We want the application secrets not to be easily accessible from said binary, and traditionally limit execution with a combination of firejail profiles and (from MediaWiki) limit.sh.

It appears that firejail doesn't work well out of the box within docker (see https://github.com/netblue30/firejail/issues/2579), and limit.sh seems to rely on the ability to modify the global cgroup hierarchy, which I doubt works within any container runtime.

We need to find alternatives or this will block at least moving thumbor and MediaWiki to k8s.
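One per-process alternative that needs neither firejail nor a writable cgroup hierarchy is to apply rlimits in the child between fork() and exec() and to allow-list the child's environment so the application's secrets are never inherited. The following is an added example written for this task, not code from MediaWiki, thumbor or limit.sh; it assumes Linux (the `resource` module is Unix-only) and Python 3, and the names `run_sandboxed`, `SandboxResult` and the three `*_check` helpers are mine. It bounds CPU time, address space, file size and process count and scrubs the environment; it does not provide namespace or syscall isolation, so it is a floor, not a replacement for a real sandbox.

```python
import os
import resource
import subprocess
import sys
from dataclasses import dataclass


@dataclass
class SandboxResult:
    returncode: int  # negative = killed by that signal number; None = wall-clock timeout
    stdout: bytes
    stderr: bytes
    timed_out: bool


def _lower(res, value):
    # Unprivileged processes can lower hard limits but never raise them, so clamp
    # to the inherited hard limit; soft == hard means the child cannot raise it back.
    _soft, hard = resource.getrlimit(res)
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)
    resource.setrlimit(res, (value, value))


def _preexec(cpu_seconds, mem_bytes, file_bytes, max_procs):
    # Runs in the forked child right before exec(); preexec_fn is not thread-safe,
    # so call run_sandboxed() from a single thread.
    def apply():
        _lower(resource.RLIMIT_CPU, cpu_seconds)    # SIGXCPU/SIGKILL on CPU overuse
        _lower(resource.RLIMIT_AS, mem_bytes)       # mmap()/brk() fail past this size
        _lower(resource.RLIMIT_FSIZE, file_bytes)   # caps any file the converter writes
        _lower(resource.RLIMIT_CORE, 0)             # no core dumps of untrusted input
        # RLIMIT_NPROC counts every process of the uid (and is ignored for root):
        # choose a value above the container's normal load but low enough to
        # stop a fork bomb.
        _lower(resource.RLIMIT_NPROC, max_procs)
    return apply


def run_sandboxed(argv, input_bytes=b"", *, cpu_seconds=10, mem_bytes=512 * 1024 ** 2,
                  file_bytes=64 * 1024 ** 2, max_procs=256, wall_seconds=30):
    """Run argv on untrusted input with per-process limits and a scrubbed environment."""
    # Allow-list the environment instead of inheriting os.environ: any secret the
    # application holds in its environment never reaches the child.
    env = {"PATH": "/usr/bin:/bin", "LANG": "C.UTF-8"}
    try:
        p = subprocess.run(
            argv,
            input=input_bytes,
            env=env,
            capture_output=True,
            close_fds=True,            # no inherited sockets or secret-bearing fds
            start_new_session=True,    # child cannot signal the parent's process group
            preexec_fn=_preexec(cpu_seconds, mem_bytes, file_bytes, max_procs),
            timeout=wall_seconds,      # wall-clock backstop: RLIMIT_CPU ignores sleeping
        )
    except subprocess.TimeoutExpired as e:
        return SandboxResult(None, e.stdout or b"", e.stderr or b"", True)
    return SandboxResult(p.returncode, p.stdout, p.stderr, False)


# Constructed checks: each runs a small Python one-liner as the "converter".

def secret_leak_check():
    """What the child sees for SECRET_TOKEN after the parent has set it."""
    os.environ["SECRET_TOKEN"] = "constructed-parent-secret"
    r = run_sandboxed([sys.executable, "-c",
                       "import os; print(os.environ.get('SECRET_TOKEN', '<unset>'))"])
    return r.stdout.decode().strip()


def memory_bomb_check():
    """Exit status of a child that tries to allocate 2 GiB under a 512 MiB limit."""
    r = run_sandboxed([sys.executable, "-c", "x = bytearray(2 * 1024 ** 3)"],
                      mem_bytes=512 * 1024 ** 2)
    return r.returncode


def cpu_spin_check():
    """(returncode, timed_out) of a busy loop under a 1 s CPU limit."""
    r = run_sandboxed([sys.executable, "-c", "while True: pass"],
                      cpu_seconds=1, wall_seconds=20)
    return r.returncode, r.timed_out


if __name__ == "__main__":
    print("child sees SECRET_TOKEN as:", secret_leak_check())
    print("memory bomb exit status:", memory_bomb_check())
    print("cpu spin (returncode, timed_out):", cpu_spin_check())
```

Because rlimits are inherited across exec() and enforced by the kernel per process, this works as an unprivileged user inside any OCI container; what it cannot do is hide the filesystem or network from the converter, which is the part of firejail's job that still needs a namespace-based solution.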

Related Objects

Status     Assigned
Open       None
Open       tstarling
Resolved   jeena
Resolved   jeena
Resolved   Legoktm
Resolved   Legoktm
Resolved   hashar
Resolved   dduvall
Resolved   Legoktm
Open       None
Resolved   BPirkle
Open       None
Open       None
Resolved   tstarling
Open       tstarling
Open       None
Resolved   Daimona
Resolved   Legoktm
Open       None
Resolved   Joe
Resolved   Legoktm
Open       None
Resolved   Joe
Resolved   Joe
Resolved   JMeybohm
Resolved   JMeybohm
Resolved   JMeybohm
Resolved   elukey
Resolved   JMeybohm
Resolved   JMeybohm
Resolved   JMeybohm
Declined   None
Open       JMeybohm
Open       JMeybohm
Resolved   JMeybohm