
Allow optional firejail containment for nodejs services.

Description

This has been initially tested with mathoid and after we flip
the services one-by-one, the firejail conditional can be dropped,
making firejail the default for all future node services.

The current configuration runs every nodejs service in an isolated
Linux namespace with

  • read-only system directories (like /usr or /lib)
  • private PID space
  • private /tmp (using tmpfs)
  • /root and /home/* blacklisted
  • reduced capabilities: CAP_SYS_MODULE, CAP_SYS_RAWIO, CAP_SYS_BOOT, CAP_SYS_NICE, CAP_SYS_TTY_CONFIG, CAP_SYSLOG, CAP_MKNOD, CAP_SYS_ADMIN
  • filtered syscalls: mount, umount2, ptrace, kexec_load, open_by_handle_at, init_module, finit_module, delete_module, iopl, ioperm, swapon, swapoff, mknod, syslog, process_vm_readv and process_vm_writev, sysfs, _sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init, kcmp

Bug: T101870
Change-Id: I7e9c8d1c3f7d6655bba598938eba885210c9e9d6
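An added example, not part of this Puppet change or of the mathoid service code: a wrapper that applies the containment listed above through firejail's command-line options, keeps it optional the same way the change does, and probes the sandbox from inside. The script name, the service command and the probe paths are assumptions.

```shell
#!/bin/sh
# Added example (not the project's code): firejail wrapper for a nodejs
# service plus an in-sandbox probe. Script name and paths are assumptions.

# Capabilities and syscalls as listed in the description; firejail takes
# capability names in lower case without the CAP_ prefix.
DROP_CAPS="sys_module,sys_rawio,sys_boot,sys_nice,sys_tty_config,syslog,mknod,sys_admin"
FILTER_SYSCALLS="mount,umount2,ptrace,kexec_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,mknod,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp"

# One firejail option per line. A private PID namespace is firejail's default,
# so no option is needed for it; /home instead of /home/* avoids shell globbing.
firejail_args() {
  printf '%s\n' --quiet \
    --read-only=/usr --read-only=/lib \
    --private-tmp \
    --blacklist=/root --blacklist=/home \
    --caps.drop="$DROP_CAPS" \
    --seccomp="$FILTER_SYSCALLS"
}

# Optional containment: use firejail when installed, otherwise run as-is.
run_contained() {
  if command -v firejail >/dev/null 2>&1; then
    set -- $(firejail_args) "$@"
    exec firejail "$@"
  fi
  exec "$@"
}

# Probe meant to run inside the sandbox: each action below must be refused.
sandbox_probe() {
  rc=0
  expect_refused() {
    if sh -c "$2" >/dev/null 2>&1; then echo "FAIL: $1"; rc=1; else echo "ok:   $1"; fi
  }
  expect_refused "system dirs read-only"  'touch /usr/.probe'
  expect_refused "/root hidden"           'ls /root'
  expect_refused "/home hidden"           'ls /home'
  expect_refused "private /tmp (tmpfs)"   '! grep -q " /tmp tmpfs " /proc/mounts'
  expect_refused "private PID namespace"  '[ "$(ls -d /proc/[0-9]* | wc -l)" -gt 20 ]'
  expect_refused "mount syscall filtered" 'mount -t tmpfs none /mnt'
  return $rc
}

case "${1:-}" in
  probe) sandbox_probe ;;
  run)   shift; run_contained "$@" ;;
esac
```

Usage (assumed paths): `sh firejail-node.sh run node /srv/deployment/mathoid/server.js` starts the service contained, and `sh firejail-node.sh run sh firejail-node.sh probe` reports which of the listed properties hold inside the sandbox.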

Details

Author: Muehlenhoff
Parents: rOPUPef118bef3fc4: conftool: update etcd hosts list