open-nomad/client/allocrunner/taskrunner/getter/util_linux.go

//go:build linux

package getter

import (
	"path/filepath"
	"syscall"

	"github.com/hashicorp/nomad/helper/users"
	"github.com/shoenig/go-landlock"
)

var (
	// userUID is the current user's uid
	userUID uint32

	// userGID is the current user's gid
	userGID uint32
)

func init() {
	userUID = uint32(syscall.Getuid())
	userGID = uint32(syscall.Getgid())
}

// attributes returns the system process attributes to run
// the sandbox process with
func attributes() *syscall.SysProcAttr {
	uid, gid := credentials()
	return &syscall.SysProcAttr{
		Credential: &syscall.Credential{
			Uid: uid,
			Gid: gid,
		},
	}
}

// credentials returns the UID and GID of the user the child process
// will run as. On Linux systems this will be the nobody user if Nomad
// is being run as the root user, or the user Nomad is being run as
// otherwise.
func credentials() (uint32, uint32) {
	switch userUID {
	case 0:
		return users.NobodyIDs()
	default:
		return userUID, userGID
	}
}

// defaultEnvironment is the default minimal environment variables for Linux.
func defaultEnvironment(taskDir string) map[string]string {
	tmpDir := filepath.Join(taskDir, "tmp")
	return map[string]string{
		"PATH":   "/usr/local/bin:/usr/bin:/bin",
		"TMPDIR": tmpDir,
	}
}

// lockdown isolates this process to only be able to write and
// create files in the task's task directory.
// dir - the task directory
//
// Only applies to Linux, when available.
func lockdown(allocDir, taskDir string) error {
	// landlock not present in the kernel, do not sandbox
	if !landlock.Available() {
		return nil
	}
	paths := []*landlock.Path{
		landlock.DNS(),
		landlock.Certs(),
		landlock.Shared(),
		landlock.Dir("/bin", "rx"),
		landlock.Dir("/usr/bin", "rx"),
		landlock.Dir("/usr/local/bin", "rx"),
		landlock.Dir(allocDir, "rwc"),
		landlock.Dir(taskDir, "rwc"),
	}
	locker := landlock.New(paths...)
	return locker.Lock(landlock.Mandatory)
}
client: sandbox go-getter subprocess with landlock (#15328) * client: sandbox go-getter subprocess with landlock This PR re-implements the getter package for artifact downloads as a subprocess. Key changes include On all platforms, run getter as a child process of the Nomad agent. On Linux platforms running as root, run the child process as the nobody user. On supporting Linux kernels, uses landlock for filesystem isolation (via go-landlock). On all platforms, restrict environment variables of the child process to a static set. notably TMP/TEMP now points within the allocation's task directory kernel.landlock attribute is fingerprinted (version number or unavailable) These changes make Nomad client more resilient against a faulty go-getter implementation that may panic, and more secure against bad actors attempting to use artifact downloads as a privilege escalation vector. Adds new e2e/artifact suite for ensuring artifact downloading works. TODO: Windows git test (need to modify the image, etc... followup PR) * landlock: fixup items from cr * cr: fixup tests and go.mod file 2022-12-07 22:02:25 +00:00			`//go:build linux`

			`package getter`

			`import (`
			`"path/filepath"`
			`"syscall"`

			`"github.com/hashicorp/nomad/helper/users"`
			`"github.com/shoenig/go-landlock"`
			`)`

			`var (`
			`// userUID is the current user's uid`
			`userUID uint32`

			`// userGID is the current user's gid`
			`userGID uint32`
			`)`

			`func init() {`
			`userUID = uint32(syscall.Getuid())`
			`userGID = uint32(syscall.Getgid())`
			`}`

			`// attributes returns the system process attributes to run`
			`// the sandbox process with`
			`func attributes() *syscall.SysProcAttr {`
			`uid, gid := credentials()`
			`return &syscall.SysProcAttr{`
			`Credential: &syscall.Credential{`
			`Uid: uid,`
			`Gid: gid,`
			`},`
			`}`
			`}`

			`// credentials returns the UID and GID of the user the child process`
			`// will run as. On Linux systems this will be the nobody user if Nomad`
			`// is being run as the root user, or the user Nomad is being run as`
			`// otherwise.`
			`func credentials() (uint32, uint32) {`
			`switch userUID {`
			`case 0:`
			`return users.NobodyIDs()`
			`default:`
			`return userUID, userGID`
			`}`
			`}`

artifact: enable inheriting environment variables from client (#15514) * artifact: enable inheriting environment variables from client This PR adds client configuration for specifying environment variables that should be inherited by the artifact sandbox process from the Nomad Client agent. Most users should not need to set these values but the configuration is provided to ensure backwards compatability. Configuration of go-getter should ideally be done through the artifact block in a jobspec task. e.g. ```hcl client { artifact { set_environment_variables = "TMPDIR,GIT_SSH_OPTS" } } ``` Closes #15498 * website: update set_environment_variables text to mention PATH 2022-12-09 21:46:07 +00:00			`// defaultEnvironment is the default minimal environment variables for Linux.`
			`func defaultEnvironment(taskDir string) map[string]string {`
client: sandbox go-getter subprocess with landlock (#15328) * client: sandbox go-getter subprocess with landlock This PR re-implements the getter package for artifact downloads as a subprocess. Key changes include On all platforms, run getter as a child process of the Nomad agent. On Linux platforms running as root, run the child process as the nobody user. On supporting Linux kernels, uses landlock for filesystem isolation (via go-landlock). On all platforms, restrict environment variables of the child process to a static set. notably TMP/TEMP now points within the allocation's task directory kernel.landlock attribute is fingerprinted (version number or unavailable) These changes make Nomad client more resilient against a faulty go-getter implementation that may panic, and more secure against bad actors attempting to use artifact downloads as a privilege escalation vector. Adds new e2e/artifact suite for ensuring artifact downloading works. TODO: Windows git test (need to modify the image, etc... followup PR) * landlock: fixup items from cr * cr: fixup tests and go.mod file 2022-12-07 22:02:25 +00:00			`tmpDir := filepath.Join(taskDir, "tmp")`
artifact: enable inheriting environment variables from client (#15514) * artifact: enable inheriting environment variables from client This PR adds client configuration for specifying environment variables that should be inherited by the artifact sandbox process from the Nomad Client agent. Most users should not need to set these values but the configuration is provided to ensure backwards compatability. Configuration of go-getter should ideally be done through the artifact block in a jobspec task. e.g. ```hcl client { artifact { set_environment_variables = "TMPDIR,GIT_SSH_OPTS" } } ``` Closes #15498 * website: update set_environment_variables text to mention PATH 2022-12-09 21:46:07 +00:00			`return map[string]string{`
			`"PATH": "/usr/local/bin:/usr/bin:/bin",`
			`"TMPDIR": tmpDir,`
client: sandbox go-getter subprocess with landlock (#15328) * client: sandbox go-getter subprocess with landlock This PR re-implements the getter package for artifact downloads as a subprocess. Key changes include On all platforms, run getter as a child process of the Nomad agent. On Linux platforms running as root, run the child process as the nobody user. On supporting Linux kernels, uses landlock for filesystem isolation (via go-landlock). On all platforms, restrict environment variables of the child process to a static set. notably TMP/TEMP now points within the allocation's task directory kernel.landlock attribute is fingerprinted (version number or unavailable) These changes make Nomad client more resilient against a faulty go-getter implementation that may panic, and more secure against bad actors attempting to use artifact downloads as a privilege escalation vector. Adds new e2e/artifact suite for ensuring artifact downloading works. TODO: Windows git test (need to modify the image, etc... followup PR) * landlock: fixup items from cr * cr: fixup tests and go.mod file 2022-12-07 22:02:25 +00:00			`}`
			`}`

			`// lockdown isolates this process to only be able to write and`
			`// create files in the task's task directory.`
			`// dir - the task directory`
			`//`
			`// Only applies to Linux, when available.`
artifact: fix sandbox behavior when destination is shared alloc directory (#15712) This PR fixes the artifact sandbox (new in Nomad 1.5) to allow downloading artifacts into the shared 'alloc' directory made available to each task in a common allocation. Previously we assumed the 'alloc' dir would be mounted under the 'task' dir, but this is only the case in fs isolation: chroot; in other modes the alloc dir is elsewhere. 2023-01-09 15:46:32 +00:00			`func lockdown(allocDir, taskDir string) error {`
client: sandbox go-getter subprocess with landlock (#15328) * client: sandbox go-getter subprocess with landlock This PR re-implements the getter package for artifact downloads as a subprocess. Key changes include On all platforms, run getter as a child process of the Nomad agent. On Linux platforms running as root, run the child process as the nobody user. On supporting Linux kernels, uses landlock for filesystem isolation (via go-landlock). On all platforms, restrict environment variables of the child process to a static set. notably TMP/TEMP now points within the allocation's task directory kernel.landlock attribute is fingerprinted (version number or unavailable) These changes make Nomad client more resilient against a faulty go-getter implementation that may panic, and more secure against bad actors attempting to use artifact downloads as a privilege escalation vector. Adds new e2e/artifact suite for ensuring artifact downloading works. TODO: Windows git test (need to modify the image, etc... followup PR) * landlock: fixup items from cr * cr: fixup tests and go.mod file 2022-12-07 22:02:25 +00:00			`// landlock not present in the kernel, do not sandbox`
			`if !landlock.Available() {`
			`return nil`
			`}`
			`paths := []*landlock.Path{`
			`landlock.DNS(),`
			`landlock.Certs(),`
			`landlock.Shared(),`
			`landlock.Dir("/bin", "rx"),`
			`landlock.Dir("/usr/bin", "rx"),`
			`landlock.Dir("/usr/local/bin", "rx"),`
artifact: fix sandbox behavior when destination is shared alloc directory (#15712) This PR fixes the artifact sandbox (new in Nomad 1.5) to allow downloading artifacts into the shared 'alloc' directory made available to each task in a common allocation. Previously we assumed the 'alloc' dir would be mounted under the 'task' dir, but this is only the case in fs isolation: chroot; in other modes the alloc dir is elsewhere. 2023-01-09 15:46:32 +00:00			`landlock.Dir(allocDir, "rwc"),`
			`landlock.Dir(taskDir, "rwc"),`
client: sandbox go-getter subprocess with landlock (#15328) * client: sandbox go-getter subprocess with landlock This PR re-implements the getter package for artifact downloads as a subprocess. Key changes include On all platforms, run getter as a child process of the Nomad agent. On Linux platforms running as root, run the child process as the nobody user. On supporting Linux kernels, uses landlock for filesystem isolation (via go-landlock). On all platforms, restrict environment variables of the child process to a static set. notably TMP/TEMP now points within the allocation's task directory kernel.landlock attribute is fingerprinted (version number or unavailable) These changes make Nomad client more resilient against a faulty go-getter implementation that may panic, and more secure against bad actors attempting to use artifact downloads as a privilege escalation vector. Adds new e2e/artifact suite for ensuring artifact downloading works. TODO: Windows git test (need to modify the image, etc... followup PR) * landlock: fixup items from cr * cr: fixup tests and go.mod file 2022-12-07 22:02:25 +00:00			`}`
			`locker := landlock.New(paths...)`
			`return locker.Lock(landlock.Mandatory)`
			`}`