open-nomad/client/fingerprint/landlock.go

package fingerprint

import (
	"fmt"

	"github.com/hashicorp/go-hclog"
	"github.com/shoenig/go-landlock"
)

const (
	landlockKey = "kernel.landlock"
)

// LandlockFingerprint is used to fingerprint the kernel landlock feature.
type LandlockFingerprint struct {
	StaticFingerprinter
	logger   hclog.Logger
	detector func() (int, error)
}

func NewLandlockFingerprint(logger hclog.Logger) Fingerprint {
	return &LandlockFingerprint{
		logger:   logger.Named("landlock"),
		detector: landlock.Detect,
	}
}

func (f *LandlockFingerprint) Fingerprint(_ *FingerprintRequest, resp *FingerprintResponse) error {
	version, err := f.detector()
	if err != nil {
		f.logger.Warn("failed to fingerprint kernel landlock feature", "error", err)
		version = 0
	}
	switch version {
	case 0:
		// do not set any attribute
	default:
		v := fmt.Sprintf("v%d", version)
		resp.AddAttribute(landlockKey, v)
	}
	return nil
}
client: sandbox go-getter subprocess with landlock (#15328) * client: sandbox go-getter subprocess with landlock This PR re-implements the getter package for artifact downloads as a subprocess. Key changes include On all platforms, run getter as a child process of the Nomad agent. On Linux platforms running as root, run the child process as the nobody user. On supporting Linux kernels, uses landlock for filesystem isolation (via go-landlock). On all platforms, restrict environment variables of the child process to a static set. notably TMP/TEMP now points within the allocation's task directory kernel.landlock attribute is fingerprinted (version number or unavailable) These changes make Nomad client more resilient against a faulty go-getter implementation that may panic, and more secure against bad actors attempting to use artifact downloads as a privilege escalation vector. Adds new e2e/artifact suite for ensuring artifact downloading works. TODO: Windows git test (need to modify the image, etc... followup PR) * landlock: fixup items from cr * cr: fixup tests and go.mod file 2022-12-07 22:02:25 +00:00			`package fingerprint`

			`import (`
			`"fmt"`

			`"github.com/hashicorp/go-hclog"`
			`"github.com/shoenig/go-landlock"`
			`)`

			`const (`
			`landlockKey = "kernel.landlock"`
			`)`

			`// LandlockFingerprint is used to fingerprint the kernel landlock feature.`
			`type LandlockFingerprint struct {`
			`StaticFingerprinter`
			`logger hclog.Logger`
			`detector func() (int, error)`
			`}`

			`func NewLandlockFingerprint(logger hclog.Logger) Fingerprint {`
			`return &LandlockFingerprint{`
			`logger: logger.Named("landlock"),`
			`detector: landlock.Detect,`
			`}`
			`}`

			`func (f LandlockFingerprint) Fingerprint(_ FingerprintRequest, resp *FingerprintResponse) error {`
			`version, err := f.detector()`
			`if err != nil {`
			`f.logger.Warn("failed to fingerprint kernel landlock feature", "error", err)`
			`version = 0`
			`}`
			`switch version {`
			`case 0:`
			`// do not set any attribute`
			`default:`
			`v := fmt.Sprintf("v%d", version)`
			`resp.AddAttribute(landlockKey, v)`
			`}`
			`return nil`
			`}`