php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #80657 Linux namespace support
Submitted: 2021-01-22 09:39 UTC Modified: -
From: martynas at martynas dot it Assigned:
Status: Open Package: FPM related
PHP Version: Next Minor Version OS: Linux
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: martynas at martynas dot it
New email:
PHP Version: OS:

 

 [2021-01-22 09:39 UTC] martynas at martynas dot it
Description:
------------
Current chroot implementation was okay to use years ago, even if it had its own drawbacks.

Things are changing, and it'd be awesome to have linux mount namespaces for the isolation (and maybe some other namespaces).

https://github.com/containers/bubblewrap is a nice example.

By using mount namespace + pivot_root after (https://linux.die.net/man/8/pivot_root, mntent.h include from glibc) full paths wouldn't change for the applications, as user homedir (for example /home/user), could be still mounted as /home/user in linux namespace).

In addition to this, /etc/passwd could store just the user details needed.

clone() with CLONE_NEWNS would need to be used instead of fork(): https://linux.die.net/man/2/clone

getpid() would need to be replaced with syscall(__NR_getpid) where it's used, because old glibc wrapper for getpid() returns a cached pid invalidated only by fork() calls.

It'd be nice to have it as extensive as https://github.com/containers/bubblewrap/blob/master/demos/bubblewrap-shell.sh example (so that users could specify the environment needed), but a basic implementation would still be way better to have than the current chroot option.


Patches

Pull Requests

 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 15:01:29 2024 UTC