php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #80657 Linux namespace support
Submitted: 2021-01-22 09:39 UTC Modified: -
From: martynas at martynas dot it Assigned:
Status: Open Package: FPM related
PHP Version: Next Minor Version OS: Linux
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: martynas at martynas dot it
New email:
PHP Version: OS:

 

 [2021-01-22 09:39 UTC] martynas at martynas dot it
Description:
------------
Current chroot implementation was okay to use years ago, even if it had its own drawbacks.

Things are changing, and it'd be awesome to have linux mount namespaces for the isolation (and maybe some other namespaces).

https://github.com/containers/bubblewrap is a nice example.

By using mount namespace + pivot_root after (https://linux.die.net/man/8/pivot_root, mntent.h include from glibc) full paths wouldn't change for the applications, as user homedir (for example /home/user), could be still mounted as /home/user in linux namespace).

In addition to this, /etc/passwd could store just the user details needed.

clone() with CLONE_NEWNS would need to be used instead of fork(): https://linux.die.net/man/2/clone

getpid() would need to be replaced with syscall(__NR_getpid) where it's used, because old glibc wrapper for getpid() returns a cached pid invalidated only by fork() calls.

It'd be nice to have it as extensive as https://github.com/containers/bubblewrap/blob/master/demos/bubblewrap-shell.sh example (so that users could specify the environment needed), but a basic implementation would still be way better to have than the current chroot option.


Patches

Add a Patch

Pull Requests

Add a Pull Request

 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Fri Jul 23 17:01:23 2021 UTC