php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #80657 Linux namespace support
Submitted: 2021-01-22 09:39 UTC Modified: -
From: martynas at martynas dot it Assigned:
Status: Open Package: FPM related
PHP Version: Next Minor Version OS: Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please — but make sure to vote on the bug!
Your email address:
MUST BE VALID
Solve the problem:
30 - 11 = ?
Subscribe to this entry?

 
 [2021-01-22 09:39 UTC] martynas at martynas dot it
Description:
------------
Current chroot implementation was okay to use years ago, even if it had its own drawbacks.

Things are changing, and it'd be awesome to have linux mount namespaces for the isolation (and maybe some other namespaces).

https://github.com/containers/bubblewrap is a nice example.

By using mount namespace + pivot_root after (https://linux.die.net/man/8/pivot_root, mntent.h include from glibc) full paths wouldn't change for the applications, as user homedir (for example /home/user), could be still mounted as /home/user in linux namespace).

In addition to this, /etc/passwd could store just the user details needed.

clone() with CLONE_NEWNS would need to be used instead of fork(): https://linux.die.net/man/2/clone

getpid() would need to be replaced with syscall(__NR_getpid) where it's used, because old glibc wrapper for getpid() returns a cached pid invalidated only by fork() calls.

It'd be nice to have it as extensive as https://github.com/containers/bubblewrap/blob/master/demos/bubblewrap-shell.sh example (so that users could specify the environment needed), but a basic implementation would still be way better to have than the current chroot option.


Patches

Add a Patch

Pull Requests

Add a Pull Request

 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Sat Jun 12 11:01:23 2021 UTC