1nwf / zcrun Goto Github PK

Hey, great work with zcrun!

Any chance you'd be willing to put this under an open source license?

Which of the following properties are planned?

• 1. option for full cleanup/reset after process/container being run with/without errors (stateless)
• 2. all namespaces specified by clone (network, pid, mount, and uts given, missing are IPC and user)
• 3. sane ziggified clone3 interface and/or stack routines (upstream Zig still uses clone2)
• 4. ziggigied clone3 for race free signaling
• 5. build/run API for all the filepath things, which now search hardcoded system paths
• 6. scope of rtnetlink with address, link, route is quite abit unclear and rtnetlink/ has no rtnetlink.zig (I guess network filters are not protocol aware besides "what kind of sys connection is it", but this looks like awefully lot configuration options)
• 7. syscall or Kernel object access filtering (seccomp, seccomp-bpf, landlock)
• 8. checking most relevant Kernel configs (https://en.wikipedia.org/wiki/Kernel_same-page_merging being the most obvious one)

Use case 1 is for testing and quality, 2 for completeness, 3 for long-living supervision processes (and testing 1) and efficiency, 4 for sane process control instead of the racy posix mess, 5+6 for reusability, 7 the fancy dancy stuff, 8 nice to have.

Very novice to sandboxing code, but I believe "must create a child process to enter the new PID namespace" is wrong, see "man 3 unshare": "unshare() allows a process (or thread) to disassociate parts of its execution context that are currently being shared with other processes (or threads)." Afaiu, only exec* must be used to start a new execution context, which is also what the example code shows.