polkadot_node_core_pvf_common::worker

Module security


Functionality for securing workers.

This is needed because workers are used to compile and execute untrusted code (PVFs).

We currently employ the following security measures:

  • Restrict filesystem
    • Use Landlock to remove all unnecessary FS access rights.
    • Unshare the user and mount namespaces.
    • Change the root directory to a worker-specific temporary directory.
  • Restrict networking by blocking socket creation and io_uring.
  • Remove env vars

Modules

  • Functionality for securing workers by unsharing some namespaces from other processes and changing the root.
  • Functionality for securing the job processes spawned by the workers using clone. If unsupported, falls back to fork.
  • The landlock docs say it best:
  • Functionality for sandboxing workers by restricting their capabilities by blocking certain syscalls with seccomp.

Functions

  • Require env vars to have been removed when spawning the process, to prevent malicious code from accessing them.