
Module security


Functionality for securing workers.

This is needed because workers are used to compile and execute untrusted code (PVFs, parachain validation functions).

We currently employ the following security measures:

  • Restrict the filesystem
    • Use Landlock to remove all unnecessary filesystem access rights.
    • Unshare the user and mount namespaces.
    • Change the root directory to a worker-specific temporary directory.
  • Restrict networking by blocking socket creation and io_uring.
  • Remove environment variables.

Modules§

change_root
Functionality for securing workers by unsharing some namespaces from other processes and changing the root.
clone
Functionality for securing the job processes spawned by the workers using clone. If unsupported, falls back to fork.
landlock
The landlock docs say it best:
seccomp
Functionality for sandboxing workers by restricting their capabilities by blocking certain syscalls with seccomp.

Functions§

check_env_vars_were_cleared
Require env vars to have been removed when spawning the process, to prevent malicious code from accessing them.