monadical/greywall
Archived
13
0
Fork 0
Code Issues Pull Requests 1 Actions 2 Packages Projects Releases Wiki Activity
This repository has been archived on 2026-03-13. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
b55b3364af2be4c8a1f24ba27d772e90a6db00eb
greywall/internal/sandbox/linux_features.go
Mathieu Virbel b55b3364af
Some checks failed
Build and test / Build (push) Successful in 11s
Details
Build and test / Lint (push) Failing after 1m24s
Details
Build and test / Test (Linux) (push) Failing after 40s
Details
Build and test / Test (macOS) (push) Has been cancelled
Details
feat: add dependency status to --version and document AppArmor userns fix 
Show installed dependencies, security features, and transparent proxy
availability when running --version. Detect AppArmor
unprivileged_userns restriction on Ubuntu 24.04+ and suggest the fix.
Document the RTM_NEWADDR issue in experience.md.
2026-02-11 19:31:24 -06:00

428 lines
11 KiB
Go
Raw Blame History

//go:build linux
package sandbox
import (
"fmt"
"os"
"os/exec"
"strconv"
"strings"
"sync"
"unsafe"
"golang.org/x/sys/unix"
)
// LinuxFeatures describes available Linux sandboxing features.
type LinuxFeatures struct {
// Core dependencies
HasBwrap bool
HasSocat bool
// Kernel features
HasSeccomp bool
SeccompLogLevel int // 0=none, 1=LOG, 2=USER_NOTIF
HasLandlock bool
LandlockABI int // 0=none, 1-4 = ABI version
// eBPF capabilities (requires CAP_BPF or root)
HasEBPF bool
HasCapBPF bool
HasCapRoot bool
// Network namespace capability
// This can be false in containerized environments (Docker, CI) without CAP_NET_ADMIN
CanUnshareNet bool
// Transparent proxy support
HasIpCommand bool // ip (iproute2) available
HasDevNetTun bool // /dev/net/tun exists
HasTun2Socks bool // tun2socks embedded binary available
// Kernel version
KernelMajor int
KernelMinor int
}
var (
detectedFeatures *LinuxFeatures
detectOnce sync.Once
)
// DetectLinuxFeatures checks what sandboxing features are available.
// Results are cached for subsequent calls.
func DetectLinuxFeatures() *LinuxFeatures {
detectOnce.Do(func() {
detectedFeatures = &LinuxFeatures{}
detectedFeatures.detect()
})
return detectedFeatures
}
func (f *LinuxFeatures) detect() {
// Check for bwrap and socat
f.HasBwrap = commandExists("bwrap")
f.HasSocat = commandExists("socat")
// Parse kernel version
f.parseKernelVersion()
// Check seccomp support
f.detectSeccomp()
// Check Landlock support
f.detectLandlock()
// Check eBPF capabilities
f.detectEBPF()
// Check if we can create network namespaces
f.detectNetworkNamespace()
// Check transparent proxy support
f.HasIpCommand = commandExists("ip")
_, err := os.Stat("/dev/net/tun")
f.HasDevNetTun = err == nil
f.HasTun2Socks = true // embedded binary, always available
}
func (f *LinuxFeatures) parseKernelVersion() {
var uname unix.Utsname
if err := unix.Uname(&uname); err != nil {
return
}
release := unix.ByteSliceToString(uname.Release[:])
parts := strings.Split(release, ".")
if len(parts) >= 2 {
f.KernelMajor, _ = strconv.Atoi(parts[0])
// Handle versions like "6.2.0-39-generic"
minorStr := strings.Split(parts[1], "-")[0]
f.KernelMinor, _ = strconv.Atoi(minorStr)
}
}
func (f *LinuxFeatures) detectSeccomp() {
// Check if seccomp is supported via prctl
// PR_GET_SECCOMP returns 0 if seccomp is disabled, 1/2 if enabled, -1 on error
_, _, err := unix.Syscall(unix.SYS_PRCTL, unix.PR_GET_SECCOMP, 0, 0)
if err == 0 || err == unix.EINVAL {
// EINVAL means seccomp is supported but not enabled for this process
f.HasSeccomp = true
}
// SECCOMP_RET_LOG available since kernel 4.14
if f.KernelMajor > 4 || (f.KernelMajor == 4 && f.KernelMinor >= 14) {
f.SeccompLogLevel = 1
}
// SECCOMP_RET_USER_NOTIF available since kernel 5.0
if f.KernelMajor >= 5 {
f.SeccompLogLevel = 2
}
}
func (f *LinuxFeatures) detectLandlock() {
// Landlock available since kernel 5.13
if f.KernelMajor < 5 || (f.KernelMajor == 5 && f.KernelMinor < 13) {
return
}
// Try to query the Landlock ABI version using Landlock syscall
// landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_VERSION)
// Returns the highest supported ABI version on success
ret, _, err := unix.Syscall(
unix.SYS_LANDLOCK_CREATE_RULESET,
0, // NULL attr to query ABI version
0, // size = 0
uintptr(LANDLOCK_CREATE_RULESET_VERSION),
)
// Check if syscall succeeded (errno == 0)
// ret contains the ABI version number (1, 2, 3, 4, etc.)
if err == 0 {
f.HasLandlock = true
f.LandlockABI = int(ret)
return
}
// Fallback: try creating an actual ruleset (for older detection methods)
attr := landlockRulesetAttr{
handledAccessFS: LANDLOCK_ACCESS_FS_READ_FILE,
}
ret, _, err = unix.Syscall(
unix.SYS_LANDLOCK_CREATE_RULESET,
uintptr(unsafe.Pointer(&attr)), //nolint:gosec // required for syscall
unsafe.Sizeof(attr),
0,
)
if err == 0 {
f.HasLandlock = true
f.LandlockABI = 1 // Minimum supported version
_ = unix.Close(int(ret))
}
}
func (f *LinuxFeatures) detectEBPF() {
// Check if we have CAP_BPF or CAP_SYS_ADMIN (root)
f.HasCapRoot = os.Geteuid() == 0
// Try to check CAP_BPF capability
if f.HasCapRoot {
f.HasCapBPF = true
f.HasEBPF = true
return
}
// Check if user has CAP_BPF via /proc/self/status
data, err := os.ReadFile("/proc/self/status")
if err != nil {
return
}
for _, line := range strings.Split(string(data), "\n") {
if strings.HasPrefix(line, "CapEff:") {
// Parse effective capabilities
fields := strings.Fields(line)
if len(fields) >= 2 {
caps, err := strconv.ParseUint(fields[1], 16, 64)
if err == nil {
// CAP_BPF is bit 39
const CAP_BPF = 39
if caps&(1<<CAP_BPF) != 0 {
f.HasCapBPF = true
f.HasEBPF = true
}
}
}
break
}
}
}
// detectNetworkNamespace probes whether bwrap --unshare-net works.
// This can fail in containerized environments (Docker, GitHub Actions, etc.)
// that don't have CAP_NET_ADMIN capability needed to set up the loopback interface.
func (f *LinuxFeatures) detectNetworkNamespace() {
if !f.HasBwrap {
return
}
// Run a minimal bwrap command with --unshare-net to test if it works
// We use a very short timeout since this should either succeed or fail immediately
// The bind mount is required in some environments
cmd := exec.Command("bwrap", "--unshare-net", "--ro-bind", "/", "/", "--", "/bin/true")
err := cmd.Run()
f.CanUnshareNet = err == nil
}
// Summary returns a human-readable summary of available features.
func (f *LinuxFeatures) Summary() string {
var parts []string
parts = append(parts, fmt.Sprintf("kernel %d.%d", f.KernelMajor, f.KernelMinor))
if f.HasBwrap {
if f.CanUnshareNet {
parts = append(parts, "bwrap")
} else {
parts = append(parts, "bwrap(no-netns)")
}
}
if f.HasSeccomp {
switch f.SeccompLogLevel {
case 2:
parts = append(parts, "seccomp+usernotif")
case 1:
parts = append(parts, "seccomp+log")
default:
parts = append(parts, "seccomp")
}
}
if f.HasLandlock {
parts = append(parts, fmt.Sprintf("landlock-v%d", f.LandlockABI))
}
if f.HasEBPF {
if f.HasCapRoot {
parts = append(parts, "ebpf(root)")
} else {
parts = append(parts, "ebpf(CAP_BPF)")
}
}
return strings.Join(parts, ", ")
}
// CanMonitorViolations returns true if we can monitor sandbox violations.
func (f *LinuxFeatures) CanMonitorViolations() bool {
// seccomp LOG requires kernel 4.14+
// eBPF monitoring requires CAP_BPF or root
return f.SeccompLogLevel >= 1 || f.HasEBPF
}
// CanUseLandlock returns true if Landlock is available.
func (f *LinuxFeatures) CanUseLandlock() bool {
return f.HasLandlock && f.LandlockABI >= 1
}
// CanUseTransparentProxy returns true if transparent proxying via tun2socks is possible.
func (f *LinuxFeatures) CanUseTransparentProxy() bool {
return f.HasIpCommand && f.HasDevNetTun && f.CanUnshareNet
}
// MinimumViable returns true if the minimum required features are available.
func (f *LinuxFeatures) MinimumViable() bool {
return f.HasBwrap && f.HasSocat
}
// PrintDependencyStatus prints dependency status with install suggestions for Linux.
func PrintDependencyStatus() {
features := DetectLinuxFeatures()
fmt.Printf("\n Platform: linux (kernel %d.%d)\n", features.KernelMajor, features.KernelMinor)
fmt.Printf("\n Dependencies (required):\n")
allGood := true
if features.HasBwrap {
fmt.Printf(" ✓ bubblewrap (bwrap)\n")
} else {
fmt.Printf(" ✗ bubblewrap (bwrap) — REQUIRED\n")
allGood = false
}
if features.HasSocat {
fmt.Printf(" ✓ socat\n")
} else {
fmt.Printf(" ✗ socat — REQUIRED\n")
allGood = false
}
if !allGood {
fmt.Printf("\n Install missing dependencies:\n")
fmt.Printf(" %s\n", suggestInstallCmd(features))
}
fmt.Printf("\n Security features: %s\n", features.Summary())
if features.CanUseTransparentProxy() {
fmt.Printf(" Transparent proxy: available\n")
} else {
parts := []string{}
if !features.HasIpCommand {
parts = append(parts, "iproute2")
}
if !features.HasDevNetTun {
parts = append(parts, "/dev/net/tun")
}
if !features.CanUnshareNet {
parts = append(parts, "network namespace")
}
if len(parts) > 0 {
fmt.Printf(" Transparent proxy: unavailable (missing: %s)\n", strings.Join(parts, ", "))
} else {
fmt.Printf(" Transparent proxy: unavailable\n")
}
if !features.CanUnshareNet && features.HasBwrap {
if val := readSysctl("kernel/apparmor_restrict_unprivileged_userns"); val == "1" {
fmt.Printf("\n Note: AppArmor is restricting unprivileged user namespaces.\n")
fmt.Printf(" This prevents bwrap --unshare-net (needed for transparent proxy).\n")
fmt.Printf(" To fix: sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0\n")
fmt.Printf(" Persist: echo 'kernel.apparmor_restrict_unprivileged_userns=0' | sudo tee /etc/sysctl.d/99-greywall-userns.conf\n")
}
}
}
if allGood {
fmt.Printf("\n Status: ready\n")
} else {
fmt.Printf("\n Status: missing required dependencies\n")
}
}
func suggestInstallCmd(features *LinuxFeatures) string {
var missing []string
if !features.HasBwrap {
missing = append(missing, "bubblewrap")
}
if !features.HasSocat {
missing = append(missing, "socat")
}
pkgs := strings.Join(missing, " ")
switch {
case commandExists("apt-get"):
return fmt.Sprintf("sudo apt install %s", pkgs)
case commandExists("dnf"):
return fmt.Sprintf("sudo dnf install %s", pkgs)
case commandExists("yum"):
return fmt.Sprintf("sudo yum install %s", pkgs)
case commandExists("pacman"):
return fmt.Sprintf("sudo pacman -S %s", pkgs)
case commandExists("apk"):
return fmt.Sprintf("sudo apk add %s", pkgs)
case commandExists("zypper"):
return fmt.Sprintf("sudo zypper install %s", pkgs)
default:
return fmt.Sprintf("install %s using your package manager", pkgs)
}
}
func readSysctl(name string) string {
data, err := os.ReadFile("/proc/sys/" + name)
if err != nil {
return ""
}
return strings.TrimSpace(string(data))
}
func commandExists(name string) bool {
_, err := exec.LookPath(name)
return err == nil
}
// Landlock constants
const (
LANDLOCK_CREATE_RULESET_VERSION = 1 << 0
// Filesystem access rights (ABI v1+)
LANDLOCK_ACCESS_FS_EXECUTE = 1 << 0
LANDLOCK_ACCESS_FS_WRITE_FILE = 1 << 1
LANDLOCK_ACCESS_FS_READ_FILE = 1 << 2
LANDLOCK_ACCESS_FS_READ_DIR = 1 << 3
LANDLOCK_ACCESS_FS_REMOVE_DIR = 1 << 4
LANDLOCK_ACCESS_FS_REMOVE_FILE = 1 << 5
LANDLOCK_ACCESS_FS_MAKE_CHAR = 1 << 6
LANDLOCK_ACCESS_FS_MAKE_DIR = 1 << 7
LANDLOCK_ACCESS_FS_MAKE_REG = 1 << 8
LANDLOCK_ACCESS_FS_MAKE_SOCK = 1 << 9
LANDLOCK_ACCESS_FS_MAKE_FIFO = 1 << 10
LANDLOCK_ACCESS_FS_MAKE_BLOCK = 1 << 11
LANDLOCK_ACCESS_FS_MAKE_SYM = 1 << 12
LANDLOCK_ACCESS_FS_REFER = 1 << 13 // ABI v2
LANDLOCK_ACCESS_FS_TRUNCATE = 1 << 14 // ABI v3
LANDLOCK_ACCESS_FS_IOCTL_DEV = 1 << 15 // ABI v5
// Network access rights (ABI v4+)
LANDLOCK_ACCESS_NET_BIND_TCP = 1 << 0
LANDLOCK_ACCESS_NET_CONNECT_TCP = 1 << 1
// Rule types
LANDLOCK_RULE_PATH_BENEATH = 1
LANDLOCK_RULE_NET_PORT = 2
)
// landlockRulesetAttr is the Landlock ruleset attribute structure
type landlockRulesetAttr struct {
handledAccessFS uint64
handledAccessNet uint64
}
// landlockPathBeneathAttr is used to add path-based rules
type landlockPathBeneathAttr struct {
allowedAccess uint64
parentFd int32
_ [4]byte // padding
}
Reference in New Issue View Git Blame Copy Permalink