3 releases (breaking)

| Version | Date |
|---|---|
| 0.3.0 | Dec 2, 2023 |
| 0.2.0 | Nov 21, 2023 |
| 0.1.0 | Sep 20, 2023 |

#912 in Unix APIs
155KB, 4K SLoC
cordon
Embeddable, customizable rootless containerization for Rust.
Milestones
- M1: Steel Thread
- M2: Mount Namespace and Filesystem Control
- M3: PID namespace and UID mapping
- M4: Control groups
Features
- Give the child a list of mounts
M1: Steel Thread
A complete, yet limited, working implementation of the library, which can spawn a user-specified program in a user namespace. This milestone will be complete when "whoami", run in the sandbox, returns "root."
M2: Mount Namespace and Filesystem Control
We'll add the facility to enter a mount namespace in the sandbox, to change the apparent root of the sandboxed program, and to manipulate the mount table inside the sandbox. This milestone will be complete when the output of "ls /" differs inside and outside the sandbox.
M3: PID namespace and UID mapping
We'll add the ability to place the sandboxed program in a PID namespace, and to map user IDs inside the sandbox to user IDs outside the sandbox. This milestone will be complete when files written inside the sandbox appear to the host as owned by the outer process's user ID, and when "sh -c 'echo $$'" returns 1 inside the sandbox.
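The M1 "steel thread" and the UID-mapping half of M3, as an added example that is not cordon's own code: the child unshares a user namespace and writes the single-line uid_map/gid_map an unprivileged process is allowed to write, so its own uid appears as 0 inside. It uses `id -u` instead of whoami so the check does not depend on /etc/passwd, binds the few libc calls it needs directly (no external crate; Linux assumed), and surfaces the common failure mode where a host disables unprivileged user namespaces as an OS error rather than a crash.

```rust
use std::ffi::{c_char, c_int, c_void};
use std::io;
use std::os::unix::process::CommandExt;
use std::process::Command;
// Minimal raw libc bindings so the example needs no external crate (Linux only).
extern "C" {
    fn unshare(flags: c_int) -> c_int;
    fn getuid() -> u32;
    fn getgid() -> u32;
    fn open(path: *const c_char, flags: c_int, ...) -> c_int;
    fn write(fd: c_int, buf: *const c_void, count: usize) -> isize;
    fn close(fd: c_int) -> c_int;
}
const CLONE_NEWUSER: c_int = 0x1000_0000;
const O_WRONLY: c_int = 1;

/// Write a pre-built buffer to a NUL-terminated /proc path using only raw
/// syscalls: this runs between fork and exec, where allocating is not safe.
unsafe fn write_proc(path: &[u8], data: &[u8]) -> io::Result<()> {
    let fd = open(path.as_ptr() as *const c_char, O_WRONLY);
    if fd < 0 { return Err(io::Error::last_os_error()); }
    let n = write(fd, data.as_ptr() as *const c_void, data.len());
    let err = io::Error::last_os_error(); // capture errno before close() clobbers it
    close(fd);
    if n as usize != data.len() { Err(err) } else { Ok(()) }
}

/// Spawn `argv` in a new user namespace in which the caller's uid/gid appear
/// as 0/0, and return its trimmed stdout. On hosts that disable unprivileged
/// user namespaces this fails with an OS error (typically EPERM) instead.
pub fn run_as_fake_root(argv: &[&str]) -> io::Result<String> {
    let (uid, gid) = unsafe { (getuid(), getgid()) };
    // An unprivileged process may only map its own id (one line), and must
    // deny setgroups before gid_map becomes writable.
    let uid_map = format!("0 {} 1\n", uid);
    let gid_map = format!("0 {} 1\n", gid);
    let mut cmd = Command::new(argv[0]);
    cmd.args(&argv[1..]);
    unsafe {
        cmd.pre_exec(move || {
            if unshare(CLONE_NEWUSER) != 0 {
                return Err(io::Error::last_os_error());
            }
            write_proc(b"/proc/self/setgroups\0", b"deny")?;
            write_proc(b"/proc/self/uid_map\0", uid_map.as_bytes())?;
            write_proc(b"/proc/self/gid_map\0", gid_map.as_bytes())
        });
    }
    let out = cmd.output()?;
    Ok(String::from_utf8_lossy(&out.stdout).trim().to_string())
}
```

Running `run_as_fake_root(&["id", "-u"])` yields "0" where unprivileged user namespaces are enabled; the same call from inside a container that blocks unshare returns the EPERM a caller should expect to handle.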
M4: Control groups
We'll add the ability to place the sandboxed child process in a Linux control group, and allow the caller to set its parameters. This milestone will be complete when the host can suspend and resume the sandboxed child using the cgroup freezer.
Dependencies: ~12MB, ~225K SLoC