Add hostname option to SandboxConfig

staticfloat · staticfloat · commit 4443622bc79c · 2022-01-06T14:41:03.000-08:00
This allows us to launch sandboxes with a deterministic hostname, if we
so desire to.  Useful for things like fully reproducible builds, etc...
diff --git a/deps/userns_sandbox.c b/deps/userns_sandbox.c
@@ -571,6 +571,7 @@ int main(int sandbox_argc, char **sandbox_argv) {
   int status = 0;
   pid_t pgrp = getpgid(0);
   char * entrypoint = NULL;
+  const char * hostname = NULL;
 
   // First, determine our execution mode based on pid and euid (allowing for override)
   const char * forced_mode = getenv("FORCE_SANDBOX_MODE");
@@ -633,6 +634,7 @@ int main(int sandbox_argc, char **sandbox_argv) {
       {"uid",        required_argument, NULL, 'u'},
       {"gid",        required_argument, NULL, 'g'},
       {"tmpfs-size", required_argument, NULL, 't'},
+      {"hostname",   required_argument, NULL, 'H'},
       {0, 0, 0, 0}
     };
 
@@ -735,6 +737,9 @@ int main(int sandbox_argc, char **sandbox_argv) {
           fprintf(stderr, "Parsed --tmpfs-size as \"%s\"\n", tmpfs_size);
         }
         break;
+      case 'H':
+        hostname = strdup(optarg);
+        break;
       default:
         fputs("getoptlong defaulted?!\n", stderr);
         return 1;
@@ -794,7 +799,7 @@ int main(int sandbox_argc, char **sandbox_argv) {
   }
 
   // We want to request a new PID space, a new mount space, and a new user space
-  int clone_flags = CLONE_NEWPID | CLONE_NEWNS | CLONE_NEWUSER | SIGCHLD;
+  int clone_flags = CLONE_NEWPID | CLONE_NEWNS | CLONE_NEWUSER | CLONE_NEWUTS | SIGCHLD;
   if ((pid = syscall(SYS_clone, clone_flags, 0, 0, 0, 0)) == 0) {
     // If we're in here, we have become the "child" process, within the container.
 
@@ -834,6 +839,11 @@ int main(int sandbox_argc, char **sandbox_argv) {
       mount_the_world(sandbox_root, maps, workspaces, dst_uid, dst_gid, persist_dir, tmpfs_size);
     }
 
+    // Set the hostname, if that's been requested
+    if (hostname != NULL) {
+        check(sethostname(hostname, strlen(hostname)) == 0);
+    }
+
     // Finally, we begin invocation of the target program.
     return sandbox_main(sandbox_root, new_cd, sandbox_argc, sandbox_argv);
   }
diff --git a/src/Docker.jl b/src/Docker.jl
@@ -189,6 +189,10 @@ function build_executor_command(exe::DockerExecutor, config::SandboxConfig, user
         append!(cmd_string, ["--entrypoint", config.entrypoint])
     end
 
+    if config.hostname !== nothing
+        append!(cmd_string, ["--hostname", config.hostname])
+    end
+
     # For each platform requested by `multiarch`, ensure its matching interpreter is registered,
     # but only if we're on Linux.  If we're on some other platform, like macOS where Docker is
     # implemented with a virtual machine, we just trust the docker folks to have set up the
diff --git a/src/SandboxConfig.jl b/src/SandboxConfig.jl
@@ -43,6 +43,8 @@ Sandbox executors require a configuration to set up the environment properly.
 - `stdin`, `stdout`, `stderr`: input/output streams for the sandboxed process.
   - Can be any kind of `IO`, `TTY`, `devnull`, etc...
 
+- `hostname`: Set the hostname within the sandbox, defaults to the current hostname
+
 - `verbose`: Set whether the sandbox construction process should be more or less verbose.
 """
 struct SandboxConfig
@@ -56,6 +58,7 @@ struct SandboxConfig
     uid::Cint
     gid::Cint
     tmpfs_size::Union{String, Nothing}
+    hostname::Union{String, Nothing}
 
     stdin::AnyRedirectable
     stdout::AnyRedirectable
@@ -72,6 +75,7 @@ struct SandboxConfig
                            uid::Integer=0,
                            gid::Integer=0,
                            tmpfs_size::Union{String, Nothing}=nothing,
+                           hostname::Union{String, Nothing}=nothing,
                            stdin::AnyRedirectable = Base.devnull,
                            stdout::AnyRedirectable = Base.stdout,
                            stderr::AnyRedirectable = Base.stderr,
@@ -114,6 +118,6 @@ struct SandboxConfig
             push!(multiarch_formats, platform_qemu_registrations[interp_platforms[platform_idx]])
         end
 
-        return new(read_only_maps, read_write_maps, env, entrypoint, pwd, persist, collect(multiarch_formats), Cint(uid), Cint(gid), tmpfs_size, stdin, stdout, stderr, verbose)
+        return new(read_only_maps, read_write_maps, env, entrypoint, pwd, persist, collect(multiarch_formats), Cint(uid), Cint(gid), tmpfs_size, hostname, stdin, stdout, stderr, verbose)
     end
 end
diff --git a/src/UserNamespaces.jl b/src/UserNamespaces.jl
@@ -184,6 +184,10 @@ function build_executor_command(exe::UserNamespacesExecutor, config::SandboxConf
         append!(cmd_string, ["--tmpfs-size", config.tmpfs_size])
     end
 
+    if config.hostname !== nothing
+        append!(cmd_string, ["--hostname", config.hostname])
+    end
+
     # If we're running in privileged mode, we need to add `sudo` (or `su`, if `sudo` doesn't exist)
     if isa(exe, PrivilegedUserNamespacesExecutor)
         # Next, prefer `sudo`, but allow fallback to `su`. Also, force-set our
diff --git a/test/Sandbox.jl b/test/Sandbox.jl
@@ -280,6 +280,20 @@ for executor in all_executors
             end
         end
 
+        @testset "hostname" begin
+            stdout = IOBuffer()
+
+            config = SandboxConfig(
+                Dict("/" => rootfs_dir);
+                stdout,
+                hostname="sandy",
+            )
+            with_executor(executor) do exe
+                @test success(exe, config, `/bin/uname -n`)
+                @test chomp(String(take!(stdout))) == "sandy"
+            end
+        end
+
         @testset "Internet access" begin
             mktempdir() do rw_dir
                 ro_mappings = Dict(
diff --git a/test/SandboxConfig.jl b/test/SandboxConfig.jl
@@ -14,6 +14,7 @@ using Test, LazyArtifacts, Sandbox
         @test config.stdin == Base.devnull
         @test config.stdout == Base.stdout
         @test config.stderr == Base.stderr
+        @test config.hostname === nothing
     end
 
     @testset "full options" begin
@@ -33,7 +34,8 @@ using Test, LazyArtifacts, Sandbox
             persist = true,
             stdin = Base.stdout,
             stdout = stdout,
-            stderr = Base.devnull
+            stderr = Base.devnull,
+            hostname="sandy",
         )
         @test config.read_only_maps["/"] == rootfs_dir
         @test config.read_only_maps["/lib"] == "/lib"
@@ -45,6 +47,7 @@ using Test, LazyArtifacts, Sandbox
         @test config.stdin == Base.stdout
         @test config.stdout == stdout
         @test config.stderr == Base.devnull
+        @test config.hostname == "sandy"
     end
 
     @testset "errors" begin
