Merge pull request #78 from Pangjiping/feat/components/egress-part1

FEATURE: simple MVP for opensandbox egress

Author: hittyt

.github/workflows/manual-docker-publish.yml

@@ -10,6 +10,7 @@ on:
         options:
           - execd
           - code-interpreter
+          - egress
         default: 'execd'
       image_tag:
         description: 'Docker image tag'
@@ -19,6 +20,7 @@ on:
     tags:
       - 'docker/execd/**'
       - 'docker/code-interpreter/**'
+      - 'docker/egress/**'
 
 jobs:
   publish:
@@ -77,6 +79,8 @@ jobs:
 
           if [ "$COMPONENT" == "execd" ]; then
             cd components/execd
+          elif [ "$COMPONENT" == "egress" ]; then
+            cd components/egress
           else
             cd sandboxes/$COMPONENT
           fi

components/egress/Dockerfile

@@ -0,0 +1,54 @@
+# Copyright 2026 Alibaba Group Holding Ltd.
+# 
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# 
+#     http://www.apache.org/licenses/LICENSE-2.0
+# 
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM golang:1.24-bookworm AS builder
+
+WORKDIR /app
+
+COPY go.mod go.sum ./
+
+# Static-ish build (no cgo) to simplify runtime deps
+ENV CGO_ENABLED=0
+RUN go mod download
+
+COPY . .
+RUN go build -o /out/egress .
+
+FROM debian:bookworm-slim
+
+# iptables is needed for DNS REDIRECT; ca-certificates for TLS to upstream resolvers
+RUN apt-get update \
+    && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
+        iptables \
+        ca-certificates \
+        curl \
+        wget \
+        net-tools \
+        dnsutils \
+        netcat-openbsd \
+        iputils-ping \
+        traceroute \
+        telnet \
+        tcpdump \
+        nmap \
+        htop \
+        procps \
+        strace \
+        lsof \
+    && rm -rf /var/lib/apt/lists/*
+
+COPY --from=builder /out/egress /egress
+
+# Default entrypoint; expects OPENSANDBOX_NETWORK_POLICY env at runtime.
+ENTRYPOINT ["/egress"]

components/egress/TODO.md

@@ -0,0 +1,37 @@
+# Egress Sidecar TODO (Linux MVP → Full OSEP-0001)
+
+## Gaps vs OSEP-0001
+- No Layer 2 yet: no nftables full isolation, no DoH/DoT blocking, no IP/CIDR rules.
+- Policy surface is minimal: only domain allow + default_action; missing deny rules, IP/CIDR, `require_full_isolation`.
+- Observability missing: no enforcement mode/status exposure, no violation logs.
+- Capability probing missing: no CAP_NET_ADMIN/nftables detection; no hostNetwork rejection.
+- Platform integration missing: server/SDK/spec not updated; sidecar not wired into server flow.
+- No IPv6; startup ordering not enforced (relies on container start order).
+
+## Short-term priorities (suggested order)
+1) Capability probing & mode exposure  
+   - Detect CAP_NET_ADMIN and nftables; set `dns-only` vs `dns+nftables`; surface in logs/status.  
+   - Fast-fail on hostNetwork.
+2) Layer 2 via nftables  
+   - Allow-set + default DROP; add DNS-learned IPs dynamically.  
+   - Static IP/CIDR rules; block DoH/DoT ports.
+3) Policy expansion  
+   - Support deny rules, IP/CIDR, `require_full_isolation`.  
+   - Validation and clear errors.
+4) Observability & logging  
+   - Violation logs (domain/action/upstream IP); expose current enforcement mode.  
+   - Optional lightweight health/status endpoint.
+5) Platform & SDK alignment  
+   - Update `specs/sandbox-lifecycle.yml`; add `network_policy` to Python/Kotlin SDKs.  
+   - Server (Docker/K8s) integrates sidecar injection; NET_ADMIN only on sidecar.
+6) Security hardening  
+   - Whitelist/validate upstream DNS to avoid arbitrary 53 egress abuse.  
+   - Document bypass/limits (dns-only can be bypassed via direct IP/DoH).
+7) IPv6 & tests  
+   - Handle IPv6 support or explicit non-support.  
+   - Unit/integration tests: interception, graceful degrade, nftables, DoH blocking, hostNetwork rejection.
+
+## Dev notes
+- Current behavior: SO_MARK=0x1 bypass for proxy’s own upstream DNS; iptables only redirects port 53, no other DROP rules.  
+- Runtime deps: Linux, `CAP_NET_ADMIN`, `iptables` binary; upstream DNS must be reachable and recursive.
+

components/egress/build.sh

@@ -0,0 +1,33 @@
+#!/bin/bash
+# Copyright 2026 Alibaba Group Holding Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+TAG=${TAG:-latest}
+
+docker buildx rm egress-builder || true
+
+docker buildx create --use --name egress-builder
+
+docker buildx inspect --bootstrap
+
+docker buildx ls
+
+docker buildx build \
+  -t opensandbox/egress:${TAG} \
+  -t sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/egress:${TAG} \
+  --platform linux/amd64,linux/arm64 \
+  --push \
+  .

components/egress/go.mod

@@ -0,0 +1,13 @@
+module github.com/alibaba/opensandbox/egress
+
+go 1.24.0
+
+require github.com/miekg/dns v1.1.61
+
+require (
+	golang.org/x/mod v0.18.0 // indirect
+	golang.org/x/net v0.26.0 // indirect
+	golang.org/x/sync v0.7.0 // indirect
+	golang.org/x/sys v0.21.0 // indirect
+	golang.org/x/tools v0.22.0 // indirect
+)

components/egress/go.sum

@@ -0,0 +1,12 @@
+github.com/miekg/dns v1.1.61 h1:nLxbwF3XxhwVSm8g9Dghm9MHPaUZuqhPiGL+675ZmEs=
+github.com/miekg/dns v1.1.61/go.mod h1:mnAarhS3nWaW+NVP2wTkYVIZyHNJ098SJZUki3eykwQ=
+golang.org/x/mod v0.18.0 h1:5+9lSbEzPSdWkH32vYPBwEpX8KwDbM52Ud9xBUvNlb0=
+golang.org/x/mod v0.18.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ=
+golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE=
+golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
+golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws=
+golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/tools v0.22.0 h1:gqSGLZqv+AI9lIQzniJ0nZDRG5GBPsSi+DRNHWNz6yA=
+golang.org/x/tools v0.22.0/go.mod h1:aCwcsjqvq7Yqt6TNyX7QMU2enbQ/Gt0bo6krSeEri+c=

components/egress/main.go

@@ -0,0 +1,62 @@
+// Copyright 2026 Alibaba Group Holding Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package main
+
+import (
+	"context"
+	"log"
+	"os"
+	"os/signal"
+	"syscall"
+
+	"github.com/alibaba/opensandbox/egress/pkg/dnsproxy"
+	"github.com/alibaba/opensandbox/egress/pkg/iptables"
+)
+
+// Linux MVP: DNS proxy + iptables REDIRECT. No nftables/full isolation yet.
+func main() {
+	ctx, cancel := signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM)
+	defer cancel()
+
+	policy, err := dnsproxy.LoadPolicyFromEnv()
+	if err != nil {
+		log.Fatalf("failed to parse network policy: %v", err)
+	}
+	if policy == nil {
+		log.Println("OPENSANDBOX_NETWORK_POLICY empty; skip egress control")
+		// Block here to avoid infinite container restart loop in Kubernetes
+		// when restartPolicy is Always. As a sidecar, we should keep running.
+		<-ctx.Done()
+		return
+	}
+
+	proxy, err := dnsproxy.New(policy, "")
+	if err != nil {
+		log.Fatalf("failed to init dns proxy: %v", err)
+	}
+	if err := proxy.Start(ctx); err != nil {
+		log.Fatalf("failed to start dns proxy: %v", err)
+	}
+	log.Println("dns proxy started on 127.0.0.1:15353")
+
+	if err := iptables.SetupRedirect(15353); err != nil {
+		log.Fatalf("failed to install iptables redirect: %v", err)
+	}
+	log.Printf("iptables redirect configured (OUTPUT 53 -> 15353) with SO_MARK bypass for proxy upstream traffic")
+
+	<-ctx.Done()
+	log.Println("received shutdown signal; exiting")
+	_ = os.Stderr.Sync()
+}

components/egress/pkg/dnsproxy/proxy.go

@@ -0,0 +1,150 @@
+// Copyright 2026 Alibaba Group Holding Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package dnsproxy
+
+import (
+	"context"
+	"fmt"
+	"log"
+	"net"
+	"os"
+	"time"
+
+	"github.com/miekg/dns"
+
+	"github.com/alibaba/opensandbox/egress/pkg/policy"
+)
+
+const defaultListenAddr = "127.0.0.1:15353"
+
+type Proxy struct {
+	policy     *policy.NetworkPolicy
+	listenAddr string
+	upstream   string // single upstream for MVP
+	servers    []*dns.Server
+}
+
+// New builds a proxy with resolved upstream; listenAddr can be empty for default.
+func New(p *policy.NetworkPolicy, listenAddr string) (*Proxy, error) {
+	if listenAddr == "" {
+		listenAddr = defaultListenAddr
+	}
+	upstream, err := discoverUpstream()
+	if err != nil {
+		return nil, err
+	}
+	return &Proxy{
+		policy:     p,
+		listenAddr: listenAddr,
+		upstream:   upstream,
+	}, nil
+}
+
+func (p *Proxy) Start(ctx context.Context) error {
+	handler := dns.HandlerFunc(p.serveDNS)
+
+	udpServer := &dns.Server{Addr: p.listenAddr, Net: "udp", Handler: handler}
+	tcpServer := &dns.Server{Addr: p.listenAddr, Net: "tcp", Handler: handler}
+	p.servers = []*dns.Server{udpServer, tcpServer}
+
+	errCh := make(chan error, len(p.servers))
+	for _, srv := range p.servers {
+		s := srv
+		go func() {
+			if err := s.ListenAndServe(); err != nil {
+				errCh <- err
+			}
+		}()
+	}
+
+	// Shutdown on context done
+	go func() {
+		<-ctx.Done()
+		for _, srv := range p.servers {
+			_ = srv.Shutdown()
+		}
+	}()
+
+	select {
+	case err := <-errCh:
+		return fmt.Errorf("dns proxy failed: %w", err)
+	case <-time.After(200 * time.Millisecond):
+		// small grace window; running fine
+		return nil
+	}
+}
+
+func (p *Proxy) serveDNS(w dns.ResponseWriter, r *dns.Msg) {
+	if len(r.Question) == 0 {
+		_ = w.WriteMsg(new(dns.Msg)) // empty response
+		return
+	}
+	q := r.Question[0]
+	domain := q.Name
+
+	if p.policy != nil && p.policy.Evaluate(domain) == policy.ActionDeny {
+		resp := new(dns.Msg)
+		resp.SetRcode(r, dns.RcodeNameError)
+		_ = w.WriteMsg(resp)
+		return
+	}
+
+	resp, err := p.forward(r)
+	if err != nil {
+		log.Printf("[dns] forward error for %s: %v", domain, err)
+		fail := new(dns.Msg)
+		fail.SetRcode(r, dns.RcodeServerFailure)
+		_ = w.WriteMsg(fail)
+		return
+	}
+	_ = w.WriteMsg(resp)
+}
+
+func (p *Proxy) forward(r *dns.Msg) (*dns.Msg, error) {
+	c := &dns.Client{
+		Timeout: 5 * time.Second,
+		Dialer:  p.dialerWithMark(),
+	}
+	resp, _, err := c.Exchange(r, p.upstream)
+	return resp, err
+}
+
+// UpstreamHost returns the host part of the upstream resolver, empty on parse error.
+func (p *Proxy) UpstreamHost() string {
+	host, _, err := net.SplitHostPort(p.upstream)
+	if err != nil {
+		return ""
+	}
+	return host
+}
+
+func discoverUpstream() (string, error) {
+	cfg, err := dns.ClientConfigFromFile("/etc/resolv.conf")
+	if err == nil && len(cfg.Servers) > 0 {
+		return net.JoinHostPort(cfg.Servers[0], cfg.Port), nil
+	}
+	// fallback to public resolver; comment to explain deterministic behavior
+	log.Printf("[dns] fallback upstream resolver due to error: %v", err)
+	return "8.8.8.8:53", nil
+}
+
+// LoadPolicyFromEnv reads OPENSANDBOX_NETWORK_POLICY and parses it.
+func LoadPolicyFromEnv() (*policy.NetworkPolicy, error) {
+	raw := os.Getenv("OPENSANDBOX_NETWORK_POLICY")
+	if raw == "" {
+		return nil, nil
+	}
+	return policy.ParsePolicy(raw)
+}