initial cli

Author: bcpeinhardt

go.mod

@@ -0,0 +1,3 @@
+module github.com/coder/squeeze
+
+go 1.25.0

isolation-flow.puml

@@ -0,0 +1,45 @@
+@startuml Isolation Flow
+participant "User" as U
+participant "squeeze (parent)" as P
+participant "squeeze (child)" as C
+participant "target command" as T
+
+U -> P: squeeze -- command args
+activate P
+
+note over P: Parse config, setup proxy
+
+P -> P: fork()
+activate C
+
+note over C: Child process starts\nin parent's namespaces
+
+C -> C: unshare(CLONE_NEWUSER)
+note over C: Create user namespace\n(enables root inside)
+
+C -> C: unshare(CLONE_NEWNS) 
+note over C: Create mount namespace\n(isolate filesystem view)
+
+C -> C: unshare(CLONE_NEWNET)
+note over C: Create network namespace\n(isolate network)
+
+note over C: Setup mount binds\nfor allowed paths
+
+note over C: Setup network interfaces\nand iptables rules
+
+C -> T: exec(target command)
+deactivate C
+activate T
+
+note over T: Target runs in\nisolated namespaces
+
+P -> P: wait for child
+note over P: Parent monitors child\nand manages proxy
+
+T -> C: exit
+deactivate T
+C -> P: child exit status
+P -> U: return exit status
+deactivate P
+
+@enduml

main.go

@@ -0,0 +1,46 @@
+package main
+
+import (
+	"flag"
+	"fmt"
+	"os"
+	"strings"
+
+	"github.com/coder/squeeze/squeeze"
+)
+
+func main() {
+	var configFile = flag.String("config", "", "path to configuration file")
+	
+	flag.Usage = func() {
+		fmt.Fprintf(os.Stderr, "Usage: %s [options] -- command [args...]\n", os.Args[0])
+		fmt.Fprintf(os.Stderr, "\nOptions:\n")
+		flag.PrintDefaults()
+	}
+	
+	flag.Parse()
+	command := flag.Args()
+
+	if len(command) < 1 {
+		fmt.Fprintf(os.Stderr, "Error: no command specified after --\n")
+		flag.Usage()
+		os.Exit(1)
+	}
+	
+	// Create basic config for testing (config file loading not implemented yet)
+	config := squeeze.NewConfig(
+		squeeze.WithCommand(command[0], command[1:]...),
+		squeeze.WithWorkingDir("."),
+	)
+
+	if *configFile != "" {
+		fmt.Printf("Config file specified: %s (not implemented yet)\n", *configFile)
+	}
+	
+	fmt.Printf("Running isolated: %s\n", strings.Join(command, " "))
+	
+	if err := config.RunIsolated(); err != nil {
+		fmt.Fprintf(os.Stderr, "Error: %v\n", err)
+		os.Exit(1)
+	}
+}

squeeze/squeeze.go

@@ -0,0 +1,106 @@
+package squeeze
+
+import (
+	"fmt"
+	"os"
+	"syscall"
+)
+
+const (
+	CLONE_NEWNET  = 0x40000000 // Network namespace
+	CLONE_NEWNS   = 0x00020000 // Mount namespace
+	CLONE_NEWUSER = 0x10000000 // User namespace
+)
+
+// IsolationConfig holds the configuration for running a process in isolated namespaces
+type IsolationConfig struct {
+	ProxyAddr     string   // Address where the transparent HTTP proxy will listen
+	AllowedPaths  []string // Filesystem paths that will be visible in the mount namespace
+	Command       []string // Command and arguments to execute in isolation
+	WorkingDir    string   // Working directory for the isolated process
+}
+
+// Option is a functional option for configuring IsolationConfig
+type Option func(*IsolationConfig)
+
+// WithProxy sets the address where the transparent HTTP proxy will listen.
+// All network traffic from the isolated process will be routed through this proxy.
+func WithProxy(addr string) Option {
+	return func(c *IsolationConfig) {
+		c.ProxyAddr = addr
+	}
+}
+
+// WithAllowedPath adds a filesystem path that will be visible in the mount namespace.
+// This can be called multiple times to allow access to multiple paths.
+func WithAllowedPath(path string) Option {
+	return func(c *IsolationConfig) {
+		c.AllowedPaths = append(c.AllowedPaths, path)
+	}
+}
+
+// WithCommand sets the command and arguments to execute in the isolated environment.
+func WithCommand(cmd string, args ...string) Option {
+	return func(c *IsolationConfig) {
+		c.Command = append([]string{cmd}, args...)
+	}
+}
+
+// WithWorkingDir sets the working directory for the isolated process.
+func WithWorkingDir(dir string) Option {
+	return func(c *IsolationConfig) {
+		c.WorkingDir = dir
+	}
+}
+
+// NewConfig creates a new IsolationConfig with the given options applied.
+// It returns a configuration with sensible defaults that can be customized
+// using the provided functional options.
+func NewConfig(options ...Option) *IsolationConfig {
+	config := &IsolationConfig{
+		ProxyAddr:  "127.0.0.1:0", // Let OS choose port
+		WorkingDir: "/tmp",        // Safe default working directory
+	}
+	
+	for _, option := range options {
+		option(config)
+	}
+	
+	return config
+}
+
+// RunIsolated executes the configured command in isolated namespaces.
+// The parent process remains in the original namespaces while the child
+// runs in isolation with network, mount, and user namespace separation.
+func (c *IsolationConfig) RunIsolated() error {
+	if len(c.Command) == 0 {
+		return fmt.Errorf("no command specified")
+	}
+
+	// Fork a child process
+	pid, err := syscall.ForkExec(
+		"/proc/self/exe", // Re-execute ourselves
+		[]string{"squeeze-child"}, // Special arg to indicate child mode
+		&syscall.ProcAttr{
+			Dir:   c.WorkingDir,
+			Env:   os.Environ(),
+			Files: []uintptr{0, 1, 2}, // stdin, stdout, stderr
+		},
+	)
+	if err != nil {
+		return fmt.Errorf("failed to fork child process: %w", err)
+	}
+
+	// Parent: wait for child to complete
+	var status syscall.WaitStatus
+	_, err = syscall.Wait4(pid, &status, 0, nil)
+	if err != nil {
+		return fmt.Errorf("failed to wait for child: %w", err)
+	}
+
+	if !status.Exited() || status.ExitStatus() != 0 {
+		return fmt.Errorf("child process failed with status: %d", status.ExitStatus())
+	}
+
+	return nil
+}