Add --gvisor option for better sandboxing

Author: sandorex

src/cli.rs

@@ -1,4 +1,4 @@
-use crate::{config::Config, Context, FULL_VERSION, LONG_VERSION};
+use crate::{FULL_VERSION, LONG_VERSION, config::Config, context::Context};
 use clap::{Args, Parser, Subcommand};
 use std::path::PathBuf;
 
@@ -84,6 +84,12 @@ pub struct CmdStartArgs {
     #[arg(long, env = crate::ENV_CONTAINER)]
     pub name: Option<String>,
 
+    /// Use gvisor runtime for better sandboxing (EXPERIMENTAL)
+    ///
+    /// Requires runsc to be in PATH
+    #[arg(long, value_name = "BOOL", default_missing_value = "true", require_equals = true, num_args = 0..=1)]
+    pub gvisor: Option<bool>,
+
     /// Set container default shell
     #[arg(long)]
     pub shell: Option<String>,

src/commands/cmd_start.rs

@@ -154,6 +154,7 @@ pub fn start_container(ctx: Context, mut cli_args: CmdStartArgs) -> Result<()> {
 
         // prefer options from cli
         cli_args.shell = cli_args.shell.or(config.shell);
+        cli_args.gvisor = cli_args.gvisor.or(Some(config.gvisor));
         cli_args.network = cli_args.network.or(Some(config.network));
         cli_args.pipewire = cli_args.pipewire.or(Some(config.pipewire));
         cli_args.pulseaudio = cli_args.pulseaudio.or(Some(config.pulseaudio));
@@ -205,6 +206,19 @@ pub fn start_container(ctx: Context, mut cli_args: CmdStartArgs) -> Result<()> {
         "--detach-keys=",
     ]);
 
+    if cli_args.gvisor.unwrap_or(false) {
+        if !crate::executable_in_path("runsc") {
+            return Err(anyhow!("Could not find gvisor (runsc) in path"));
+        }
+
+        // TODO do i want the --rootless flag for runsc?
+        cmd.args([
+            // it seems it can look for it in path
+            "--runtime=runsc",
+            "--runtime-flag", "ignore-cgroups",
+        ]);
+    }
+
     cmd.args([
         format!("--name={}", container_name),
         format!("--label=manager={}", ctx.engine),

src/config/v1.rs

@@ -35,6 +35,10 @@ code_docs_struct! {
         #[serde(default)]
         pub shell: Option<String>,
 
+        /// Use gvisor runtime for better sandboxing
+        #[serde(default)]
+        pub gvisor: bool,
+
         /// Set network access
         #[serde(default)]
         pub network: bool,
@@ -85,7 +89,7 @@ code_docs_struct! {
         /// script itself is responsible for running arcam start with all the arguments
         ///
         /// This allows you total control of the container startup which also
-        /// makes it dangerous if you do not check the config file beforhand
+        /// makes it dangerous if you do not check the config file beforehand
         ///
         /// NOTE: the script is ran using "/bin/sh"
         pub host_pre_init: Option<String>,

tests/podman/test_start.rs

@@ -3,14 +3,20 @@ use anyhow::Result;
 use assert_cmd::Command;
 use arcam::engine::Podman;
 
-#[test]
-#[ignore = "requires podman"]
-fn cmd_start_podman() -> Result<()> {
+fn start_podman(gvisor: bool) -> Result<()> {
     let tempdir = tempfile::tempdir()?;
 
-    let cmd = Command::cargo_bin("arcam")?
-        .args(["start", DEBIAN_IMAGE])
-        .current_dir(tempdir.path())
+    let mut cmd = Command::cargo_bin("arcam")?;
+    cmd.current_dir(tempdir.path());
+    cmd.args(["start"]);
+
+    if gvisor {
+        cmd.arg("--gvisor");
+    }
+
+    cmd.arg(DEBIAN_IMAGE);
+
+    let cmd = cmd
         .assert()
         .success();
 
@@ -42,3 +48,15 @@ fn cmd_start_podman() -> Result<()> {
 
     Ok(())
 }
+
+#[test]
+#[ignore = "requires podman"]
+fn cmd_start_podman() -> Result<()> {
+    start_podman(false)
+}
+
+#[test]
+#[ignore = "requires podman and gvisor"]
+fn cmd_start_podman_gvisor() -> Result<()> {
+    start_podman(true)
+}