Research Project Process Isolation Built the shim in Rust (clone_shim).
Wrote a quite nice to use wrapper for the clone3 syscall in (relatively) safe Rust (clone.rs).
Wrote the basis of specification, that should be extensible enough for future features (specification.rs).
Currently this reads only JSON specifications, but Rust’s serde library has support for a variety of binary formats to try later on. Started tying things together. Currently on the running at startup launches work, but they do launch and it’s a strong basis to add more features from....
Research Project Process Isolation Built three privilege separated test applications.
Wrote a privilege separated fib implementation (fib_priv_sep.c).
Pretty basic separation as the program is trivial. In the later cp example I did privilege separate the arguments, but I didn’t for the purpose of fib. Starting to build up a structure. The files are structured to have a main implementation reminiscent of the eventual shim, while the functions like real_main would come from the eventual binary....
Research Project Process Isolation Wrote an OCaml binding for the clone3 syscall (clone_shim.ml/clone3_stub.c).
Some decisions made to make this feel a bit higher level: List of flags rather than ORed together numbers. Options used where helpful. Looked into using an OCaml callback, but of course this doesn’t work (as expected - OCaml didn’t like Multicore!). Currently execve’s a specific binary (/bin/sh), but should be easy to extend. Tricky to know sometimes what to put in C and what to put in OCaml....
Research Project Process Isolation Setup a Fedora testing VM for easier and consistent testing.
Fedora 35 uses pure cgroups2 by default - very useful! Sorted out backups for the repo and the above machine. Chose a testing framework for C enabling testing of the assertions to build the project upon.
Used Unity. Simple and the examples show that it doesn’t do much beyond the minimum - important for this low level code with syscalls....