Limit access to files specified as input #141

Open
fho opened this issue May 7, 2020 · 1 comment

fho commented May 7, 2020

To ensure that all inputs of a command are specified, prevent a command from accessing other files in the repository.

15.12.2022 I'm working on realizing it the following way:

  • use Linux namespaces (user, mount) to be able to mount directories as non-root user,
  • mount the repository directory as overlayFS to a temporary directory,
  • remove all files from the overlayFS that are not tracked files of a task (with some exceptions: .baur.toml, .git/),
  • bind-mount the overlayFS over the original repository-directory path

The executed process will run in the original directory but only the input-files of the task are accessible.
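
The pruning step from the list above, sketched in Go as an added example (it is not baur's code and not written by the issue's author). `PruneToInputs` and `keepAlways` are hypothetical names, inputs are assumed to be file paths relative to the repository root, and the namespace and mount steps are left out so the function runs unprivileged on any directory.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// Exceptions named in the issue; a trailing slash marks a directory kept whole.
var keepAlways = []string{".baur.toml", ".git/"}

// PruneToInputs (hypothetical) deletes all entries below the overlay root that are neither inputs nor exceptions.
func PruneToInputs(root string, inputs []string) (removed []string, err error) {
	keep, whole := map[string]bool{}, map[string]bool{}
	for _, in := range append(append([]string{}, inputs...), keepAlways...) {
		p := filepath.Clean(in)
		if filepath.IsAbs(p) || p == ".." || strings.HasPrefix(p, "../") {
			return nil, fmt.Errorf("input %q is outside the repository", in) // reject before deleting anything
		}
		whole[p] = strings.HasSuffix(in, "/")
		for ; p != "."; p = filepath.Dir(p) {
			keep[p] = true // the entry itself and each parent directory
		}
	}
	err = filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		rel, _ := filepath.Rel(root, path)
		switch {
		case err != nil || path == root:
			return err
		case whole[rel] && d.IsDir():
			return fs.SkipDir // exception directory: keep all of its content
		case keep[rel]:
			return nil // input file or a parent directory of one
		}
		removed = append(removed, rel)
		if err = os.RemoveAll(path); err == nil && d.IsDir() {
			err = fs.SkipDir // directory already deleted, nothing left to visit
		}
		return err
	})
	return removed, err
}

func main() { // usage: prune OVERLAY_MOUNTPOINT [INPUT_FILE...]
	if len(os.Args) > 1 {
		fmt.Println(PruneToInputs(os.Args[1], os.Args[2:]))
	}
}
```

The function deletes from whatever directory it is given, so it belongs on the overlay mount point, where removals land in the upper layer and the real repository stays untouched.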

@fho fho added the enhancement New feature or request label May 7, 2020
@fho fho self-assigned this Dec 15, 2022
@fho fho added the wip label Dec 15, 2022
@fho fho removed the wip label Mar 26, 2024

fho commented Jun 11, 2024

alternative: https://github.com/shoenig/go-landlock
