Adam Hooper adamhooper
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import ctypes | |
| import os | |
| import signal | |
| from typing import Callable | |
| libc = ctypes.CDLL("libc.so.6", use_errno=True) | |
| # <linux/prctl.h> | |
| PR_SET_NAME = 15 | |
| PR_SET_SECCOMP = 22 |
adamhooper
/ spawner.py
Last active
November 27, 2019 19:24
Clone a process with new file descriptors
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import os | |
| import socket | |
| from c_clone import libc_clone | |
| # Primer on global variables: we set these before clone(), so they're set in | |
| # both the spawner process and the child process. Set them to None when they're | |
| # no longer needed, to make code easier to read. | |
| # | |
| # Primer on pipes: `os.pipe()` creates two file descriptors: a "read" and a | |
| # "write". Data written to the "write" end can (and must) be read by the "read" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| set -e | |
| CHROOT=/var/lib/workbench/chroot # Empty | |
| BASE_LAYER=/var/lib/workbench/chroot-base # already populated with /etc, /lib, /usr... | |
| CHROOT_SIZE=20G # max size of user edits | |
| VENV_PATH="/root/.local/share/virtualenvs" # only exits in dev | |
| # /app/common (base layer) |
adamhooper
/ pyspawner_sandbox.py
Created
December 7, 2019 19:12
Network-namespace a process so it can't access our internal network
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import errno | |
| import sys | |
| from dataclasses import dataclass | |
| import pyroute2 | |
| @dataclass(frozen=True) | |
| class NetworkConfig: | |
| """ |
OlderNewer