Module: SafeImage::Sandbox

Defined in:: lib/safe_image/sandbox.rb

Constant Summary collapse

DEFAULT_RLIMITS =

{
  cpu_seconds: 30,
  memory_bytes: 2 * 1024 * 1024 * 1024,
  file_size_bytes: 1024 * 1024 * 1024,
  open_files: 256
}.freeze

Class Method Summary collapse

.available? ⇒ Boolean
.capture_command!(argv, read:, write:, timeout: Runner::DEFAULT_TIMEOUT, env: nil, rlimits: DEFAULT_RLIMITS) ⇒ Object
.default_execute_paths ⇒ Object
.default_read_paths ⇒ Object
.existing_paths(paths) ⇒ Object
.failure_detail(error) ⇒ Object

Sandbox failures often happen before the child can write structured output (e.g. a denied shared-library read kills it at dynamic-link time); include stderr so CI logs remain diagnosable.
.landlock_abi ⇒ Object
.landlock_capture!(argv, **options) ⇒ Object
.landlock_command_error ⇒ Object
.landlock_supported? ⇒ Boolean
.runtime_read_paths ⇒ Object

Class Method Details

.available? ⇒ `Boolean`

Returns:

(Boolean)

# File 'lib/safe_image/sandbox.rb', line 17

def available?
  require "landlock"
  landlock_supported?
rescue LoadError
  false
end

.capture_command!(argv, read:, write:, timeout: Runner::DEFAULT_TIMEOUT, env: nil, rlimits: DEFAULT_RLIMITS) ⇒ `Object`

# File 'lib/safe_image/sandbox.rb', line 48

def capture_command!(argv, read:, write:, timeout: Runner::DEFAULT_TIMEOUT, env: nil, rlimits: DEFAULT_RLIMITS)
  require "landlock"
  env ||= Runner.command_env(Dir.tmpdir)

  result =
    landlock_capture!(
      argv,
      read: existing_paths([*default_read_paths, *runtime_read_paths, *read]),
      write: existing_paths(write),
      execute: existing_paths([*default_execute_paths, File.dirname(RbConfig.ruby)]),
      env: env.merge("SAFE_IMAGE_SANDBOX_CHILD" => "1"),
      unsetenv_others: true,
      timeout: timeout,
      rlimits: rlimits,
      seccomp_deny_network: true,
      max_output_bytes: 512 * 1024,
      truncate_output: false
    )
  [result.stdout, result.stderr]
rescue LoadError
  raise Error, "landlock sandbox requested but the landlock gem is unavailable"
rescue landlock_command_error => e
  raise CommandError.new(
          "sandboxed command failed: #{failure_detail(e)}",
          command: argv,
          status: e.status&.exitstatus,
          stdout: e.stdout,
          stderr: e.stderr,
          category: :sandbox_command
        )
end

.default_execute_paths ⇒ `Object`



40
41
42

# File 'lib/safe_image/sandbox.rb', line 40

def default_execute_paths
  %w[/usr /lib /lib64 /bin /sbin /opt].select { |path| File.exist?(path) }
end

.default_read_paths ⇒ `Object`



36
37
38

# File 'lib/safe_image/sandbox.rb', line 36

def default_read_paths
  %w[/usr /lib /lib64 /etc /bin /sbin /opt].select { |path| File.exist?(path) }
end

.existing_paths(paths) ⇒ `Object`



102
103
104

# File 'lib/safe_image/sandbox.rb', line 102

def existing_paths(paths)
  paths.flatten.compact.map(&:to_s).reject(&:empty?).select { |path| File.exist?(path) }.uniq
end

.failure_detail(error) ⇒ `Object`

Sandbox failures often happen before the child can write structured output (e.g. a denied shared-library read kills it at dynamic-link time); include stderr so CI logs remain diagnosable.

# File 'lib/safe_image/sandbox.rb', line 109

def failure_detail(error)
  detail = error.stderr.to_s.strip
  detail = "exit status #{error.status&.exitstatus.inspect}" if detail.empty?
  detail[0, 2000]
end

.landlock_abi ⇒ `Object`



32
33
34

# File 'lib/safe_image/sandbox.rb', line 32

def landlock_abi
  Landlock.abi_version
end

.landlock_capture!(argv, **options) ⇒ `Object`



44
45
46

# File 'lib/safe_image/sandbox.rb', line 44

def landlock_capture!(argv, **options)
  Landlock.capture!(argv.map(&:to_s), allow_all_known: true, **options)
end

.landlock_command_error ⇒ `Object`



28
29
30

# File 'lib/safe_image/sandbox.rb', line 28

def landlock_command_error
  Landlock::CommandError
end

.landlock_supported? ⇒ `Boolean`

Returns:

(Boolean)



24
25
26

# File 'lib/safe_image/sandbox.rb', line 24

def landlock_supported?
  Landlock.supported?
end

.runtime_read_paths ⇒ `Object`

# File 'lib/safe_image/sandbox.rb', line 80

def runtime_read_paths
  paths = []
  paths.concat(Gem.path) if defined?(Gem)
  paths.concat($LOAD_PATH.select { |path| path && path != "." })
  paths << RbConfig::CONFIG["rubylibdir"]
  paths << RbConfig::CONFIG["rubyarchdir"]
  paths << RbConfig::CONFIG["sitearchdir"]
  paths << RbConfig::CONFIG["vendorarchdir"]
  # An --enable-shared Ruby installed outside the default read roots
  # (e.g. GitHub Actions' /opt/hostedtoolcache builds) keeps libruby in
  # libdir; helper/tool subprocesses need read access before they can start.
  paths << RbConfig::CONFIG["libdir"]
  paths << File.dirname(RbConfig.ruby)
  # Pango/fontconfig need the font directories and configs for the native
  # letter_avatar text rendering inside the helper.
  paths << "/etc/fonts"
  paths << "/usr/share/fonts"
  paths << "/usr/local/share/fonts"
  paths << "/var/cache/fontconfig"
  paths
end

Module: SafeImage::Sandbox

Constant Summary collapse

Class Method Summary collapse

Class Method Details

.available? ⇒ Boolean

.capture_command!(argv, read:, write:, timeout: Runner::DEFAULT_TIMEOUT, env: nil, rlimits: DEFAULT_RLIMITS) ⇒ Object

.default_execute_paths ⇒ Object

.default_read_paths ⇒ Object

.existing_paths(paths) ⇒ Object

.failure_detail(error) ⇒ Object

.landlock_abi ⇒ Object

.landlock_capture!(argv, **options) ⇒ Object

.landlock_command_error ⇒ Object

.landlock_supported? ⇒ Boolean

.runtime_read_paths ⇒ Object