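#!/bin/bash
#
# Run a konnector (a Node.js script, or a directory holding one) inside an
# nsjail sandbox.
#
# Usage: konnector-nsjail-node-run.sh <file-or-dir>
#   <file>  the konnector entry script; its parent directory is mounted
#           read-only at /usr/src/konnector and the file is run from there
#   <dir>   the konnector directory, mounted read-only at /usr/src/konnector
#           and handed to node as the thing to run
#
# Environment forwarded into the sandbox (unset variables are passed empty):
#   COZY_URL COZY_FIELDS COZY_PARAMETERS COZY_PAYLOAD COZY_CREDENTIALS
#   COZY_LOCALE COZY_JOB_ID COZY_JOB_MANUAL_EXECUTION COZY_TIME_LIMIT
#   COZY_TRIGGER_ID
# COZY_TIME_LIMIT is also used as the nsjail --time_limit, and a sanitised
# COZY_JOB_ID names the nsjail log file written in the current directory.
set -eo pipefail

rundir="${1-}"

usage() {
  printf 'Usage: %s [dir]\n' "$0" >&2
}

# Print a message on stderr and exit with status 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

if [ -z "${rundir}" ]; then
  usage
  exit 1
fi

# A file argument is run as "/usr/src/konnector/<basename>" with its parent
# directory mounted; a directory argument is mounted and run as a whole.
if [ -f "${rundir}" ]; then
  runfile="/usr/src/konnector/$(basename "${rundir}")"
  rundir="$(dirname "${rundir}")"
elif [ -d "${rundir}" ]; then
  runfile="/usr/src/konnector"
else
  die "${rundir} does not exist"
fi

# Prefer the Debian-style "nodejs" name, fall back to "node".
NODE_BIN="$(command -v nodejs || true)"
if [ -z "${NODE_BIN}" ]; then
  NODE_BIN="$(command -v node || true)"
fi
[ -x "${NODE_BIN}" ] || die "Unable to find nodejs binary, exiting..."

# Address-space limit handed to nsjail (--rlimit_as, MiB) and extra node flags.
RLIMIT_AS=4096
NODE_OPTS=()

# "v20.11.1" -> "20.11.1" -> "20"; refuse to continue on anything that is not
# a plain major number rather than letting the integer test below blow up.
node_version_raw="$("${NODE_BIN}" --version)"
NODE_VERSION=${node_version_raw%%.*}
NODE_VERSION=${NODE_VERSION##v}
if ! [[ "${NODE_VERSION}" =~ ^[0-9]+$ ]]; then
  die "Unable to parse nodejs version '${node_version_raw}', exiting..."
fi
if [ "${NODE_VERSION}" -ge 20 ]; then
  # Node 20's built-in "fetch" instantiates a wasm engine that requires more
  # than 10GB of RAM address space, and nsjail limits memory by limiting the
  # address space, so we need to increase it by 10 GB.
  RLIMIT_AS=14336
elif [ "${NODE_VERSION}" = "12" ]; then
  NODE_OPTS=(--max-http-header-size=16384 --tls-min-v1.0 --http-parser=legacy)
fi

COZY_JOB_ID="${COZY_JOB_ID:-unknown}"

# Log file name derived from the job id: lower-cased, anything outside
# [a-z0-9-] replaced by "-", so an arbitrary id cannot become a path.
log_name=$(printf '%s\n' "${COZY_JOB_ID}" | LC_ALL=C tr A-Z a-z | sed -e 's/[^a-z0-9-]/-/g')

# The here-document delimiter is quoted: the policy text must not be subject
# to shell expansion.  "read -d ''" reads up to a NUL byte, which a
# here-document never contains, so it always reports EOF (status 1); the
# "|| true" keeps "set -e" from aborting the script at this line.
read -r -d '' seccomp_string <<'EOM' || true
// This seccomp policy is inspired by the following resources:
//
// https://docs.docker.com/engine/security/seccomp/#significant-syscalls-blocked-by-the-default-profile
// https://github.com/moby/moby/blob/4f259698b07653e9e5220e097df79862f9e54b74/profiles/seccomp/seccomp_default.go
// https://github.com/sandstorm-io/sandstorm/blob/dbc66bd315e87910dab868bc85352c3880e9d716/src/sandstorm/supervisor.c%2B%2B#L1069-L1220
//
// Only allow AF_INET and AF_INET6 protocols with SOCK_STREAM and SOCK_DGRAM
// types of socket for TCP and UDP families.

/* Supported address families. */
#define AF_INET 2 /* Internet IP Protocol */
#define AF_INET6 10 /* IP version 6 */

#define SOCK_STREAM 1 /* stream socket */
#define SOCK_DGRAM 2 /* datagram socket */
#define SOCK_TYPE_MASK 0x0f

POLICY konnectors {
  KILL {
    acct,
    add_key,
    adjtimex,
    bpf,
    clock_adjtime,
    clock_settime,
    create_module,
    delete_module,
    finit_module,
    get_kernel_syms,
    get_mempolicy,
    init_module,
    io_cancel,
    io_destroy,
    io_getevents,
    io_setup,
    io_submit,
    ioperm,
    iopl,
    kcmp,
    keyctl,
    kexec_file_load,
    kexec_load,
    lookup_dcookie,
    mbind,
    migrate_pages,
    modify_ldt,
    mount,
    move_pages,
    name_to_handle_at,
    nfsservctl,
    open_by_handle_at,
    perf_event_open,
    personality,
    pivot_root,
    query_module,
    process_vm_readv,
    process_vm_writev,
    ptrace,
    quotactl,
    reboot,
    remap_file_pages,
    request_key,
    seccomp,
    set_mempolicy,
    set_thread_area,
    setns,
    settimeofday,
    syslog,
    swapon,
    swapoff,
    sysfs,
    umount,
    unshare,
    uselib,
    userfaultfd,
    vmsplice
  },
  ERRNO(57) { /* EAFNOSUPPORT = address family not supported */
    socket(domain, type) {
      (domain != AF_INET && domain != AF_INET6) ||
      ((type & SOCK_TYPE_MASK) != SOCK_STREAM &&
       (type & SOCK_TYPE_MASK) != SOCK_DGRAM)
    }
  }
}
USE konnectors DEFAULT ALLOW
EOM

# Sandbox layout:
#  - the konnector, system libraries, the node binary, /dev/urandom, DNS
#    configuration and the CA bundle are the only read-only mounts (-R);
#  - the host network namespace is shared (--disable_clone_newnet, and
#    loopback is not brought up) because konnectors need outbound access;
#    the seccomp policy above limits socket() to AF_INET/AF_INET6 stream and
#    datagram sockets, so other families are refused with EAFNOSUPPORT;
#  - CPU, address space, file size, open files and process count are capped
#    with rlimits, and --time_limit bounds the jail's lifetime.
# NOTE(review): COZY_TIME_LIMIT is passed through unvalidated; if it is empty
# the jail may end up without a wall-clock limit — confirm how nsjail parses
# an empty value and consider defaulting it here.
# NOTE(review): "-E VAR=value" puts COZY_CREDENTIALS on nsjail's command line,
# where other host processes can read it via ps; nsjail also accepts a bare
# "-E VAR" that forwards the value from this script's environment instead —
# consider that form for the secret-bearing variables.
nsjail \
  --quiet \
  --mode o \
  --rlimit_as "${RLIMIT_AS}" \
  --rlimit_cpu 1000 \
  --rlimit_fsize 1024 \
  --rlimit_nofile 128 \
  --rlimit_nproc 512 \
  --time_limit "${COZY_TIME_LIMIT}" \
  --disable_clone_newnet \
  --iface_no_lo \
  --seccomp_string "${seccomp_string}" \
  --log "nsjail-${log_name}.log" \
  -E "COZY_URL=${COZY_URL}" \
  -E "COZY_FIELDS=${COZY_FIELDS}" \
  -E "COZY_PARAMETERS=${COZY_PARAMETERS}" \
  -E "COZY_PAYLOAD=${COZY_PAYLOAD}" \
  -E "COZY_CREDENTIALS=${COZY_CREDENTIALS}" \
  -E "COZY_LOCALE=${COZY_LOCALE}" \
  -E "COZY_JOB_ID=${COZY_JOB_ID}" \
  -E "COZY_JOB_MANUAL_EXECUTION=${COZY_JOB_MANUAL_EXECUTION}" \
  -E "COZY_TIME_LIMIT=${COZY_TIME_LIMIT}" \
  -E "COZY_TRIGGER_ID=${COZY_TRIGGER_ID}" \
  -R "${rundir}:/usr/src/konnector/" \
  -R /lib \
  -R /lib64 \
  -R /usr/lib \
  -R "${NODE_BIN}" \
  -R /dev/urandom \
  -R /etc/resolv.conf \
  -R /etc/ssl/certs \
  -- "${NODE_BIN}" "${NODE_OPTS[@]}" "${runfile}"

# Alternative: via a chroot with nodejs installed inside.
# nsjail \
#   --quiet \
#   --chroot /chrootdir \
#   --rlimit_as "${RLIMIT_AS}" \
#   --rlimit_cpu 1000 \
#   --rlimit_fsize 1024 \
#   --rlimit_nofile 128 \
#   --rlimit_nproc 512 \
#   --time_limit "${COZY_TIME_LIMIT}" \
#   --disable_clone_newnet \
#   --iface_no_lo \
#   --seccomp_string "${seccomp_string}" \
#   -E "COZY_URL=${COZY_URL}" \
#   -E "COZY_FIELDS=${COZY_FIELDS}" \
#   -E "COZY_PARAMETERS=${COZY_PARAMETERS}" \
#   -E "COZY_PAYLOAD=${COZY_PAYLOAD}" \
#   -E "COZY_CREDENTIALS=${COZY_CREDENTIALS}" \
#   -E "COZY_JOB_MANUAL_EXECUTION=${COZY_JOB_MANUAL_EXECUTION}" \
#   -E "COZY_LOCALE=${COZY_LOCALE}" \
#   -R "${rundir}:/usr/src/konnector/" \
#   -- /usr/bin/nodejs "${NODE_OPTS[@]}" "${runfile}"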