TODO: overlayfs, seccomp, capabilities, privilege, mounts
Check that no host processes show up in ps aux
Check that we can limit CPU, RAM, disk I/O, etc.
Check that we cannot access the host's files
Check that we cannot read host info such as the hostname (or that it is at least different)
Let's take a look at /proc
We will use Linux namespaces for this
// setNamespace puts the process into fresh namespaces (PID, mount, UTS); still a stub here.
func setNamespace() error {
return nil
}
We will use cgroups for this
// setResourceLimits caps CPU, memory and process count via cgroups; still a stub here.
func setResourceLimits() error {
return nil
}
// changeDirectory makes path the new root. Note that chroot alone is not a
// security boundary: a privileged process can still escape it.
func changeDirectory(path string) error {
// Create the new root if it does not exist yet; 0o755 rather than 0o777,
// and an already existing directory is fine.
err := syscall.Mkdir(path, 0o755)
if err != nil && err != syscall.EEXIST {
return err
}
err = syscall.Chroot(path)
if err != nil {
return err
}
// chroot does not move the working directory, so it still points outside
// the new root; chdir to "/" closes that hole. os.Chdir(path) would fail
// here because path no longer exists under the new root.
return os.Chdir("/")
}
Since the new root is an empty directory, there is no userspace in it yet: no /bin/sh, no libc, nothing to exec
// updateHost gives the container its own hostname, so `hostname` inside does not
// leak the host's. Only safe once we are in our own UTS namespace; otherwise
// this renames the host.
func updateHost() error {
return syscall.Sethostname([]byte("container"))
}
This is similar to docker run -it: we hand our terminal's stdin, stdout and stderr to the command
We will use exec
The execve syscall replaces the calling process image (its .text and data) with the new program; Go's os/exec forks a child for us and execs there, so our process stays alive and waits for it
// run executes argv wired to our terminal; needs "os" and "os/exec".
// exec.Command forks a child and execs in it, so the namespace, cgroup and
// chroot setup from the steps above is what that child inherits.
func run(argv []string) error {
cmd := exec.Command(argv[0], argv[1:]...)
cmd.Stdin = os.Stdin
cmd.Stdout = os.Stdout
cmd.Stderr = os.Stderr
return cmd.Run()
}
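Putting the four steps above (namespaces, cgroups, chroot, exec) together, here is an added, complete program that runs a command the way `docker run -it` would. It is not the talk's own code. Assumptions, all marked in comments: Linux, running as root, cgroup v2 mounted at /sys/fs/cgroup with the cpu, memory and pids controllers enabled in cgroup.subtree_control, a populated rootfs directory at ./rootfs (an empty chroot has nothing to exec), and the hypothetical cgroup name "demo". The re-exec via /proc/self/exe is the standard trick: only a process that already lives in the new namespaces can set its own hostname and mount its own /proc.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"strconv"
	"syscall"
)

const (
	rootfs     = "./rootfs"       // assumption: populated, e.g. from `docker export`
	cgroupBase = "/sys/fs/cgroup" // assumption: cgroup v2 unified hierarchy
	cgroupName = "demo"           // hypothetical cgroup name
)

// cloneFlags lists the namespaces the child is created in: its own hostname
// (UTS), its own PID numbering and its own mount table.
func cloneFlags() uintptr {
	return syscall.CLONE_NEWUTS | syscall.CLONE_NEWPID | syscall.CLONE_NEWNS
}

// cgroupLimits maps cgroup v2 control files to the values to write into them.
func cgroupLimits(maxPids int, memBytes int64, cpuQuotaUs, cpuPeriodUs int) map[string]string {
	return map[string]string{
		"pids.max":   strconv.Itoa(maxPids),
		"memory.max": strconv.FormatInt(memBytes, 10),
		"cpu.max":    fmt.Sprintf("%d %d", cpuQuotaUs, cpuPeriodUs),
	}
}

// setResourceLimits creates base/name, writes the limits and moves pid into it.
func setResourceLimits(base, name string, limits map[string]string, pid int) error {
	dir := filepath.Join(base, name)
	if err := os.MkdirAll(dir, 0o755); err != nil {
		return err
	}
	for file, value := range limits {
		if err := os.WriteFile(filepath.Join(dir, file), []byte(value), 0o644); err != nil {
			return fmt.Errorf("write %s: %w", file, err)
		}
	}
	return os.WriteFile(filepath.Join(dir, "cgroup.procs"), []byte(strconv.Itoa(pid)), 0o644)
}

// run re-executes this binary as "child" inside fresh namespaces and waits.
func run(argv []string) error {
	cmd := exec.Command("/proc/self/exe", append([]string{"child"}, argv...)...)
	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
	cmd.SysProcAttr = &syscall.SysProcAttr{
		Cloneflags:   cloneFlags(),
		Unshareflags: syscall.CLONE_NEWNS, // Go also marks / MS_PRIVATE: our mounts stay inside
	}
	return cmd.Run()
}

// child runs inside the new namespaces and finishes the setup before exec.
func child(argv []string) error {
	if len(argv) == 0 {
		return fmt.Errorf("no command given")
	}
	// Own UTS namespace, so the host keeps its hostname (check: `hostname`).
	if err := syscall.Sethostname([]byte("container")); err != nil {
		return err
	}
	// Limits go on before chroot, while /sys/fs/cgroup is still reachable.
	// os.Getpid() is 1 here; the kernel resolves it in our PID namespace.
	limits := cgroupLimits(20, 100<<20, 50000, 100000) // 20 procs, 100 MiB, half a CPU
	if err := setResourceLimits(cgroupBase, cgroupName, limits, os.Getpid()); err != nil {
		return err
	}
	if err := syscall.Chroot(rootfs); err != nil {
		return err
	}
	// Without this chdir the cwd still points outside the new root.
	if err := os.Chdir("/"); err != nil {
		return err
	}
	// A fresh /proc for the new PID namespace: `ps aux` shows only our processes.
	if err := os.MkdirAll("/proc", 0o555); err != nil {
		return err
	}
	if err := syscall.Mount("proc", "/proc", "proc", 0, ""); err != nil {
		return err
	}
	// execve replaces this process image with the requested command.
	return syscall.Exec(argv[0], argv, os.Environ())
}

func main() {
	var err error
	if len(os.Args) > 1 && os.Args[1] == "child" {
		err = child(os.Args[2:])
	} else {
		err = run(os.Args[1:])
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}
```

Run it as `sudo ./mini /bin/sh` (the path must be absolute, since there is no PATH lookup inside the chroot) and then check the list above from inside: `hostname`, `ps aux`, `ls /`, `cat /sys/fs/cgroup/...` is no longer visible. The cgroup directory is left behind when the command exits; `rmdir /sys/fs/cgroup/demo` removes it once it is empty. The chroot is still only a filesystem view, not a privilege boundary; capabilities, seccomp and a pivot_root onto a proper mount are the TODO items at the top.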
Container is just an isolated Linux process