util/weakbox - Friedel's Repositories

commit 0f3295e2442f79c947b9c0e1a5ecd2aedd555f29
Author: Friedel Schön <[email protected]>
Date:   Mon, 22 Apr 2024 10:49:55 +0200

initial commit

Diffstat:
A LICENSE 18 ++++++++++++++++++
A Makefile 20 ++++++++++++++++++++
A arg.h 19 +++++++++++++++++++
A readme.md 70 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
A weakbox.1 101 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
A weakbox.c 238 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

6 files changed, 466 insertions(+), 0 deletions(-)
diff --git a/LICENSE b/LICENSE
@@ -0,0 +1,17 @@

+Copyright (c) 2023 Friedel Schön <[email protected]>
+
+This software is provided 'as-is', without any express or implied
+warranty. In no event will the authors be held liable for any damages
+arising from the use of this software.
+
+Permission is granted to anyone to use this software for any purpose,
+including commercial applications, and to alter it and redistribute it
+freely, subject to the following restrictions:
+
+1. The origin of this software must not be misrepresented; you must not
+   claim that you wrote the original software. If you use this software
+   in a product, an acknowledgment in the product documentation would be
+   appreciated but is not required.
+2. Altered source versions must be plainly marked as such, and must not be
+   misrepresented as being the original software.
+3. This notice may not be removed or altered from any source distribution.
+\ No newline at end of file
diff --git a/Makefile b/Makefile
@@ -0,0 +1,19 @@

+CFLAGS += -O2 -Wall -Wextra
+PREFIX = /usr
+
+.PHONY: all install clean
+
+all: enter
+
+weakbox.o: weakbox.c arg.h
+	$(CC) -c $< -o $@ $(CFLAGS) $(CPPFLAGS)
+
+weakbox: weakbox.o
+	$(CC) $< -o $@ $(LDFLAGS)
+
+install: weakbox weakbox.1
+	cp weakbox $(PREFIX)/bin/
+	cp weakbox.1 $(PREFIX)/share/man/man1/
+
+clean:
+	rm -f weakbox weakbox.1
+\ No newline at end of file
diff --git a/arg.h b/arg.h
@@ -0,0 +1,19 @@

+#pragma once
+
+#define SHIFT (argc--, argv++)
+
+#define ARGBEGIN                                       \
+	for (SHIFT; *argv && *argv[0] == '-'; SHIFT) {     \
+		if ((*argv)[1] == '-' && (*argv)[2] == '\0') { \
+			SHIFT;                                     \
+			break;                                     \
+		}                                              \
+		for (char* opt = *argv + 1; *opt; opt++) {
+
+#define ARGEND \
+	}          \
+	}
+
+#define OPT          (*opt)
+#define ARGF         (argv[1] ? (SHIFT, *argv) : NULL)
+#define EARGF(usage) (argv[1] ? ARGF : (printf("'-%c' requires an argument\n", *opt), usage, NULL))
diff --git a/readme.md b/readme.md
@@ -0,0 +1,70 @@

+# weakbox
+
+**weakbox** is a tool for Linux designed to create a weak (not secured) container for running programs from another Linux distribution. It is particularly useful for executing glibc-based programs (mostly closed-source software) under systems that are musl-based.
+
+## Features
+
+- Create a container environment for running programs from different Linux distributions.
+- Bind mount directories from the host system into the container.
+- Map user and group IDs inside the container.
+- Customizable root path for the container.
+- Option to run commands within the container as `root`.
+
+## Installation
+
+To install **weakbox**, simply clone the repository and compile the source code:
+
+```bash
+git clone https://github.com/friedelschoen/weakbox.git
+cd weakbox
+make
+sudo make install # which installs /usr/bin/weakbox and /usr/share/man/man1/weakbox.1
+sudo make PREFIX=... install # which installs $PREFIX/bin/weakbox and $PREFIX/share/man/man1/weakbox.1
+```
+
+## Usage
+
+Run **weakbox** with the desired options and command to execute within the container:
+
+```bash
+weakbox [options] command ...
+```
+
+### Options
+
+- `-h`: Display usage information.
+- `-s`: Run the specified command within the container as root.
+- `-v`: Enable verbose mode for debugging purposes.
+- `-r path`: Set the root path of the container to `path`.
+- `-b source[:target]`: Bind mount the specified source directory to the target directory within the container. Target is relative to `root`.
+- `-B source`: Remove the specified bind mount from the container.
+- `-u uid[:uid]`: Map user IDs inside the container.
+- `-g gid[:gid]`: Map group IDs inside the container.
+
+### Examples
+
+1. Run a program within the container:
+
+```bash
+weakbox -s /path/to/program
+```
+
+2. Create a container with custom root path and bind mount directories:
+
+```bash
+weakbox -r /custom/root -b /host/dir:/dir /path/to/program
+```
+
+3. Map user and group IDs inside the container:
+
+```bash
+weakbox -u 1000:1000 -g 1000:1000 /path/to/program
+```
+
+## Contributing
+
+Contributions are welcome! Feel free to submit bug reports, feature requests, or pull requests through GitHub issues and pull requests.
+
+## License
+
+This project is licensed under the zlib-license. See the [LICENSE](LICENSE) file for details.
diff --git a/weakbox.1 b/weakbox.1
@@ -0,0 +1,101 @@

+.TH WEAKBOX 1 "April 2024" "Version 0.1.0" "User Manuals"
+
+.SH NAME
+weakbox \- create a weak container for running programs from a different Linux distribution
+
+.SH SYNOPSIS
+.B weakbox
+[\-hs] [\fI\-r\fP path] [\fI\-b\fP source[:target]] [\fI\-B\fP source] [\fI\-u\fP uid[:uid]] [\fI\-g\fP gid[:gid]] command ...
+
+.SH DESCRIPTION
+\fBweakbox\fR is a tool for Linux that allows you to create a container environment suitable for running programs from a different Linux distribution, particularly useful for executing glibc-based programs (mostly closed-source software) under systems that are musl-based. The container created by \fBweakbox\fR is not secured and should not be considered as a secure isolation mechanism.
+
+.SH OPTIONS
+.TP
+\fB\-h\fP
+Display usage information and exit.
+.TP
+\fB\-s\fP
+Run the specified command within the container as \fIroot\fR.
+.TP
+\fB\-v\fP
+Enable verbose mode for debugging purposes.
+.TP
+\fB\-r\fP path
+Use a different root path of the container than \fBGLIBC_ROOT\fR. \fIpath\fR is relative to \fIcontainer-root\fR.
+.TP
+\fB\-b\fP source[:target]
+Bind mount the specified source directory to the target directory within the container. If \fItarget\fR is not provided, it defaults to the same as \fIsource\fR.
+.TP
+\fB\-B\fP source
+Remove the specified bind mount from the \fIdefault bindings\fR.
+.TP
+\fB\-u\fP uid[:uid]
+Map user IDs inside the container. If only one \fIuid\fR is provided, it will be mapped to the same ID inside the container.
+.TP
+\fB\-g\fP gid[:gid]
+Map group IDs inside the container. If only one \fIgid\fR is provided, it will be mapped to the same ID inside the container.
+
+.SH EXAMPLES
+.TP
+1. Run a program within the container:
+.B weakbox -s /path/to/program
+.TP
+2. Create a container with a custom root path and bind mount directories:
+.B weakbox -r /custom/root -b /host/dir:/dir /path/to/program
+.TP
+3. Map user and group IDs inside the container:
+.B weakbox -u 1000:1000 -g 1000:1000 /path/to/program
+
+.SH ENVIRONMENT VARIABLES
+\fBGLIBC_ROOT\fR
+Set the root path of the container if not provided via the \fI\-r\fR option.
+
+.SH DEFAULT MOUNTS
+.TP
+\fI/dev\fR
+directory containing all devices
+.TP
+\fI/home\fR
+home directories of users
+.TP
+\fI/proc\fR
+directories containing information about processes
+.TP
+\fI/sys\fR
+system directories for various devices
+.TP
+\fI/tmp\fR
+temporary directory
+.TP
+\fI/run\fR
+temporary directory for daemons and long-running programs
+.TP
+\fI/etc/resolv.conf\fR
+nameserver-resolution configuration
+.TP
+\fI/etc/passwd\fR
+file containing information about users
+.TP
+\fI/etc/group\fR
+file containing information about groups
+
+.SH EXIT STATUS
+.TP
+0
+Successful execution.
+.TP
+1
+An error occurred during execution.
+
+.SH SEE ALSO
+For more information, refer to the \fBweakbox\fR source code or documentation.
+
+.SH AUTHOR
+\fBweakbox\fR was written by Friedel Schon.
+
+.SH REPORTING BUGS
+Report bugs to the GitHub repository for \fBweakbox\fR.
+
+.SH COPYRIGHT
+\fBweakbox\fR is licensed under the zlib-license.
diff --git a/weakbox.c b/weakbox.c
@@ -0,0 +1,238 @@

+#define _GNU_SOURCE
+#include "arg.h"
+
+#include <errno.h>
+#include <fcntl.h>
+#include <limits.h>
+#include <sched.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/mount.h>
+#include <sys/wait.h>
+#include <unistd.h>
+
+#define LEN(arr) (sizeof(arr) / sizeof(*arr))
+#define mapping_t(type) \
+	struct {            \
+		type source;    \
+		type target;    \
+	}
+
+#define DEBUG(...) (flagv ? fprintf(stderr, __VA_ARGS__) : 0)
+
+#define SET_MAPPING_WITH_DEMILITER(mapping, argf, temp, demiliter, source_, target_) \
+	if (((temp) = strchr(argf, demiliter))) {                                        \
+		*(temp)++        = '\0';                                                     \
+		(mapping).source = source_;                                                  \
+		(mapping).target = target_;                                                  \
+	} else {                                                                         \
+		(mapping).source = source_;                                                  \
+		(mapping).target = source_;                                                  \
+	}
+
+#define PATH_PROC_UIDMAP    "/proc/self/uid_map"
+#define PATH_PROC_GIDMAP    "/proc/self/gid_map"
+#define PATH_PROC_SETGROUPS "/proc/self/setgroups"
+#define SHELL_DEFAULT       "bash"
+#define MAX_BINDS           64
+#define MAX_USERMAP         8
+#define MAX_GROUPMAP        16
+
+
+static int open_printf(const char* file, const char* format, ...) {
+	FILE*   fd;
+	va_list va;
+
+	if (!(fd = fopen(file, "w"))) {
+		return -1;
+	}
+
+	va_start(va, format);
+	vfprintf(fd, format, va);
+	va_end(va);
+	fclose(fd);
+	return 0;
+}
+
+static char* argv0;
+
+static __attribute__((noreturn)) void usage(int exitcode) {
+	printf("usage: %s [-hs] [-r path] [-b source[:target]] [-B source] [-u uid[:uid]] [-g gid[:gid]] command ...\n", argv0);
+	exit(exitcode);
+}
+
+static int bind_count                         = 9;
+static mapping_t(const char*) bind[MAX_BINDS] = {
+	{ "/dev", "/dev" },
+	{ "/home", "/home" },
+	{ "/proc", "/proc" },
+	{ "/sys", "/sys" },
+	{ "/tmp", "/tmp" },
+	{ "/run", "/run" },
+	{ "/etc/resolv.conf", "/etc/resolv.conf" },
+	{ "/etc/passwd", "/etc/passwd" },
+	{ "/etc/group", "/etc/group" }
+};
+
+static int usermap_count = 0;
+static mapping_t(uid_t) usermap[MAX_USERMAP];
+
+static int groupmap_count = 0;
+static mapping_t(gid_t) groupmap[MAX_GROUPMAP];
+
+static int remove_bind(const char* path) {
+	int found = 0;
+	for (int i = 0; i < bind_count; i++) {
+		if (!strcmp(bind[i].source, path))
+			found++, bind_count--;
+		if (found) {
+			bind[i].source = bind[i + 1].source;
+			bind[i].target = bind[i + 1].target;
+		}
+	}
+	return found;
+}
+
+int main(int argc, char** argv) {
+	const char* root  = getenv("GLIBC_ROOT");
+	const char* shell = getenv("SHELL");
+	int         flagr = 0, flagv = 0;
+	char        pwd[PATH_MAX];
+	char*       temp;
+	char*       argf;
+
+	(void) argc;
+
+	getcwd(pwd, sizeof(pwd));
+
+	argv0 = *argv;
+	ARGBEGIN
+	switch (OPT) {
+		case 'h':
+			usage(0);
+		case 'v':
+			flagv++;
+			break;
+		case 's':
+			flagr++;
+			break;
+		case 'r':
+			root = EARGF(usage(1));
+			break;
+		case 'b':
+			argf = EARGF(usage(1));
+			if (bind_count >= (int) LEN(bind)) {
+				printf("error: too many bindings\n");
+				return 1;
+			}
+			SET_MAPPING_WITH_DEMILITER(bind[bind_count], argf, temp, ':', argf, temp);
+			bind_count++;
+			break;
+		case 'u':
+			argf = EARGF(usage(1));
+			if (usermap_count >= (int) LEN(usermap)) {
+				printf("error: too many user-mappings\n");
+				return 1;
+			}
+
+			SET_MAPPING_WITH_DEMILITER(usermap[usermap_count], argf, temp, ':', atoi(argf), atoi(temp));
+			usermap_count++;
+			break;
+		case 'g':
+			argf = EARGF(usage(1));
+			if (groupmap_count >= (int) LEN(groupmap)) {
+				printf("error: too many group-mappings\n");
+				return 1;
+			}
+			SET_MAPPING_WITH_DEMILITER(groupmap[groupmap_count], argf, temp, ':', atoi(argf), atoi(temp));
+			groupmap_count++;
+			break;
+		case 'B':
+			argf = EARGF(usage(1));
+			if (!remove_bind(argf))
+				printf("warn: binding '%s' not found\n", argf);
+			break;
+		default:
+			printf("error: unknown option '-%c'\n", OPT);
+			usage(1);
+	}
+	ARGEND
+
+	usermap[usermap_count].source     = flagr ? geteuid() : 0;
+	usermap[usermap_count++].target   = getegid();
+	groupmap[groupmap_count].source   = flagr ? getegid() : 0;
+	groupmap[groupmap_count++].target = getegid();
+
+	if (!root) {
+		fprintf(stderr, "error: $GLIBC_ROOT not set and option '-r' is not used\n");
+		return 1;
+	}
+
+	DEBUG("debug: unsharing filesystem-namespace and user-namespace\n");
+	if (unshare(CLONE_NEWNS | CLONE_NEWUSER)) {
+		fprintf(stderr, "error: unable to unshare for new filesystem and user-environment: %s\n", strerror(errno));
+		return 1;
+	}
+
+	DEBUG("debug: setting setgroups-policy\n");
+	if (open_printf(PATH_PROC_SETGROUPS, "deny") && errno != ENOENT) {
+		fprintf(stderr, "error: unable to set setgroups-policy: %s\n", strerror(errno));
+		return 1;
+	}
+
+	for (int i = 0; i < usermap_count; i++) {
+		DEBUG("debug: mapping user %d to %d\n", usermap[i].source, usermap[i].target);
+		if (open_printf(PATH_PROC_UIDMAP, "%u %u 1", usermap[i].target, usermap[i].source)) {
+			fprintf(stderr, "error: unable to map user %d to %d: %s\n", usermap[i].source, usermap[i].target, strerror(errno));
+			return 1;
+		}
+	}
+
+	for (int i = 0; i < groupmap_count; i++) {
+		DEBUG("debug: mapping group %d to %d\n", groupmap[i].source, groupmap[i].target);
+		if (open_printf(PATH_PROC_UIDMAP, "%u %u 1", groupmap[i].target, groupmap[i].source)) {
+			fprintf(stderr, "error: unable to map group %d to %d: %s\n", groupmap[i].source, groupmap[i].target, strerror(errno));
+			return 1;
+		}
+	}
+
+	char target[PATH_MAX];
+	for (int i = 0; i < bind_count; i++) {
+		snprintf(target, sizeof(target), "%s/%s", root, bind[i].target);
+		DEBUG("debug: mount '%s' to '%s'\n", bind[i].source, target);
+		if (mount(bind[i].source, target, NULL, MS_BIND | MS_REC, NULL)) {
+			fprintf(stderr, "error: unable to bind '%s' to '%s': %s\n", bind[i].source, target, strerror(errno));
+			return 1;
+		}
+	}
+
+	DEBUG("debug: change root to '%s'\n", root);
+	if (chroot(root)) {
+		fprintf(stderr, "error: unable to set root to '%s': %s\n", root, strerror(errno));
+		return 1;
+	}
+
+	// if chdir(pwd) fails, chdir("/") cannot fail
+	DEBUG("debug: change directory to '%s'\n", pwd);
+	if (chdir(pwd)) {
+		DEBUG("debug: ... which failed (%s), change directory to '/'\n", strerror(errno));
+		(void) chdir("/");
+	}
+
+	if (*argv) {
+		DEBUG("debug: executing '%s'...\n", *argv);
+		execvp(*argv, argv);
+		fprintf(stderr, "error: unable to execute '%s': %s\n", *argv, strerror(errno));
+	} else if (shell) {
+		DEBUG("debug: executing '%s'...\n", shell);
+		execlp(shell, shell, NULL);
+		fprintf(stderr, "error: unable to execute '%s': %s\n", shell, strerror(errno));
+	} else {
+		DEBUG("debug: executing '" SHELL_DEFAULT "'...\n");
+		execlp(SHELL_DEFAULT, SHELL_DEFAULT, NULL);
+		fprintf(stderr, "error: unable to execute '" SHELL_DEFAULT "': %s\n", strerror(errno));
+	}
+	return 1;
+}

	util/weakbox initial commit (0f3295e2442f79c947b9c0e1a5ecd2aedd555f29)
	Repositories \| LICENSE

A	LICENSE	18	++++++++++++++++++
A	Makefile	20	++++++++++++++++++++
A	arg.h	19	+++++++++++++++++++
A	readme.md	70	++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
A	weakbox.1	101	+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
A	weakbox.c	238	+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++