-
-
Notifications
You must be signed in to change notification settings - Fork 232
use unshare to enforce networkAccess: false
when not running in a container
#1733
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Comments
I think the I guess the specification could be improved to be more clear, and say something like “ |
https://man7.org/linux/man-pages/man1/unshare.1.html can be an option on some Linux systems ( from https://unix.stackexchange.com/a/83348 ; may require root access or setuid binary) Another option can be to set HTTP_PROXY to a valid but non functional value. But using that is optional and won't catch non-http(s) network usage We could also use https://firejail.wordpress.com/ if it is already installed But perhaps the best solution is to issue a warning if there is no container and this hint/requirement is present |
Ah didn't think about that, but I'm using it for Zoom and other apps I don't trust but have no choice but to use it.
+1 |
So I recommend that we add support for |
No objections from me, sounds like an interesting feature to test in the reference runner. 👍 |
networkAccess: false
networkAccess: false
when not running in a container
If you want to support more than one alternative, you can also have a look at bwrap. As it is a bit more complicated than unshare, you can find some common use cases => https://wiki.archlinux.org/title/Bubblewrap |
It doesn't use unshare because I wasn't familiar with it when I wrote that part of cwltool. I was mainly thinking about how you can enable/disable network access for Docker containers. I have no objections to using unshare, it sounds like a good idea. Bubblewrap is also interesting, I glanced at it and it looks like you can basically create ad-hoc isolated environments where you get to decide what is shared and what isn't? |
Tested both With kinow@ranma:~/Development/python/workspace/lukasa$ bwrap --ro-bind / / --unshare-net ping google.com
kinow@ranma:~/Development/python/workspace/lukasa$ echo $?
2 And kinow@ranma:~/Development/python/workspace/lukasa$ unshare -r -n ping google.com
ping: google.com: Temporary failure in name resolution
kinow@ranma:~/Development/python/workspace/lukasa$ echo $?
2 |
I guess users expect that
networkAccess: false
can restrict tools to access network but cwltool does not.Currently I am not sure it is really the issue because the spec only says:
That is,
networkAccess: false
can restrict tools to access network, I guessWhat do you think about it?
How to reproduce
$ cwltool curl.cwl
Expected Behavior
It fails because
curl
needs network butnetworkAccess: false
is specified.Actual Behavior
It does not fail.
Workflow Code
Full Traceback
No exceptions.
Your Environment
The text was updated successfully, but these errors were encountered: