use unshare to enforce networkAccess: false when not running in a container #1733


Open
tom-tan opened this issue Sep 7, 2022 · 8 comments

Comments

@tom-tan
Member

tom-tan commented Sep 7, 2022

I guess users expect that networkAccess: false can restrict tools from accessing the network, but cwltool does not.

Currently I am not sure it is really the issue because the spec only says:

If networkAccess is false or not specified, tools must not assume network access, except for localhost (the loopback device).

That is,

  • this behavior is valid because the spec only requests that tools not assume network access, but does not request that platforms restrict network access for tools
  • users expect that networkAccess: false can restrict tools from accessing the network, I guess
  • I am not sure there is a reasonable way to restrict network access if the tool is not in a container

What do you think about it?

How to reproduce

$ cwltool curl.cwl

Expected Behavior

It fails because curl needs network but networkAccess: false is specified.

Actual Behavior

It does not fail.

$ cwltool curl.cwl
INFO /opt/homebrew/bin/cwltool 3.1.20220830195442
INFO Resolved 'curl.cwl' to 'file:///Users/tanjo/tmp/net/curl.cwl'
INFO [job curl.cwl] /private/tmp/docker_tmpz4hne9ck$ curl \
    -fsS \
    https://www.commonwl.org/v1.2/index.html > /private/tmp/docker_tmpz4hne9ck/index.html
INFO [job curl.cwl] completed success
{
    "out": {
        "location": "file:///Users/tanjo/tmp/net/index.html",
        "basename": "index.html",
        "class": "File",
        "checksum": "sha1$4a7d4583b995e2fb27980ddc4ce4a9e1b4ed3952",
        "size": 6525,
        "path": "/Users/tanjo/tmp/net/index.html"
    }
}
INFO Final process status is success

Workflow Code

#!/usr/bin/env cwl-runner

requirements:
  NetworkAccess:
    networkAccess: false

class: CommandLineTool
cwlVersion: v1.2
baseCommand: curl
arguments:
  - -fsS
  - $(inputs.fsS)
inputs:
  - id: fsS
    type: string
    default: https://www.commonwl.org/v1.2/index.html
outputs:
  - id: out
    type: stdout
stdout: index.html

Full Traceback

No exceptions.

Your Environment

  • cwltool version:
$ cwltool --version
/opt/homebrew/bin/cwltool 3.1.20220830195442
@kinow
Member

kinow commented Sep 7, 2022

I think the networkAccess is just a flag that tools or job steps can use to handle when the workflow is executed in a restricted environment, but doesn't mean the network connectivity will be disabled.

I guess the specification could be improved to be more clear, and say something like “networkAccess does not prevent tools from accessing network, it is merely an indication ...”

@mr-c
Member

mr-c commented Sep 7, 2022

https://man7.org/linux/man-pages/man1/unshare.1.html can be an option on some Linux systems ( from https://unix.stackexchange.com/a/83348 ; may require root access or setuid binary)

Another option can be to set HTTP_PROXY to a valid but non-functional value. But honoring that is optional and it won't catch non-HTTP(S) network usage.

We could also use https://firejail.wordpress.com/ if it is already installed

But perhaps the best solution is to issue a warning if there is no container and this hint/requirement is present

@kinow
Member

kinow commented Sep 7, 2022

We could also use https://firejail.wordpress.com/ if it is already installed

Ah, I didn't think about that, but I'm using it for Zoom and other apps I don't trust but have no choice but to use.

But perhaps the best solution is to issue a warning if there is no container and this hint/requirement is present

+1

@mr-c
Member

mr-c commented Sep 7, 2022

unshare --user --net wget https://www.google.com/ works on my system without needing sudo. On Debian systems, unshare is part of the util-linux package which is marked Essential (so it is guaranteed to always be installed)

So I recommend that we add support for unshare to cwltool when networkAccess: false and there is no container specified (or --no-container is used), and a fallback warning if it is unavailable.

@kinow
Member

kinow commented Sep 7, 2022

No objections from me, sounds like an interesting feature to test in the reference runner. 👍

@mr-c mr-c changed the title Tools can access networks even though networkAccess: false use unshare to enforce networkAccess: false when not running in a container Sep 7, 2022
@jmfernandez
Contributor

If you want to support more than one alternative, you can also have a look at bwrap. As it is a bit more complicated than unshare, you can find some common use cases => https://wiki.archlinux.org/title/Bubblewrap

@tetron
Member

tetron commented Nov 18, 2022

It doesn't use unshare because I wasn't familiar with it when I wrote that part of cwltool. I was mainly thinking about how you can enable/disable network access for Docker containers. I have no objections to using unshare, it sounds like a good idea.

Bubblewrap is also interesting, I glanced at it and it looks like you can basically create ad-hoc isolated environments where you get to decide what is shared and what isn't?

@kinow
Member

kinow commented Nov 19, 2022

Tested both bwrap and unshare, successfully failed to execute ping with both tools 😅

With bwrap:

kinow@ranma:~/Development/python/workspace/lukasa$ bwrap --ro-bind / / --unshare-net ping google.com
kinow@ranma:~/Development/python/workspace/lukasa$ echo $?
2

And unshare:

kinow@ranma:~/Development/python/workspace/lukasa$ unshare -r -n ping google.com
ping: google.com: Temporary failure in name resolution
kinow@ranma:~/Development/python/workspace/lukasa$ echo $?
2
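As an added example (not cwltool's code, and not posted by anyone in this thread): a Python sketch of mr-c's proposal above, combining the `unshare --user --net` prefix with the `bwrap --ro-bind / / --unshare-net` alternative that jmfernandez suggested and kinow tested. It picks the first wrapper that is both installed and actually able to create a namespace, wraps the tool's command line when `networkAccess: false` applies and no container is in use, and otherwise falls back to the warning the thread agreed on. The function names (`build_command`, `detect_available`, `wrapper_works`, `run_tool`) and the preference order are my own assumptions, not cwltool API.

```python
"""
Added example (not cwltool code): pick an unprivileged network-isolation
wrapper for a tool that runs outside a container, and fall back to a
warning when none is usable.
"""
import logging
import shutil
import subprocess
from typing import Callable, Dict, List, Optional, Sequence, Tuple

log = logging.getLogger("networkaccess")

# Wrapper prefixes, copied from the commands exercised in the thread:
#   unshare --user --net <cmd>               (util-linux; unprivileged user + net namespace)
#   bwrap --ro-bind / / --unshare-net <cmd>  (Bubblewrap; read-only root bind + new net namespace)
WRAPPERS: Dict[str, List[str]] = {
    "unshare": ["unshare", "--user", "--net"],
    "bwrap": ["bwrap", "--ro-bind", "/", "/", "--unshare-net"],
}
# Assumed preference: unshare first, since util-linux is Essential on Debian.
PREFERENCE: Sequence[str] = ("unshare", "bwrap")


def run_returncode(cmd: List[str]) -> int:
    """Run cmd quietly and return its exit status; -1 if the binary is missing."""
    try:
        return subprocess.run(cmd, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL).returncode
    except FileNotFoundError:
        return -1


def wrapper_works(name: str, run: Callable[[List[str]], int] = run_returncode) -> bool:
    """True if the wrapper can really create a namespace on this host.

    Being on PATH is not enough: unprivileged user namespaces can be disabled
    by the kernel or by sysctl, in which case the prefix fails with EPERM.
    """
    return run(WRAPPERS[name] + ["true"]) == 0


def detect_available(which: Callable[[str], Optional[str]] = shutil.which,
                     run: Callable[[List[str]], int] = run_returncode) -> List[str]:
    """Wrapper backends that are installed and functional, in preference order."""
    return [n for n in PREFERENCE if which(n) and wrapper_works(n, run)]


def build_command(argv: Sequence[str], network_access: bool, in_container: bool,
                  available: Sequence[str]) -> Tuple[List[str], Optional[str]]:
    """Return (command to execute, warning or None).

    - networkAccess: true  -> run unchanged
    - inside a container   -> the container runtime already enforces it
    - otherwise            -> prefix with the first usable wrapper; if none is
                              usable, run unchanged but warn (the thread's fallback)
    """
    argv = list(argv)
    if network_access or in_container:
        return argv, None
    for name in PREFERENCE:
        if name in available:
            return WRAPPERS[name] + argv, None
    return argv, ("networkAccess: false requested, but no container and no usable "
                  "unshare/bwrap found; the tool may still reach the network")


def run_tool(argv: Sequence[str], network_access: bool, in_container: bool = False) -> int:
    """Detect a wrapper, build the command, log the fallback warning, and execute."""
    cmd, warning = build_command(argv, network_access, in_container, detect_available())
    if warning:
        log.warning(warning)
    log.info("running: %s", " ".join(cmd))
    return subprocess.run(cmd).returncode


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    # Same probe as the thread: the curl from the reproducer should now fail
    # (name resolution error) instead of fetching the page.
    raise SystemExit(run_tool(
        ["curl", "-fsS", "https://www.commonwl.org/v1.2/index.html"],
        network_access=False))
```

Two caveats worth keeping in mind when turning this into a real feature. First, the functional probe matters: on hosts where unprivileged user namespaces are disabled, `unshare --user --net` is present but exits non-zero, so checking only `shutil.which` would silently leave the tool unisolated. Second, a freshly created network namespace starts with its loopback interface down, so a tool that relies on localhost (which the spec explicitly permits under `networkAccess: false`) can also fail inside the namespace unless loopback is configured there; that is a behaviour difference from the Docker path worth testing before relying on it.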
