sandbox: do not reset RLIMIT_CORE and clone into pid namespaces when dumpable

Author: alpeng-jump

src/app/fdctl/commands/run_agave.c

@@ -262,7 +262,7 @@ run_agave_cmd_fn( args_t *   args FD_PARAM_UNUSED,
 
   /* Also clone Agave into PID namespaces so it cannot signal
      other tile or the parent. */
-  int flags = config->development.sandbox ? CLONE_NEWPID : 0;
+  int flags = ( config->development.sandbox || !config->development.core_dump ) ? CLONE_NEWPID : 0;
   pid_t clone_pid = clone( agave_main, (uchar *)stack + FD_TILE_PRIVATE_STACK_SZ, flags, config );
   if( FD_UNLIKELY( clone_pid<0 ) ) FD_LOG_ERR(( "clone() failed (%i-%s)", errno, fd_io_strerror( errno ) ));
 }

src/app/shared/commands/run/run.c

@@ -242,7 +242,7 @@ main_pid_namespace( void * _args ) {
   fd_log_private_stack_discover( FD_TILE_PRIVATE_STACK_SZ,
                                  &fd_tile_private_stack0, &fd_tile_private_stack1 );
 
-  if( FD_UNLIKELY( !config->development.sandbox ) ) {
+  if( FD_UNLIKELY( !config->development.sandbox || config->development.core_dump ) ) {
     /* If no sandbox, then there's no actual PID namespace so we can't
        wait() grandchildren for the exit code.  Do this as a workaround. */
     if( FD_UNLIKELY( -1==prctl( PR_SET_CHILD_SUBREAPER, 1, 0, 0, 0 ) ) )
@@ -451,7 +451,7 @@ clone_firedancer( config_t const * config,
   if( FD_UNLIKELY( pipe2( pipefd, O_CLOEXEC | O_NONBLOCK ) ) ) FD_LOG_ERR(( "pipe2() failed (%i-%s)", errno, fd_io_strerror( errno ) ));
 
   /* clone into a pid namespace */
-  int flags = config->development.sandbox ? CLONE_NEWPID : 0;
+  int flags = ( config->development.sandbox || !config->development.core_dump ) ? CLONE_NEWPID : 0;
   struct pidns_clone_args args = { .config = config, .closefd = close_fd, .pipefd = pipefd, };
 
   void * stack = create_clone_stack();

src/app/shared/commands/run/run1.c

@@ -101,7 +101,7 @@ run1_cmd_fn( args_t *   args,
 
   /* Also clone tiles into PID namespaces so they cannot signal each
      other or the parent. */
-  int flags = config->development.sandbox ? CLONE_NEWPID : 0;
+  int flags = ( config->development.sandbox || !config->development.core_dump ) ? CLONE_NEWPID : 0;
   pid_t clone_pid = clone( tile_main, (uchar *)stack + FD_TILE_PRIVATE_STACK_SZ, flags, &clone_args );
   if( FD_UNLIKELY( clone_pid<0 ) ) FD_LOG_ERR(( "clone() failed (%i-%s)", errno, fd_io_strerror( errno ) ));
 }

src/util/sandbox/fd_sandbox.c

@@ -386,7 +386,8 @@ struct rlimit_setting {
 void
 fd_sandbox_private_set_rlimits( ulong rlimit_file_cnt,
                                 ulong rlimit_address_space,
-                                ulong rlimit_data ) {
+                                ulong rlimit_data,
+                                int dumpable ) {
   struct rlimit_setting rlimits[] = {
     { .resource=RLIMIT_NOFILE,     .limit=rlimit_file_cnt },
     /* The man page for setrlimit(2) states about RLIMIT_NICE:
@@ -425,6 +426,7 @@ fd_sandbox_private_set_rlimits( ulong rlimit_file_cnt,
   };
 
   for( ulong i=0UL; i<sizeof(rlimits)/sizeof(rlimits[ 0 ]); i++ ) {
+    if( dumpable && rlimits[i].resource == RLIMIT_CORE ) continue;
     struct rlimit limit = { .rlim_cur=rlimits[ i ].limit, .rlim_max=rlimits[ i ].limit };
     if( -1==setrlimit( rlimits[ i ].resource, &limit ) ) FD_LOG_ERR(( "setrlimit(%u) failed (%i-%s)", rlimits[ i ].resource, errno, fd_io_strerror( errno ) ));
   }
@@ -664,7 +666,7 @@ fd_sandbox_private_enter_no_seccomp( uint        desired_uid,
   fd_sandbox_private_landlock_restrict_self( allow_connect );
 
   /* And trim all the resource limits down to zero. */
-  fd_sandbox_private_set_rlimits( rlimit_file_cnt, rlimit_address_space, rlimit_data );
+  fd_sandbox_private_set_rlimits( rlimit_file_cnt, rlimit_address_space, rlimit_data, dumpable );
 
   /* And drop all the capabilities we have in the new user namespace. */
   fd_sandbox_private_drop_caps( cap_last_cap );

src/util/sandbox/fd_sandbox_private.h

@@ -134,12 +134,15 @@ fd_sandbox_private_pivot_root( void );
    rlimit_file_cnt argument, RLIMIT_AS which is restricted to the
    provided rlimit_address_space argument, RLIMIT_DATA which is
    restricted to the provided rlimit_data argument, and RLIMIT_CPU,
-   RLIMIT_FSIZE, and RLIMIT_RSS which are left as they are (unlimited). */
+   RLIMIT_FSIZE, and RLIMIT_RSS which are left as they are (unlimited).
+
+   If the dumpable bit is set to 1, RLIMIT_CORE is left unchanged. */
 
 void
 fd_sandbox_private_set_rlimits( ulong rlimit_file_cnt,
                                 ulong rlimit_address_space,
-                                ulong rlimit_data );
+                                ulong rlimit_data,
+                                int   dumpable );
 
 /* Read the value of cap_last_cap from /proc/sys/kernel/cap_last_cap
    and return it.  Any error reading or parsing the file will log an

src/util/sandbox/test_sandbox.c

@@ -391,7 +391,7 @@ test_resource_limits_inner( void ) {
 
   TEST_FORK_EXIT_CODE( (void)0, 0 );
 
-  fd_sandbox_private_set_rlimits( 0UL, 0UL, 0UL );
+  fd_sandbox_private_set_rlimits( 0UL, 0UL, 0UL, 0 );
 
   for( ulong i=0UL; i<sizeof( rlimits )/sizeof( rlimits[ 0 ] ); i++ ) {
     struct rlimit rlim;