Newsgroups: php.internals
Date: Thu, 24 Jan 2019 11:38:21 +0000
To: Rowan Collins
Cc: PHP internals
Subject: Re: [PHP-DEV] Exposing the linux namespaces API via pcntl_*
From: Pedro Magalhães <mail@pmmaga.net>

On Wed, Jan 23, 2019 at 10:05 PM Rowan Collins wrote:

> On 23/01/2019 21:15, Pedro Magalhães wrote:
> > I think it can be useful for a language to expose this functionality to the
> > users for that kind of purpose (i.e. run a security sensitive task in
> > isolation, simulate certain conditions like no network access, etc.). For
> > that end, I've put forward https://github.com/php/php-src/pull/3760 which
> > provides an implementation of `pcntl_unshare(int $flags): bool`. And I'm
> > looking for some feedback if anyone would oppose the introduction of this
> > function (and probably `setns` next).
>
> Could you give an example of how this would work in the context of a PHP
> process? Would it only make sense in a CLI context, when performing some
> kind of system task?

Yes, I agree it makes most sense in a CLI context. Some examples I've thought of:

- For testing frameworks it may be useful to have CLONE_NEWNET as that should guarantee that a test is executed without any network access;
- For some processing tasks where you may want to mount a remote drive you can use CLONE_NEWNS to ensure that the mount doesn't affect the host;
- If you are running a daemon controlling multiple child processes you could issue a `pcntl_unshare(CLONE_NEWPID)` before launching each one of them so that they can't refer to each other;
- Using all the flags available together with a `chroot` would already give you a sufficiently isolated environment where you can run some service you don't want installed on the host.

As for setns, it would allow you to join all the namespaces of a given process. So your PHP process can join other processes you have unshared before (or a Docker container for that matter).

Regards,
Pedro
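An added illustration of the testing-framework case from the message above (example code written for this page, not code from the PR or from the thread): it assumes the `pcntl_unshare(int $flags): bool` signature and the `CLONE_NEWNET` constant the PR proposes, and that the process may create network namespaces (CAP_SYS_ADMIN, or `CLONE_NEWUSER` added to the flags where unprivileged user namespaces are enabled).

```php
<?php
// Added example, not from the PR or the thread. Assumes pcntl_unshare(int $flags): bool
// and CLONE_NEWNET as proposed in php/php-src#3760; creating a network namespace needs
// CAP_SYS_ADMIN (or CLONE_NEWUSER in the flags where unprivileged user namespaces work).

// Run $test in a forked child that has left the host network namespace. The fork matters:
// unsharing in the test runner itself would cut the runner off from the network as well.
function run_without_network(callable $test): int
{
    $pid = pcntl_fork();
    if ($pid === -1) {
        throw new RuntimeException('fork failed');
    }
    if ($pid === 0) {
        // Child: the fresh namespace holds only a down loopback device, nothing else.
        if (!pcntl_unshare(CLONE_NEWNET)) {
            fwrite(STDERR, 'pcntl_unshare: ' . pcntl_strerror(pcntl_get_last_error()) . "\n");
            exit(2);
        }
        try {
            $test();
            exit(0);
        } catch (Throwable $e) {
            fwrite(STDERR, get_class($e) . ': ' . $e->getMessage() . "\n");
            exit(1);
        }
    }
    // Parent: its namespaces are untouched; just collect the child's exit status.
    pcntl_waitpid($pid, $status);
    return pcntl_wifexited($status) ? pcntl_wexitstatus($status) : 1;
}

// Constructed test body: verifies the isolation is real before a suite relies on it.
$status = run_without_network(function (): void {
    // Only 'lo' should be visible; the host's interfaces are gone.
    $ifaces = array_keys(net_get_interfaces());
    if ($ifaces !== ['lo']) {
        throw new RuntimeException('unexpected interfaces: ' . implode(',', $ifaces));
    }
    // Even loopback is unreachable until something brings it up inside this namespace.
    $errno = 0; $errstr = '';
    $sock = @fsockopen('127.0.0.1', 80, $errno, $errstr, 2);
    if ($sock !== false) {
        fclose($sock);
        throw new RuntimeException('connect succeeded; isolation is not in effect');
    }
    echo "isolated: connect failed with errno $errno ($errstr)\n";
});
exit($status);
```

A non-zero exit from the child tells the suite that either the namespace could not be created or the test reached the network, so a silent fallback to a real service cannot pass unnoticed.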