Merge branch 'main' into bcpeinhardt/simple-allow-impl

Author: bcpeinhardt

.github/workflows/ci.yml

@@ -73,6 +73,36 @@ jobs:
     - name: Download and verify dependencies
       run: make deps
 
+      # Before (default):
+      #  - /etc/resolv.conf -> /run/systemd/resolve/stub-resolv.conf
+      #  - stub-resolv.conf points to 127.0.0.53 (systemd-resolved stub listener)
+      #  - systemd-resolved forwards to the real upstream file:
+      #      /run/systemd/resolve/resolv.conf
+      #  Flow: /etc/resolv.conf -> stub-resolv.conf (127.0.0.53) -> systemd-resolved -> /run/systemd/resolve/resolv.conf
+      #
+      # After (bind-mount):
+      #  - /etc/resolv.conf is bind-mounted to /run/systemd/resolve/resolv.conf
+      #  - processes read upstream nameservers directly from /run/systemd/resolve/resolv.conf
+      #  Flow: /etc/resolv.conf -> /run/systemd/resolve/resolv.conf
+      #
+      # This makes processes talk directly to the upstream DNS servers and
+      # bypasses the systemd-resolved *stub listener* (127.0.0.53).
+      #
+      # Important nuance: systemd-resolved itself is NOT stopped; it still runs and updates
+      # /run/systemd/resolve/resolv.conf. Because this is a bind (not a copy), updates to the
+      # upstream list are visible. Trade-off: we lose the stub’s features (caching,
+      # split-DNS/VPN per-interface behavior, DNSSEC/DoT/DoH mediation, mDNS/LLMNR).
+      #
+      # Reason: network namespaces have their own network stack (interfaces, routes and loopback).
+      # A process inside a network namespace resolves 127.0.0.53 against that namespace’s loopback, not the host’s,
+      # and systemd-resolved usually listens on the host loopback. As a result the stub at 127.0.0.53 is often
+      # unreachable from an isolated namespace and DNS lookups fail.
+      # Bind-mounting /run/systemd/resolve/resolv.conf over /etc/resolv.conf forces processes to use the upstream
+      # nameservers directly, avoiding that failure.
+    - name: Change DNS configuration
+      if: runner.os == 'Linux'
+      run: sudo mount --bind /run/systemd/resolve/resolv.conf /etc/resolv.conf
+
     - name: Run unit tests
       run: make unit-test
 

Makefile

@@ -62,7 +62,7 @@ e2e-test:
 		echo "E2E tests require Linux platform. Current platform: $$(uname)"; \
 		exit 1; \
 	fi
-	sudo $(shell which go) test -v -race ./e2e_tests
+	sudo $(shell which go) test -v -race ./e2e_tests -count=1
 	@echo "✓ E2E tests passed!"
 
 # Run tests with coverage (needs sudo for E2E tests)

audit/log_auditor.go

@@ -20,10 +20,13 @@ func (a *LogAuditor) AuditRequest(req Request) {
 		a.logger.Info("ALLOW",
 			"method", req.Method,
 			"url", req.URL,
+			"host", req.Host,
 			"rule", req.Rule)
 	} else {
 		a.logger.Warn("DENY",
 			"method", req.Method,
-			"url", req.URL)
+			"url", req.URL,
+			"host", req.Host,
+		)
 	}
 }

audit/request.go

@@ -8,6 +8,7 @@ type Auditor interface {
 type Request struct {
 	Method  string
 	URL     string
+	Host    string
 	Allowed bool
 	Rule    string // The rule that matched (if any)
 }

boundary.go

@@ -20,6 +20,9 @@ type Config struct {
 	TLSConfig  *tls.Config
 	Logger     *slog.Logger
 	Jailer     jail.Jailer
+	ProxyPort  int
+	PprofEnabled bool
+	PprofPort    int
 }
 
 type Boundary struct {
@@ -34,11 +37,13 @@ type Boundary struct {
 func New(ctx context.Context, config Config) (*Boundary, error) {
 	// Create proxy server
 	proxyServer := proxy.NewProxyServer(proxy.Config{
-		HTTPPort:   8080,
-		RuleEngine: config.RuleEngine,
-		Auditor:    config.Auditor,
-		Logger:     config.Logger,
-		TLSConfig:  config.TLSConfig,
+		HTTPPort:     config.ProxyPort,
+		RuleEngine:   config.RuleEngine,
+		Auditor:      config.Auditor,
+		Logger:       config.Logger,
+		TLSConfig:    config.TLSConfig,
+		PprofEnabled: config.PprofEnabled,
+		PprofPort:    config.PprofPort,
 	})
 
 	// Create cancellable context for boundary
@@ -55,8 +60,8 @@ func New(ctx context.Context, config Config) (*Boundary, error) {
 }
 
 func (b *Boundary) Start() error {
-	// Start the jailer (network isolation)
-	err := b.jailer.Start()
+	// Configure the jailer (network isolation)
+	err := b.jailer.ConfigureBeforeCommandExecution()
 	if err != nil {
 		return fmt.Errorf("failed to start jailer: %v", err)
 	}
@@ -78,6 +83,10 @@ func (b *Boundary) Command(command []string) *exec.Cmd {
 	return b.jailer.Command(command)
 }
 
+func (b *Boundary) ConfigureAfterCommandExecution(processPID int) error {
+	return b.jailer.ConfigureAfterCommandExecution(processPID)
+}
+
 func (b *Boundary) Close() error {
 	// Stop proxy server
 	if b.proxyServer != nil {

cli/cli.go

@@ -3,8 +3,10 @@ package cli
 import (
 	"context"
 	"fmt"
+	"log"
 	"log/slog"
 	"os"
+	"os/exec"
 	"os/signal"
 	"path/filepath"
 	"strings"
@@ -26,6 +28,9 @@ type Config struct {
 	LogLevel     string
 	LogDir       string
 	Unprivileged bool
+	ProxyPort    int64
+	PprofEnabled bool
+	PprofPort    int64
 }
 
 // NewCommand creates and returns the root serpent command
@@ -84,6 +89,26 @@ func BaseCommand() *serpent.Command {
 				Description: "Run in unprivileged mode (no network isolation, uses proxy environment variables).",
 				Value:       serpent.BoolOf(&config.Unprivileged),
 			},
+			{
+				Flag:        "proxy-port",
+				Env:         "PROXY_PORT",
+				Description: "Set a port for HTTP proxy.",
+				Default:     "8080",
+				Value:       serpent.Int64Of(&config.ProxyPort),
+			},
+			{
+				Flag:        "pprof",
+				Env:         "BOUNDARY_PPROF",
+				Description: "Enable pprof profiling server.",
+				Value:       serpent.BoolOf(&config.PprofEnabled),
+			},
+			{
+				Flag:        "pprof-port",
+				Env:         "BOUNDARY_PPROF_PORT",
+				Description: "Set port for pprof profiling server.",
+				Default:     "6060",
+				Value:       serpent.Int64Of(&config.PprofPort),
+			},
 		},
 		Handler: func(inv *serpent.Invocation) error {
 			args := inv.Args
@@ -92,15 +117,47 @@ func BaseCommand() *serpent.Command {
 	}
 }
 
+func isChild() bool {
+	return os.Getenv("CHILD") == "true"
+}
+
 // Run executes the boundary command with the given configuration and arguments
 func Run(ctx context.Context, config Config, args []string) error {
-	ctx, cancel := context.WithCancel(ctx)
-	defer cancel()
-
 	logger, err := setupLogging(config)
 	if err != nil {
 		return fmt.Errorf("could not set up logging: %v", err)
 	}
+
+	if isChild() {
+		logger.Info("boundary CHILD process is started")
+
+		vethNetJail := os.Getenv("VETH_JAIL_NAME")
+		err := jail.SetupChildNetworking(vethNetJail)
+		if err != nil {
+			return fmt.Errorf("failed to setup child networking: %v", err)
+		}
+		logger.Info("child networking is successfully configured")
+
+		// Program to run
+		bin := args[0]
+		args = args[1:]
+
+		cmd := exec.Command(bin, args...)
+		cmd.Stdin = os.Stdin
+		cmd.Stdout = os.Stdout
+		cmd.Stderr = os.Stderr
+		err = cmd.Run()
+		if err != nil {
+			log.Printf("failed to run %s: %v", bin, err)
+			return err
+		}
+
+		return nil
+	}
+
+	ctx, cancel := context.WithCancel(ctx)
+	defer cancel()
+
 	username, uid, gid, homeDir, configDir := util.GetUserInfo()
 
 	// Get command arguments
@@ -147,7 +204,7 @@ func Run(ctx context.Context, config Config, args []string) error {
 	// Create jailer with cert path from TLS setup
 	jailer, err := createJailer(jail.Config{
 		Logger:        logger,
-		HttpProxyPort: 8080,
+		HttpProxyPort: int(config.ProxyPort),
 		Username:      username,
 		Uid:           uid,
 		Gid:           gid,
@@ -161,11 +218,14 @@ func Run(ctx context.Context, config Config, args []string) error {
 
 	// Create boundary instance
 	boundaryInstance, err := boundary.New(ctx, boundary.Config{
-		RuleEngine: ruleEngine,
-		Auditor:    auditor,
-		TLSConfig:  tlsConfig,
-		Logger:     logger,
-		Jailer:     jailer,
+		RuleEngine:   ruleEngine,
+		Auditor:      auditor,
+		TLSConfig:    tlsConfig,
+		Logger:       logger,
+		Jailer:       jailer,
+		ProxyPort:    int(config.ProxyPort),
+		PprofEnabled: config.PprofEnabled,
+		PprofPort:    int(config.PprofPort),
 	})
 	if err != nil {
 		return fmt.Errorf("failed to create boundary instance: %v", err)
@@ -191,15 +251,26 @@ func Run(ctx context.Context, config Config, args []string) error {
 	// Execute command in boundary
 	go func() {
 		defer cancel()
-		cmd := boundaryInstance.Command(args)
-		cmd.Stderr = os.Stderr
-		cmd.Stdout = os.Stdout
-		cmd.Stdin = os.Stdin
+		cmd := boundaryInstance.Command(os.Args)
+
+		logger.Debug("Executing command in boundary", "command", strings.Join(os.Args, " "))
+		err := cmd.Start()
+		if err != nil {
+			logger.Error("Command failed to start", "error", err)
+			return
+		}
+
+		err = boundaryInstance.ConfigureAfterCommandExecution(cmd.Process.Pid)
+		if err != nil {
+			logger.Error("configuration after command execution failed", "error", err)
+			return
+		}
 
-		logger.Debug("Executing command in boundary", "command", strings.Join(args, " "))
-		err := cmd.Run()
+		logger.Debug("waiting on a child process to finish")
+		err = cmd.Wait()
 		if err != nil {
 			logger.Error("Command execution failed", "error", err)
+			return
 		}
 	}()