authorChris <ccbrown112@gmail.com>2018-01-15 11:21:06 -0600
committerChristopher Speller <crspeller@gmail.com>2018-01-15 09:21:06 -0800
commitf5c8a71698d0a7a16c68be220e49fe64bfee7f5c (patch)
tree194b9cc79eceb1c91c44e39b9d797671c178fe0e /plugin/rpcplugin/sandbox/supervisor.go
parent7e5ce976681e99be6b26d428935ba1106d530efa (diff)
ABC-22: Plugin sandboxing for linux/amd64 (#8068)
* plugin sandboxing * remove unused type * better symlink handling, better remounting, better test, whitespace fixes, and comment on the remounting * fix test compile error * big simplification for getting mount flags * mask statfs flags to the ones we're interested in
Diffstat (limited to 'plugin/rpcplugin/sandbox/supervisor.go')
-rw-r--r--plugin/rpcplugin/sandbox/supervisor.go33
1 files changed, 33 insertions, 0 deletions
diff --git a/plugin/rpcplugin/sandbox/supervisor.go b/plugin/rpcplugin/sandbox/supervisor.go
new file mode 100644
index 000000000..0e63954fd
--- /dev/null
+++ b/plugin/rpcplugin/sandbox/supervisor.go
@@ -0,0 +1,33 @@
+// Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved.
+// See License.txt for license information.
+
+package sandbox
+
+import (
+ "context"
+ "fmt"
+ "io"
+ "path/filepath"
+ "strings"
+
+ "github.com/mattermost/mattermost-server/model"
+ "github.com/mattermost/mattermost-server/plugin"
+ "github.com/mattermost/mattermost-server/plugin/rpcplugin"
+)
+
+func SupervisorProvider(bundle *model.BundleInfo) (plugin.Supervisor, error) {
+ return rpcplugin.SupervisorWithNewProcessFunc(bundle, func(ctx context.Context) (rpcplugin.Process, io.ReadWriteCloser, error) {
+ executable := filepath.Clean(filepath.Join(".", bundle.Manifest.Backend.Executable))
+ if strings.HasPrefix(executable, "..") {
+ return nil, nil, fmt.Errorf("invalid backend executable")
+ }
+ return NewProcess(ctx, &Configuration{
+ MountPoints: []*MountPoint{{
+ Source: bundle.Path,
+ Destination: "/plugin",
+ ReadOnly: true,
+ }},
+ WorkingDirectory: "/plugin",
+ }, filepath.Join("/plugin", executable))
+ })
+}
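Review bot: The path check inside the closure, `strings.HasPrefix(executable, "..")`, lets an empty or `.` value of `Backend.Executable` through; that value cleans to `.`, so the program path becomes `/plugin` itself. The same check also rejects legitimate file names that merely begin with two dots. Because the value comes from the plugin's manifest, I would make the test exact: `if executable == "." || executable == ".." || strings.HasPrefix(executable, ".."+string(filepath.Separator)) {`. The check is purely lexical, so a short comment stating what the sandbox relies on for symlinks inside the bundle (presumably the read-only `/plugin` mount) would help the next reader. If `Manifest` and `Backend` are pointer fields (their declarations are not on this page), `bundle.Manifest.Backend.Executable` would panic for a bundle without a backend section, so it is worth validating once in `SupervisorProvider` before returning the supervisor; the exported function also lacks a doc comment.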