author | Chris <ccbrown112@gmail.com> | 2018-01-15 11:21:06 -0600 |
---|---|---|
committer | Christopher Speller <crspeller@gmail.com> | 2018-01-15 09:21:06 -0800 |
commit | f5c8a71698d0a7a16c68be220e49fe64bfee7f5c (patch) | |
tree | 194b9cc79eceb1c91c44e39b9d797671c178fe0e /plugin/rpcplugin/sandbox/supervisor.go | |
parent | 7e5ce976681e99be6b26d428935ba1106d530efa (diff) | |
ABC-22: Plugin sandboxing for linux/amd64 (#8068)
* plugin sandboxing
* remove unused type
* better symlink handling, better remounting, better test, whitespace
fixes, and comment on the remounting
* fix test compile error
* big simplification for getting mount flags
* mask statfs flags to the ones we're interested in
Diffstat (limited to 'plugin/rpcplugin/sandbox/supervisor.go')
-rw-r--r-- | plugin/rpcplugin/sandbox/supervisor.go | 33 |
1 files changed, 33 insertions, 0 deletions
diff --git a/plugin/rpcplugin/sandbox/supervisor.go b/plugin/rpcplugin/sandbox/supervisor.go
new file mode 100644
index 000000000..0e63954fd
--- /dev/null
+++ b/plugin/rpcplugin/sandbox/supervisor.go
@@ -0,0 +1,33 @@
+// Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved.
+// See License.txt for license information.
+
+package sandbox
+
+import (
+ "context"
+ "fmt"
+ "io"
+ "path/filepath"
+ "strings"
+
+ "github.com/mattermost/mattermost-server/model"
+ "github.com/mattermost/mattermost-server/plugin"
+ "github.com/mattermost/mattermost-server/plugin/rpcplugin"
+)
+
+func SupervisorProvider(bundle *model.BundleInfo) (plugin.Supervisor, error) {
+ return rpcplugin.SupervisorWithNewProcessFunc(bundle, func(ctx context.Context) (rpcplugin.Process, io.ReadWriteCloser, error) {
+ executable := filepath.Clean(filepath.Join(".", bundle.Manifest.Backend.Executable))
+ if strings.HasPrefix(executable, "..") {
+ return nil, nil, fmt.Errorf("invalid backend executable")
+ }
+ return NewProcess(ctx, &Configuration{
+ MountPoints: []*MountPoint{{
+ Source: bundle.Path,
+ Destination: "/plugin",
+ ReadOnly: true,
+ }},
+ WorkingDirectory: "/plugin",
+ }, filepath.Join("/plugin", executable))
+ })
+} |
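Review bot: The traversal guard in the `SupervisorProvider` closure rejects anything that cleans to a path starting with `..`, but an empty or `.` value of `bundle.Manifest.Backend.Executable` cleans to `.` and passes, so `NewProcess` is asked to run `/plugin` itself; the same prefix test also refuses a legitimate file name such as `..helper`. A tighter check would be `if executable == "." || executable == ".." || strings.HasPrefix(executable, ".."+string(filepath.Separator)) {`. `bundle.Manifest` and its `Backend` field are dereferenced without a nil check; their types are not visible here, but if either can be nil for a bundle with no backend, the closure panics instead of returning an error. The error could also include the rejected value with `%q` so an operator can tell which manifest was refused.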