From f5c8a71698d0a7a16c68be220e49fe64bfee7f5c Mon Sep 17 00:00:00 2001
From: Chris <ccbrown112@gmail.com>
Date: Mon, 15 Jan 2018 11:21:06 -0600
Subject: ABC-22: Plugin sandboxing for linux/amd64 (#8068)

* plugin sandboxing

* remove unused type

* better symlink handling, better remounting, better test, whitespace
fixes, and comment on the remounting

* fix test compile error

* big simplification for getting mount flags

* mask statfs flags to the ones we're interested in
---
 plugin/rpcplugin/sandbox/supervisor.go | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 plugin/rpcplugin/sandbox/supervisor.go

(limited to 'plugin/rpcplugin/sandbox/supervisor.go')

diff --git a/plugin/rpcplugin/sandbox/supervisor.go b/plugin/rpcplugin/sandbox/supervisor.go
new file mode 100644
index 000000000..0e63954fd
--- /dev/null
+++ b/plugin/rpcplugin/sandbox/supervisor.go
@@ -0,0 +1,33 @@
+// Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved.
+// See License.txt for license information.
+
+package sandbox
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"path/filepath"
+	"strings"
+
+	"github.com/mattermost/mattermost-server/model"
+	"github.com/mattermost/mattermost-server/plugin"
+	"github.com/mattermost/mattermost-server/plugin/rpcplugin"
+)
+
+func SupervisorProvider(bundle *model.BundleInfo) (plugin.Supervisor, error) {
+	return rpcplugin.SupervisorWithNewProcessFunc(bundle, func(ctx context.Context) (rpcplugin.Process, io.ReadWriteCloser, error) {
+		executable := filepath.Clean(filepath.Join(".", bundle.Manifest.Backend.Executable))
+		if strings.HasPrefix(executable, "..") {
+			return nil, nil, fmt.Errorf("invalid backend executable")
+		}
+		return NewProcess(ctx, &Configuration{
+			MountPoints: []*MountPoint{{
+				Source:      bundle.Path,
+				Destination: "/plugin",
+				ReadOnly:    true,
+			}},
+			WorkingDirectory: "/plugin",
+		}, filepath.Join("/plugin", executable))
+	})
+}
-- 
cgit v1.2.3-1-g7c22