Exec wrapper #154

Closed
wants to merge 8 commits into from

disconnect3d
Contributor

This PR implements the exec_wrapper as described in #143 (comment).

This can be used to wrap the jailed binary e.g. to require solving a PoW challenge or authenticate before the main binary is launched. The specified exec_wrapper needs to launch the child binary by itself.

An example exec wrapper implementation/code can be seen below.

#define _GNU_SOURCE
#include <sys/syscall.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>


int main(int argc, char* argv[], char* envp[]) {
	// Require the "--" separator so that argv[4] really is the child's argv[0]
	if (argc < 4 || strcmp(argv[3], "--"))
		goto fail;

	for(int i=0; i<argc; ++i)
		printf("argv[%d] = '%s'\n", i, argv[i]);

	// Invoked as: exec_wrapper --file <binary-path> -- <argv0> <argv1> ...
	if (!strcmp(argv[1], "--file")) {
		printf("execve(%s)\n", argv[2]);
		fflush(stdout); // buffered output is discarded once the exec succeeds
		execve(argv[2], &argv[4], envp);
		perror("execve"); // only reached when the exec failed
		return -1;
	}
	// Invoked as: exec_wrapper --fd <binary-fd> -- <argv0> <argv1> ...
	else if (!strcmp(argv[1], "--fd")) {
		int fd = atoi(argv[2]);
		fflush(stdout);
		//execveat(fd, "", &argv[4], envp, AT_EMPTY_PATH); // some libcs are missing it...
		syscall(SYS_execveat, fd, "", &argv[4], envp, AT_EMPTY_PATH);
		perror("execveat"); // only reached when the exec failed
		return -1;
	}

	fail:
	fprintf(stderr, "exec_wrapper usage: exec_wrapper (--file|--fd) <binary-path-or-fd> -- <argv0> <argv1> ...\n");
	return -1;
}

And the way we use it (in standard nsjail container - after docker build -t nsjail . && docker run --privileged --rm -it --net none nsjail .):

root@e7c8d0c7d074:/# gcc main.c
root@e7c8d0c7d074:/# nsjail -Mo --chroot / --exec_wrapper /a.out /bin/echo "ABC"
[I][2020-09-07T16:41:52+0000] Mode: STANDALONE_ONCE
[I][2020-09-07T16:41:52+0000] Jail parameters: hostname:'NSJAIL', chroot:'/', process:'/bin/echo', bind:[::]:0, max_conns_per_ip:0, time_limit:0, personality:0, daemonize:false, clone_newnet:true, clone_newuser:true, clone_newns:true, clone_newpid:true, clone_newipc:true, clone_newuts:true, clone_newcgroup:true, keep_caps:false, disable_no_new_privs:false, max_cpus:0
[I][2020-09-07T16:41:52+0000] Mount: '/' -> '/' flags:MS_RDONLY|MS_BIND|MS_REC|MS_PRIVATE type:'' options:'' dir:true
[I][2020-09-07T16:41:52+0000] Mount: '/proc' flags:MS_RDONLY type:'proc' options:'' dir:true
[I][2020-09-07T16:41:52+0000] Uid map: inside_uid:0 outside_uid:0 count:1 newuidmap:false
[W][2020-09-07T16:41:52+0000][687] void cmdline::logParams(nsjconf_t*)():255 Process will be UID/EUID=0 in the global user namespace, and will have user root-level access to files
[I][2020-09-07T16:41:52+0000] Gid map: inside_gid:0 outside_gid:0 count:1 newgidmap:false
[W][2020-09-07T16:41:52+0000][687] void cmdline::logParams(nsjconf_t*)():265 Process will be GID/EGID=0 in the global user namespace, and will have group root-level access to files
[I][2020-09-07T16:41:52+0000] Executing '/bin/echo' for '[STANDALONE MODE]'
[I][2020-09-07T16:41:52+0000] executing wrapper
argv[0] = 'exec_wrapper'
argv[1] = '--file'
argv[2] = '/bin/echo'
argv[3] = '--'
argv[4] = '/bin/echo'
argv[5] = 'ABC'
execve(/bin/echo)
ABC
[I][2020-09-07T16:41:52+0000] pid=688 ([STANDALONE MODE]) exited with status: 0, (PIDs left: 0)
root@e7c8d0c7d074:/#

@google-cla

google-cla bot commented Sep 7, 2020

We found a Contributor License Agreement for you (the sender of this pull request), but were unable to find agreements for all the commit author(s) or Co-authors. If you authored these, maybe you used a different email address in the git commits than was used to sign the CLA (login here to double check)? If these were authored by someone else, then they will need to sign a CLA as well, and confirm that they're okay with these being contributed to Google.
In order to pass this check, please resolve this problem and then comment @googlebot I fixed it.. If the bot doesn't comment, it means it doesn't think anything has changed.

ℹ️ Googlers: Go here for more info.

@disconnect3d
Contributor Author

@googlebot I fixed it.

@google-cla

google-cla bot commented Sep 7, 2020

All (the pull request submitter and all commit authors) CLAs are signed, but one or more commits were authored or co-authored by someone other than the pull request submitter.

We need to confirm that all authors are ok with their commits being contributed to this project. Please have them confirm that by leaving a comment that contains only @googlebot I consent. in this pull request.

Note to project maintainer: There may be cases where the author cannot leave a comment, or the comment is not properly detected as consent. In those cases, you can manually confirm consent of the commit author(s), and set the cla label to yes (if enabled on your project).

ℹ️ Googlers: Go here for more info.

@vesim987

vesim987 commented Sep 7, 2020

@googlebot I consent.

Collaborator

@happyCoder92 happyCoder92 left a comment

What is the advantage of this vs:
./nsjail --pass_fd 1023 -Mo --chroot / -- /a.out --fd 1023 -- /bin/echo "ABC" 1023</bin/echo
./nsjail -Mo --chroot / -- /a.out --file /bin/echo -- /bin/echo "ABC"
?

@@ -179,6 +179,19 @@ static void subprocNewProc(
LOG_I("Executing '%s' for '%s'", nsjconf->exec_file.c_str(), connstr.c_str());

std::vector<const char*> argv;
std::string fd_string = std::to_string(exec_wrapper_fd);
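Review bot: the `fd_string` line needs a comment saying why the string is declared right next to `argv`: `argv` holds raw `const char*` pointers, so if `fd_string.c_str()` is pushed into it, the string has to stay alive until the exec call. Keep the declaration where it is, but consider filling it only when the wrapper is invoked with `--fd`, since the `--file` form shown in the PR description never uses the value.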
Collaborator

s/exec_wrapper_fd/nsjconf->exec_fd/

@disconnect3d
Contributor Author

disconnect3d commented Oct 6, 2020

What is the advantage of this vs: (...)

Eventually none, as the proposed solution is enough to perform what this PR adds. In the end, I don't think it's worth making the nsjail code more complex to get a feature that can work right away.

On the other hand, it would be nice to document such a use case in the README.
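The use case discussed in this thread, a wrapper that receives the jailed binary through `--pass_fd` and authenticates before launching it, as an added example that is not code from this PR or from nsjail. The `GATE_TOKEN` variable, the way it reaches the wrapper's environment, the 65535 cap and the helper names `parse_fd` and `token_ok` are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
#ifndef AT_EMPTY_PATH
#define AT_EMPTY_PATH 0x1000 /* Linux value, for libcs that hide it */
#endif
extern char **environ;

/* Strict decimal parse of the fd argument; -1 on junk, a sign, or > 65535 (constructed cap). */
int parse_fd(const char *s) {
	char *end;
	if (*s < '0' || *s > '9') return -1;
	errno = 0;
	long v = strtol(s, &end, 10);
	if (errno || *end != '\0' || v > 65535) return -1;
	return (int)v;
}

/* Compare every input byte, so timing does not show where the first mismatch is. */
int token_ok(const char *want, const char *got) {
	size_t wl = strlen(want), gl = strlen(got);
	unsigned char diff = (unsigned char)(wl != gl);
	for (size_t i = 0; i < gl; i++)
		diff |= (unsigned char)(want[i % (wl ? wl : 1)] ^ got[i]);
	return diff == 0;
}

/* Usage: gate --fd <binary-fd> -- <argv0> <argv1> ... */
int main(int argc, char *argv[]) {
	if (argc < 5 || strcmp(argv[1], "--fd") || strcmp(argv[3], "--")) return 2;
	int fd = parse_fd(argv[2]);
	if (fd < 0 || fcntl(fd, F_GETFD) < 0) return 2; /* must be an open descriptor */
	const char *want = getenv("GATE_TOKEN");        /* hypothetical variable name */
	char got[128]; size_t n = 0; char c;
	/* Byte-wise read(): stdio buffering would swallow input meant for the child. */
	while (n < sizeof got - 1 && read(0, &c, 1) == 1 && c != '\n')
		got[n++] = c;
	got[n] = '\0';
	if (!want || !*want || !token_ok(want, got)) return 1;
	unsetenv("GATE_TOKEN");                         /* keep the secret out of the child */
	syscall(SYS_execveat, fd, "", &argv[4], environ, AT_EMPTY_PATH);
	perror("execveat");                             /* only reached when the exec failed */
	return 1;
}
```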
