spindle/microvm: dont enable sandboxing in slirp4netns · tangled.org/core@1f34ccc

Monorepo for Tangled tangled.org

spindle/microvm: dont enable sandboxing in slirp4netns

slirp4netns has a bug where it will break host devices on root user
if this is enabled. so to avoid this, let's disable it. the sandboxing
doesn't matter here because slirp4netns runs next to spindle anyway
so if slirp is compromised you have bigger issues, and seccomp is still
enabled, and if you really care your spindle should be a hardened
systemd service anyway.

Signed-off-by: dawn <dawn@tangled.org>

author

dawn date 5 days ago (Jun 19, 2026, 10:03 PM +0300) commit 1f34ccc0 1f34ccc00973f6209bff3540cb02829557e1708d parent 9434781d 9434781d9bf32fde6f23c0a4ce637a3a6844674b

+19 -14

1 changed file

Expand all

spindle

engines

microvm

networking.go

+19 -14

spindle/engines/microvm/networking.go

··· 122 122 return nil, nil, fmt.Errorf("slirp4netns command not found in PATH: %w", err) 123 123 } 124 124 125 + args := slirpArgs(n.dev, pid) 126 + 127 + cmd := exec.CommandContext(ctx, slirpPath, args...) 128 + cmd.ExtraFiles = []*os.File{exitR} 129 + cmd.Stdout = logFile 130 + cmd.Stderr = logFile 131 + if err := cmd.Start(); err != nil { 132 + return nil, nil, fmt.Errorf("start slirp4netns: %w", err) 133 + } 134 + logger.Info("started slirp4netns network namespace", "pid", pid, "cidr", outerSlirpCIDR, "tap", netnsTapName) 135 + 136 + ok = true 137 + return cmd, exitW, nil 138 + } 139 + 140 + func slirpArgs(dev bool, pid string) []string { 125 141 args := []string{ 126 142 "--configure", 127 143 "--mtu=" + netnsMTU, 128 144 } 129 - if !n.dev { 145 + if !dev { 130 146 args = append(args, "--disable-host-loopback") 131 147 } 132 148 args = append(args, 133 - "--enable-sandbox", 149 + "--disable-dns", 134 150 "--enable-seccomp", 135 151 "--exit-fd=3", 136 152 "--cidr="+outerSlirpCIDR, 137 153 pid, 138 154 netnsTapName, 139 155 ) 140 - 141 - cmd := exec.CommandContext(ctx, slirpPath, args...) 142 - cmd.ExtraFiles = []*os.File{exitR} 143 - cmd.Stdout = logFile 144 - cmd.Stderr = logFile 145 - if err := cmd.Start(); err != nil { 146 - return nil, nil, fmt.Errorf("start slirp4netns: %w", err) 147 - } 148 - logger.Info("started slirp4netns network namespace", "pid", pid, "cidr", outerSlirpCIDR, "tap", netnsTapName) 149 - 150 - ok = true 151 - return cmd, exitW, nil 156 + return args 152 157 }

Configure Feed

Configure Feed