test

runtime_locking_shard0_raft_log_0/CURRENT

@@ -0,0 +1 @@
+MANIFEST-000031

runtime_locking_shard0_raft_log_0/LOG

@@ -0,0 +1,13 @@
+2024/07/08-14:18:30.020061 281473338888224 Recovering log #29
+2024/07/08-14:18:30.023908 281473338888224 Level-0 table #32: started
+2024/07/08-14:18:30.028947 281473338888224 Level-0 table #32: 82539 bytes OK
+2024/07/08-14:18:30.034582 281473338888224 Delete type=2 #26
+2024/07/08-14:18:30.034603 281473338888224 Delete type=0 #29
+2024/07/08-14:18:30.034613 281473338888224 Delete type=2 #28
+2024/07/08-14:18:30.034621 281473338888224 Delete type=3 #27
+2024/07/08-14:18:33.667887 281473284431232 Compacting 1@0 + 1@1 files
+2024/07/08-14:18:33.748399 281473284431232 Generated table #34@0: 13095 keys, 1048184 bytes
+2024/07/08-14:18:33.748433 281473284431232 Compacted 1@0 + 1@1 files => 1048184 bytes
+2024/07/08-14:18:33.749657 281473284431232 compacted to: files[ 0 1 0 0 0 0 0 ]
+2024/07/08-14:18:33.749738 281473284431232 Delete type=2 #32
+2024/07/08-14:18:33.749808 281473284431232 Delete type=2 #30

runtime_locking_shard0_raft_log_0/LOG.old

@@ -0,0 +1,11 @@
+2024/07/08-14:16:41.564949 281472876269600 Recovering log #25
+2024/07/08-14:16:41.568609 281472876269600 Level-0 table #28: started
+2024/07/08-14:16:41.574979 281472876269600 Level-0 table #28: 66590 bytes OK
+2024/07/08-14:16:41.581514 281472876269600 Delete type=3 #23
+2024/07/08-14:16:41.581556 281472876269600 Delete type=0 #25
+2024/07/08-14:16:41.581566 281472876269600 Delete type=2 #22
+2024/07/08-14:16:41.581572 281472876269600 Delete type=2 #24
+2024/07/08-14:16:44.568411 281472821964160 Compacting 1@0 + 1@1 files
+2024/07/08-14:16:44.646131 281472821964160 Generated table #30@0: 12222 keys, 965789 bytes
+2024/07/08-14:16:44.646179 281472821964160 Compacted 1@0 + 1@1 files => 965789 bytes
+2024/07/08-14:16:44.648008 281472821964160 compacted to: files[ 0 1 0 0 0 0 0 ]

scripts/build.sh

@@ -62,3 +62,7 @@ echo "Building $CMAKE_BUILD_TYPE"
 eval "cmake -DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE} ${CMAKE_FLAGS} .."
 make -j$CPUS
 
+# which build file would the executable for src/parsec/agent/runners/lua/impl.cpp lua_runner::run() actually exist?
+sudo setcap cap_sys_chroot=ep "/home/nicoli/Desktop/opencbdc-tx/build/tests/unit/run_unit_tests"
+sudo setcap cap_sys_chroot=ep "/home/nicoli/Desktop/opencbdc-tx/build/tests/integration/run_integration_tests"
+sudo setcap cap_sys_chroot=ep "/home/nicoli/Desktop/opencbdc-tx/build/src/parsec/agent/agentd"

scripts/parsec-run-local.sh

@@ -55,6 +55,12 @@ sleep 1
     --ticket_machine_count=1 --ticket_machine0_endpoint=$IP:7777 \
     --loglevel=$LOGLEVEL > logs/ticket_machined.log &
 sleep 1
+# create jail
+# copy any desired binaries/dependencies - /agentd, /dev/urandom
+# enter chroot environment and call agentd
+sudo chroot --userspec=$(id -u $USER):$(id -u $USER) /sandbox /busybox sh
+
+
 ./scripts/wait-for-it.sh -s $IP:7777 -t 60 -- ./scripts/wait-for-it.sh -s \
     $IP:5556 -t 60 -- ./build/src/parsec/agent/agentd --shard_count=1 \
     --shard0_count=1 --shard00_endpoint=$IP:5556 --node_id=0 --component_id=0 \

src/parsec/agent/agentd.cpp

@@ -2,7 +2,6 @@
 //                    Federal Reserve Bank of Boston
 // Distributed under the MIT software license, see the accompanying
 // file COPYING or http://www.opensource.org/licenses/mit-license.php.
-
 #include "broker/impl.hpp"
 #include "crypto/sha256.h"
 #include "directory/impl.hpp"
@@ -158,6 +157,9 @@ auto main(int argc, char** argv) -> int {
         running = false;
     });
 
+    // bash script chroot here (?)
+    // places the agent in chroot and then continues so no dependencies will be needed?
+
     log->info("Agent running");
 
     while(running) {

src/parsec/agent/runners/lua/CMakeLists.txt

@@ -2,3 +2,4 @@ project(lua_runner)
 
 add_library(lua_runner impl.cpp
                        server.cpp)
+

src/parsec/agent/runners/lua/chroot-forbid.sh

@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+
+/usr/sbin/setcap -r "./chroot-in-shell.sh"
+/usr/sbin/setcap -r "/usr/sbin/chroot"
+/usr/sbin/setcap -r "./chroot-forbid.sh"
+/usr/sbin/setcap -r "/usr/sbin/setcap"

src/parsec/agent/runners/lua/chroot-in-shell.sh

@@ -0,0 +1,33 @@
+# steps:
+# 1. create chroot environment
+# 2. create directories
+# 3. copy binaries we want
+# 4. import dependencies
+# 5. chroot in!
+
+# arg1=path, arg2=wanted binaries separated by commas
+# e.g. ./chroot-in-shell.sh /home/nicoli/Desktop/jail bash,touch,ls,rm
+
+chr="$1" # creates chroot environment
+mkdir -p $chr # creates necessary directories
+mkdir -p $chr/{bin,lib.lib64} 
+cd $chr
+
+
+# wanted binaries
+string="$2"
+IFS=',' read -r -a wanted <<< "$string"
+
+# # copies wanted binaries
+for binary in ${wanted[@]}; do cp /bin/$binary $chr/bin; done
+
+# # copies all dependencies
+for binary in ${wanted[@]}; do
+    list="$(ldd /bin/$binary | egrep -o '/lib.*\.[0-9]')"
+    for i in $list; do cp --parents "$i" "${chr}"; done
+done 
+
+
+# enter chroot
+/usr/sbin/chroot $chr /bin/bash
+# sudo chroot $chr [#insert agent here]

src/parsec/agent/runners/lua/chroot-permiss.sh

@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+
+sudo setcap cap_sys_chroot=ep "./chroot-in-shell.sh" # give chroot-in-shell.sh ability to chroot
+sudo setcap cap_sys_chroot=ep "/usr/sbin/chroot" # give chroot ability to chroot (?)
+sudo setcap cap_setfcap=ep "./chroot-forbid.sh" # give forbid.sh ability to remove
+sudo setcap cap_setfcap=ep "/usr/sbin/setcap" # give setcap ability to remove (?)

src/parsec/agent/runners/lua/forbid.sh

@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+/usr/sbin/setcap -r "./test"
+/usr/sbin/setcap -r "./forbid.sh"
+/usr/sbin/setcap -r "/usr/sbin/setcap"

src/parsec/agent/runners/lua/impl.cpp

@@ -29,7 +29,8 @@ namespace cbdc::parsec::agent::runner {
                            try_lock_callback_type try_lock_callback,
                            std::shared_ptr<secp256k1_context> secp,
                            std::shared_ptr<thread_pool> t_pool,
-                           ticket_number_type ticket_number)
+                           ticket_number_type ticket_number,
+                           bool is_chrooted)
         : interface(std::move(logger),
                     cfg,
                     std::move(function),
@@ -39,7 +40,7 @@ namespace cbdc::parsec::agent::runner {
                     std::move(try_lock_callback),
                     std::move(secp),
                     std::move(t_pool),
-                    ticket_number) {}
+                    ticket_number) {m_is_chrooted = is_chrooted;}
 
     auto lua_runner::run() -> bool {
         // TODO: use custom allocator to limit memory allocation
@@ -80,6 +81,26 @@ namespace cbdc::parsec::agent::runner {
             return true;
         }
 
+        // chroot
+        char path[1024];
+        ssize_t count = readlink("/proc/self/exe", path, sizeof(path));
+        std::cerr << "[TEST] current working directory is " << std::string(path, (count > 0) ? count : 0) << std::endl;
+
+        chdir("/var/tmp");
+        if(!m_is_chrooted) {
+            if(chroot(".")!=0) {
+                std::cerr << "[TEST] failed to chroot" << std::endl;
+            } else {
+                std::cerr << "[TEST] good chroot" << std::endl;
+            }
+            // test
+            std::ifstream inputFile("/etc/resolv.conf");
+            if (inputFile.is_open()) {
+                std::cerr << "[TEST] jail failed" << std::endl;
+            } else {
+                std::cerr << "[TEST] jail succeeded" << std::endl;
+            }
+        }
         schedule_contract();
 
         return true;

src/parsec/agent/runners/lua/impl.hpp

@@ -30,7 +30,8 @@ namespace cbdc::parsec::agent::runner {
                    try_lock_callback_type try_lock_callback,
                    std::shared_ptr<secp256k1_context> secp,
                    std::shared_ptr<thread_pool> t_pool,
-                   ticket_number_type ticket_number);
+                   ticket_number_type ticket_number,
+                   bool is_chrooted = false);
 
         /// Begins function execution. Retrieves the function bytecode using a
         /// read lock and executes it with the given parameter.
@@ -53,6 +54,8 @@ namespace cbdc::parsec::agent::runner {
         handle_try_lock(const broker::interface::try_lock_return_type& res);
 
         static auto check_sig(lua_State* L) -> int;
+
+        bool m_is_chrooted;
     };
 }
 

src/parsec/agent/runners/lua/permiss.sh

@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+sudo setcap cap_setfcap=ep "./forbid.sh" # give forbid.sh ability to remove
+sudo setcap cap_setfcap=ep "/usr/sbin/setcap" # give /setcap ability to remove
+sudo setcap cap_sys_chroot+ep "./test" # give test ability to chroot

src/parsec/agent/runners/lua/test.cpp

@@ -0,0 +1,23 @@
+#include <iostream>
+#include <stdlib.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <filesystem>
+
+int main() {
+	if (chroot(".")!=0) {
+        std::cout << "[TEST] failed to chroot" << std::endl;
+    } else {
+         std::cout << "[TEST] chrooted proper" << std::endl;
+    }
+
+    /* system("./forbid.sh");
+
+    if (chroot(".")!=0) {
+        std::cout << "[TEST] failed to chroot" << std::endl;
+    } else {
+         std::cout << "[TEST] chrooted proper" << std::endl;
+    }
+
+    return -1; */
+}

stderr

@@ -0,0 +1,55 @@
+[ERROR] The logger pointer in locking_shard::controller is null.
+[ERROR] The logger pointer in coordinator::controller is null.
+[TEST] current working directory is /home/nicoli/Desktop/opencbdc-tx/build/tests/unit/run_unit_tests
+[TEST] moved directory
+[TEST] good chroot
+[TEST] jail succeeded
+[TEST] current working directory is 
+[TEST] failed to move directory
+[TEST] good chroot
+[TEST] jail succeeded
+[TEST] current working directory is 
+[TEST] failed to move directory
+[TEST] good chroot
+[TEST] jail succeeded
+[TEST] current working directory is 
+[TEST] failed to move directory
+[TEST] good chroot
+[TEST] jail succeeded
+[TEST] current working directory is 
+[TEST] failed to move directory
+[TEST] good chroot
+[TEST] jail succeeded
+[TEST] current working directory is 
+[TEST] failed to move directory
+[TEST] good chroot
+[TEST] jail succeeded
+Subroutine read_intermediate_text redefined at /usr/bin/geninfo line 2637.
+Subroutine read_intermediate_json redefined at /usr/bin/geninfo line 2669.
+Subroutine intermediate_text_to_info redefined at /usr/bin/geninfo line 2717.
+Subroutine intermediate_json_to_info redefined at /usr/bin/geninfo line 2806.
+Subroutine get_output_fd redefined at /usr/bin/geninfo line 2886.
+Subroutine print_gcov_warnings redefined at /usr/bin/geninfo line 2914.
+Subroutine process_intermediate redefined at /usr/bin/geninfo line 2944.
+/home/nicoli/Desktop/opencbdc-tx/build/unit_tests_coverage/3rdparty/crypto/CMakeFiles/crypto.dir/sha256_avx2.gcno:no functions found
+geninfo: WARNING: GCOV did not produce any data for /home/nicoli/Desktop/opencbdc-tx/build/unit_tests_coverage/3rdparty/crypto/CMakeFiles/crypto.dir/sha256_avx2.gcno
+/home/nicoli/Desktop/opencbdc-tx/build/unit_tests_coverage/3rdparty/crypto/CMakeFiles/crypto.dir/sha256_sse41.gcno:no functions found
+geninfo: WARNING: GCOV did not produce any data for /home/nicoli/Desktop/opencbdc-tx/build/unit_tests_coverage/3rdparty/crypto/CMakeFiles/crypto.dir/sha256_sse41.gcno
+/home/nicoli/Desktop/opencbdc-tx/build/unit_tests_coverage/3rdparty/crypto/CMakeFiles/crypto.dir/sha256_shani.gcno:no functions found
+geninfo: WARNING: GCOV did not produce any data for /home/nicoli/Desktop/opencbdc-tx/build/unit_tests_coverage/3rdparty/crypto/CMakeFiles/crypto.dir/sha256_shani.gcno
+/home/nicoli/Desktop/opencbdc-tx/build/unit_tests_coverage/3rdparty/crypto/CMakeFiles/crypto.dir/sha256_sse4.gcno:no functions found
+geninfo: WARNING: GCOV did not produce any data for /home/nicoli/Desktop/opencbdc-tx/build/unit_tests_coverage/3rdparty/crypto/CMakeFiles/crypto.dir/sha256_sse4.gcno
+Subroutine read_intermediate_text redefined at /usr/bin/geninfo line 2637.
+Subroutine read_intermediate_json redefined at /usr/bin/geninfo line 2669.
+Subroutine intermediate_text_to_info redefined at /usr/bin/geninfo line 2717.
+Subroutine intermediate_json_to_info redefined at /usr/bin/geninfo line 2806.
+Subroutine get_output_fd redefined at /usr/bin/geninfo line 2886.
+Subroutine print_gcov_warnings redefined at /usr/bin/geninfo line 2914.
+Subroutine process_intermediate redefined at /usr/bin/geninfo line 2944.
+lcov: WARNING: negative counts found in tracefile test.info
+[TEST] current working directory is /home/nicoli/Desktop/opencbdc-tx/build/tests/integration/run_integration_tests
+[TEST] moved directory
+[TEST] good chroot
+[TEST] jail succeeded
+run_integration_tests: /home/nicoli/Desktop/opencbdc-tx/src/util/common/config.cpp:767: cbdc::config::parser::parser(const std::string&): Assertion `file.good()' failed.
+./scripts/test.sh: line 136: 11152 Aborted                 "$PWD"/"$1" "${GTEST_FLAGS[@]}"