feat: implement landjail (#119)

Author: evgeniy-scherbina

cli/cli.go

@@ -8,7 +8,7 @@ import (
 
 	"github.com/coder/boundary/config"
 	"github.com/coder/boundary/log"
-	"github.com/coder/boundary/nsjail_manager"
+	"github.com/coder/boundary/run"
 	"github.com/coder/serpent"
 )
 
@@ -119,9 +119,25 @@ func BaseCommand() *serpent.Command {
 				Value:       &cliConfig.ConfigureDNSForLocalStubResolver,
 				YAML:        "configure_dns_for_local_stub_resolver",
 			},
+			{
+				Flag:        "jail-type",
+				Env:         "BOUNDARY_JAIL_TYPE",
+				Description: "Jail type to use for network isolation. Options: nsjail (default), landjail.",
+				Default:     "nsjail",
+				Value:       &cliConfig.JailType,
+				YAML:        "jail_type",
+			},
 		},
 		Handler: func(inv *serpent.Invocation) error {
-			appConfig := config.NewAppConfigFromCliConfig(cliConfig)
+			appConfig, err := config.NewAppConfigFromCliConfig(cliConfig, inv.Args)
+			if err != nil {
+				return fmt.Errorf("failed to parse cli config file: %v", err)
+			}
+
+			// Get command arguments
+			if len(appConfig.TargetCMD) == 0 {
+				return fmt.Errorf("no command specified")
+			}
 
 			logger, err := log.SetupLogging(appConfig)
 			if err != nil {
@@ -134,7 +150,7 @@ func BaseCommand() *serpent.Command {
 			}
 			logger.Debug("Application config", "config", appConfigInJSON)
 
-			return nsjail_manager.Run(inv.Context(), logger, appConfig, inv.Args)
+			return run.Run(inv.Context(), logger, appConfig)
 		},
 	}
 }

config/config.go

@@ -1,9 +1,30 @@
 package config
 
 import (
+	"fmt"
+
 	"github.com/coder/serpent"
 )
 
+// JailType represents the type of jail to use for network isolation
+type JailType string
+
+const (
+	NSJailType   JailType = "nsjail"
+	LandjailType JailType = "landjail"
+)
+
+func NewJailTypeFromString(str string) (JailType, error) {
+	switch str {
+	case "nsjail":
+		return NSJailType, nil
+	case "landjail":
+		return LandjailType, nil
+	default:
+		return NSJailType, fmt.Errorf("invalid JailType: %s", str)
+	}
+}
+
 type CliConfig struct {
 	Config                           serpent.YAMLConfigPath `yaml:"-"`
 	AllowListStrings                 serpent.StringArray    `yaml:"allowlist"` // From config file
@@ -14,6 +35,7 @@ type CliConfig struct {
 	PprofEnabled                     serpent.Bool           `yaml:"pprof_enabled"`
 	PprofPort                        serpent.Int64          `yaml:"pprof_port"`
 	ConfigureDNSForLocalStubResolver serpent.Bool           `yaml:"configure_dns_for_local_stub_resolver"`
+	JailType                         serpent.String         `yaml:"jail_type"`
 }
 
 type AppConfig struct {
@@ -24,16 +46,26 @@ type AppConfig struct {
 	PprofEnabled                     bool
 	PprofPort                        int64
 	ConfigureDNSForLocalStubResolver bool
+	JailType                         JailType
+	TargetCMD                        []string
+	UserInfo                         *UserInfo
 }
 
-func NewAppConfigFromCliConfig(cfg CliConfig) AppConfig {
+func NewAppConfigFromCliConfig(cfg CliConfig, targetCMD []string) (AppConfig, error) {
 	// Merge allowlist from config file with allow from CLI flags
 	allowListStrings := cfg.AllowListStrings.Value()
 	allowStrings := cfg.AllowStrings.Value()
 
 	// Combine allowlist (config file) with allow (CLI flags)
 	allAllowStrings := append(allowListStrings, allowStrings...)
 
+	jailType, err := NewJailTypeFromString(cfg.JailType.Value())
+	if err != nil {
+		return AppConfig{}, err
+	}
+
+	userInfo := GetUserInfo()
+
 	return AppConfig{
 		AllowRules:                       allAllowStrings,
 		LogLevel:                         cfg.LogLevel.Value(),
@@ -42,5 +74,8 @@ func NewAppConfigFromCliConfig(cfg CliConfig) AppConfig {
 		PprofEnabled:                     cfg.PprofEnabled.Value(),
 		PprofPort:                        cfg.PprofPort.Value(),
 		ConfigureDNSForLocalStubResolver: cfg.ConfigureDNSForLocalStubResolver.Value(),
-	}
+		JailType:                         jailType,
+		TargetCMD:                        targetCMD,
+		UserInfo:                         userInfo,
+	}, nil
 }

util/user.go config/user_info.goutil/user.go renamed to config/user_info.go

@@ -1,4 +1,4 @@
-package util
+package config
 
 import (
 	"os"
@@ -7,8 +7,21 @@ import (
 	"strconv"
 )
 
+const (
+	CAKeyName  = "ca-key.pem"
+	CACertName = "ca-cert.pem"
+)
+
+type UserInfo struct {
+	SudoUser  string
+	Uid       int
+	Gid       int
+	HomeDir   string
+	ConfigDir string
+}
+
 // GetUserInfo returns information about the current user, handling sudo scenarios
-func GetUserInfo() (string, int, int, string, string) {
+func GetUserInfo() *UserInfo {
 	// Only consider SUDO_USER if we're actually running with elevated privileges
 	// In environments like Coder workspaces, SUDO_USER may be set to 'root'
 	// but we're not actually running under sudo
@@ -36,27 +49,39 @@ func GetUserInfo() (string, int, int, string, string) {
 
 		configDir := getConfigDir(user.HomeDir)
 
-		return sudoUser, uid, gid, user.HomeDir, configDir
+		return &UserInfo{
+			SudoUser:  sudoUser,
+			Uid:       uid,
+			Gid:       gid,
+			HomeDir:   user.HomeDir,
+			ConfigDir: configDir,
+		}
 	}
 
 	// Not actually running under sudo, use current user
 	return getCurrentUserInfo()
 }
 
 // getCurrentUserInfo gets information for the current user
-func getCurrentUserInfo() (string, int, int, string, string) {
+func getCurrentUserInfo() *UserInfo {
 	currentUser, err := user.Current()
 	if err != nil {
 		// Fallback with empty values if we can't get user info
-		return "", 0, 0, "", ""
+		return &UserInfo{}
 	}
 
 	uid, _ := strconv.Atoi(currentUser.Uid)
 	gid, _ := strconv.Atoi(currentUser.Gid)
 
 	configDir := getConfigDir(currentUser.HomeDir)
 
-	return currentUser.Username, uid, gid, currentUser.HomeDir, configDir
+	return &UserInfo{
+		SudoUser:  currentUser.Username,
+		Uid:       uid,
+		Gid:       gid,
+		HomeDir:   currentUser.HomeDir,
+		ConfigDir: configDir,
+	}
 }
 
 // getConfigDir determines the config directory based on XDG_CONFIG_HOME or fallback
@@ -67,3 +92,11 @@ func getConfigDir(homeDir string) string {
 	}
 	return filepath.Join(homeDir, ".config", "coder_boundary")
 }
+
+func (u *UserInfo) CAKeyPath() string {
+	return filepath.Join(u.ConfigDir, CAKeyName)
+}
+
+func (u *UserInfo) CACertPath() string {
+	return filepath.Join(u.ConfigDir, CACertName)
+}