[security] devcontainers and gVisor

[hellodword]

As we both know, container is not a sandbox, it shares kernel with the host, so it maybe dangerous.

And for developers, it's impossible to review and audit all dependencies and tools, how to protect people from bad guys is a real-world problem.

It's hard to do hardening for this entire ecosystem, but we can use gVisor to gain cheap security.

Here is the description about gVisor:

• https://gvisor.dev/docs/#what-does-gvisor-do
• https://gvisor.dev/docs/architecture_guide/security/

Currently this is not a feature request, I'm trying to do some tests and here are some records.

A simple usage:

{
    "image": "mcr.microsoft.com/devcontainers/base:ubuntu-22.04",
    "features": {
        "ghcr.io/devcontainers/features/common-utils": {},
        "ghcr.io/devcontainers/features/go:1": {}
    },
    "runArgs": [
        "--runtime", "runsc"
    ]
}

I must to say it works fine for normal usage, but I believe there're some issues in the corners (debugging or something else), I'll record and try to find them.

[hellodword]

Debugging:

{
    "image": "mcr.microsoft.com/devcontainers/cpp:ubuntu-22.04",
    "runArgs": [
        "--runtime", "runsc"
    ]
}

vscode ➜ /workspaces/devcontainer-gvisor $ gcc main.c
vscode ➜ /workspaces/devcontainer-gvisor $ gdb a.out 
GNU gdb (Ubuntu 12.1-0ubuntu1~22.04) 12.1
(gdb) b main
Breakpoint 1 at 0x1151
(gdb) run
Starting program: /workspaces/devcontainer-gvisor/a.out 
warning: Error disabling address space randomization: Invalid argument
warning: opening /proc/PID/mem file for lwp 585.585 failed: Permission denied (13)
Warning:
Cannot insert breakpoint 1.
Cannot access memory at address 0x559702a43149

Follow https://stackoverflow.com/a/35860616

vscode ➜ /workspaces/devcontainer-gvisor $ gcc main.c
vscode ➜ /workspaces/devcontainer-gvisor $ gdb a.out 
GNU gdb (Ubuntu 12.1-0ubuntu1~22.04) 12.1
(gdb) set disable-randomization off
(gdb) b main
Breakpoint 1 at 0x1151
(gdb) run
Starting program: /workspaces/devcontainer-gvisor/a.out 
warning: opening /proc/PID/mem file for lwp 604.604 failed: Permission denied (13)
Warning:
Cannot insert breakpoint 1.
Cannot access memory at address 0x55f7365fd149

[samruddhikhandale]

Hi 👋

I have tried to experiment with gVisor to prevent container escapes. I wonder if you'd need to update docker/daemon.json with something similar 👇 (provided you have gVisor already installed)

{
                ""default-runtime"": ""runsc"",
                ""runtimes"": {
                    ""runsc"": {
                        ""path"": ""/usr/local/bin/runsc"",
                        ""runtimeArgs"": [
                            ""--network=host""
                        ]
                    }
                }
            }