Draft: POC for libgraphicsmagick + seccomp image scaler
Reimplements the dynamic image scaler by forking into a custom binary, then calling into the GraphicsMagick C APIs.
We integrate with libsseccomp-golang in order to create an allow-list of syscalls that the Resize operation may perform. On macOS, seccomp will be disabled.
The Golang binary gitlab-resize-image is statically compiled against libseccomp and gm and its dependencies so is fully self-contained.
Since we build the gm dependency from source, build times have gone up somewhat (by ~1m it appears.) I tried to lessen the pain by vendoring anything related to cgo dependencies, so that only the first time the project is built (and until you make clean again) we download and compile gm.
TODO:
-
make GM work in seccomp filtered mode -
fix graphical artifacts introduced by image scaling -
proper error output for gm failures -
make it build on CI -
Set PR_SET_NO_NEW_PRIVSto prevent seccomp filter escalation -
test on supported platforms -
check for seccomp availability first -
make project build on macOS (by excluding seccomp related deps and code) -
get security review for allowed syscalls -
minimize syscalls necessary to run - [-] reintroduce extension vs magic bytes checks (new MR: !597 (closed))
-
create statically compiled binary -
ensure that this will work in both Omnibus and CNG when merged (we will need CNG support, see https://gitlab.slack.com/archives/C1FCTU4BE/p1599745318444500)
Open questions
-
Why does app crash with SIGSEGV instead of SIGKILL when violating seccomp rule?
Note
On Debian-ish, you need to apt install libseccomp-dev libpng-dev libjpeg-[turbo]-dev