Test Isolation using linux namespaces

.github/workflows/bazelized_drake_ros.yml

@@ -24,6 +24,8 @@ jobs:
         run: du -hs $(readlink -f /home/runner/.cache/ci)
       - name: Simplify apt upgrades
         run: .github/simplify_apt_and_upgrades.sh
+      - name: Get latest apt data
+        run: sudo apt-get update
       - name: Configure drake_ros Bazel for CI
         run: ln -s ../.github/ci.bazelrc ./user.bazelrc
         working-directory: drake_ros

bazel_ros2_rules/WORKSPACE

@@ -15,3 +15,7 @@ http_archive(
 load("@bazel_skylib//:workspace.bzl", "bazel_skylib_workspace")
 
 bazel_skylib_workspace()
+
+load("//deps:defs.bzl", "add_bazel_ros2_rules_dependencies")
+
+add_bazel_ros2_rules_dependencies()

bazel_ros2_rules/network_isolation/BUILD.bazel

@@ -0,0 +1,33 @@
+cc_library(
+    name = "network_isolation_cc",
+    srcs = ["network_isolation.cc"],
+    hdrs = ["network_isolation.h"],
+    visibility = ["//visibility:public"],
+)
+
+cc_binary(
+    name = "isolate",
+    srcs = ["isolate.cc"],
+    visibility = ["//visibility:public"],
+    deps = [
+        ":network_isolation_cc",
+    ],
+)
+
+# Create a CPython extension
+cc_binary(
+    name = "network_isolation_py.so",
+    srcs = ["network_isolation_py.cc"],
+    linkshared = True,
+    linkstatic = False,
+    deps = [
+        ":network_isolation_cc",
+        "@python_dev//:headers",
+    ],
+)
+
+py_library(
+    name = "network_isolation_py",
+    data = [":network_isolation_py.so"],
+    visibility = ["//visibility:public"],
+)

bazel_ros2_rules/network_isolation/isolate.cc

@@ -0,0 +1,35 @@
+#include <unistd.h>
+
+#include <iostream>
+#include <vector>
+
+#include "network_isolation.h"
+
+void die(const char * message) {
+    std::cerr << "isolate: " << message << ".\n";
+    exit(-1);
+}
+
+int main(int argc, char ** argv) {
+    if (argc < 2) {
+        die("shim must be given a command to execute");
+    }
+
+    if (!network_isolation::create_linux_namespaces()) {
+        die("Failed to fully create isolated environment");
+    }
+
+    // Copy to a new array that terminates with a null pointer at the end.
+    std::vector<char *> new_argv;
+    for (int i = 1; i < argc; ++i) {
+        new_argv.push_back(argv[i]);
+    }
+    new_argv.push_back(nullptr);
+
+    // Exec a new process - should never return!
+    execv(new_argv.at(0), &new_argv.at(0));
+
+    perror("execv");
+    die("Call to execv failed");
+    return -1;
+}

bazel_ros2_rules/network_isolation/network_isolation.cc

@@ -0,0 +1,87 @@
+#include "network_isolation.h"
+
+#include <errno.h>
+#include <sched.h>
+#include <sys/ioctl.h>
+#include <net/if.h>
+#include <sys/types.h>
+#include <ifaddrs.h>
+#include <string.h>
+
+#include <iostream>
+
+namespace network_isolation {
+
+void error(const char * message)
+{
+    std::cerr << "create_linux_namesapces: "
+        << message << ":" << strerror(errno) << "\n";
+}
+
+bool create_linux_namespaces()
+{
+    int result = unshare(CLONE_NEWUSER | CLONE_NEWNET | CLONE_NEWIPC);
+
+    if (result != 0) {
+        error("failed to call unshare");
+        return false;
+    }
+
+    // Assert there is exactly one network interface
+    struct ifaddrs *ifaddr;
+
+    if (-1 == getifaddrs(&ifaddr)) {
+        error("could not get network interfaces");
+        return false;
+    }
+    if (nullptr == ifaddr) {
+        error("there are no network interfaces");
+        return false;
+    }
+    if (nullptr != ifaddr->ifa_next) {
+        error("there are multiple network interfaces");
+        return false;
+    }
+
+    // Need a socket to do ioctl stuff on
+    int fd = socket(AF_INET, SOCK_DGRAM, 0);
+    if( fd < 0 ){
+        error("could not open a socket");
+        freeifaddrs(ifaddr);
+        return false;
+    }
+
+    struct ifreq ioctl_request;
+
+    // Check what flags are set on the interface
+    strncpy(ioctl_request.ifr_name, ifaddr->ifa_name, IFNAMSIZ);
+    int err = ioctl(fd, SIOCGIFFLAGS, &ioctl_request);
+    if (0 != err) {
+        freeifaddrs(ifaddr);
+        error("failed to get interface flags");
+        return false;
+    }
+
+    // Expecting a loopback interface.
+    if (!(ioctl_request.ifr_flags & IFF_LOOPBACK)) {
+        error("the only interface is not a loopback interface");
+        freeifaddrs(ifaddr);
+        return false;
+    }
+
+    // Enable multicast
+    ioctl_request.ifr_flags |= IFF_MULTICAST;
+    // Bring up interface
+    ioctl_request.ifr_flags |= IFF_UP;
+
+    err = ioctl(fd, SIOCSIFFLAGS, &ioctl_request);
+    if (0 != err) {
+        error("failed to set interface flags");
+        freeifaddrs(ifaddr);
+        return false;
+    }
+
+    freeifaddrs(ifaddr);
+    return true;
+}
+}  // namespace network_isolation

bazel_ros2_rules/network_isolation/network_isolation.h

@@ -0,0 +1,22 @@
+#pragma once
+
+namespace network_isolation {
+/// Creates linux namespaces suitable for isolating ROS 2 traffic.
+///
+/// The new namespaces are:
+/// * A new user namespace to avoid needing CAP_SYS_ADMIN to create
+///   network and IPC namespaces
+/// * A new network namespace to prevent cross-talk via the network
+/// * A new IPC namespaces to prevent cross-talk via shared memory
+///
+/// It also configures network namespace to enable ROS 2 traffic.
+/// At the end of a successful call the current process will be in
+/// the created namespaces.
+/// Depending on what part of the process fails, an unsuccessful
+/// call may also leave the current process in new namespaces.
+/// There is no way to undo this.
+///
+/// \return true iff the namespaces were created successfully.
+bool create_linux_namespaces();
+
+}  // namespace network_isolation

bazel_ros2_rules/network_isolation/network_isolation_py.cc

@@ -0,0 +1,35 @@
+#define PY_SSIZE_T_CLEAN
+#include <Python.h>
+
+#include "network_isolation/network_isolation.h"
+
+extern "C" {
+static PyObject *
+create_linux_namespaces(PyObject *, PyObject *)
+{
+    if (!network_isolation::create_linux_namespaces()) {
+        Py_RETURN_FALSE;
+    }
+    Py_RETURN_TRUE;
+}
+
+static PyMethodDef methods[] = {
+    {"create_linux_namespaces", &create_linux_namespaces, METH_NOARGS,
+     "Isolate the current process using linux namespaces."},
+    {NULL, NULL, 0, NULL}   /* sentinel */
+};
+
+static PyModuleDef module = {
+    PyModuleDef_HEAD_INIT,
+    .m_name = "network_isolation_py",
+    .m_doc = "Tools to isolate network traffic on linux.",
+    .m_size = -1,
+    methods,
+};
+
+PyMODINIT_FUNC
+PyInit_network_isolation_py(void)
+{
+    return PyModule_Create(&module);
+}
+}

bazel_ros2_rules/ros2/ros_cc.bzl

@@ -166,6 +166,7 @@ def ros_cc_test(
         cc_binary_rule = native.cc_binary,
         cc_library_rule = native.cc_library,
         cc_test_rule = native.cc_test,
+        network_isolation = True,
         **kwargs):
     """
     Builds a C/C++ test and wraps it with a shim that will inject the minimal
@@ -211,6 +212,7 @@ def ros_cc_test(
         name = shim_name,
         target = ":" + noshim_name,
         env_changes = shim_env_changes,
+        network_isolation = network_isolation,
         **shim_kwargs
     )
 
@@ -220,4 +222,8 @@ def ros_cc_test(
         deps = ["@bazel_ros2_rules//ros2:dload_shim_cc"],
         tags = ["nolint"] + kwargs.get("tags", []),
     )
+    if network_isolation:
+        kwargs["deps"].append(
+            "@bazel_ros2_rules//network_isolation:network_isolation_cc",
+        )
     cc_test_rule(name = name, **kwargs)

bazel_ros2_rules/ros2/ros_py.bzl

@@ -135,6 +135,7 @@ def ros_py_test(
         rmw_implementation = None,
         py_binary_rule = native.py_binary,
         py_test_rule = native.py_test,
+        network_isolation = True,
         **kwargs):
     """
     Builds a Python test and wraps it with a shim that will inject the minimal
@@ -176,6 +177,7 @@ def ros_py_test(
         name = shim_name,
         target = ":" + noshim_name,
         env_changes = shim_env_changes,
+        network_isolation = network_isolation,
         **shim_kwargs
     )
 
@@ -186,4 +188,8 @@ def ros_py_test(
         deps = ["@bazel_ros2_rules//ros2:dload_shim_py"],
         tags = ["nolint"] + kwargs.get("tags", []),
     )
+    if network_isolation:
+        kwargs["deps"].append(
+            "@bazel_ros2_rules//network_isolation:network_isolation_py",
+        )
     py_test_rule(name = name, **kwargs)

bazel_ros2_rules/ros2/tools/dload.bzl

@@ -59,6 +59,7 @@ def get_dload_shim_attributes():
             cfg = "target",
         ),
         "env_changes": attr.string_list_dict(),
+        "network_isolation": attr.bool(default = False),
     }
 
 def do_dload_shim(ctx, template, to_list):

bazel_ros2_rules/ros2/tools/dload_cc.bzl

@@ -12,10 +12,19 @@ load(
     "get_dload_shim_attributes",
 )
 
+_ISOLATE_IMPORT = '#include "network_isolation/network_isolation.h"'
+_ISOLATE_CALL_OR_RETURN = """\
+if (!network_isolation::create_linux_namespaces()) {{
+  return -1;
+}}
+"""
+
 _REEXEC_TEMPLATE = """\
 #include "ros2/tools/dload_shim.h"
+CC_ISOLATE_IMPORT
 
 int main(int argc, const char * argv[]) {{
+  CC_ISOLATE_CALL
   const char * executable_path = "{executable_path}";
   std::vector<const char *> names = {names};
   std::vector<std::vector<const char *>> actions = {actions};
@@ -24,12 +33,23 @@ int main(int argc, const char * argv[]) {{
 }}
 """
 
+def _resolve_isolation(template, network_isolation):
+    isolate_import = ""
+    isolate_call = ""
+    if network_isolation:
+        isolate_import = _ISOLATE_IMPORT
+        isolate_call = _ISOLATE_CALL_OR_RETURN
+    template = template.replace("CC_ISOLATE_IMPORT", isolate_import)
+    template = template.replace("CC_ISOLATE_CALL", isolate_call)
+    return template
+
 def _to_cc_list(collection):
     """Turn collection into a C++ aggregate initializer expression."""
     return "{" + ", ".join(collection) + "}"
 
 def _dload_cc_reexec_impl(ctx):
-    return do_dload_shim(ctx, _REEXEC_TEMPLATE, _to_cc_list)
+    template = _resolve_isolation(_REEXEC_TEMPLATE, ctx.attr.network_isolation)
+    return do_dload_shim(ctx, template, _to_cc_list)
 
 dload_cc_reexec = rule(
     doc = """\
@@ -52,10 +72,12 @@ dload_cc_reexec = rule(
 
 _LDWRAP_TEMPLATE = """\
 #include "ros2/tools/dload_shim.h"
+CC_ISOLATE_IMPORT
 
 extern "C" int __real_main(int argc, char** argv);
 
 extern "C" int __wrap_main(int argc, char** argv) {{
+  CC_ISOLATE_CALL
   std::vector<const char*> names = {names};
   std::vector<std::vector<const char*>> actions = {actions};
   bazel_ros2_rules::ApplyEnvironmentActions(argv[0], names, actions);
@@ -64,7 +86,8 @@ extern "C" int __wrap_main(int argc, char** argv) {{
 """
 
 def _dload_cc_ldwrap_impl(ctx):
-    return do_dload_shim(ctx, _LDWRAP_TEMPLATE, _to_cc_list)
+    template = _resolve_isolation(_LDWRAP_TEMPLATE, ctx.attr.network_isolation)
+    return do_dload_shim(ctx, template, _to_cc_list)
 
 dload_cc_ldwrap = rule(
     doc = """\