`container_perl`

This is a wrapper around perl to recreate the environment in podman. What it does is,

Get the version of perl on the host, map it to an OCI image name.
Get the current @INC on the host.
Prepare a container that maps the host's @INC directories to the container
Clobbers the @INC of the container perl with just the mapped dirs from the host using libreplace.
exec's a copy of a Perl using Podman in a container as above.

Security

The goal of this program is to allow arbitrary code executation of perl within the context of a secure user-namespace.

Example

container-perl -E 'say "Hello World"';
container-perl ./testfile.pl

For the purpose of the demo, testfile.pl outputs the UID. This will change when run inside and outside of container-perl because user namespaces allow perl running in the namespace to think it's root. While invoking this file with regular perl will show it as the UID of the user.

Installation

Container perl requires,

usernamespaces enabled
podman installed
Perl 5's libreplace installed

Notes

Currently, all the deps directory outside the directory are mounted read-only. The working directory is mounted read-write.

Inspiration

The source of inspiration of this was Brian Scannell's talk in The Perl Conference 2022 on IDE and checking Perl syntax. In that talk Brian puts forward two methods of dealing with the insecurity of checking perl syntax, with perl -c

Trusting a project. Trust in this context would require you to audit the code before testing the syntax. I doubt anyone will do this.
Executing the syntax checking on a remote machine, over SSH.

This approach uses podman to create a ephemeral container to syntax check Perl.

EvanCarroll / container-perl