chore: minor refactor

dnsdummy/server.go

@@ -12,6 +12,10 @@ const DummyA = "6.6.6.6"
 // DummyAAAA is the IPv6 address returned for every AAAA record query (documentation prefix).
 const DummyAAAA = "2001:db8::1"
 
+// DefaultDummyDNSPort is the port the dummy DNS server listens on (high port to avoid CAP_NET_BIND_SERVICE).
+// Traffic to port 53 is DNAT'd to this port in the namespace.
+const DefaultDummyDNSPort = "5353"
+
 // Server is a minimal DNS server that responds to every query with a dummy A record.
 // Used inside the network namespace to prevent DNS exfiltration.
 type Server struct {
@@ -89,7 +93,3 @@ func (s *Server) Shutdown() {
 		s.logger.Error("dummy DNS TCP server shutdown failed", "error", err)
 	}
 }
-
-// DefaultDummyDNSPort is the port the dummy DNS server listens on (high port to avoid CAP_NET_BIND_SERVICE).
-// Traffic to port 53 is DNAT'd to this port in the namespace.
-const DefaultDummyDNSPort = "5353"

nsjail_manager/child.go

@@ -10,6 +10,7 @@ import (
 	"time"
 
 	"github.com/cenkalti/backoff/v5"
+	"github.com/coder/boundary/config"
 	"github.com/coder/boundary/nsjail_manager/nsjail"
 	"golang.org/x/sys/unix"
 )
@@ -47,7 +48,7 @@ func waitForInterface(interfaceName string, timeout time.Duration) error {
 	return nil
 }
 
-func RunChild(logger *slog.Logger, targetCMD []string) error {
+func RunChild(logger *slog.Logger, cfg config.AppConfig) error {
 	logger.Info("boundary CHILD process is started")
 
 	vethNetJail := os.Getenv("VETH_JAIL_NAME")
@@ -66,7 +67,7 @@ func RunChild(logger *slog.Logger, targetCMD []string) error {
 	}
 	logger.Info("child networking is successfully configured")
 
-	if os.Getenv("USE_REAL_DNS") == "true" {
+	if cfg.UseRealDNS {
 		logger.Info("using real DNS in namespace (--use-real-dns)")
 	} else {
 		// Run dummy DNS server in namespace and redirect all DNS to it to prevent DNS exfiltration
@@ -78,6 +79,7 @@ func RunChild(logger *slog.Logger, targetCMD []string) error {
 	}
 
 	// Program to run
+	targetCMD := cfg.TargetCMD
 	bin := targetCMD[0]
 	args := targetCMD[1:]
 

nsjail_manager/nsjail/jail.go

@@ -23,7 +23,6 @@ type Config struct {
 	HomeDir       string
 	ConfigDir     string
 	CACertPath    string
-	UseRealDNS    bool
 }
 
 // LinuxJail implements Jailer using Linux network namespaces
@@ -34,7 +33,6 @@ type LinuxJail struct {
 	httpProxyPort int
 	configDir     string
 	caCertPath    string
-	useRealDNS    bool
 }
 
 func NewLinuxJail(config Config) (*LinuxJail, error) {
@@ -43,7 +41,6 @@ func NewLinuxJail(config Config) (*LinuxJail, error) {
 		httpProxyPort: config.HttpProxyPort,
 		configDir:     config.ConfigDir,
 		caCertPath:    config.CACertPath,
-		useRealDNS:    config.UseRealDNS,
 	}, nil
 }
 
@@ -71,9 +68,6 @@ func (l *LinuxJail) Command(command []string) *exec.Cmd {
 	cmd.Env = getEnvsForTargetProcess(l.configDir, l.caCertPath)
 	cmd.Env = append(cmd.Env, "CHILD=true")
 	cmd.Env = append(cmd.Env, fmt.Sprintf("VETH_JAIL_NAME=%v", l.vethJailName))
-	if l.useRealDNS {
-		cmd.Env = append(cmd.Env, "USE_REAL_DNS=true")
-	}
 	cmd.Stderr = os.Stderr
 	cmd.Stdout = os.Stdout
 	cmd.Stdin = os.Stdin

nsjail_manager/parent.go

@@ -58,7 +58,6 @@ func RunParent(ctx context.Context, logger *slog.Logger, config config.AppConfig
 		HomeDir:       config.UserInfo.HomeDir,
 		ConfigDir:     config.UserInfo.ConfigDir,
 		CACertPath:    config.UserInfo.CACertPath(),
-		UseRealDNS:    config.UseRealDNS,
 	})
 	if err != nil {
 		return fmt.Errorf("failed to create jailer: %v", err)

nsjail_manager/run.go

@@ -18,7 +18,7 @@ func isChild() bool {
 // proxy server, and managing the child process lifecycle.
 func Run(ctx context.Context, logger *slog.Logger, config config.AppConfig) error {
 	if isChild() {
-		return RunChild(logger, config.TargetCMD)
+		return RunChild(logger, config)
 	}
 
 	return RunParent(ctx, logger, config)