Insject

insject is a tool for poking at containers. It enables you to run an arbitrary command in a container or any mix of Linux namespaces. It supports three main use-cases:

  • LD_PRELOAD-mode using libsetns.so (LD_PRELOAD=./libsetns.so SETNS_ARGS="...")
  • Running a host command in a container (insject ... -- <cmd>...)
  • Forcing a running process into a container (insject ... -! <pid>)

In the first two modes the shim does not join the namespaces at load time. It hooks a function (main by default, the symbol named with -s <symbol>, or a raw address given with -@) and performs the join when that function is entered. This helps with simple commands that need to read resources from the host filesystem first: the process finishes that part of its initialization on the host and is containerized only when it reaches the hooked function.

For processes with more complicated initialization routines, such as scripting-language interpreters, the third mode may be preferable: the process is allowed to initialize fully before it is forced into the container.

Note: insject and libsetns.so inherit the limitations of setns(2). The kernel refuses to change the mount or user namespace of a multithreaded process, so the join can fail if the hosted command (or the process given to -!) has already spawned threads.
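
To make the LD_PRELOAD mode concrete, here is an added example that is not insject's code: a minimal C shim, built as a shared object and preloaded into a command, that joins the namespaces of a target PID in the order libsetns.so uses by default (user namespace last, or first on request) and forks after entering a PID namespace, as libsetns.so does unless -F is given. Unlike insject it runs from a library constructor rather than a Frida hook on main or -s <symbol>, so it cannot wait for host-side initialization, and it does not switch AppArmor profile or uid/gid. The NSJOIN_* environment variable names are invented for this example.

```c
/* nsjoin.c: illustrative LD_PRELOAD namespace-joining shim (not libsetns.so).
 * Build:  gcc -shared -fPIC -O2 -o nsjoin.so nsjoin.c
 * Run:    sudo NSJOIN_PID=<pid> NSJOIN_SKIP=ipc LD_PRELOAD=./nsjoin.so ls /
 * Environment variables (hypothetical, specific to this example):
 *   NSJOIN_PID          target PID whose namespaces are joined (required)
 *   NSJOIN_SKIP         comma-separated namespace names to skip, e.g. "ipc,cgroup"
 *   NSJOIN_USERNS_FIRST join the user namespace before the others
 *   NSJOIN_STRICT       abort if any join fails
 *   NSJOIN_NOFORK       do not fork after entering the PID namespace */
#define _GNU_SOURCE
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Namespace files under /proc/<pid>/ns/, in the default order used here; the
 * user namespace is appended last (or prepended with NSJOIN_USERNS_FIRST). */
static const char *const NS_ORDER[] = { "mnt", "net", "time", "ipc", "uts", "pid", "cgroup" };
#define NS_COUNT  (sizeof NS_ORDER / sizeof NS_ORDER[0])
#define MAX_STEPS (NS_COUNT + 1)

/* Is `name` one of the comma-separated entries in `skip`? Exact match only. */
int ns_skipped(const char *skip, const char *name)
{
    size_t n = strlen(name);
    for (const char *p = skip; p && *p; ) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == n && strncmp(p, name, n) == 0) return 1;
        if (!end) break;
        p = end + 1;
    }
    return 0;
}

/* Build the ordered list of namespace names to join; returns the count. */
size_t plan_join(const char *skip, int userns_first, const char *out[MAX_STEPS])
{
    size_t k = 0;
    if (userns_first && !ns_skipped(skip, "user")) out[k++] = "user";
    for (size_t i = 0; i < NS_COUNT; i++)
        if (!ns_skipped(skip, NS_ORDER[i])) out[k++] = NS_ORDER[i];
    if (!userns_first && !ns_skipped(skip, "user")) out[k++] = "user";
    return k;
}

/* Join the planned namespaces of `pid`. Returns the number joined, or -1 when
 * `strict` is set and a join fails. Must run while the process is still
 * single-threaded: setns(2) rejects mount/user namespace changes otherwise. */
int join_namespaces(pid_t pid, const char *skip, int userns_first, int strict, int *joined_pid_ns)
{
    const char *steps[MAX_STEPS];
    int fds[MAX_STEPS];
    size_t n = plan_join(skip, userns_first, steps);
    int joined = 0;
    *joined_pid_ns = 0;
    /* Open every namespace file before the first setns(): once the mount
     * namespace changes, /proc is the target's, where the host PID does not exist. */
    for (size_t i = 0; i < n; i++) {
        char path[64];
        snprintf(path, sizeof path, "/proc/%d/ns/%s", (int)pid, steps[i]);
        if ((fds[i] = open(path, O_RDONLY | O_CLOEXEC)) < 0)
            fprintf(stderr, "nsjoin: open %s: %m\n", path);
    }
    for (size_t i = 0; i < n; i++) {
        int ok = fds[i] >= 0 && setns(fds[i], 0) == 0;  /* nstype 0: accept any type */
        if (fds[i] >= 0 && !ok) fprintf(stderr, "nsjoin: setns %s: %m\n", steps[i]);
        if (fds[i] >= 0) close(fds[i]);
        if (!ok) {
            if (!strict) continue;
            for (size_t j = i + 1; j < n; j++) if (fds[j] >= 0) close(fds[j]);
            return -1;
        }
        joined++;
        if (strcmp(steps[i], "pid") == 0) *joined_pid_ns = 1;
    }
    return joined;
}

/* Runs before the hosted program's main(); does nothing when NSJOIN_PID is unset. */
__attribute__((constructor)) static void nsjoin_init(void)
{
    const char *pid_s = getenv("NSJOIN_PID");
    if (!pid_s) return;
    const char *skip = getenv("NSJOIN_SKIP") ? getenv("NSJOIN_SKIP") : "";
    int in_pidns = 0;
    int joined = join_namespaces((pid_t)atoi(pid_s), skip, getenv("NSJOIN_USERNS_FIRST") != NULL,
                                 getenv("NSJOIN_STRICT") != NULL, &in_pidns);
    if (joined < 0) _exit(1);
    /* Joining a PID namespace only affects children: fork so the program itself
     * runs inside it, and let the parent relay the child's exit status. */
    if (in_pidns && !getenv("NSJOIN_NOFORK")) {
        pid_t child = fork();
        if (child < 0) _exit(1);
        if (child > 0) {
            int status = 0;
            waitpid(child, &status, 0);
            _exit(WIFEXITED(status) ? WEXITSTATUS(status) : 128 + WTERMSIG(status));
        }
    }
}
```

Two details matter in practice. Every /proc/<pid>/ns file is opened before the first setns() call, because after the mount namespace has changed, /proc refers to the container's procfs, in which the host PID does not exist. And the constructor runs before main(), while the hosted process is still single-threaded, which is what keeps the mount and user namespace joins within what setns(2) allows. The same escape warning applies as for insject: listing a container's filesystem with host privileges is one thing, executing binaries the container controls is another.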

WARNING: Be careful when accessing or executing files in containers as they may be able to abuse the access of the joined process to escape.

Installation

$ wget https://github.com/frida/frida/releases/download/14.2.17/frida-gum-devkit-14.2.17-linux-x86_64.tar.xz
$ tar -xvJf frida-gum-devkit-14.2.17-linux-x86_64.tar.xz
$ mv frida-gum.h setns-so/frida/
$ mv libfrida-gum.a setns-so/frida/x86_64-unknown-linux-gnu/
$ pip3 install --user lief
$ cd setns-so
$ cargo build --lib --release
$ cargo build --bin insject --release
$ python3 patch.py target/release/insject

Examples

## Terminal 1
$ docker run --rm -it -v $(pwd):/FOO:ro alpine /bin/sh
/ # ls /
bin    dev    etc    FOO   home   lib    media  mnt    opt    proc   root   run    sbin   srv    sys    tmp    usr    var
## Terminal 2
$ sudo bash
# echo $$
164001
#
## Terminal 3
$ docker ps -q
acd1d4d97027
$ docker inspect acd1d4d97027 | jq .[0].State.Pid
68575
$ sudo LD_PRELOAD=./target/release/libsetns.so SETNS_ARGS="-I 68575 --user 0:85:0,1,2,3,4" ls /
setns -> mnt: 0, net: 0, time: 0, ipc: N/A, uts: 0, pid: 0, cgroup: 0, userns: 0, apparmor: docker-default, user: 0/0/0
bin    dev    etc    FOO   home   lib    media  mnt    opt    proc   root   run    sbin   srv    sys    tmp    usr    var
## Terminal 2
# setns -> mnt: 0, net: 0, time: 0, ipc: N/A, uts: 0, pid: 0, cgroup: 0, userns: 0, apparmor: docker-default, user: 0/0/0
# ls /
bin    dev    etc    FOO   home   lib    media  mnt    opt    proc   root   run    sbin   srv    sys    tmp    usr    var
# ifconfig
eth0      Link encap:Ethernet  HWaddr 02:42:AC:11:00:02
          inet addr:172.17.0.2  Bcast:172.17.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:525 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:49454 (48.2 KiB)  TX bytes:0 (0.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
## Terminal 3
$ sudo ./target/release/insject -I 68575 --user 0:85:0,1,2,3,4 -- ls /
setns -> mnt: 0, net: 0, time: 0, ipc: N/A, uts: 0, pid: 0, cgroup: 0, userns: 0, apparmor: docker-default, user: 0/0/0
bin  dev  etc  FOO  home  lib	media  mnt  opt  proc  root  run  sbin	srv  sys  tmp  usr  var
$ sudo ./target/release/insject -I 68575 --user 0:85:0,1,2,3,4 -- id
setns -> mnt: 0, net: 0, time: 0, ipc: N/A, uts: 0, pid: 0, cgroup: 0, userns: 0, apparmor: docker-default, user: 0/0/0
uid=0 gid=85 groups=85,0,1,2,3,4
$ sudo ./target/release/insject -I 68575 --user 0:85:0,1,2,3,4 -- sh -c id
setns -> mnt: 0, net: 0, time: 0, ipc: N/A, uts: 0, pid: 0, cgroup: 0, userns: 0, apparmor: docker-default, user: 0/0/0
uid=0(root) gid=85(usb) groups=0(root),1(bin),2(daemon),3(sys),4(adm)

Usage

$ insject --help
insject 1.0
Jeff Dileo <[email protected]>
A tool to simplify container testing that runs an arbitrary
command in the Linux namespaces of other processes.

WARNING: Be careful when accessing or executing files in containers as they may
         be able to abuse the access of the joined process to escape.

Note: The -! instrumentation mode has several differences from the LD_PRELOAD modes:
        * Forking is not supported
        * -S,--strict is not supported
        * errno values are not returned

USAGE:
    insject [FLAGS] [OPTIONS] [setns-opts]... [-- <cmd>...]

ARGS:
    <setns-opts>...    setns.so options. For detailed information, use --help-setns
    <cmd>...

FLAGS:
    -h, --help          Prints help information
        --help-setns    Prints help information for setns.so
    -V, --version       Prints version information

OPTIONS:
    -! <pid>        PID to instrument
$ insject --help-setns
libsetns.so 1.0
Jeff Dileo <[email protected]>
An inject-/LD_PRELOAD-able shim to simplify container testing by joining an external program
run with it into the Linux namespaces of other processes.

WARNING: Be careful when accessing or executing files in containers as they may
         be able to abuse the access of the joined process to escape.

USAGE:
    libsetns.so [FLAGS] [OPTIONS] [target-pid]

ARGS:
    <target-pid>    PID to source namespaces from by default

FLAGS:
        --help            Prints help information
    -A, --no-apparmor     Skip setting AppArmor profile
    -C, --no-cgroup       Skip setting cgroup namespace
    -F, --no-fork         Skip fork after entering PID namespace, if entering PID namespace
    -I, --no-ipc          Skip setting IPC namespace
    -M, --no-mnt          Skip setting mount namespace
    -N, --no-net          Skip setting network namespace
    -P, --no-pid          Skip setting PID namespace
    -T, --no-time         Skip setting time namespace
    -U, --no-userns       Skip setting user namespace
    -H, --no-uts          Skip setting UTS (hostname) namespace
    -S, --strict          Exit if any namespace attach fails
    -1, --userns-first    Set user namespace before other namespaces
    -V, --version         Prints version information

OPTIONS:
    -@, --raw-address <address>         Raw memory address to hook instead of a symbol
                                        Note: This is not an offset
    -c, --cgroup <cgroup>               Path to cgroup namespace to set
    -i, --ipc <ipc>                     Path to IPC namespace to set
    -m, --mnt <mnt>                     Path to mount namespace to set
    -n, --net <net>                     Path to network namespace to set
    -p, --pid <pid>                     Path to PID namespace to set
    -a, --apparmor-profile <profile>    Alternate AppArmor profile to set
    -s, --symbol <symbol>               Symbol to hook entry of instead of main
    -t, --time <time>                   Path to time namespace to set
        --user <user>                   <uid>[:<gid>[:<group,ids>]] [default: 0:0:0]
    -u, --userns <userns>               Path to user namespace to set
    -h, --uts <uts>                     Path to UTS (hostname) namespace to set

License

insject is licensed under the 2-clause BSD license.


Owner
NCC Group Plc
Please report all security issues to security at nccgroup dot com