Experimental Landlock based sandboxing #597
I would be in favor of option 1 since it's how unblob works. The extraction path provided with As long as we're clear about the fact that unblob limits itself to the path provided with |
We need this for the parent of extraction directory:
And this for the parent directory of report file:
The latter seems a bit much to me |
Hehe, this change is incompatible with code coverage measurement :D
|
Two things to do before tagging as ready for review:
|
Will rebase once version |
Even though it seems to be supported by QEMU on aarch64 since qemu/qemu@3a2f19b, landlock syscalls are actually not supported in user mode emulation. For demo purposes, let's write this quick-and-dirty PoC:

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <errno.h>

int main() {
    /* Invoke the raw syscall; the arguments do not matter here, only the errno that comes back. */
    int result = syscall(SYS_landlock_create_ruleset, NULL, 0, 0);
    if (result == -1) {
        printf("System call failed: %d (errno: %d)\n", result, errno);
    } else {
        printf("System call succeeded.\n");
    }
    return 0;
}
```

Compile it, make sure it's aarch64, run it in user mode emulation:
errno So the problem is QEMU user mode emulation not doing the translation for landlock syscalls. However, it should be handled gracefully by unblob-native I think. Note: tested with QEMU versions 6.2.0 and 8.2.94 |
I built the
So the bug is probably in unblob-native or between unblob-native Rust and unblob-native Python. The exception is giving me the same feeling:
|
I'll add tests on the rust side as well then :) |
Ahh, we need this error check at the end... |
Please note that kernels not supporting Landlock should not be an error for programs sandboxing themselves, only for sandboxers that must create sandboxes or error out (like this example). It can be a warning though. |
Yep, unblob itself already just logs the problem, but I like clear failures in tests. |
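An added example, not code from this PR or from unblob-native: a Landlock availability probe that separates "not available" from a real failure and lets a self-sandboxing program warn while a test run fails hard, as the two comments above describe. The names `ll_classify`, `ll_probe`, `ll_must_abort` and the `strict` flag are hypothetical; the errno meanings follow the Landlock kernel documentation.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Fallback for older headers: 444 on x86_64 and aarch64. */
#ifndef SYS_landlock_create_ruleset
#define SYS_landlock_create_ruleset 444
#endif
#define LL_VERSION_FLAG (1U << 0) /* value of LANDLOCK_CREATE_RULESET_VERSION */

enum ll_status { LL_SUPPORTED, LL_NOT_IMPLEMENTED, LL_DISABLED, LL_ERROR };

/* Pure classification of (return value, errno) so it can be tested offline. */
enum ll_status ll_classify(long ret, int err) {
    if (ret >= 1) return LL_SUPPORTED;                  /* ret is the ABI version */
    if (ret == -1 && err == ENOSYS) return LL_NOT_IMPLEMENTED; /* old kernel or emulator */
    if (ret == -1 && err == EOPNOTSUPP) return LL_DISABLED;    /* built in, off at boot */
    return LL_ERROR;                                    /* anything else is unexpected */
}

/* Ask the kernel for the Landlock ABI version: NULL attr, size 0, version flag. */
enum ll_status ll_probe(long *abi) {
    errno = 0;
    long ret = syscall(SYS_landlock_create_ruleset, NULL, (size_t)0, LL_VERSION_FLAG);
    int err = errno;
    if (abi) *abi = ret;
    return ll_classify(ret, err);
}

/* Returns 1 if the caller must abort. strict=0: self-sandboxing program, warn only.
 * strict=1: sandboxer or test suite, where a missing sandbox is a failure. */
int ll_must_abort(enum ll_status st, int strict) {
    if (st == LL_SUPPORTED) return 0;
    if (st == LL_ERROR) return 1;
    return strict;
}

int main(void) {
    long abi = 0;
    enum ll_status st = ll_probe(&abi);
    if (st == LL_SUPPORTED) printf("Landlock ABI version %ld\n", abi);
    else fprintf(stderr, "warning: Landlock unavailable (status %d)\n", (int)st);
    return ll_must_abort(st, 0);
}
```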
Failing build resolved-by onekey-sec/unblob-native#65 |
The one thing that requires thorough manual testing is keeping exit on CTRL-C and SIGTERM working. Many shenanigans are added for that purpose. |
@vlaci we're one conflict away from a merge I think :) |
We need #1013 for tests to run :) |
all other tests in this file assert on `process_file` being called with correct arguments. We need specific tests which test that the configuration is interpreted correctly
Instead of juggling with signal handlers and hoping that `ShutDownRequired` will be fired in the appropriate place in `multiprocessing.BasePool`, on exceptional termination, we signal workers via `SIGTERM`. As a side-effect this makes it possible to run `process_file` in non-main thread.
Co-authored-by: Quentin Kaiser <[email protected]>
Implementation of #594 together with onekey-sec/unblob-native#11
Having to first create the extraction directory complicates things a lot.
I am unsure what approach we should take here, but it can be seen that the first directory needs somewhat special treatment.
Alternative integration approaches:
- `LANDLOCK_ACCESS_FS_MAKE_DIR` on the parent of the extraction root as an escape hatch