-
Notifications
You must be signed in to change notification settings - Fork 79
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Experimental Landlock based sandboxing #597
Conversation
I would be in favor of option 1 since it's how unblob works. The extraction path provided with As long as we're clear about the fact that unblob limits itself to the path provided with |
We need this for the parent of extraction directory:
And this for the parent directory of report file:
The latter seems a bit much to me |
d2138c8
to
3c51313
Compare
Hehe, this change is incompatible with code coverage measurement :D
|
e92d6e3
to
52e9322
Compare
Two things to do before tagging as ready for review:
|
59659a3
to
c71c40a
Compare
Will rebase once version |
Even though it seems to be supported by QEMU on aarch64 since qemu/qemu@3a2f19b, landlock syscalls are actually not supported in user mode emulation. For demo purposes, let's write this quick-and-dirty PoC: #include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <errno.h>
int main() {
int result = syscall(SYS_landlock_create_ruleset, NULL, 0, 0);
if (result == -1) {
printf("System call failed: %d (errno: %d)\n", result, errno);
} else {
printf("System call succeeded.\n");
}
return 0;
} Compile it, make sure it's aarch64, run it in user mode emulation:
errno So problem is on QEMU user mode emulation not doing the translation for landlock syscalls. However, it should be handled gracefully by unblob-native I think. Note: tested with qemu version 6.2.0 and 8.2.94 |
I built the
So the bug is probably in unblob-native or between unblob-native Rust and unblob-native Python. The exception is giving me the same feeling:
|
I'll add tests on the rust side as well then :) |
Ahh, we need this error check at the end... |
Please note that kernels not supporting Landlock should not be an error for programs sandboxing themselves, only for sandboxers that must create sandboxes or error out (like this example). It can be a warning though. |
Yep, unblob itself already just logs the problem, but I like clear failures in tests. |
Failing build resolved-by onekey-sec/unblob-native#65 |
01db1b2
to
71eac4c
Compare
The one thing requires thorough manual testing is keeping exit on CTRL-C and SIGTERM working. Many shenanigans are added for that purpose. |
@vlaci we're one conflict away from a merge I think :) |
We need #1013 for tests to run :) |
all other tests in this file assert on `process_file` being called with correct arguments. We need specific tests which test that the configuration is interpreted correctly
Instead of juggling with signal handlers and hoping that `ShutDownRequired` will be fired in the appropriate place in `multiprocessing.BasePool`, on exceptional termination, we signal workers via `SIGTERM`. As a side-effect this makes it possible to run `process_file` in non-main thread.
Co-authored-by: Quentin Kaiser <[email protected]>
Implementation of #594 together with onekey-sec/unblob-native#11
Having to first create the extraction directory complicates things a lot.
I am unsure what approach we should take here but it can be seen, that the first directory needs somewhat special treatment.
Alternative integration approaches:
LANDLOCK_ACCESS_FS_MAKE_DIR
on the parent of the extraction root as an escape hatch