From de01e5396137015ea8f6e3681440286e7e8ce73a Mon Sep 17 00:00:00 2001
From: Saksham Mittal
Date: Wed, 13 Sep 2023 11:00:49 +0530
Subject: [PATCH 1/4] feat: add pipe() for ForkAndExec
---
 src/builtins/danger_zone.rs | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/builtins/danger_zone.rs b/src/builtins/danger_zone.rs
index 582e19f..f40a117 100644
--- a/src/builtins/danger_zone.rs
+++ b/src/builtins/danger_zone.rs
@@ -97,6 +97,7 @@ impl RuleSet for ForkAndExec {
 Sysno::execve, Sysno::execveat, Sysno::wait4, Sysno::waitid, Sysno::clone, Sysno::clone3,
+ Sysno::pipe, Sysno::pipe2
 ]
 }
From 4d2a722fbbc5e8a00e9dd1502272386221d34a86 Mon Sep 17 00:00:00 2001
From: Saksham Mittal
Date: Fri, 15 Sep 2023 11:09:14 +0530
Subject: [PATCH 2/4] fix: create a separate Pipes ruleset
---
 src/builtins/danger_zone.rs | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/src/builtins/danger_zone.rs b/src/builtins/danger_zone.rs
index f40a117..72f5743 100644
--- a/src/builtins/danger_zone.rs
+++ b/src/builtins/danger_zone.rs
@@ -97,7 +97,6 @@ impl RuleSet for ForkAndExec {
 Sysno::execve, Sysno::execveat, Sysno::wait4, Sysno::waitid, Sysno::clone, Sysno::clone3,
- Sysno::pipe, Sysno::pipe2
 ]
 }
@@ -126,3 +125,20 @@ impl RuleSet for ForkAndExec {
 "ForkAndExec"
 }
 }
+
+/// [`Pipes`] is in the danger zone because it can be used to send input to another process. That process will still be under seccomp's restrictions (see
+/// `tests/inherit_filters.rs`) but depending on your filter it could still do bad things.
+pub struct Pipes;
+impl RuleSet for Pipes {
+ fn simple_rules(&self) -> Vec {
+ vec![Sysno::pipe, Sysno::pipe2]
+ }
+
+ fn conditional_rules(&self) -> HashMap> {
+ HashMap::new()
+ }
+
+ fn name(&self) -> &'static str {
+ "Pipes"
+ }
+}
From dec9ac204104d03ba75a469a3c5f412b60deabfa Mon Sep 17 00:00:00 2001
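Review bot: `Sysno::pipe` in the new `Pipes::simple_rules` may not resolve on every target this file is built for — the generic syscall table used by aarch64 only has `pipe2`, so if the crate supports that architecture the `Sysno` enum presumably lacks a `pipe` variant and the list would need an arch gate; worth checking how the other rulesets in this file handle architecture-specific syscalls before merging. The doc comment on the new struct also states that the ruleset "can be used to send input to another process", but `pipe`/`pipe2` only create a descriptor pair inside the calling process — a second process only exists when `ForkAndExec` is enabled as well, and saying so would tell readers of the danger-zone docs when this ruleset actually matters. The `impl RuleSet for Pipes` block is complete within the hunk.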
From: Saksham Mittal
Date: Sun, 17 Sep 2023 14:10:08 +0530
Subject: [PATCH 3/4] fix: doc
---
 src/builtins/danger_zone.rs | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/builtins/danger_zone.rs b/src/builtins/danger_zone.rs
index 72f5743..e3e8220 100644
--- a/src/builtins/danger_zone.rs
+++ b/src/builtins/danger_zone.rs
@@ -126,8 +126,14 @@ impl RuleSet for ForkAndExec {
 }
 }
-/// [`Pipes`] is in the danger zone because it can be used to send input to another process. That process will still be under seccomp's restrictions (see
+/// [`Pipes`] is in the danger zone because it can be used create a pipe for IPC.
+/// That process will still be under seccomp's restrictions (see
 /// `tests/inherit_filters.rs`) but depending on your filter it could still do bad things.
+///
+/// # Security Considerations
+///
+/// An attacker could pipe arbitrary data to a vulnerable utility and attempt
+/// to escape the sandbox.
 pub struct Pipes;
 impl RuleSet for Pipes {
 fn simple_rules(&self) -> Vec {
From eb90d2aebbcb0856ed59e81861eaa0b7c3c73ffe Mon Sep 17 00:00:00 2001
From: Saksham Mittal
Date: Mon, 25 Sep 2023 11:57:33 +0530
Subject: [PATCH 4/4] fix: doc comment
---
 src/builtins/danger_zone.rs | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/src/builtins/danger_zone.rs b/src/builtins/danger_zone.rs
index e3e8220..95bd158 100644
--- a/src/builtins/danger_zone.rs
+++ b/src/builtins/danger_zone.rs
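Review bot: The new first doc line on `Pipes` reads "can be used create a pipe for IPC", which is missing a word; it should read `can be used to create a pipe for IPC`. The same line survives unchanged as context in the [PATCH 4/4] hunk, so the fix belongs in this commit rather than the later one. The `Pipes` struct's impl continues outside the hunk.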
@@ -127,13 +127,10 @@ impl RuleSet for ForkAndExec {
 }
 /// [`Pipes`] is in the danger zone because it can be used create a pipe for IPC.
-/// That process will still be under seccomp's restrictions (see
-/// `tests/inherit_filters.rs`) but depending on your filter it could still do bad things.
 ///
 /// # Security Considerations
-///
-/// An attacker could pipe arbitrary data to a vulnerable utility and attempt
-/// to escape the sandbox.
+/// The piped process will still be under seccomp's restrictions (see
+/// `tests/inherit_filters.rs`) but depending on your filter it could still do bad things.
 pub struct Pipes;
 impl RuleSet for Pipes {
 fn simple_rules(&self) -> Vec {
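Review bot: The added sentence `The piped process will still be under seccomp's restrictions` leaves it unclear which process is meant, because `pipe`/`pipe2` only create a pair of file descriptors in the calling process and a second process exists only when `ForkAndExec` is also allowed. Readers of the Security Considerations section therefore cannot tell what the `tests/inherit_filters.rs` reference is guarding against. A clearer wording would say that a pipe by itself only adds descriptors inside the sandboxed process, and that when combined with `ForkAndExec` a child connected to the pipe inherits the same seccomp filter (see `tests/inherit_filters.rs`) but can still do whatever that filter permits. The `Pipes` doc comment is complete within the hunk; the impl block continues outside it.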