Landlock sandboxing is too lax on logger file and too strict on report file

[jcrussell]

Getting a permission denied error when using something like:

unblob -e /tmp/foo --report /tmp/bar/report.json /path/to/file

But it works when I do something like:

unblob -e /tmp/foo --report /tmp/foo/report.json /path/to/file

This:

https://github.com/onekey-sec/unblob/blob/main/python/unblob/sandbox.py#L62

Should be AccessFS.make_dir?

[qkaiser]

I wanted to look at sandboxing this week-end to make sure it works in a variety of scenarios, specifically with logging and reporting. Thanks for bringing this up.

Interestingly, the current implementation allows unblob to create a zero-size file, but not write to it:

[pid 14722] newfstatat(AT_FDCWD, "/tmp/bar/report.json", 0x7f33ce9fedb0, 0) = -1 ENOENT (No such file or directory)
[pid 14722] openat(AT_FDCWD, "/tmp/bar/report.json", O_WRONLY|O_CREAT|O_TRUNC|O_CLOEXEC, 0666) = -1 EACCES (Permission denied)
[pid 14722] write(1, "2025-02-08 10:49.12 [error    ] "..., 1582025-02-08 10:49.12 [error    ] Can not write JSON report      msg="[Errno 13] Permission denied: '/tmp/bar/report.json'" path=/tmp/bar/report.json pid=14719

ls -al /tmp/bar/report.json 
-rw-rw-r-- 1 quentin quentin 0 feb  8 11:49 /tmp/bar/report.json

I initially thought applying the same sandboxing to the logging file would be sufficient but surprise surprise, the file descriptor to the log file is obtained before sandboxing takes place. So landlock has no effect on the report file.

execve("/home/quentin/.local/bin/uv", ["uv", "run", "unblob", "-vvv", "--log", "/tmp/logger/bar/unblob.log", "--report", "/tmp/report/bar/report.json", "tests/integration/archive/zip/re"...], 0x7ffc973776b8 /* 81 vars */) = 0
[pid 17105] execve("/home/quentin/unblob/.venv/bin/unblob", ["unblob", "-vvv", "--log", "/tmp/logger/bar/unblob.log", "--report", "/tmp/report/bar/report.json", "tests/integration/archive/zip/re"...], 0x7a8183bbc800 /* 82 vars */ <unfinished ...>
[pid 17105] newfstatat(AT_FDCWD, "/tmp/logger/bar/unblob.log", {st_mode=S_IFREG|0664, st_size=3369, ...}, 0) = 0
[pid 17105] access("/tmp/logger/bar/unblob.log", R_OK) = 0
[pid 17105] mkdir("/tmp/logger/bar", 0777) = -1 EEXIST (File exists)
[pid 17105] newfstatat(AT_FDCWD, "/tmp/logger/bar", {st_mode=S_IFDIR|0775, st_size=4096, ...}, 0) = 0
[pid 17105] unlink("/tmp/logger/bar/unblob.log") = 0
[pid 17105] openat(AT_FDCWD, "/tmp/logger/bar/unblob.log", O_WRONLY|O_CREAT|O_APPEND|O_CLOEXEC, 0666) = 3
[pid 17105] newfstatat(AT_FDCWD, "/tmp/logger/bar/unblob.log", {st_mode=S_IFREG|0664, st_size=0, ...}, 0) = 0
[pid 17105] newfstatat(AT_FDCWD, "/tmp/logger/bar/unblob.log", {st_mode=S_IFREG|0664, st_size=105, ...}, 0) = 0
[pid 17108] openat(AT_FDCWD, "/tmp/logger/bar/unblob.log", O_RDONLY|O_CLOEXEC|O_PATH) = 5
2025-02-08 11:01.57 [info     ] Activated FS access restrictions; rules=[Read("/"), ReadWrite("/dev/shm"), ReadWrite("/home/quentin/unblob"), MakeDir("/home/quentin"), ReadWrite("/tmp/logger/bar/unblob.log"), ReadWrite("/tmp/report/bar/report.json")], status=FullyEnforced pid=17105
[pid 17108] newfstatat(AT_FDCWD, "/tmp/logger/bar/unblob.log", {st_mode=S_IFREG|0664, st_size=241, ...}, 0) = 0
[pid 17109] newfstatat(AT_FDCWD, "/tmp/logger/bar/unblob.log", {st_mode=S_IFREG|0664, st_size=524, ...}, 0) = 0
[pid 17109] newfstatat(AT_FDCWD, "/tmp/logger/bar/unblob.log", {st_mode=S_IFREG|0664, st_size=888, ...}, 0) = 0

I'll do some root-cause analysis and get back to you :)

[qkaiser]

solved by #1127