From f332200ca4a18ae098e4c42509ba1256d8562cf9 Mon Sep 17 00:00:00 2001 From: Ophestra Date: Fri, 14 Mar 2025 02:18:44 +0900 Subject: [PATCH] sandbox: mount container /dev Signed-off-by: Ophestra --- internal/sandbox/container_test.go | 31 ++++++++--- internal/sandbox/sequential.go | 84 ++++++++++++++++++++++++++++++ 2 files changed, 109 insertions(+), 6 deletions(-) diff --git a/internal/sandbox/container_test.go b/internal/sandbox/container_test.go index 648e88c..1579dba 100644 --- a/internal/sandbox/container_test.go +++ b/internal/sandbox/container_test.go @@ -13,6 +13,7 @@ import ( "time" "git.gensokyo.uk/security/fortify/fst" + "git.gensokyo.uk/security/fortify/helper/seccomp" "git.gensokyo.uk/security/fortify/internal" "git.gensokyo.uk/security/fortify/internal/fmsg" "git.gensokyo.uk/security/fortify/internal/sandbox" @@ -28,18 +29,34 @@ func TestContainer(t *testing.T) { } testCases := []struct { - name string - ops *sandbox.Ops - mnt []*check.Mntent - host string + name string + flags sandbox.HardeningFlags + ops *sandbox.Ops + mnt []*check.Mntent + host string }{ - {"minimal", new(sandbox.Ops), nil, "test-minimal"}, - {"tmpfs", + {"minimal", 0, new(sandbox.Ops), nil, "test-minimal"}, + {"allow", sandbox.FAllowUserns | sandbox.FAllowNet | sandbox.FAllowTTY, + new(sandbox.Ops), nil, "test-minimal"}, + {"tmpfs", 0, new(sandbox.Ops). Tmpfs(fst.Tmp, 0, 0755), []*check.Mntent{ {FSName: "tmpfs", Dir: fst.Tmp, Type: "tmpfs", Opts: "\x00"}, }, "test-tmpfs"}, + {"dev", sandbox.FAllowTTY, // go test output is not a tty + new(sandbox.Ops). + Dev("/dev"), + []*check.Mntent{ + {FSName: "devtmpfs", Dir: "/dev", Type: "tmpfs", Opts: "\x00"}, + {FSName: "devtmpfs", Dir: "/dev/null", Type: "devtmpfs", Opts: "\x00", Freq: -1, Passno: -1}, + {FSName: "devtmpfs", Dir: "/dev/zero", Type: "devtmpfs", Opts: "\x00", Freq: -1, Passno: -1}, + {FSName: "devtmpfs", Dir: "/dev/full", Type: "devtmpfs", Opts: "\x00", Freq: -1, Passno: -1}, + {FSName: "devtmpfs", Dir: "/dev/random", Type: "devtmpfs", Opts: "\x00", Freq: -1, Passno: -1}, + {FSName: "devtmpfs", Dir: "/dev/urandom", Type: "devtmpfs", Opts: "\x00", Freq: -1, Passno: -1}, + {FSName: "devtmpfs", Dir: "/dev/tty", Type: "devtmpfs", Opts: "\x00", Freq: -1, Passno: -1}, + {FSName: "devpts", Dir: "/dev/pts", Type: "devpts", Opts: "rw,nosuid,noexec,relatime,mode=620,ptmxmode=666", Freq: 0, Passno: 0}, + }, ""}, } for _, tc := range testCases { @@ -54,6 +71,8 @@ func TestContainer(t *testing.T) { return exec.CommandContext(ctx, os.Args[0], "-test.v", "-test.run=TestHelperInit", "--", "init") } + container.Seccomp |= seccomp.FlagExt + container.Flags |= tc.flags container.Stdout, container.Stderr = os.Stdout, os.Stderr container.Ops = tc.ops if container.Args[5] == "" { diff --git a/internal/sandbox/sequential.go b/internal/sandbox/sequential.go index 719af5f..93cc74c 100644 --- a/internal/sandbox/sequential.go +++ b/internal/sandbox/sequential.go @@ -7,6 +7,7 @@ import ( "os" "path" "syscall" + "unsafe" "git.gensokyo.uk/security/fortify/internal/fmsg" ) @@ -62,6 +63,89 @@ func (p *MountProc) apply(*InitParams) error { fmt.Sprintf("cannot mount proc on %q:", p.Path)) } +func init() { gob.Register(new(MountDev)) } + +// MountDev mounts dev on container Path. +type MountDev struct { + Path string +} + +func (d *MountDev) apply(params *InitParams) error { + if !path.IsAbs(d.Path) { + return fmsg.WrapError(syscall.EBADE, + fmt.Sprintf("path %q is not absolute", d.Path)) + } + target := toSysroot(d.Path) + + if err := mountTmpfs("devtmpfs", d.Path, 0, 0755); err != nil { + return err + } + + for _, name := range []string{"null", "zero", "full", "random", "urandom", "tty"} { + if err := bindMount( + "/dev/"+name, path.Join(d.Path, name), + BindSource|BindDevices, + ); err != nil { + return err + } + } + for i, name := range []string{"stdin", "stdout", "stderr"} { + if err := os.Symlink( + "/proc/self/fd/"+string(rune(i+'0')), + path.Join(target, name), + ); err != nil { + return fmsg.WrapError(err, err.Error()) + } + } + for _, pair := range [][2]string{ + {"/proc/self/fd", "fd"}, + {"/proc/kcore", "core"}, + {"pts/ptmx", "ptmx"}, + } { + if err := os.Symlink(pair[0], path.Join(target, pair[1])); err != nil { + return fmsg.WrapError(err, err.Error()) + } + } + + devPtsPath := path.Join(target, "pts") + for _, name := range []string{path.Join(target, "shm"), devPtsPath} { + if err := os.Mkdir(name, 0755); err != nil { + return fmsg.WrapError(err, err.Error()) + } + } + + if err := syscall.Mount("devpts", devPtsPath, "devpts", + syscall.MS_NOSUID|syscall.MS_NOEXEC, + "newinstance,ptmxmode=0666,mode=620"); err != nil { + return fmsg.WrapErrorSuffix(err, + fmt.Sprintf("cannot mount devpts on %q:", devPtsPath)) + } + + if params.Flags&FAllowTTY != 0 { + var buf [8]byte + if _, _, errno := syscall.Syscall( + syscall.SYS_IOCTL, 1, syscall.TIOCGWINSZ, + uintptr(unsafe.Pointer(&buf[0])), + ); errno == 0 { + if err := bindMount( + "/proc/self/fd/1", path.Join(d.Path, "console"), + BindDevices, + ); err != nil { + return err + } + } + } + + return nil +} + +func (d *MountDev) Is(op Op) bool { vd, ok := op.(*MountDev); return ok && *d == *vd } +func (d *MountDev) String() string { return fmt.Sprintf("dev on %q", d.Path) } +func (f *Ops) Dev(dest string) *Ops { + *f = append(*f, &MountDev{dest}) + return f +} + func (p *MountProc) Is(op Op) bool { vp, ok := op.(*MountProc); return ok && *p == *vp } func (p *MountProc) String() string { return fmt.Sprintf("proc on %q", p.Path) } func (f *Ops) Proc(dest string) *Ops {