phylum-dev / birdcage Goto Github PK

View Code? Open in Web Editor NEW

175.0 175.0 4.0 344 KB

Cross-platform embeddable sandboxing

License: GNU General Public License v3.0

Rust 100.00%

malware sandbox secure-software-supply-chain security security-tools software-supply-chain-security

birdcage's People

Contributors

Stargazers

Watchers

Forkers

colemancda jamestiotio 5l1v3r1

birdcage's Issues

Implement macOS network filtering

Unhelpful error when Landlock is unsupported

The version of Linux used by Docker Desktop does not have Landlock enabled. (Why not? It seems like maybe linuxkit just didn't enable it when it became available…) When trying to use Birdcage, a complicated error message is returned. It seems like this particular error Ruleset(HandleAccesses(Fs(Compat(Access(Incompatible {..})))), because Birdcage is asking to filter everything and the error says that it can filter nothing, means that Landlock just isn't supported.

$ cat > Dockerfile <<EOF
FROM rust:bullseye

WORKDIR /app
COPY . /app
RUN CARGO_REGISTRIES_CRATES_IO_PROTOCOL=sparse cargo build --example sandbox
EOF
$ docker build --iidfile iid .
[+] Building 0.1s (9/9) FINISHED
 => [internal] load build definition from Dockerfile                                                                                                                                                                           0.0s
 => => transferring dockerfile: 31B                                                                                                                                                                                            0.0s
 => [internal] load .dockerignore                                                                                                                                                                                              0.0s
 => => transferring context: 2B                                                                                                                                                                                                0.0s
 => [internal] load metadata for docker.io/library/rust:bullseye                                                                                                                                                               0.0s
 => [1/4] FROM docker.io/library/rust:bullseye                                                                                                                                                                                 0.0s
 => [internal] load build context                                                                                                                                                                                              0.0s
 => => transferring context: 59.56kB                                                                                                                                                                                           0.0s
 => CACHED [2/4] WORKDIR /app                                                                                                                                                                                                  0.0s
 => CACHED [3/4] COPY . /app                                                                                                                                                                                                   0.0s
 => CACHED [4/4] RUN CARGO_REGISTRIES_CRATES_IO_PROTOCOL=sparse cargo build --example sandbox                                                                                                                                  0.0s
 => exporting to image                                                                                                                                                                                                         0.0s
 => => exporting layers                                                                                                                                                                                                        0.0s
 => => writing image sha256:68cd44b8f05988120e10819c367ebf4f88439872071c6033629b4ca9eea1d521
$ docker run --rm -it "$(cat iid)" /app/target/debug/examples/sandbox /bin/sh
Error: Ruleset(HandleAccesses(Fs(Compat(Access(Incompatible { access: BitFlags<AccessFs>(0b1111111111111, Execute | WriteFile | ReadFile | ReadDir | RemoveDir | RemoveFile | MakeChar | MakeDir | MakeReg | MakeSock | MakeFifo | MakeBlock | MakeSym) })))))

$ docker run --rm -it ubuntu sh -c 'uname -a; gzip -cd < /proc/config.gz | grep LANDLOCK'
Linux 5135b4c504c4 5.15.49-linuxkit #1 SMP PREEMPT Tue Sep 13 07:51:32 UTC 2022 aarch64 aarch64 aarch64 GNU/Linux
# CONFIG_SECURITY_LANDLOCK is not set

Docker: Docker Desktop for Mac version 4.19.0 (106363) on aarch64 (M1)

Add executable tests

Tests should be added to verify that executables work.

Acceptance criteria

Execution tests/fs.rs
Execution tests in tests/full_sandbox.rs

Requires #1 to be implemented first.

Implement or circumvent `LANDLOCK_ACCESS_FS_REFER` in `rust-landlock`

Currently, renames are prevented by Landlock due to the absence of LANDLOCK_ACCESS_FS_REFER (defined as (1ULL << 13)).

This blocks some omnipresent operations in npm, such as calls to fs.rename that will fail with this counterintuitive (but documented) error:

EXDEV: cross-device link not permitted, link something -> something_else

Can we just add the constant to rust-landlock, or are there other considerations that would make that ineffective?

Add general-purpose seccomp syscall filter

A general seccomp filter should be used with the Linux sandbox to block system calls which are generally not considered "safe" to be used by sandbox clients.

A good summary on some syscalls which fit this description can be found in docker's docs:
https://docs.docker.com/engine/security/seccomp/

Cleanup temporary test directories

Many of the integration tests currently leak temporary directories (because they can't be removed once the sandbox is in place). With the new test harness in #64, we can now clean these up. See this discussion.

Does not compile on arm64

The rust-landlock crate does not compile on arm64. It fails with the following error:

error[E0425]: cannot find value `__NR_LANDLOCK_CREATE_RULESET` in this scope
Error:   --> /home/runner/.cargo/git/checkouts/rust-landlock-d80c47128915e4ea/1e09cb0/src/uapi/mod.rs:41:13
   |
41 |     syscall(__NR_LANDLOCK_CREATE_RULESET as i64, attr, size, flags) as c_int
   |             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ not found in this scope

error[E0425]: cannot find value `__NR_LANDLOCK_ADD_RULE` in this scope
Error:   --> /home/runner/.cargo/git/checkouts/rust-landlock-d80c47128915e4ea/1e09cb0/src/uapi/mod.rs:47:13
   |
47 |     syscall(__NR_LANDLOCK_ADD_RULE as i64, ruleset_fd, rule_type, rule_attr, flags) as c_int
   |             ^^^^^^^^^^^^^^^^^^^^^^ not found in this scope

error[E0425]: cannot find value `__NR_LANDLOCK_RESTRICT_SELF` in this scope
Error:   --> /home/runner/.cargo/git/checkouts/rust-landlock-d80c47128915e4ea/1e09cb0/src/uapi/mod.rs:51:13
   |
51 |     syscall(__NR_LANDLOCK_RESTRICT_SELF as i64, ruleset_fd, flags) as c_int
   |             ^^^^^^^^^^^^^^^^^^^^^^^^^^^ not found in this scope

For more information about this error, try `rustc --explain E0425`.
error: could not compile `landlock` due to 3 previous errors

Here is a link to the code where it is clear that those constants are only defined for the x86_64 architecture.

TOCTOU issue with invalid paths

We check if exception paths exist while adding them, however their existence is also required when actually locking down the sandbox. As a result a relatively unhelpful error might be presented complaining about an unknown file without specifying what exactly has gone wrong.

Add more tests to cover behaviors of the sandboxes

There are some non-intuitive use cases that should be covered by tests.
For example, asking for write permissions on a non-existent file won't work, as the permission necessary for creating a file belongs on its parent directory.

Run Linux tests on multiple kernels

Upstream Landlock already has solved all the issues when it comes to running CI on multiple different Linux kernel versions, so we should make use of this work and ensure our sandbox behaves as expected in all Kernel versions:

landlock-lsm/rust-landlock#41

Switch seccomp network filter from blacklist to whitelist

Currently the seccomp network filter will allow all system calls which are not handled. This is problematic since future syscall additions can add new ways to do networking which would automatically be allowed.

To ensure that the seccomp filter doesn't get surprised by new kernel syscalls, a whitelist-based approach should be used instead which denies all but the allowed syscalls.

Implement macOS executable filtering

Publish `birdcage` to crates.io

This crate should be published to crates.io

Use `env_clear` for environment variable reset

We're already using the Command interface on all platforms since we need to spawn a separate process on Linux. However we're still manually removing the environment variables from the process which seems fragile.

Instead, we should use the Command::env_clear method instead:
https://doc.rust-lang.org/std/process/struct.Command.html#method.env_clear

This removes all inherited environment variables, after which they can be added again with Command::env and Command::envs. The inherited variables stay cleared.

This also works on Linux with the new PID 1 init, even if PID 1 itself still has these variables set, since PID 2 cannot read /proc/1/environ based on my testing.

Remove/reword disclaimer in readme

Currently the readme includes the following statement:

This library is still under development and not ready to be used yet.

We're already using this in the CLI, which could lead people to the incorrect conclusion that the CLI's sandboxing isn't safe.

Since the Library itself is in a state where there aren't any concrete actionable steps to be taken to improve it, I think it would be best to just remove this statement. More testing and future development will always happen, but we've been successfully using it ourselves without any issues so I wouldn't expect frequent major breaking changes.

mention sandbox mechanisms and implications to changelog

In v0.4 it changed from landlock to namespaces. But it isn't mentioned in the changelog. This is a major change and should be documented, as it can't be used on a single thread, like I had to do on my pam modules, but only on a process.

`cargo audit` finding for `atty` v0.2.14

When I run cargo audit I see this issue.

Crate: atty
Version: 0.2.14
Warning: unsound
Title: Potential unaligned read
Date: 2021-07-04
ID: RUSTSEC-2021-0145
URL: https://rustsec.org/advisories/RUSTSEC-2021-0145
Dependency tree:
atty 0.2.14
└── clap 3.2.25
└── birdcage 0.3.1

warning: 1 allowed warning found

Add networking tests

Tests should be added to verify that networking works.

Acceptance criteria

New tests/networking.rs
Networking tests in tests/full_sandbox.rs

Requires #1 to be implemented first.

Add env exceptions to sandbox example

We should add the env stuff to the CLI of the sandbox example.

Potential ways to get around networking sandbox

Hello, much appreciate your work! I tried to implement a networking sandbox here inspired by birdcage. However, I was informed that there are at least a couple ways to get around it:

io_uring (cc @alindima for further details)
Re-purposing existing sockets (an issue in our case but probably not in birdcage)

phylum-dev / birdcage Goto Github PK

birdcage's People

Contributors

Stargazers

Watchers

Forkers

birdcage's Issues

Acceptance criteria

Acceptance criteria

Recommend Projects

Recommend Topics

Recommend Org