
linux_env - FileSystem::resolve_path and FileSystem::readlink seem incompatible

Open Sh3idan opened this issue 5 years ago • 3 comments

My architecture:

file_sb/
├── home
│   └── user
│       └── bin.elf
└── proc
    ├── 1000
    │   └── exe -> /home/bla/[TRUNCATED]/file_sb/home/user/bin.elf
    └── self -> 1000

FileSystem::resolve_path reads the link and breaks the FileSystem::readlink function because of a wrong return value. See below:

[syscalls][sys_x86_64_readlink][DEBUG]: sys_readlink('/proc/self/exe', 13f028, fff)
[environment][readlink][DEBUG]: readlink('/proc/self/exe')
[environment][resolve_path][DEBUG]: resolve_path(path='/proc/self/exe', follow_link=False)
[environment][resolve_path][DEBUG]: -> '/user/bla/[TRUNCATED]/file_sb/home/user/bin.elf'
[environment][readlink][DEBUG]: '/user/bla/[TRUNCATED]/file_sb/home/user/bin.elf' is not a link
[syscalls][syscall_x86_64_exception_handler][DEBUG]: -> ffffffffffffffff

Sh3idan avatar Dec 24 '19 22:12 Sh3idan

Hi,

It might not be the best solution, but the way I see it, the filesystem should be relative to the sandbox root. I.e., it should work the same way as a chroot, so the link should point to /home/user/bin.elf in order to work properly.

The current implementation might be buggy, but what do you think about this way of doing?

commial avatar Jan 03 '20 16:01 commial

Hi,

Right now, with a symbolic link which points to /home/user/bin.elf, FileSystem::resolve_path + FileSystem::readlink return a non-sandboxed link. See below.

file_sb/
├── home
│   └── user
│       └── bin.elf
└── proc
    ├── 1000
    │   └── exe -> /home/user/bin.elf
    └── self -> 1000

[syscalls][sys_x86_64_readlink][DEBUG]: sys_readlink('/proc/self/exe', 13f028, fff)
[environment][resolve_path][DEBUG]: resolve_path(path='/proc/self/exe', follow_link=False)
[environment][resolve_path][DEBUG]: -> '/home/user/bin.elf'
[syscalls][syscall_x86_64_exception_handler][DEBUG]: -> ffffffffffffffff

the filesystem should be relative to the sandbox root. I.e., it should work the same way as a chroot, so the link should point to /home/user/bin.elf in order to work properly.

It could be nice. I have one question about it: what happens if the link is valid? I think it's still good, do you agree?

What do you think about getting the target of a symbolic link only if follow_link is True, and following these steps to resolve the link?

  • readlink(path)
    • sys_x86_64_readlink(path, ...)
      • FileSystem::readlink(path)
        • resolving link name (path)
          • resolve_path(path, follow_link=False)
        • getting target
          • os.readlink(sb_path)
        • resolving target
          • resolve_path(target, follow_link=False)
        • ret sb_target
      • ret sb_target
    • ret sb_target

Sh3idan avatar Jan 12 '20 16:01 Sh3idan

Hi,

I'm not sure I understand the step description, but we're maybe saying the same thing.

IMHO, we want two things:

  • A simple to understand behavior, such as the chroot one
  • Avoid sandbox escape. By default, it should not be possible to shoot yourself in the foot by copying any kind of file inside the file_sb directory, such as a link to an existing file outside of file_sb.

So, if follow_link is not set, it should never resolve the link. Does it seem OK to you?

commial avatar Jan 15 '20 18:01 commial
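The following is an added example, not miasm's linux_env code, showing the chroot-like behaviour both participants converge on: every path, including the text of a symlink, is interpreted as a guest path under the sandbox root; resolve_path with follow_link=False returns the host path of the link itself rather than its target (so readlink can still see a link); and a hostile link copied into file_sb (absolute or `..`-based) can never resolve to a host file outside the root. The class and method names (SandboxFS, resolve_path, readlink), the rule that intermediate components are always followed while follow_link governs only the final one, and the fixture with the extra `evil_*` links are assumptions for illustration, not the project's API or the reporter's layout.

```python
import os
import shutil
import tempfile


class SandboxFS:
    """Illustrative chroot-like filesystem view (assumed design, not miasm's)."""

    MAX_LINK_DEPTH = 40  # same spirit as the kernel's ELOOP limit

    def __init__(self, root):
        self.root = os.path.realpath(root)

    def _host(self, guest_path):
        # Guest path -> host path, always under self.root; normpath only
        # collapses the part below root because '..' is handled in resolve_path.
        return os.path.normpath(os.path.join(self.root, guest_path.lstrip("/")))

    def resolve_path(self, path, follow_link=True, _depth=0):
        """Map a guest path to a host path inside the sandbox.

        Intermediate symlinks (e.g. /proc/self) are always followed, as the
        kernel does for directory components. follow_link governs only the
        last component. Link targets are re-read as *guest* paths, so neither
        an absolute target nor a chain of '..' can leave the sandbox root.
        """
        if _depth > self.MAX_LINK_DEPTH:
            raise OSError("too many levels of symbolic links")
        parts = [p for p in path.split("/") if p not in ("", ".")]
        guest = "/"  # guest directory reached so far
        for i, part in enumerate(parts):
            last = i == len(parts) - 1
            if part == "..":
                # '..' above the guest root stays at the guest root (chroot semantics)
                guest = os.path.dirname(guest.rstrip("/")) or "/"
                continue
            candidate = os.path.join(guest, part)
            host = self._host(candidate)
            if os.path.islink(host) and (follow_link or not last):
                target = os.readlink(host)
                if not target.startswith("/"):
                    target = os.path.join(guest, target)  # relative to the link's directory
                rest = "/".join(parts[i + 1:])
                new_path = os.path.join(target, rest) if rest else target
                return self.resolve_path(new_path, follow_link, _depth + 1)
            guest = candidate
        return self._host(guest)

    def readlink(self, path):
        """Guest readlink: do not follow the final component, then return the
        link text unchanged, which is itself a guest path (what a chroot returns)."""
        host = self.resolve_path(path, follow_link=False)
        if not os.path.islink(host):
            raise OSError(f"{path!r} is not a link")
        return os.readlink(host)


def build_demo_sandbox():
    """Constructed fixture mirroring the thread's file_sb layout, plus two
    deliberately hostile links (assumed for the example, not from the issue)."""
    root = tempfile.mkdtemp(prefix="file_sb_")
    os.makedirs(os.path.join(root, "home", "user"))
    os.makedirs(os.path.join(root, "proc", "1000"))
    with open(os.path.join(root, "home", "user", "bin.elf"), "wb") as f:
        f.write(b"\x7fELF")
    os.symlink("/home/user/bin.elf", os.path.join(root, "proc", "1000", "exe"))  # guest-absolute
    os.symlink("1000", os.path.join(root, "proc", "self"))                          # relative
    os.symlink("/etc/passwd", os.path.join(root, "evil_abs"))             # escape if taken as host path
    os.symlink("../../../../etc/passwd", os.path.join(root, "evil_rel"))  # escape via '..'
    return root


def demo():
    """Run the scenarios from the thread; host paths are reported relative to
    the sandbox root so a result starting with '..' would mean an escape."""
    root = build_demo_sandbox()
    try:
        fs = SandboxFS(root)
        rel = lambda host: os.path.relpath(host, fs.root)
        try:
            fs.readlink("/home/user/bin.elf")
            not_link_raises = False
        except OSError:
            not_link_raises = True
        return {
            "readlink": fs.readlink("/proc/self/exe"),
            "exe_host": rel(fs.resolve_path("/proc/self/exe", follow_link=True)),
            "link_host": rel(fs.resolve_path("/proc/self/exe", follow_link=False)),
            "evil_abs": rel(fs.resolve_path("/evil_abs")),
            "evil_rel": rel(fs.resolve_path("/evil_rel")),
            "not_link_raises": not_link_raises,
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With follow_link=False the resolver stops at file_sb/proc/1000/exe, so readlink sees a link and returns '/home/user/bin.elf', which is the behaviour the debug trace in the report was missing. The two `evil_*` links both land on file_sb/etc/passwd (a file that need not exist), never on the host's /etc/passwd.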