unblob
landlock sandbox: allow access to /tmp
Some handlers may require access to /tmp in order to work with temporary files (e.g. a handler performing intermediate decryption or decompression).
Right now this is blocked by our landlock policy.
Ideally, we would add a tmp_dir to ExtractionConfig. This temporary directory would be created when unblob is launched and safely deleted at the end of the extraction run.
This way, we could extend the policy as follows:
diff --git a/python/unblob/sandbox.py b/python/unblob/sandbox.py
index 61b02b0..689800f 100644
--- a/python/unblob/sandbox.py
+++ b/python/unblob/sandbox.py
@@ -49,6 +49,12 @@ class Sandbox:
AccessFS.read("/"),
# Multiprocessing
AccessFS.read_write("/dev/shm"), # noqa: S108
+ # Temporary directory
+ AccessFS.read_write(config.tmp_dir),
+ AccessFS.remove_dir(config.tmp_dir),
+ AccessFS.remove_file(config.tmp_dir),
+ AccessFS.make_dir(config.tmp_dir.parent),
+ AccessFS.remove_dir(config.tmp_dir.parent),
# Extracted contents
AccessFS.read_write(config.extract_root),
AccessFS.remove_dir(config.extract_root),
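Review bot: the two rules on config.tmp_dir.parent (make_dir and remove_dir) grant more than the feature needs: if tmp_dir is created directly under /tmp, they let the sandboxed process create and delete any directory in /tmp, not only the one unblob owns. Creating the directory before the sandbox is entered and removing it after the sandbox is torn down, as the follow-up comment proposes, lets the hunk keep only `AccessFS.read_write(config.tmp_dir)`, `AccessFS.remove_dir(config.tmp_dir)` and `AccessFS.remove_file(config.tmp_dir)`. That ordering is also required by Landlock itself, since path rules are added from an open descriptor on an existing path, so config.tmp_dir must exist at the time the ruleset is built.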
One open question is how we could expose that temporary directory to handlers. If it's not possible without introducing breaking changes, we can also choose to work within /tmp.
We probably can create and remove the tmp directory outside the sandbox, reducing the number of rules needed.
Probably we should set related environment variables to this directory, so traditional mktemp and similar calls work as is. It looks like there is no one standard variable for this. For example, nix sets the following environment variables for build/shell usage:
TMP
TMPDIR
TEMP
TEMPDIR
Agree with @vlaci. I would create a temp directory for unblob to operate on and handle the cleanup in unblob as well. All handlers & co. can use temp files or directories within the unblob temp file, which should be accessible with sandbox rules.
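The approach discussed in this thread (a per-run temporary directory created and removed outside the sandbox, exported through the environment variables vlaci listed so that plain mktemp-style calls land inside it) as an added, stand-alone example. This is not unblob's code: `extraction_tmp_dir`, `handler_scratch_file` and `run_extraction` are hypothetical names, the variable list is taken from the nix example above, and the "handler" is a stand-in that merely writes a constructed payload to a scratch file. The sandbox itself is not applied here; the comments mark where the landlock policy would be entered and left.

```python
import os
import shutil
import tempfile
from contextlib import contextmanager
from pathlib import Path
from typing import Dict, Iterator, Optional

# Variables that mktemp(1), tempfile and most C runtimes consult for the temp
# location. Taken from the nix list in the discussion; assumed sufficient here.
TEMP_ENV_VARS = ("TMP", "TMPDIR", "TEMP", "TEMPDIR")


@contextmanager
def extraction_tmp_dir(base: Optional[Path] = None, prefix: str = "unblob-") -> Iterator[Path]:
    """Create a private temp dir for one extraction run and point the environment at it.

    Meant to be entered *before* the landlock sandbox is applied and exited *after*
    it is torn down. The sandbox then only needs read/write (plus remove_file and
    remove_dir for the handler's own scratch files) on the directory itself; no
    make_dir/remove_dir rules on its parent are required.
    """
    # mkdtemp creates the directory with mode 0700 and a random suffix, so other
    # users on a shared /tmp cannot pre-create or read it.
    tmp_dir = Path(tempfile.mkdtemp(prefix=prefix, dir=base))
    saved = {name: os.environ.get(name) for name in TEMP_ENV_VARS}
    try:
        for name in TEMP_ENV_VARS:
            os.environ[name] = str(tmp_dir)
        # tempfile caches its chosen directory; clearing the cache makes the
        # updated TMPDIR take effect for mkstemp/mkdtemp in this process.
        tempfile.tempdir = None
        # --- landlock sandbox would be entered here ---
        yield tmp_dir
        # --- landlock sandbox would be left here ---
    finally:
        for name, value in saved.items():
            if value is None:
                os.environ.pop(name, None)
            else:
                os.environ[name] = value
        tempfile.tempdir = None
        # Cleanup happens outside the sandbox, so it needs no extra policy rules.
        shutil.rmtree(tmp_dir, ignore_errors=True)


def handler_scratch_file(payload: bytes) -> Path:
    """Stand-in handler: writes an intermediate artifact to a scratch file.

    It deliberately calls plain tempfile.mkstemp() with no explicit dir argument,
    exactly like existing handlers or external tools would, to show that the
    environment alone steers it into the per-run directory.
    """
    fd, name = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as f:
        f.write(payload)
    return Path(name)


def run_extraction(payload: bytes) -> Dict[str, bool]:
    """Run the stand-in handler inside a per-run temp dir and report what happened."""
    with extraction_tmp_dir() as tmp_dir:
        scratch = handler_scratch_file(payload)
        inside = tmp_dir in scratch.parents
        existed = scratch.exists()
        env_ok = all(os.environ.get(n) == str(tmp_dir) for n in TEMP_ENV_VARS)
    return {
        "scratch_inside_tmp_dir": inside,
        "scratch_existed_during_run": existed,
        "env_pointed_at_tmp_dir": env_ok,
        "tmp_dir_removed_after_run": not tmp_dir.exists(),
        "env_restored": all(os.environ.get(n) != str(tmp_dir) for n in TEMP_ENV_VARS),
    }


if __name__ == "__main__":
    # Constructed sample payload standing in for a decompressed chunk.
    for key, value in run_extraction(b"constructed sample payload").items():
        print(f"{key}: {value}")
```

The point of the split is that the only filesystem actions happening while the sandbox is active are reads, writes and unlinks beneath the directory unblob already owns; creation and deletion of the directory itself, which would otherwise need create/remove rights on /tmp as a whole, sit outside the policy. Handlers that shell out to external tools inherit the same environment, so their mktemp calls end up in the same place.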