proot icon indicating copy to clipboard operation
proot copied to clipboard

Published 20 hours ago verified publisher icon proot-me

lstat syscalls break confinement

Open thelamer opened this issue 10 months ago • 1 comments

Expected Behavior

When lstat is called by a process inside PRoot they would be caught and sent information on the current guest they are in.

Actual Behavior

lstat calls go directly to the host and will fail if the host lacks the files.

Steps to Reproduce the Problem

The easiest way I have to reproduce this is with proot-apps on an x86_64 linux host wrapping the signal application, on init it checks for the existence of /opt/Signal/resources using lstat and fails.

Install proot-apps:

rm -f $HOME/.local/bin/{ncat,proot-apps,proot,jq}
mkdir -p $HOME/.local/bin
curl -L https://github.com/linuxserver/proot-apps/releases/download/$(curl -sX GET "https://api.github.com/repos/linuxserver/proot-apps/releases/latest" | awk '/tag_name/{print $4;exit}' FS='[""]')/proot-apps-$(uname -m).tar.gz | tar -xzf - -C $HOME/.local/bin/
export PATH="$HOME/.local/bin:$PATH"

Install signal:

proot-apps install signal

Run signal:

signal-pa

Now generate the path on the host:

sudo mkdir -p /opt/Signal/resources
signal-pa

The app will start normally as the lstat sanity check passes on init.

Specifications

  • Proot/Care version: v5.4.0
  • Kernel version: 6.6.13, but tested on 5.10 as well
  • Host distribution: Debian Bookworm
  • Guest distribution: Debian Bookworm

Command Output

Unhandled Promise Rejection: Error: ENOENT: no such file or directory, lstat '/opt/Signal/resources'
Unhandled Promise Rejection: Error: ENOENT: no such file or directory, lstat '/opt/Signal/resources'

Notes

If this is expected behavior feel free to close this, but I think for isolating the guest, lstat syscalls need to be intercepted in some way and implementing this is a bit over my head.

Linking: https://github.com/linuxserver/proot-apps/issues/10

thelamer avatar Apr 17 '24 16:04 thelamer

image

I am trying to copy some directory from host to proot, and cp -r shows setting permissions for ...: no such file or directory. However it did create the directory for me. So I tried strace and found that the mkdirat and newfstatat are all OK, only fchmodat2 returns no such file or directory. So I guess if this is also a similar issue that it sends syscall to host file instead of proot.

Avimitin avatar May 27 '24 04:05 Avimitin