proot
lstat syscalls break confinement
Expected Behavior
When lstat is called by a process inside PRoot, it would be caught and sent information on the current guest it is in.
Actual Behavior
lstat calls go directly to the host and will fail if the host lacks the files.
Steps to Reproduce the Problem
The easiest way I have to reproduce this is with proot-apps on an x86_64 Linux host wrapping the signal application; on init it checks for the existence of /opt/Signal/resources using lstat and fails.
Install proot-apps:
rm -f $HOME/.local/bin/{ncat,proot-apps,proot,jq}
mkdir -p $HOME/.local/bin
curl -L https://github.com/linuxserver/proot-apps/releases/download/$(curl -sX GET "https://api.github.com/repos/linuxserver/proot-apps/releases/latest" | awk '/tag_name/{print $4;exit}' FS='[""]')/proot-apps-$(uname -m).tar.gz | tar -xzf - -C $HOME/.local/bin/
export PATH="$HOME/.local/bin:$PATH"
Install signal:
proot-apps install signal
Run signal:
signal-pa
Now generate the path on the host:
sudo mkdir -p /opt/Signal/resources
signal-pa
The app will start normally as the lstat sanity check passes on init.
Specifications
- Proot/Care version: v5.4.0
- Kernel version: 6.6.13, but tested on 5.10 as well
- Host distribution: Debian Bookworm
- Guest distribution: Debian Bookworm
Command Output
Unhandled Promise Rejection: Error: ENOENT: no such file or directory, lstat '/opt/Signal/resources'
Unhandled Promise Rejection: Error: ENOENT: no such file or directory, lstat '/opt/Signal/resources'
Notes
If this is expected behavior feel free to close this, but I think for isolating the guest, lstat syscalls need to be intercepted in some way and implementing this is a bit over my head.
Linking: https://github.com/linuxserver/proot-apps/issues/10
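The reproduction above depends on Signal's own startup check. The following is an added diagnostic, not code from the issue reporter, PRoot or proot-apps: it calls lstat(), stat() and the raw statx syscall on one path and reports each result, so you can see which of the three PRoot translates into the guest rootfs and which go straight to the host. It assumes a Linux host with glibc (for struct statx and SYS_statx); the default path /opt/Signal/resources is taken from the report, and the binary name lstat_probe is an assumption.

```c
/* lstat_probe.c: added diagnostic, not part of PRoot or proot-apps.
 * Build on the host (cc -o lstat_probe lstat_probe.c), then run it both on
 * the host and inside the guest, for example:
 *   proot -r <guest-rootfs> ./lstat_probe /opt/Signal/resources
 * A path that exists only in the guest should succeed for every call if the
 * corresponding syscall is being intercepted; a call that still reports
 * ENOENT inside the guest is reaching the host filesystem unmodified.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

struct probe_result {
    int lstat_errno;   /* 0 on success, otherwise the errno reported */
    int stat_errno;
    int statx_errno;   /* ENOSYS if this build/kernel has no statx */
};

/* Runs the three calls on `path`; returns how many of them succeeded (0..3). */
int probe_path(const char *path, struct probe_result *out)
{
    struct stat sb;
    int ok = 0;

    memset(out, 0, sizeof *out);

    /* glibc's lstat() wrapper; depending on glibc version and architecture
     * this reaches the kernel as lstat, newfstatat or statx. */
    if (lstat(path, &sb) == 0) ok++; else out->lstat_errno = errno;

    /* Symlink-following variant, for comparison. */
    if (stat(path, &sb) == 0) ok++; else out->stat_errno = errno;

#ifdef SYS_statx
    {
        /* Raw statx syscall, bypassing whichever wrapper glibc chose above. */
        struct statx sx;
        if (syscall(SYS_statx, AT_FDCWD, path, AT_SYMLINK_NOFOLLOW,
                    STATX_BASIC_STATS, &sx) == 0)
            ok++;
        else
            out->statx_errno = errno;
    }
#else
    out->statx_errno = ENOSYS;
#endif

    return ok;
}

static void report(const char *name, int err)
{
    if (err == 0)
        printf("  %-6s ok\n", name);
    else
        printf("  %-6s fails: %s (errno %d)\n", name, strerror(err), err);
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/opt/Signal/resources";
    struct probe_result r;
    int ok = probe_path(path, &r);

    printf("%s: %d of 3 calls succeeded\n", path, ok);
    report("lstat", r.lstat_errno);
    report("stat", r.stat_errno);
    report("statx", r.statx_errno);
    return ok == 3 ? 0 : 1;
}
```

Running it once on the host (where the path is absent) and once under PRoot with a guest rootfs that contains the path separates the question "does the guest have the file" from "does this syscall get translated"; if lstat reports ENOENT inside the guest while stat succeeds, the untranslated syscall is the one glibc chose for lstat on that build.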