Experimental Landlock based sandboxing #597
Conversation
I would be in favor of option 1 since it's how unblob works. The extraction path provided with As long as we're clear about the fact that unblob limits itself to the path provided with
We need this for the parent of extraction directory:
And this for the parent directory of report file:
The latter seems a bit much to me
force-pushed from d2138c8 to 3c51313
Hehe, this change is incompatible with code coverage measurement :D
force-pushed from e92d6e3 to 52e9322
Two things to do before tagging as ready for review:
force-pushed from 59659a3 to c71c40a
Will rebase once version
unblob/processing.py
Outdated
if report_file: | ||
restrictions += [ | ||
AccessFS.read_write(report_file), | ||
AccessFS.make_reg(report_file.parent), | ||
] | ||
|
||
if "pytest" in sys.modules: | ||
restrictions += [ | ||
AccessFS.read_write("/tmp"), # noqa: S108 | ||
AccessFS.read_write("/build"), | ||
AccessFS.read_write(Path(__file__).parent.parent.resolve().as_posix()), | ||
] |
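Review bot: the `if "pytest" in sys.modules:` branch puts test-only sandbox widening into production code: whenever pytest happens to be imported, the ruleset gains read-write access to `/tmp`, `/build` and the whole repository root, so `process_file` no longer enforces the same boundary the CLI user gets. Consider passing extra allowed paths in through the configuration object `process_file` already receives and appending them here unconditionally, so the test fixture (and the CLI, for the report file) decide what is opened up and this function has no environment-sniffing branch. One question on the `report_file` block: `AccessFS.read_write(report_file)` needs an existing path to bind to, and if the report is only created after `restrict_access` runs, the process will be relying on `make_reg(report_file.parent)` alone; it is worth confirming in a test that writing a fresh report still works under the sandbox.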
restrictions could be part of the ExtractionConfig we pass to process_file, so test- and report-specific values could be set up in a fixture and in command line processing.
I like your thinking.
Working on it
gave it a try yesterday but failed :)
I found an interesting thing: the only test that actually calls the CLI and does a full extraction is the tests/test_cli.py::test_skip_extension case; everything else works with a mocked process_file :)
rebased and solved conflicts
rebased and solved conflicts
rebased and solved conflicts
Monthly reminder about landlock in unblob, this time brought to you by @l0kod talk at SSTIC (https://www.sstic.org/2024/presentation/landlock-design/). Rebased and solved conflicts.
FYI, other archive tools are sandboxing themselves too: ouch-org/ouch#723
Co-authored-by: Quentin Kaiser <[email protected]>
All other tests in this file assert on `process_file` being called with the correct arguments. We need specific tests which check that the configuration is interpreted correctly.
We should(?) have tests where sandboxing is enabled.
rebased and solved conflicts. IMO this is ready to be merged once the wip commit is validated
Implementation of #594 together with onekey-sec/unblob-native#11
Having to first create the extraction directory complicates things a lot.
I am unsure what approach we should take here, but it can be seen that the first directory needs somewhat special treatment.
Alternative integration approaches:
- `LANDLOCK_ACCESS_FS_MAKE_DIR` on the parent of the extraction root as an escape hatch
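The "first directory" problem above comes from how Landlock rules work: a rule binds to an existing inode, rights apply to everything beneath it, and the ruleset cannot be extended after `landlock_restrict_self`. The following C program is an added example written against the raw Landlock ABI v1 syscalls; it is not code from this PR, from unblob or from unblob-native. `plan_rules`, `enforce`, `sandbox_demo`, the `LL_*` constant names and the `/tmp/ll-demo-*` paths are this example's own choices. It shows both options: create the extraction root first and confine the sandbox to it, or (when the root does not exist yet) grant on the parent, which necessarily widens the sandbox to the parent's whole subtree. It also handles a report file that does not exist yet, and it checks end to end, in a forked child, that a write inside the root succeeds while a write elsewhere is denied.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Landlock ABI v1 values copied from the kernel UAPI (linux/landlock.h) so this
 * builds without that header; the syscall numbers are the same on every
 * architecture that has Landlock. */
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_add_rule       445
#define __NR_landlock_restrict_self  446
#endif
#define LL_RULE_PATH_BENEATH 1U
#define LL_FS_WRITE_FILE (1ULL << 1)
#define LL_FS_READ_FILE  (1ULL << 2)
#define LL_FS_MAKE_DIR   (1ULL << 7)
#define LL_FS_MAKE_REG   (1ULL << 8)
#define LL_FS_ALL_V1     ((1ULL << 13) - 1) /* every right ABI v1 knows, MAKE_DIR included */

struct ll_ruleset_attr { uint64_t handled_access_fs; };
struct ll_path_beneath_attr { uint64_t allowed_access; int32_t parent_fd; } __attribute__((packed));

#define MAX_RULES 3
struct ll_rule { char path[PATH_MAX]; uint64_t access; };

/* Copy the parent directory of `path` into `out` ("/a/b/c/" -> "/a/b"). */
static void parent_dir(const char *path, char *out, size_t n) {
    snprintf(out, n, "%s", path);
    size_t len = strlen(out);
    while (len > 1 && out[len - 1] == '/') out[--len] = '\0';
    char *slash = strrchr(out, '/');
    if (slash == NULL) snprintf(out, n, ".");
    else if (slash == out) out[1] = '\0';
    else *slash = '\0';
}

/* Decide the path-beneath rules. If the extraction root exists before
 * enforcement, the full read-write grant sits on the root itself. If it does
 * not, the grant has to go on the root's parent (the MAKE_DIR escape hatch):
 * rights apply to everything beneath the given inode and the ruleset cannot be
 * amended later, so anything the extractor will need inside the new root must
 * already be granted on the parent, making the parent's whole subtree writable. */
size_t plan_rules(const char *extraction_root, int root_exists,
                  const char *report_file, struct ll_rule out[MAX_RULES]) {
    size_t n = 0;
    if (root_exists) snprintf(out[n].path, PATH_MAX, "%s", extraction_root);
    else parent_dir(extraction_root, out[n].path, PATH_MAX);
    out[n++].access = LL_FS_ALL_V1;
    if (report_file != NULL) {
        /* The report may not exist yet, so its rule goes on the directory:
         * MAKE_REG to create it, READ/WRITE_FILE because a file created under
         * the sandbox inherits its rights from that directory rule. */
        parent_dir(report_file, out[n].path, PATH_MAX);
        out[n++].access = LL_FS_MAKE_REG | LL_FS_WRITE_FILE | LL_FS_READ_FILE;
    }
    return n;
}

/* Enforce the rules on the calling process. 0 = enforced, 1 = this kernel or
 * container offers no Landlock, -1 = any other error. */
int enforce(const struct ll_rule *rules, size_t n) {
    struct ll_ruleset_attr attr = { .handled_access_fs = LL_FS_ALL_V1 };
    int fd = (int)syscall(__NR_landlock_create_ruleset, &attr, sizeof attr, 0);
    if (fd < 0) return (errno == ENOSYS || errno == EOPNOTSUPP || errno == EPERM) ? 1 : -1;
    for (size_t i = 0; i < n; i++) {
        struct ll_path_beneath_attr rule = { .allowed_access = rules[i].access,
                                             .parent_fd = open(rules[i].path, O_PATH | O_CLOEXEC) };
        long rc = rule.parent_fd < 0 ? -1
                : syscall(__NR_landlock_add_rule, fd, LL_RULE_PATH_BENEATH, &rule, 0);
        if (rule.parent_fd >= 0) close(rule.parent_fd);
        if (rc < 0) { close(fd); return -1; }
    }
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0 ||
        syscall(__NR_landlock_restrict_self, fd, 0) < 0) { close(fd); return -1; }
    close(fd);
    return 0;
}

/* End-to-end check in a forked child (Landlock is per-process and permanent, so
 * never enforce it in the test process itself). Uses constructed paths under
 * /tmp. Returns 0 when writes inside the root and the report directory
 * succeeded and a write elsewhere failed with EACCES, 1 when Landlock is
 * unavailable, -1 on failure. */
int sandbox_demo(void) {
    char base[] = "/tmp/ll-demo-XXXXXX", outside[] = "/tmp/ll-outside-XXXXXX";
    if (!mkdtemp(base) || !mkdtemp(outside)) return -1;
    char root[PATH_MAX], report[PATH_MAX], inner[PATH_MAX], stray[PATH_MAX];
    snprintf(root, sizeof root, "%s/extract", base);
    snprintf(report, sizeof report, "%s/report.json", base);
    snprintf(inner, sizeof inner, "%s/file.bin", root);
    snprintf(stray, sizeof stray, "%s/escaped", outside);
    if (mkdir(root, 0700) < 0) return -1; /* option 1: create the root, then confine to it */
    struct ll_rule rules[MAX_RULES];
    size_t n = plan_rules(root, 1, report, rules);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        int rc = enforce(rules, n);
        if (rc != 0) _exit(rc == 1 ? 1 : 2);
        int a = open(inner, O_WRONLY | O_CREAT, 0600);
        int b = open(report, O_WRONLY | O_CREAT, 0600);
        int c = open(stray, O_WRONLY | O_CREAT, 0600);
        _exit(a >= 0 && b >= 0 && c < 0 && errno == EACCES ? 0 : 2);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    unlink(inner); unlink(report); unlink(stray); rmdir(root); rmdir(base); rmdir(outside);
    int code = WEXITSTATUS(status);
    return code == 0 ? 0 : code == 1 ? 1 : -1;
}

int main(void) {
    int rc = sandbox_demo();
    printf("%s\n", rc == 0 ? "sandbox enforced as planned"
                 : rc == 1 ? "Landlock unavailable here" : "sandbox check failed");
    return rc < 0;
}
```

Build with `cc -Wall landlock_demo.c -o landlock_demo` on Linux. With `root_exists = 0` the first rule lands on the parent directory instead of the root, which is the widening the discussion above is trying to avoid; the demo therefore creates the root before calling `enforce`.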