lstat syscalls break confinement #377

Open
thelamer opened this issue Apr 17, 2024 · 1 comment
Comments


thelamer commented Apr 17, 2024

Expected Behavior

When lstat is called by a process inside PRoot, it would be caught and sent information on the current guest it is in.

Actual Behavior

lstat calls go directly to the host and will fail if the host lacks the files.

Steps to Reproduce the Problem

The easiest way I have to reproduce this is with proot-apps on an x86_64 Linux host wrapping the Signal application; on init it checks for the existence of /opt/Signal/resources using lstat and fails.

Install proot-apps:

rm -f $HOME/.local/bin/{ncat,proot-apps,proot,jq}
mkdir -p $HOME/.local/bin
curl -L https://github.com/linuxserver/proot-apps/releases/download/$(curl -sX GET "https://api.github.com/repos/linuxserver/proot-apps/releases/latest" | awk '/tag_name/{print $4;exit}' FS='[""]')/proot-apps-$(uname -m).tar.gz | tar -xzf - -C $HOME/.local/bin/
export PATH="$HOME/.local/bin:$PATH"

Install signal:

proot-apps install signal

Run signal:

signal-pa

Now generate the path on the host:

sudo mkdir -p /opt/Signal/resources
signal-pa

The app will start normally as the lstat sanity check passes on init.

Specifications

  • Proot/Care version: v5.4.0
  • Kernel version: 6.6.13, but tested on 5.10 as well
  • Host distribution: Debian Bookworm
  • Guest distribution: Debian Bookworm

Command Output

Unhandled Promise Rejection: Error: ENOENT: no such file or directory, lstat '/opt/Signal/resources'
Unhandled Promise Rejection: Error: ENOENT: no such file or directory, lstat '/opt/Signal/resources'

Notes

If this is expected behavior feel free to close this, but I think for isolating the guest, lstat syscalls need to be intercepted in some way and implementing this is a bit over my head.

Linking: linuxserver/proot-apps#10


Avimitin commented May 27, 2024


I am trying to copy some directory from the host to proot, and cp -r shows "setting permissions for ...: no such file or directory". However, it did create the directory for me. So I tried strace and found that the mkdirat and newfstatat are all OK; only fchmodat2 returns "no such file or directory". So I guess this is also a similar issue, where it sends the syscall to the host file instead of proot.
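Both reports above were diagnosed the same way: a path that exists in the guest rootfs fails with ENOENT, which means the syscall reached the host untranslated. The following script is an added example (not part of this issue or of PRoot) that automates that check over `strace` output: it parses each path-taking syscall, and flags those that returned ENOENT for a path that does exist under a given guest root. The strace lines and the temporary guest rootfs are constructed inline to mirror the lstat and fchmodat2 cases reported here.

```python
import os
import re
import tempfile

# Matches lines such as:
#   lstat("/opt/Signal/resources", 0x7ffd1234) = -1 ENOENT (No such file or directory)
#   [pid 42] fchmodat2(AT_FDCWD, "/tmp/x", 0755, 0) = -1 ENOENT (No such file or directory)
STRACE_RE = re.compile(r'^(?:\[pid\s+\d+\]\s+)?(\w+)\((.*)\)\s+=\s+(-?\d+)(?:\s+(E[A-Z]+))?')
PATH_RE = re.compile(r'"([^"]*)"')

def parse_strace_line(line):
    """Return (syscall, first absolute quoted path, errno name or None), or None."""
    m = STRACE_RE.match(line.strip())
    if not m:
        return None
    name, args, _ret, err = m.groups()
    p = PATH_RE.search(args)
    if not p or not p.group(1).startswith('/'):
        return None
    return name, p.group(1), err

def find_unconfined(strace_lines, guest_root):
    """Flag syscalls that got ENOENT for a path that exists inside guest_root.
    A properly translated syscall would have been redirected to guest_root, so
    ENOENT on such a path indicates the call was sent to the host as-is."""
    findings = []
    for line in strace_lines:
        parsed = parse_strace_line(line)
        if parsed is None:
            continue
        name, path, err = parsed
        if err == 'ENOENT' and os.path.lexists(os.path.join(guest_root, path.lstrip('/'))):
            findings.append((name, path))
    return findings

def demo():
    # Constructed guest rootfs and strace excerpt modelled on the two reports.
    with tempfile.TemporaryDirectory() as guest_root:
        os.makedirs(os.path.join(guest_root, 'opt/Signal/resources'))
        os.makedirs(os.path.join(guest_root, 'home/user/copied'))
        trace = [
            'newfstatat(AT_FDCWD, "/opt/Signal", {st_mode=S_IFDIR|0755, ...}, 0) = 0',
            'lstat("/opt/Signal/resources", 0x7ffd1234) = -1 ENOENT (No such file or directory)',
            'mkdirat(AT_FDCWD, "/home/user/copied", 0755) = 0',
            'fchmodat2(AT_FDCWD, "/home/user/copied", 0755, 0) = -1 ENOENT (No such file or directory)',
            'openat(AT_FDCWD, "/nonexistent", O_RDONLY) = -1 ENOENT (No such file or directory)',
        ]
        return find_unconfined(trace, guest_root)

if __name__ == '__main__':
    for name, path in demo():
        print(f'{name} on {path}: ENOENT although it exists in the guest rootfs (likely sent to host)')
```

On a real capture, run the confined program as `strace -f -o trace.txt proot -r <guest_root> ...` and feed the file's lines to `find_unconfined` with the same guest root; `/nonexistent` above is deliberately not flagged because it is missing in the guest too.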
