Experimental Landlock based sandboxing #597
Conversation
|
I would be in favor of option 1 since it's how unblob works. The extraction path provided with As long as we're clear about the fact that unblob limits itself to the path provided with |
We need this for the parent of extraction directory:
And this for the parent directory of report file:
The latter seems a bit much to me |
vlaci
force-pushed
the
landlock
branch
4 times, most recently
from
d2138c8
to
3c51313
Compare
|
Hehe, this change is incompatible with code coverage measurement :D |
qkaiser
force-pushed
the
landlock
branch
6 times, most recently
from
e92d6e3
to
52e9322
Compare
|
Two things to do before tagging as ready for review:
|
qkaiser
added
enhancement
qkaiser
force-pushed
the
landlock
branch
3 times, most recently
from
59659a3
to
c71c40a
Compare
|
Will rebase once version |
unblob/processing.py
Outdated
| if report_file: | ||
| restrictions += [ | ||
| AccessFS.read_write(report_file), | ||
| AccessFS.make_reg(report_file.parent), | ||
| ] | ||
|
|
||
| if "pytest" in sys.modules: | ||
| restrictions += [ | ||
| AccessFS.read_write("/tmp"), # noqa: S108 | ||
| AccessFS.read_write("/build"), | ||
| AccessFS.read_write(Path(__file__).parent.parent.resolve().as_posix()), | ||
| ] |
There was a problem hiding this comment.
restrictions could be part of ExtractionConfig we pass for process_file, so test and report specific values could be set-up in fixture and command line processing.
There was a problem hiding this comment.
gave it a try yesterday but failed :)
There was a problem hiding this comment.
I found an interesting thing: the only test, that actually calls the cli and does a full extraction is the tests/test_cli.py::test_skip_extension case, everything else works with a mocked process_file :)
| restrict_access(*config.sandbox_access_restrictions) | ||
| except SandboxError: | ||
| logger.warning("Sandboxing FS access is unavailable on this system, skipping.") | ||
| restrict_access(*config.sandbox_access_restrictions) |
There was a problem hiding this comment.
This will lead to an unhandled SandboxError on non supported platforms.
|
rebased and solved conflicts |
|
rebased and solved conflicts |
Co-authored-by: Quentin Kaiser <quentin.kaiser@onekey.com>
all other tests in this file assert on `process_file` being called with correct arguments. We need specific tests which test that the configuration is interpreted correctly
we should(?) have tests where sandboxing is enabled.
|
rebased and solved conflicts |
Implementation of #594 together with onekey-sec/unblob-native#11
Having to first create the extraction directory complicates things a lot.
I am unsure what approach we should take here but it can be seen, that the first directory needs somewhat special treatment.
Alternative integration approaches:
LANDLOCK_ACCESS_FS_MAKE_DIRon the parent of the extraction root as an escape hatch