sec(sandbox): seccomp filter allows dangerous syscalls (ptrace, mount, unshare, bpf) #578
Closed as not planned
Description
Summary
The seccomp BPF filter in crates/openshell-sandbox/src/sandbox/linux/seccomp.rs (lines 37–65) only blocks SYS_socket for specific address families (AF_PACKET, AF_BLUETOOTH, AF_VSOCK, and optionally AF_INET/AF_INET6/AF_NETLINK). The default action is SeccompAction::Allow.
The following dangerous syscalls are not blocked:
- ptrace — attach to sibling processes, read memory, inject code
- mount/umount2/pivot_root — overlay filesystems, escape Landlock
- unshare/clone (with namespace flags) — create new mount namespaces
- bpf — load BPF programs
- keyctl — kernel keyring manipulation
- kexec_load, init_module, finit_module — kernel module loading
- reboot, sethostname, setdomainname
Additionally, when NetworkMode::Allow is set (lines 16–19), the entire seccomp filter is skipped, including PR_SET_NO_NEW_PRIVS. This means setuid binaries could escalate privileges.
Impact
- Severity: High
- Combined with SYS_ADMIN capability (see related issue), a sandboxed process can call ptrace(PTRACE_ATTACH) on siblings, mount to overlay filesystems, or unshare(CLONE_NEWNS) to escape Landlock restrictions.
Proposed Fix
- Switch to allowlist-based seccomp or add explicit blocks for high-risk syscalls
- Always set PR_SET_NO_NEW_PRIVS and apply a baseline seccomp filter regardless of network mode
- Block at minimum: ptrace, mount, umount2, pivot_root, chroot, unshare, clone3 (with namespace flag checks), keyctl, bpf, userfaultfd, perf_event_open
```mermaid
graph LR
    subgraph "Current seccomp"
        A[Default: ALLOW] --> B[Block AF_PACKET]
        A --> C[Block AF_BLUETOOTH]
        A --> D[Block AF_VSOCK]
        A --> E["Everything else: ✅ allowed"]
    end
    subgraph "Proposed seccomp"
        F[Default: ALLOW] --> G[Block dangerous sockets]
        F --> H["Block ptrace, mount, unshare, bpf, keyctl"]
        F --> I["Always set PR_SET_NO_NEW_PRIVS"]
    end
```
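
The denylist variant of the proposed fix, as an added example that is not part of the issue or the project's own code: a classic-BPF program that returns EPERM for the "block at minimum" syscalls, checked with a small evaluator instead of being loaded into the kernel. The x86_64 syscall numbers, the ENOSYS answer for clone3 (its flags sit behind a pointer that seccomp cannot read) and all function names are assumptions of the example.

```rust
// Added example: classic-BPF seccomp denylist modelled in pure Rust; x86_64 syscall numbers assumed.
#[derive(Clone, Copy)]
struct Insn { code: u16, jt: u8, jf: u8, k: u32 } // fields of struct sock_filter

const LD_ABS: u16 = 0x20; const RET: u16 = 0x06; // BPF_LD|BPF_W|BPF_ABS, BPF_RET|BPF_K
const JEQ: u16 = 0x15; const JSET: u16 = 0x45;   // BPF_JMP|BPF_JEQ|BPF_K, BPF_JMP|BPF_JSET|BPF_K
const ALLOW: u32 = 0x7fff_0000;       // SECCOMP_RET_ALLOW
const KILL: u32 = 0x8000_0000;        // SECCOMP_RET_KILL_PROCESS
const EPERM: u32 = 0x0005_0000 | 1;   // SECCOMP_RET_ERRNO | EPERM
const ENOSYS: u32 = 0x0005_0000 | 38; // SECCOMP_RET_ERRNO | ENOSYS
const ARCH_X86_64: u32 = 0xC000_003E; // AUDIT_ARCH_X86_64
const NS_FLAGS: u32 = 0x7E02_0000;    // CLONE_NEWNS|NEWCGROUP|NEWUTS|NEWIPC|NEWUSER|NEWPID|NEWNET
// ptrace, mount, umount2, pivot_root, chroot, unshare, keyctl, bpf, userfaultfd, perf_event_open
const DENY: [u32; 10] = [101, 165, 166, 155, 161, 272, 250, 321, 323, 298];
const CLONE: u32 = 56; const CLONE3: u32 = 435;

fn ins(code: u16, jt: u8, jf: u8, k: u32) -> Insn { Insn { code, jt, jf, k } }
fn build_filter() -> Vec<Insn> {
    // Callers from another architecture are killed, so syscall numbers cannot be reinterpreted.
    let mut p = vec![ins(LD_ABS, 0, 0, 4), ins(JEQ, 1, 0, ARCH_X86_64), ins(RET, 0, 0, KILL),
                     ins(LD_ABS, 0, 0, 0)]; // accumulator = seccomp_data.nr
    for nr in DENY { p.extend([ins(JEQ, 0, 1, nr), ins(RET, 0, 0, EPERM)]); }
    // clone3 flags are not inspectable: ENOSYS lets glibc fall back to clone.
    p.extend([ins(JEQ, 0, 1, CLONE3), ins(RET, 0, 0, ENOSYS)]);
    // clone: deny only when args[0] (offset 16, low word) carries a namespace flag.
    p.extend([ins(JEQ, 0, 3, CLONE), ins(LD_ABS, 0, 0, 16), ins(JSET, 0, 1, NS_FLAGS),
              ins(RET, 0, 0, EPERM), ins(RET, 0, 0, ALLOW)]);
    p
}

// Minimal evaluator for the four opcodes above; returns the seccomp verdict.
fn verdict(prog: &[Insn], arch: u32, nr: u32, arg0: u32) -> u32 {
    let (mut pc, mut a) = (0usize, 0u32);
    loop {
        let i = prog[pc]; pc += 1;
        match i.code {
            LD_ABS => a = match i.k { 0 => nr, 4 => arch, 16 => arg0, _ => 0 },
            JEQ => pc += usize::from(if a == i.k { i.jt } else { i.jf }),
            JSET => pc += usize::from(if a & i.k != 0 { i.jt } else { i.jf }),
            _ => return i.k, // RET
        }
    }
}

fn main() {
    let f = build_filter();
    println!("ptrace -> {:#x}", verdict(&f, ARCH_X86_64, 101, 0));
    println!("clone(CLONE_NEWNS) -> {:#x}", verdict(&f, ARCH_X86_64, CLONE, 0x0002_0000));
}
```

A filter like this only holds if it is installed in every network mode together with PR_SET_NO_NEW_PRIVS, which is the second point of the proposed fix.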