Bug 550670 - sys-apps/sandbox fails to catch openpty(3) and posix_openpt(3)
Summary: sys-apps/sandbox fails to catch openpty(3) and posix_openpt(3)
Status: RESOLVED WONTFIX
Alias: None
Product: Portage Development
Classification: Unclassified
Component: Sandbox (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Sandbox Maintainers
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-05-28 17:36 UTC by Mike Gilbert
Modified: 2015-09-20 08:44 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Mike Gilbert gentoo-dev 2015-05-28 17:36:35 UTC
The two programs below indirectly call open("/dev/ptmx", O_RDWR). sandbox fails to catch this.

/* openpty(3) test case: glibc implements openpty() on top of the
 * pty multiplexer, so this ends up as open("/dev/ptmx", O_RDWR)
 * inside libc. Link with -lutil on older glibc. */
#include <pty.h>
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>

int main(void)
{
        int master, slave;
        /* NULL name/termios/winsize: we only care about the open() */
        if (openpty(&master, &slave, NULL, NULL, NULL))
                perror("openpty");
        else
        {
                close(master);
                close(slave);
        }
        return 0;
}


/* posix_openpt(3) test case: _GNU_SOURCE (or _XOPEN_SOURCE >= 600)
 * is required for the prototype in <stdlib.h>. posix_openpt() is
 * also implemented as open("/dev/ptmx", O_RDWR) inside libc. */
#define _GNU_SOURCE 1
#include <stdlib.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

int main(void)
{
        int fd;
        fd = posix_openpt(O_RDWR);
        if (fd < 0)
                perror("posix_openpt");
        else
                close(fd);
        return 0;
}
Comment 1 Mike Gilbert gentoo-dev 2015-05-28 17:43:16 UTC
I would guess that the forkpty(3) function is probably also missed.
Comment 2 SpanKY gentoo-dev 2015-05-28 22:20:02 UTC
what is the problem?  these funcs are used to create new pseudo ttys which some test harnesses use in order to create ptys.  if we block that, we block the ability for tests to work.  conversely, if we don't block this, i'm not seeing what harm can be done to the system.

i guess a malicious package could allocate a crap ton of ptys and try to force resource exhaustion, but that can already be done in many other ways, and we specifically do not market sandbox as a security solution against malicious actors -- it is a tool to prevent/catch accidental bad behavior.
Comment 3 Mike Gilbert gentoo-dev 2015-05-28 23:22:57 UTC
It was just something I noticed due to experimenting in response to bug 550650.

If you don't think build processes opening /dev/ptmx is a problem, feel free to close this.
Comment 4 SpanKY gentoo-dev 2015-05-28 23:56:05 UTC
(In reply to Mike Gilbert from comment #3)

if someone can think of a case where these funcs mess with existing ptys, then we can revisit, but the act of creating new ptys shouldn't be a problem
Comment 5 Mike Gilbert gentoo-dev 2015-05-29 00:16:37 UTC
(In reply to SpanKY from comment #4)
> (In reply to Mike Gilbert from comment #3)
> 
> if someone can think of a case where these funcs mess with existing ptys,
> then we can revisit, but the act of creating new ptys shouldn't be a problem

It might be worth adding /dev/ptmx to the default SANDBOX_WRITE setting, just for consistency's sake; it is technically valid for a process to obtain a pty by calling open("/dev/ptmx", ...) directly.
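The direct route mentioned above, as an added example that is not part of the bug report or of the sandbox project's code: it allocates a pty master via open("/dev/ptmx") and via posix_openpt(3), then uses readlink on /proc/self/fd/N to show that both descriptors were opened through the same multiplexer device. The function names (open_master_direct, master_device_path, is_ptmx_path) are this example's own; it assumes a Linux system with /proc mounted, and accepts both /dev/ptmx and /dev/pts/ptmx (the symlink target seen in some containers). A sandboxed build that only whitelists the indirect paths would still see the direct open() here, which is the consistency argument for listing /dev/ptmx in SANDBOX_WRITE.

```c
#define _GNU_SOURCE 1
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/*
 * Route three to a pty master, alongside openpty(3) and posix_openpt(3):
 * open the multiplexer device directly. Returns the master fd, or -1
 * with errno set (e.g. ENOENT/EACCES where /dev/ptmx is unavailable).
 * Hypothetical helper written for this example.
 */
int open_master_direct(void)
{
        int fd = open("/dev/ptmx", O_RDWR | O_NOCTTY);
        if (fd < 0)
                return -1;
        /* grantpt/unlockpt must succeed before the slave side is usable */
        if (grantpt(fd) < 0 || unlockpt(fd) < 0) {
                close(fd);
                return -1;
        }
        return fd;
}

/*
 * Resolve the path a descriptor was opened through, via /proc/self/fd.
 * Returns 0 and fills buf on success, -1 on error (assumes /proc).
 */
int master_device_path(int fd, char *buf, size_t len)
{
        char link[64];
        ssize_t n;

        snprintf(link, sizeof link, "/proc/self/fd/%d", fd);
        n = readlink(link, buf, len - 1);
        if (n < 0)
                return -1;
        buf[n] = '\0';
        return 0;
}

/* True if the path names the multiplexer: /dev/ptmx or /dev/pts/ptmx. */
int is_ptmx_path(const char *path)
{
        const char *base = strrchr(path, '/');
        base = base ? base + 1 : path;
        return strcmp(base, "ptmx") == 0;
}

int main(void)
{
        int fds[2];
        const char *how[2] = { "posix_openpt()", "open(\"/dev/ptmx\")" };
        char path[256];
        int i;

        fds[0] = posix_openpt(O_RDWR | O_NOCTTY);
        fds[1] = open_master_direct();

        for (i = 0; i < 2; i++) {
                if (fds[i] < 0) {
                        perror(how[i]);
                        continue;
                }
                if (master_device_path(fds[i], path, sizeof path) == 0)
                        printf("%-20s fd %d opened via %s (ptmx: %s), slave %s\n",
                               how[i], fds[i], path,
                               is_ptmx_path(path) ? "yes" : "no",
                               ptsname(fds[i]));
                close(fds[i]);
        }
        return 0;
}
```

Both descriptors report the same device path, which is the point: whether a build calls openpty(), posix_openpt() or open() itself, the write access being requested is to /dev/ptmx, so a whitelist that names only the library functions is incomplete.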
Comment 6 SpanKY gentoo-dev 2015-05-29 04:25:16 UTC
(In reply to Mike Gilbert from comment #5)

that is true, but i'm not aware of any package ever having tried to do that :)
Comment 7 Alessandro Molari 2015-05-29 12:00:10 UTC
It seems we've got a usecase now: https://bugs.gentoo.org/show_bug.cgi?id=550650
Comment 8 SpanKY gentoo-dev 2015-09-20 08:44:43 UTC
i've whitelisted write access to /dev/ptmx now:
http://gitweb.gentoo.org/proj/sandbox.git/commit/?id=6b9b505f4a7716a50ff9e63c85f2c4882987a732