test: jail the adversary suite off /tmp so it passes honestly#2
Merged
Conversation
The breakout self-test jailed under /tmp/agent-lock-adv. But /tmp/ is a blanket system-read prefix in the kernel program (sys_prefixes[]), so the prefix-sibling case (/tmp/agent-lock-adv2) was allowed as a benign scratch read regardless of the boundary check it exists to exercise — the suite reported a LEAK for a reason unrelated to the fix in #1, and `make adversary` exited non-zero even though the boundary logic is correct. Move the jail (and its sibling) under $HOME, which is realistic and outside every system/scratch allowlist, and derive the sibling from the real cwd instead of hardcoding /tmp. With this, all three prefix-sibling variants are correctly refused. Off tmpfs, the hardlink case (a cross-device link fails to create on tmpfs) now actually runs and reads through — a genuine gap in path-based enforcement, since an in-jail hardlink resolves to an in-bounds path. Report it as a [known] limitation rather than a leak so the suite's pass/fail stays about the escapes the jail claims to stop. Closing it needs inode-level checks; out of scope here. make adversary: 17 blocked, 0 LEAKED, exit 0.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
The eBPF-LSM breakout self-test (
make adversary) jailed the test process under/tmp/agent-lock-adv. But/tmp/is a blanket system-read prefix in the kernel program (sys_prefixes[]insrc/bpf/jail.bpf.c), so anything under/tmpis allowed as a benign scratch read regardless of the jail boundary.That interacted badly with the prefix-sibling test added in #1:
/tmp/agent-lock-adv2/secret.txtwas allowed — not because the boundary check failed, but becauseis_system_path()matched/tmp/. So the suite reported aLEAKandmake adversaryexited non-zero even though the boundary fix from #1 is correct.Change (test-only)
$HOMEinstead of/tmp— realistic (real jailed projects live in home, not/tmp) and outside every system/scratch allowlist, so the boundary check is what's actually exercised./tmp, so it holds wherever the launcher puts the jail.[known]limitation rather than a pass/fail leak. Off tmpfs the cross-device hardlink now actually creates and reads through — a genuine gap in path-based enforcement (an in-jail hardlink resolves to an in-bounds path viabpf_d_path). Closing it needs inode-level checks and is out of scope for a test fix. It stays visible in the output; it just doesn't fail the run.No changes to
src/bpf/jail.bpf.corsrc/lib/classify.js— the enforcement logic is untouched.Verification
Built and ran on Linux (kernel 6.12,
bpfLSM active):Follow-up (not in this PR)
The hardlink vector is a real, pre-existing escape (confirmed present before #1). Closing it — or explicitly documenting it under a README "Known limitations" — is worth a separate PR.