1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
// mount() syscall - Filesystem Manipulation Attack
//
// WHY MOUNT IS DANGEROUS IN SANDBOXES:
// The mount() syscall allows attaching filesystems to the directory tree.
// In a sandbox context, this can be used to:
// - Overlay sensitive files with attacker-controlled content
// - Access devices that should be restricted
// - Escape chroot/pivot_root by mounting the real root
// - Mount procfs/sysfs to gain kernel information
//
// CVEs INVOLVING MOUNT:
// - CVE-2022-0492: Mount cgroupfs to escape via release_agent
// - CVE-2022-0185: Requires mount capability in user namespace
// - Various Docker/container escapes using privileged mounts
//
// ATTACK VECTORS:
// 1. mount("none", "/tmp", "tmpfs", 0, NULL) - Create arbitrary tmpfs
// 2. mount("/dev/sda1", "/mnt", "ext4", 0, NULL) - Access host disks
// 3. mount("proc", "/proc", "proc", 0, NULL) - Access kernel info
// 4. mount("overlay", "/", "overlay", 0, opts) - Overlay root filesystem
//
// WHY BLOCK IT:
// 1. No legitimate use case for mounting in sandboxed code execution
// 2. Even with user namespaces, mount can be dangerous
// 3. Enables many container escape techniques
// 4. Bypasses filesystem isolation (Landlock)
//
// WHY THIS PAYLOAD:
// This payload attempts to call mount(). A secure sandbox must block
// this syscall entirely via seccomp.
//
// EXPECTED RESULT:
// Sandbox should kill the process with SIGSYS (signal 31) when
// mount() is attempted, as it's not in the syscall whitelist.
//
// REFERENCES:
// - https://man7.org/linux/man-pages/man2/mount.2.html
// - https://unit42.paloaltonetworks.com/cve-2022-0492-cgroups/
//
int