sandlock-core 0.7.0

Lightweight process sandbox using Landlock, seccomp-bpf, and seccomp user notification
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145

use sandlock_core::{Policy, Sandbox};

/// Check if user namespaces with uid mapping actually work in this environment.
/// Some CI environments (containers, restricted kernels) allow unshare but block
/// writing to /proc/self/uid_map.
fn userns_available() -> bool {
    // Fork a child that tries unshare(CLONE_NEWUSER) + uid_map write.
    let pid = unsafe { libc::fork() };
    if pid < 0 {
        return false;
    }
    if pid == 0 {
        // Child: try unshare + write uid_map
        if unsafe { libc::unshare(libc::CLONE_NEWUSER) } != 0 {
            unsafe { libc::_exit(1) };
        }
        let uid = unsafe { libc::getuid() };
        let map = format!("0 {} 1\n", uid);
        let ok = std::fs::write("/proc/self/setgroups", "deny\n").is_ok()
            && std::fs::write("/proc/self/uid_map", &map).is_ok()
            && std::fs::write("/proc/self/gid_map", &map).is_ok()
            && unsafe { libc::getuid() } == 0;
        unsafe { libc::_exit(if ok { 0 } else { 1 }) };
    }
    // Parent: wait and check exit status
    let mut status: i32 = 0;
    unsafe { libc::waitpid(pid, &mut status, 0) };
    libc::WIFEXITED(status) && libc::WEXITSTATUS(status) == 0
}

/// Test that --uid 0 makes the child appear as uid 0.
#[tokio::test]
async fn test_uid_zero() {
    if !userns_available() {
        eprintln!("Skipping: user namespaces not available in this environment");
        return;
    }

    let policy = Policy::builder()
        .fs_read("/usr")
        .fs_read("/lib")
        .fs_read_if_exists("/lib64")
        .fs_read("/bin")
        .fs_read("/etc")
        .fs_read("/proc")
        .uid(0)
        .build()
        .unwrap();

    let result = Sandbox::run(&policy, &["id", "-u"]).await.unwrap();
    assert!(result.success(), "id -u failed: {:?}", result.exit_status);
    let stdout = String::from_utf8_lossy(result.stdout.as_deref().unwrap_or_default());
    assert_eq!(stdout.trim(), "0", "Expected uid 0, got: {:?}", stdout.trim());
}

/// Test that --uid 0 makes the child appear as gid 0.
#[tokio::test]
async fn test_uid_zero_gid_zero() {
    if !userns_available() {
        eprintln!("Skipping: user namespaces not available in this environment");
        return;
    }

    let policy = Policy::builder()
        .fs_read("/usr")
        .fs_read("/lib")
        .fs_read_if_exists("/lib64")
        .fs_read("/bin")
        .fs_read("/etc")
        .fs_read("/proc")
        .uid(0)
        .build()
        .unwrap();

    let result = Sandbox::run(&policy, &["id", "-g"]).await.unwrap();
    assert!(result.success(), "id -g failed: {:?}", result.exit_status);
    let stdout = String::from_utf8_lossy(result.stdout.as_deref().unwrap_or_default());
    assert_eq!(stdout.trim(), "0", "Expected gid 0, got: {:?}", stdout.trim());
}

/// Test that without --uid, uid is NOT 0 (assuming tests don't run as root).
#[tokio::test]
async fn test_no_uid_keeps_real_uid() {
    let policy = Policy::builder()
        .fs_read("/usr")
        .fs_read("/lib")
        .fs_read_if_exists("/lib64")
        .fs_read("/bin")
        .fs_read("/etc")
        .fs_read("/proc")
        .build()
        .unwrap();

    let result = Sandbox::run(&policy, &["id", "-u"]).await.unwrap();
    assert!(result.success());
    let stdout = String::from_utf8_lossy(result.stdout.as_deref().unwrap_or_default());
    // If running as root already, skip this check
    if unsafe { libc::getuid() } != 0 {
        assert_ne!(stdout.trim(), "0", "Without --uid, uid should not be 0");
    }
}

/// Test that --uid 0 doesn't break basic command execution.
#[tokio::test]
async fn test_uid_zero_echo() {
    let policy = Policy::builder()
        .fs_read("/usr")
        .fs_read("/lib")
        .fs_read_if_exists("/lib64")
        .fs_read("/bin")
        .fs_read("/etc")
        .uid(0)
        .build()
        .unwrap();

    let result = Sandbox::run(&policy, &["echo", "hello"]).await.unwrap();
    assert!(result.success());
    let stdout = String::from_utf8_lossy(result.stdout.as_deref().unwrap_or_default());
    assert_eq!(stdout.trim(), "hello");
}

/// Test that --uid 1000 maps to the expected UID inside the namespace.
#[tokio::test]
async fn test_uid_custom() {
    if !userns_available() {
        eprintln!("Skipping: user namespaces not available in this environment");
        return;
    }

    let policy = Policy::builder()
        .fs_read("/usr")
        .fs_read("/lib")
        .fs_read_if_exists("/lib64")
        .fs_read("/bin")
        .fs_read("/etc")
        .fs_read("/proc")
        .uid(1000)
        .build()
        .unwrap();

    let result = Sandbox::run(&policy, &["id", "-u"]).await.unwrap();
    assert!(result.success(), "id -u failed: {:?}", result.exit_status);
    let stdout = String::from_utf8_lossy(result.stdout.as_deref().unwrap_or_default());
    assert_eq!(stdout.trim(), "1000", "Expected uid 1000, got: {:?}", stdout.trim());
}