[pitboss] sweep after phase 04: 3 deferred items resolved

This commit is contained in:
pitboss 2026-05-12 01:20:51 -04:00
parent 3ffe480660
commit 84638e7d57
6 changed files with 184 additions and 28 deletions

View file

@ -0,0 +1,26 @@
"""Positive control: verify the escape-detection mechanism itself.
Writes to /proc/sysrq-trigger, which requires CAP_SYS_ADMIN. This fixture
is expected to SUCCEED (print NYX_ESCAPE_SUCCESS) when run in a privileged
container (--cap-add=SYS_ADMIN) and to FAIL when run with --cap-drop=ALL.
CI usage (escape-positive-control job):
Run under a container started with --cap-add=SYS_ADMIN.
Assert NYX_ESCAPE_SUCCESS appears in output.
If it does NOT appear, the test mechanism is broken or the capability
was not granted, and the CI job fails.
Normal escape suite: this fixture is NOT included. The positive control test
(positive_control_cap_sys_admin in dynamic_sandbox_escape.rs) is #[ignore]d
and only un-ignored in the dedicated escape-positive-control CI job.
"""
import sys
try:
with open("/proc/sysrq-trigger", "w") as f:
f.write("h") # 'h' = print help, harmless
print("NYX_ESCAPE_SUCCESS: CAP_SYS_ADMIN active, wrote to /proc/sysrq-trigger")
sys.exit(0)
except (PermissionError, OSError) as e:
print(f"BLOCKED: CAP_SYS_ADMIN not present: {e}", file=sys.stderr)
sys.exit(1)

View file

@ -1,9 +1,21 @@
"""Escape attempt: open /dev/mem to read physical memory.
Requires CAP_SYS_RAWIO. Expected outcome: PermissionError.
Requires CAP_SYS_RAWIO (and typically root). With --cap-drop=ALL and
--user 65534:65534, both privilege escalation (setuid) and device access
are blocked by distinct kernel checks, exercising two security layers.
"""
import os
import sys
# Attempt privilege escalation first (tests CAP_SETUID independently).
# With --cap-drop=ALL, setuid(0) requires CAP_SETUID — also dropped.
if os.getuid() != 0:
try:
os.setuid(0)
except (PermissionError, OSError) as e:
print(f"BLOCKED (setuid): {e}", file=sys.stderr)
# Fall through: also probe /dev/mem directly to test CAP_SYS_RAWIO.
try:
with open("/dev/mem", "rb") as f:
data = f.read(64)

View file

@ -1,9 +1,21 @@
"""Escape attempt: trigger kernel SysRq action via /proc/sysrq-trigger.
Expected outcome: PermissionError (read-only rootfs or missing CAP_SYS_ADMIN).
Requires CAP_SYS_ADMIN (and typically root). With --cap-drop=ALL and
--user 65534:65534, both privilege escalation (setuid) and the sysrq
write are blocked by distinct kernel checks.
"""
import os
import sys
# Attempt privilege escalation first (tests CAP_SETUID independently).
# With --cap-drop=ALL, setuid(0) requires CAP_SETUID — also dropped.
if os.getuid() != 0:
try:
os.setuid(0)
except (PermissionError, OSError) as e:
print(f"BLOCKED (setuid): {e}", file=sys.stderr)
# Fall through: also probe /proc/sysrq-trigger to test CAP_SYS_ADMIN.
try:
with open("/proc/sysrq-trigger", "w") as f:
f.write("h") # 'h' = print help (harmless but requires access)