[pitboss] sweep after phase 04: 3 deferred items resolved
This commit is contained in:
parent
3ffe480660
commit
84638e7d57
6 changed files with 184 additions and 28 deletions
@ -0,0 +1,26 @@
|
|||
"""Positive control: verify the escape-detection mechanism itself.
|
||||
|
||||
Writes to /proc/sysrq-trigger, which requires CAP_SYS_ADMIN. This fixture
|
||||
is expected to SUCCEED (print NYX_ESCAPE_SUCCESS) when run in a privileged
|
||||
container (--cap-add=SYS_ADMIN) and to FAIL when run with --cap-drop=ALL.
|
||||
|
||||
CI usage (escape-positive-control job):
|
||||
Run under a container started with --cap-add=SYS_ADMIN.
|
||||
Assert NYX_ESCAPE_SUCCESS appears in output.
|
||||
If it does NOT appear, the test mechanism is broken or the capability
|
||||
was not granted, and the CI job fails.
|
||||
|
||||
Normal escape suite: this fixture is NOT included. The positive control test
|
||||
(positive_control_cap_sys_admin in dynamic_sandbox_escape.rs) is #[ignore]d
|
||||
and only un-ignored in the dedicated escape-positive-control CI job.
|
||||
"""
|
||||
import sys
|
||||
|
||||
try:
|
||||
with open("/proc/sysrq-trigger", "w") as f:
|
||||
f.write("h") # 'h' = print help, harmless
|
||||
print("NYX_ESCAPE_SUCCESS: CAP_SYS_ADMIN active, wrote to /proc/sysrq-trigger")
|
||||
sys.exit(0)
|
||||
except (PermissionError, OSError) as e:
|
||||
print(f"BLOCKED: CAP_SYS_ADMIN not present: {e}", file=sys.stderr)
|
||||
sys.exit(1)
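Review bot: The failure branch `except (PermissionError, OSError) as e:` reports every OSError as `CAP_SYS_ADMIN not present`, but under a default Docker/OCI runtime configuration `/proc/sysrq-trigger` is typically one of the runtime's read-only paths, so a container started with only `--cap-add=SYS_ADMIN` can still fail the write with EROFS and the positive-control job would then fail for a reason the log does not name. Print the errno so the two cases are distinguishable, e.g. `print(f"BLOCKED: write to /proc/sysrq-trigger failed ({errno.errorcode.get(e.errno, e.errno)}): {e}", file=sys.stderr)` with `import errno`, and extend the docstring sentence `If it does NOT appear, the test mechanism is broken or the capability was not granted` with the read-only mask as a third cause the CI job must relax. `PermissionError` is a subclass of `OSError`, so the tuple reduces to `except OSError as e:`.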
|
||||
|
|
@ -1,9 +1,21 @@
|
|||
"""Escape attempt: open /dev/mem to read physical memory.
|
||||
|
||||
Requires CAP_SYS_RAWIO. Expected outcome: PermissionError.
|
||||
Requires CAP_SYS_RAWIO (and typically root). With --cap-drop=ALL and
|
||||
--user 65534:65534, both privilege escalation (setuid) and device access
|
||||
are blocked by distinct kernel checks, exercising two security layers.
|
||||
"""
|
||||
import os
|
||||
import sys
|
||||
|
||||
# Attempt privilege escalation first (tests CAP_SETUID independently).
|
||||
# With --cap-drop=ALL, setuid(0) requires CAP_SETUID — also dropped.
|
||||
if os.getuid() != 0:
|
||||
try:
|
||||
os.setuid(0)
|
||||
except (PermissionError, OSError) as e:
|
||||
print(f"BLOCKED (setuid): {e}", file=sys.stderr)
|
||||
# Fall through: also probe /dev/mem directly to test CAP_SYS_RAWIO.
|
||||
|
||||
try:
|
||||
with open("/dev/mem", "rb") as f:
|
||||
data = f.read(64)
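Review bot: A successful `os.setuid(0)` in the new block is never reported: the probe prints only on failure, so if CAP_SETUID were present the script would silently continue to the `/dev/mem` read and the suite would notice the escalation only if that second probe also succeeded. Add an `else:` branch to the new `try`, e.g. `else:` / `print("NYX_ESCAPE_SUCCESS: setuid(0) succeeded (CAP_SETUID present)")`, so a CAP_SETUID regression is detected on its own; the sysrq-trigger fixture's hunk has the same gap. Note also that as uid 65534 the `/dev/mem` open is usually refused by the device node's mode and owner (DAC) before any CAP_SYS_RAWIO check, and an absent node raises FileNotFoundError, which the `except` outside this hunk would report as BLOCKED as well — so the docstring's "distinct kernel checks" wording may overstate what is exercised, and stating the expected errno per case would make the claim checkable. The `try` opened at `with open("/dev/mem", "rb")` continues outside the hunk.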
|
||||
@ -1,9 +1,21 @@
|
|||
"""Escape attempt: trigger kernel SysRq action via /proc/sysrq-trigger.
|
||||
|
||||
Expected outcome: PermissionError (read-only rootfs or missing CAP_SYS_ADMIN).
|
||||
Requires CAP_SYS_ADMIN (and typically root). With --cap-drop=ALL and
|
||||
--user 65534:65534, both privilege escalation (setuid) and the sysrq
|
||||
write are blocked by distinct kernel checks.
|
||||
"""
|
||||
import os
|
||||
import sys
|
||||
|
||||
# Attempt privilege escalation first (tests CAP_SETUID independently).
|
||||
# With --cap-drop=ALL, setuid(0) requires CAP_SETUID — also dropped.
|
||||
if os.getuid() != 0:
|
||||
try:
|
||||
os.setuid(0)
|
||||
except (PermissionError, OSError) as e:
|
||||
print(f"BLOCKED (setuid): {e}", file=sys.stderr)
|
||||
# Fall through: also probe /proc/sysrq-trigger to test CAP_SYS_ADMIN.
|
||||
|
||||
try:
|
||||
with open("/proc/sysrq-trigger", "w") as f:
|
||||
f.write("h") # 'h' = print help (harmless but requires access)
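Review bot: The rewritten docstring drops the read-only cause carried by the removed line `Expected outcome: PermissionError (read-only rootfs or missing CAP_SYS_ADMIN).`, yet under a default Docker/OCI configuration `/proc/sysrq-trigger` is typically among the runtime's read-only paths, so the write fails with EROFS (or, as uid 65534, EACCES from the 0200 root-owned file) before CAP_SYS_ADMIN is consulted at all. Restore that cause in the new docstring, e.g. `Expected outcome: OSError — EROFS from the runtime's read-only /proc mask, EACCES from file mode as uid 65534, or EPERM when only CAP_SYS_ADMIN is missing.` so a reader knows which layer the BLOCKED result actually came from. The `try` opened at `with open("/proc/sysrq-trigger", "w")` continues outside the hunk.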
|
||||