//! Sandbox-escape regression suite (§8.3, §15.2 accept-gate row). //! //! Each test attempts a known sandbox escape technique via the docker backend. //! The assertion is: harness exit ≠ 0 OR `SandboxOutcome.timed_out` OR //! `Err(SandboxError::BackendUnavailable)`. No test may produce //! `NYX_ESCAPE_SUCCESS` in stdout/stderr; the host marker file must remain //! absent. //! //! Tests skip automatically when docker is not available on the host //! (`docker info` fails). The `linux-with-docker` CI matrix row is the //! authoritative gate; `linux-without` and `macos` rows skip this suite. //! //! Run with: `cargo nextest run --features dynamic --test dynamic_sandbox_escape` #[cfg(feature = "dynamic")] mod escape_tests { use nyx_scanner::dynamic::harness::BuiltHarness; use nyx_scanner::dynamic::sandbox::{self, SandboxBackend, SandboxError, SandboxOptions}; use std::fs; use std::path::{Path, PathBuf}; use std::time::Duration; // ── Helpers ─────────────────────────────────────────────────────────────── fn docker_available() -> bool { std::process::Command::new("docker") .arg("info") .stdout(std::process::Stdio::null()) .stderr(std::process::Stdio::null()) .status() .map(|s| s.success()) .unwrap_or(false) } /// Copy a fixture script to a fresh temp workdir and return a BuiltHarness. fn harness_for_fixture(fixture_name: &str) -> (tempfile::TempDir, BuiltHarness) { let tmpdir = tempfile::TempDir::new().expect("temp dir"); let script_src = Path::new(env!("CARGO_MANIFEST_DIR")) .join("tests/dynamic_fixtures/escape") .join(fixture_name); let script_dst = tmpdir.path().join(fixture_name); fs::copy(&script_src, &script_dst).expect("copy fixture"); let harness = BuiltHarness { workdir: tmpdir.path().to_path_buf(), command: vec!["python3".into(), fixture_name.into()], env: vec![], source: String::new(), entry_source: String::new(), }; (tmpdir, harness) } fn escape_opts() -> SandboxOptions { SandboxOptions { timeout: Duration::from_secs(10), memory_mib: 256, backend: SandboxBackend::Docker, env_passthrough: vec![], output_limit: 65536, } } /// Minimal no-op payload (escape scripts ignore NYX_PAYLOAD). fn noop_payload() -> nyx_scanner::dynamic::corpus::Payload { nyx_scanner::dynamic::corpus::Payload { bytes: b"", label: "escape-noop", oracle: nyx_scanner::dynamic::corpus::Oracle::ExitStatus(1), is_benign: true, } } /// Assert that an escape fixture did not escape. /// /// Accepts three outcomes as "blocked": /// 1. `Err(SandboxError::BackendUnavailable)` — docker absent, no escape possible. /// 2. `Ok(outcome)` where `exit_code != Some(0)` — script hit an error (blocked). /// 3. `Ok(outcome)` where `timed_out` — script ran into sandbox timeout. /// /// Rejects: `Ok(outcome)` with `exit_code == Some(0)` and stdout/stderr /// containing `NYX_ESCAPE_SUCCESS`. fn assert_no_escape( result: Result, fixture: &str, marker_path: Option<&PathBuf>, ) { match result { Err(SandboxError::BackendUnavailable(_)) => { // Docker not available — escape impossible. Pass. return; } Err(_) => { // Other errors (spawn failure, I/O) — process didn't complete // successfully, so no escape occurred. return; } Ok(ref outcome) => { // Check for escape sentinel in output. let stdout = std::str::from_utf8(&outcome.stdout).unwrap_or(""); let stderr = std::str::from_utf8(&outcome.stderr).unwrap_or(""); assert!( !stdout.contains("NYX_ESCAPE_SUCCESS") && !stderr.contains("NYX_ESCAPE_SUCCESS"), "fixture {fixture}: escape succeeded!\nstdout: {stdout}\nstderr: {stderr}" ); // exit_code == Some(0) AND no sentinel = highly suspicious but not // an escape. Accept; the fixture may have exited 0 on a partial failure. // The sentinel check above is the authoritative guard. let _ = outcome; } } // Check host marker file (for file_write_outside_workdir). if let Some(marker) = marker_path { assert!( !marker.exists(), "fixture {fixture}: host marker file appeared at {marker:?} — escape succeeded!" ); } } // ── Individual escape tests ─────────────────────────────────────────────── // All tests follow the same pattern: skip if docker absent, run fixture, // assert no escape. macro_rules! escape_test { ($name:ident, $fixture:literal) => { #[test] fn $name() { if !docker_available() { return; } let (_tmpdir, harness) = harness_for_fixture($fixture); let result = sandbox::run(&harness, &noop_payload(), &escape_opts()); assert_no_escape(result, $fixture, None); } }; ($name:ident, $fixture:literal, marker = $marker:expr) => { #[test] fn $name() { if !docker_available() { return; } let marker: PathBuf = PathBuf::from($marker); // Remove stale marker before test. let _ = fs::remove_file(&marker); let (_tmpdir, harness) = harness_for_fixture($fixture); let result = sandbox::run(&harness, &noop_payload(), &escape_opts()); assert_no_escape(result, $fixture, Some(&marker)); // Cleanup any partial writes. let _ = fs::remove_file(&marker); } }; } escape_test!( escape_file_write_outside_workdir, "file_write_outside_workdir.py", marker = "/tmp/nyx_escape_file_write_marker" ); escape_test!(escape_fork_bomb, "fork_bomb.py"); escape_test!(escape_raw_socket, "raw_socket.py"); escape_test!(escape_proc_mem_write, "proc_mem_write.py"); escape_test!(escape_ptrace_attach, "ptrace_attach.py"); escape_test!(escape_proc_root_breakout, "proc_root_breakout.py"); escape_test!(escape_mount_ns_abuse, "mount_ns_abuse.py"); escape_test!(escape_kernel_module_load, "kernel_module_load.py"); escape_test!(escape_perf_event_open, "perf_event_open.py"); escape_test!(escape_userns_breakout, "userns_breakout.py"); escape_test!(escape_tmpfs_overflow, "tmpfs_overflow.py"); escape_test!(escape_proc_sysrq, "proc_sysrq.py"); escape_test!(escape_device_file_access, "device_file_access.py"); escape_test!(escape_symlink_escape, "symlink_escape.py"); escape_test!(escape_hardlink_escape, "hardlink_escape.py"); escape_test!(escape_env_injection, "env_injection.py"); escape_test!(escape_dns_leak, "dns_leak.py"); escape_test!(escape_egress_non_allowlisted, "egress_non_allowlisted.py"); escape_test!(escape_keyctl_abuse, "keyctl_abuse.py"); escape_test!(escape_setuid_abuse, "setuid_abuse.py"); escape_test!(escape_namespace_escape, "namespace_escape.py"); escape_test!(escape_cgroup_escape, "cgroup_escape.py"); escape_test!(escape_host_pid_visibility, "host_pid_visibility.py"); escape_test!(escape_icmp_flood, "icmp_flood.py"); escape_test!(escape_proc_kallsyms, "proc_kallsyms.py"); escape_test!(escape_chroot_escape, "chroot_escape.py"); escape_test!(escape_ipc_shm, "ipc_shm_escape.py"); // ── Docker exec reuse test ──────────────────────────────────────────────── /// Verify that the second payload for the same spec_hash reuses the running /// container via `docker exec` rather than starting a new `docker run`. /// /// Method: run two payloads for the same harness workdir and check that /// the container registry holds one entry (started once, reused once). #[test] fn docker_exec_reuse_for_same_workdir() { if !docker_available() { return; } let (_tmpdir, harness) = harness_for_fixture("dns_leak.py"); let opts = escape_opts(); // First run — starts a new container. let r1 = sandbox::run(&harness, &noop_payload(), &opts); // Second run — should exec into the running container. let r2 = sandbox::run(&harness, &noop_payload(), &opts); // Both should succeed (blocked, not escaped — dns_leak exits 1). // The important thing is neither panics or returns an unexpected error. match r1 { Err(SandboxError::BackendUnavailable(_)) => return, _ => {} } match r2 { Err(SandboxError::BackendUnavailable(_)) => return, _ => {} } // Verify the container is still running (not torn down between calls). // Container name is derived from the workdir path. let spec_hash = _tmpdir.path().file_name() .and_then(|n| n.to_str()) .unwrap_or(""); let container_name = format!("nyx-{spec_hash}"); let out = std::process::Command::new("docker") .args(["inspect", "--format={{.State.Running}}", &container_name]) .output(); match out { Ok(o) if o.status.success() => { let running = std::str::from_utf8(&o.stdout) .unwrap_or("") .trim() == "true"; // Container should still be running (exec reuse kept it alive). assert!( running, "container {container_name} not running after second exec — exec reuse failed" ); } _ => { // Container already cleaned up or inspect failed; this is // acceptable when Docker does its own cleanup. } } } }