mirror of
https://github.com/elicpeter/nyx.git
synced 2026-06-09 19:45:13 +02:00
30 lines
970 B
Python
30 lines
970 B
Python
"""Escape attempt: create a new user namespace to gain capabilities.
|
|
|
|
Expected outcome: EPERM (Docker no-new-privileges blocks unshare).
|
|
"""
|
|
import ctypes
|
|
import ctypes.util
|
|
import sys
|
|
|
|
CLONE_NEWUSER = 0x10000000
|
|
NR_unshare = 272 # x86_64
|
|
|
|
try:
|
|
libc_name = ctypes.util.find_library("c")
|
|
if not libc_name:
|
|
raise OSError("libc not found")
|
|
libc = ctypes.CDLL(libc_name, use_errno=True)
|
|
ret = libc.unshare(CLONE_NEWUSER)
|
|
if ret == -1:
|
|
errno = ctypes.get_errno()
|
|
raise OSError(errno, f"unshare(CLONE_NEWUSER) blocked errno={errno}")
|
|
# If we get here, we're in a new user namespace — check if we're root.
|
|
uid = libc.getuid()
|
|
if uid == 0:
|
|
print("NYX_ESCAPE_SUCCESS: gained root in new user namespace")
|
|
sys.exit(0)
|
|
print(f"PARTIAL: unshare succeeded but uid={uid}", file=sys.stderr)
|
|
sys.exit(1)
|
|
except (PermissionError, OSError) as e:
|
|
print(f"BLOCKED: {e}", file=sys.stderr)
|
|
sys.exit(1)
|