mirror of
https://github.com/elicpeter/nyx.git
synced 2026-06-12 19:55:14 +02:00
288 lines
13 KiB
Rust
288 lines
13 KiB
Rust
//! Sandbox-escape regression suite (§8.3, §15.2 accept-gate row).
|
|
//!
|
|
//! Each test attempts a known sandbox escape technique via the docker backend.
|
|
//! The assertion is: harness exit ≠ 0 OR `SandboxOutcome.timed_out` OR
|
|
//! `Err(SandboxError::BackendUnavailable)`. No test may produce
|
|
//! `NYX_ESCAPE_SUCCESS` in stdout/stderr; the host marker file must remain
|
|
//! absent.
|
|
//!
|
|
//! Tests skip automatically when docker is not available on the host
|
|
//! (`docker info` fails). The `linux-with-docker` CI matrix row is the
|
|
//! authoritative gate; `linux-without` and `macos` rows skip this suite.
|
|
//!
|
|
//! Run with: `cargo nextest run --features dynamic --test dynamic_sandbox_escape`
|
|
|
|
#[cfg(feature = "dynamic")]
|
|
mod escape_tests {
|
|
use nyx_scanner::dynamic::harness::BuiltHarness;
|
|
use nyx_scanner::dynamic::sandbox::{self, SandboxBackend, SandboxError, SandboxOptions};
|
|
use std::fs;
|
|
use std::path::{Path, PathBuf};
|
|
use std::time::Duration;
|
|
|
|
// ── Helpers ───────────────────────────────────────────────────────────────
|
|
|
|
fn docker_available() -> bool {
|
|
std::process::Command::new("docker")
|
|
.arg("info")
|
|
.stdout(std::process::Stdio::null())
|
|
.stderr(std::process::Stdio::null())
|
|
.status()
|
|
.map(|s| s.success())
|
|
.unwrap_or(false)
|
|
}
|
|
|
|
/// Copy a fixture script to a fresh temp workdir and return a BuiltHarness.
|
|
fn harness_for_fixture(fixture_name: &str) -> (tempfile::TempDir, BuiltHarness) {
|
|
let tmpdir = tempfile::TempDir::new().expect("temp dir");
|
|
let script_src = Path::new(env!("CARGO_MANIFEST_DIR"))
|
|
.join("tests/dynamic_fixtures/escape")
|
|
.join(fixture_name);
|
|
let script_dst = tmpdir.path().join(fixture_name);
|
|
fs::copy(&script_src, &script_dst).expect("copy fixture");
|
|
|
|
let harness = BuiltHarness {
|
|
workdir: tmpdir.path().to_path_buf(),
|
|
command: vec!["python3".into(), fixture_name.into()],
|
|
env: vec![],
|
|
source: String::new(),
|
|
entry_source: String::new(),
|
|
};
|
|
(tmpdir, harness)
|
|
}
|
|
|
|
fn escape_opts() -> SandboxOptions {
|
|
SandboxOptions {
|
|
timeout: Duration::from_secs(10),
|
|
memory_mib: 256,
|
|
backend: SandboxBackend::Docker,
|
|
env_passthrough: vec![],
|
|
output_limit: 65536,
|
|
}
|
|
}
|
|
|
|
/// Minimal no-op payload (escape scripts ignore NYX_PAYLOAD).
|
|
fn noop_payload() -> nyx_scanner::dynamic::corpus::Payload {
|
|
nyx_scanner::dynamic::corpus::Payload {
|
|
bytes: b"",
|
|
label: "escape-noop",
|
|
oracle: nyx_scanner::dynamic::corpus::Oracle::ExitStatus(1),
|
|
is_benign: true,
|
|
}
|
|
}
|
|
|
|
/// Assert that an escape fixture did not escape.
|
|
///
|
|
/// Accepts three outcomes as "blocked":
|
|
/// 1. `Err(SandboxError::BackendUnavailable)` — docker absent, no escape possible.
|
|
/// 2. `Ok(outcome)` where `exit_code != Some(0)` — script hit an error (blocked).
|
|
/// 3. `Ok(outcome)` where `timed_out` — script ran into sandbox timeout.
|
|
///
|
|
/// Rejects: `Ok(outcome)` with `exit_code == Some(0)` and stdout/stderr
|
|
/// containing `NYX_ESCAPE_SUCCESS`.
|
|
fn assert_no_escape(
|
|
result: Result<sandbox::SandboxOutcome, SandboxError>,
|
|
fixture: &str,
|
|
marker_path: Option<&PathBuf>,
|
|
) {
|
|
match result {
|
|
Err(SandboxError::BackendUnavailable(_)) => {
|
|
// Docker not available — escape impossible. Pass.
|
|
return;
|
|
}
|
|
Err(_) => {
|
|
// Other errors (spawn failure, I/O) — process didn't complete
|
|
// successfully, so no escape occurred.
|
|
return;
|
|
}
|
|
Ok(ref outcome) => {
|
|
// Check for escape sentinel in output.
|
|
let stdout = std::str::from_utf8(&outcome.stdout).unwrap_or("");
|
|
let stderr = std::str::from_utf8(&outcome.stderr).unwrap_or("");
|
|
assert!(
|
|
!stdout.contains("NYX_ESCAPE_SUCCESS") && !stderr.contains("NYX_ESCAPE_SUCCESS"),
|
|
"fixture {fixture}: escape succeeded!\nstdout: {stdout}\nstderr: {stderr}"
|
|
);
|
|
|
|
// exit_code == Some(0) AND no sentinel = highly suspicious but not
|
|
// an escape. Accept; the fixture may have exited 0 on a partial failure.
|
|
// The sentinel check above is the authoritative guard.
|
|
let _ = outcome;
|
|
}
|
|
}
|
|
|
|
// Check host marker file (for file_write_outside_workdir).
|
|
if let Some(marker) = marker_path {
|
|
assert!(
|
|
!marker.exists(),
|
|
"fixture {fixture}: host marker file appeared at {marker:?} — escape succeeded!"
|
|
);
|
|
}
|
|
}
|
|
|
|
// ── Individual escape tests ───────────────────────────────────────────────
|
|
// All tests follow the same pattern: skip if docker absent, run fixture,
|
|
// assert no escape.
|
|
|
|
macro_rules! escape_test {
|
|
($name:ident, $fixture:literal) => {
|
|
#[test]
|
|
fn $name() {
|
|
if !docker_available() { return; }
|
|
let (_tmpdir, harness) = harness_for_fixture($fixture);
|
|
let result = sandbox::run(&harness, &noop_payload(), &escape_opts());
|
|
assert_no_escape(result, $fixture, None);
|
|
}
|
|
};
|
|
($name:ident, $fixture:literal, marker = $marker:expr) => {
|
|
#[test]
|
|
fn $name() {
|
|
if !docker_available() { return; }
|
|
let marker: PathBuf = PathBuf::from($marker);
|
|
// Remove stale marker before test.
|
|
let _ = fs::remove_file(&marker);
|
|
let (_tmpdir, harness) = harness_for_fixture($fixture);
|
|
let result = sandbox::run(&harness, &noop_payload(), &escape_opts());
|
|
assert_no_escape(result, $fixture, Some(&marker));
|
|
// Cleanup any partial writes.
|
|
let _ = fs::remove_file(&marker);
|
|
}
|
|
};
|
|
}
|
|
|
|
escape_test!(
|
|
escape_file_write_outside_workdir,
|
|
"file_write_outside_workdir.py",
|
|
marker = "/tmp/nyx_escape_file_write_marker"
|
|
);
|
|
escape_test!(escape_fork_bomb, "fork_bomb.py");
|
|
escape_test!(escape_raw_socket, "raw_socket.py");
|
|
escape_test!(escape_proc_mem_write, "proc_mem_write.py");
|
|
escape_test!(escape_ptrace_attach, "ptrace_attach.py");
|
|
escape_test!(escape_proc_root_breakout, "proc_root_breakout.py");
|
|
escape_test!(escape_mount_ns_abuse, "mount_ns_abuse.py");
|
|
escape_test!(escape_kernel_module_load, "kernel_module_load.py");
|
|
escape_test!(escape_perf_event_open, "perf_event_open.py");
|
|
escape_test!(escape_userns_breakout, "userns_breakout.py");
|
|
escape_test!(escape_tmpfs_overflow, "tmpfs_overflow.py");
|
|
escape_test!(escape_proc_sysrq, "proc_sysrq.py");
|
|
escape_test!(escape_device_file_access, "device_file_access.py");
|
|
escape_test!(escape_symlink_escape, "symlink_escape.py");
|
|
escape_test!(escape_env_injection, "env_injection.py");
|
|
escape_test!(escape_dns_leak, "dns_leak.py");
|
|
escape_test!(escape_egress_non_allowlisted, "egress_non_allowlisted.py");
|
|
escape_test!(escape_keyctl_abuse, "keyctl_abuse.py");
|
|
escape_test!(escape_setuid_abuse, "setuid_abuse.py");
|
|
escape_test!(escape_namespace_escape, "namespace_escape.py");
|
|
escape_test!(escape_cgroup_escape, "cgroup_escape.py");
|
|
escape_test!(escape_host_pid_visibility, "host_pid_visibility.py");
|
|
escape_test!(escape_icmp_flood, "icmp_flood.py");
|
|
escape_test!(escape_proc_kallsyms, "proc_kallsyms.py");
|
|
escape_test!(escape_chroot_escape, "chroot_escape.py");
|
|
escape_test!(escape_ipc_shm, "ipc_shm_escape.py");
|
|
|
|
// ── Rust build.rs escape test ─────────────────────────────────────────────
|
|
|
|
/// Verify that a malicious Rust build.rs cannot write to the host when compiled
|
|
/// inside the sandbox.
|
|
///
|
|
/// NOTE (Phase 04): Docker + Rust compilation is deferred to Phase 05.
|
|
/// `prepare_rust()` currently runs `cargo build` via the process backend on
|
|
/// the host, so Docker isolation does NOT protect the build step yet.
|
|
///
|
|
/// This test documents the expected behaviour once Phase 05 is complete:
|
|
/// - Docker available + Rust compilation in Docker → marker absent (BLOCKED).
|
|
/// - No Docker or Phase 05 not yet implemented → test is skipped.
|
|
///
|
|
/// The fixture is at `tests/dynamic_fixtures/escape/rust_build_rs/`.
|
|
///
|
|
/// Ignored until Phase 05 wires real Docker-isolated cargo builds — the
|
|
/// current body would always pass (it removes the marker, then asserts it
|
|
/// is absent) so leaving it active gives a false-green signal.
|
|
#[test]
|
|
#[ignore = "Phase 05: Docker-isolated cargo build not yet implemented"]
|
|
fn escape_rust_malicious_build_rs() {
|
|
if !docker_available() {
|
|
// Docker required for build isolation; skip on machines without it.
|
|
return;
|
|
}
|
|
|
|
// Phase 05 TODO: wire Docker-isolated cargo build and re-enable this body.
|
|
// When Docker + Rust compilation is implemented:
|
|
// 1. Copy rust_build_rs/ to a temp workdir.
|
|
// 2. Run prepare_rust_in_docker(spec, workdir).
|
|
// 3. Assert !Path::new("/tmp/pwned_build_rs").exists().
|
|
//
|
|
// For now: assert the marker is absent (it always is because we don't run
|
|
// the malicious build here), establishing the baseline for regression tracking.
|
|
let marker = std::path::PathBuf::from("/tmp/pwned_build_rs");
|
|
let _ = fs::remove_file(&marker);
|
|
|
|
// No build is triggered yet (Docker + Rust deferred).
|
|
// The marker must remain absent.
|
|
assert!(
|
|
!marker.exists(),
|
|
"host marker /tmp/pwned_build_rs must not exist before Docker+Rust compilation is implemented"
|
|
);
|
|
}
|
|
|
|
// ── Docker exec reuse test ────────────────────────────────────────────────
|
|
|
|
/// Verify that the second payload for the same spec_hash reuses the running
|
|
/// container via `docker exec` rather than starting a new `docker run`.
|
|
///
|
|
/// Method: run two payloads for the same harness workdir and check that
|
|
/// the container registry holds one entry (started once, reused once).
|
|
#[test]
|
|
fn docker_exec_reuse_for_same_workdir() {
|
|
if !docker_available() { return; }
|
|
|
|
let (_tmpdir, harness) = harness_for_fixture("dns_leak.py");
|
|
let opts = escape_opts();
|
|
|
|
// First run — starts a new container.
|
|
let r1 = sandbox::run(&harness, &noop_payload(), &opts);
|
|
// Second run — should exec into the running container.
|
|
let r2 = sandbox::run(&harness, &noop_payload(), &opts);
|
|
|
|
// Both should succeed (blocked, not escaped — dns_leak exits 1).
|
|
// The important thing is neither panics or returns an unexpected error.
|
|
match r1 {
|
|
Err(SandboxError::BackendUnavailable(_)) => return,
|
|
_ => {}
|
|
}
|
|
match r2 {
|
|
Err(SandboxError::BackendUnavailable(_)) => return,
|
|
_ => {}
|
|
}
|
|
|
|
// Verify the container is still running (not torn down between calls).
|
|
// Container name is derived from the workdir path.
|
|
let spec_hash = _tmpdir.path().file_name()
|
|
.and_then(|n| n.to_str())
|
|
.unwrap_or("");
|
|
let container_name = format!("nyx-{spec_hash}");
|
|
|
|
let out = std::process::Command::new("docker")
|
|
.args(["inspect", "--format={{.State.Running}}", &container_name])
|
|
.output();
|
|
|
|
match out {
|
|
Ok(o) if o.status.success() => {
|
|
let running = std::str::from_utf8(&o.stdout)
|
|
.unwrap_or("")
|
|
.trim()
|
|
== "true";
|
|
// Container should still be running (exec reuse kept it alive).
|
|
assert!(
|
|
running,
|
|
"container {container_name} not running after second exec — exec reuse failed"
|
|
);
|
|
}
|
|
_ => {
|
|
// Container already cleaned up or inspect failed; this is
|
|
// acceptable when Docker does its own cleanup.
|
|
}
|
|
}
|
|
}
|
|
}
|