Summary
The seccomp BPF filter in crates/openshell-sandbox/src/sandbox/linux/seccomp.rs (lines 37–65) only blocks SYS_socket for specific address families (AF_PACKET, AF_BLUETOOTH, AF_VSOCK, and optionally AF_INET/AF_INET6/AF_NETLINK). The default action is SeccompAction::Allow.
The following dangerous syscalls are not blocked:
ptrace — attach to sibling processes, read memory, inject code
mount / umount2 / pivot_root — overlay filesystems, escape Landlock
unshare / clone (with namespace flags) — create new mount namespaces
bpf — load BPF programs
keyctl — kernel keyring manipulation
kexec_load, init_module, finit_module — kernel module loading
reboot, sethostname, setdomainname
Additionally, when NetworkMode::Allow is set (lines 16–19), the entire seccomp filter is skipped, including PR_SET_NO_NEW_PRIVS. This means setuid binaries could escalate privileges.
Impact
Severity: High
Combined with SYS_ADMIN capability (see related issue), a sandboxed process can call ptrace(PTRACE_ATTACH) on siblings, mount to overlay filesystems, or unshare(CLONE_NEWNS) to escape Landlock restrictions.
Proposed Fix
Switch to allowlist-based seccomp or add explicit blocks for high-risk syscalls
Always set PR_SET_NO_NEW_PRIVS and apply a baseline seccomp filter regardless of network mode
Block at minimum: ptrace, mount, umount2, pivot_root, chroot, unshare, clone3 (with namespace flag checks), keyctl, bpf, userfaultfd, perf_event_open
graph LR
subgraph "Current seccomp"
A[Default: ALLOW] --> B[Block AF_PACKET]
A --> C[Block AF_BLUETOOTH]
A --> D[Block AF_VSOCK]
A --> E["Everything else: ✅ allowed"]
end
subgraph "Proposed seccomp"
F[Default: ALLOW] --> G[Block dangerous sockets]
F --> H["Block ptrace, mount, unshare, bpf, keyctl"]
F --> I["Always set PR_SET_NO_NEW_PRIVS"]
end
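An added example, not code from the openshell repository: a std-only Rust model of the verdicts the proposed baseline filter should return in every network mode, usable as a test oracle for the real filter. `NetworkMode::Block`, `decide` and the errno values are assumptions. The `clone3` rule returns ENOSYS instead of checking namespace flags, because seccomp-BPF sees only register values and cannot read the flags behind `clone3`'s struct pointer.

```rust
// Added example: a model of the proposed baseline policy, not the project's code.
// NetworkMode::Block, decide() and the errno choices are assumptions.
#[derive(Clone, Copy, PartialEq, Debug)]
pub enum Action { Allow, Errno(i32) }
#[derive(Clone, Copy, PartialEq)]
pub enum NetworkMode { Allow, Block }

const EPERM: i32 = 1;
const ENOSYS: i32 = 38;
// CLONE_NEWNS | NEWCGROUP | NEWUTS | NEWIPC | NEWUSER | NEWPID | NEWNET
const NS_FLAGS: u64 = 0x0002_0000 | 0x0200_0000 | 0x0400_0000 | 0x0800_0000
    | 0x1000_0000 | 0x2000_0000 | 0x4000_0000;
// Linux address-family numbers: AF_PACKET, AF_BLUETOOTH, AF_VSOCK.
const ALWAYS_DENIED_AF: [u64; 3] = [17, 31, 40];
// AF_INET, AF_INET6, AF_NETLINK: denied only when networking is off.
const NETWORK_AF: [u64; 3] = [2, 10, 16];
// Denied in every mode; names taken from the issue's "block at minimum" list.
const BASELINE_DENY: [&str; 10] = ["ptrace", "mount", "umount2", "pivot_root", "chroot",
    "unshare", "keyctl", "bpf", "userfaultfd", "perf_event_open"];

/// Verdict for one syscall; `args` mirrors seccomp_data.args (register values only).
pub fn decide(mode: NetworkMode, syscall: &str, args: [u64; 6]) -> Action {
    // The baseline is checked first and never depends on `mode`.
    if BASELINE_DENY.contains(&syscall) {
        return Action::Errno(EPERM);
    }
    match syscall {
        // x86_64/aarch64 pass clone flags in arg 0; thread creation sets no NEW* bits.
        "clone" if (args[0] & NS_FLAGS) != 0 => Action::Errno(EPERM),
        // ENOSYS makes libc fall back to clone, where the flags are visible.
        "clone3" => Action::Errno(ENOSYS),
        "socket" => {
            let af = args[0];
            let denied = ALWAYS_DENIED_AF.contains(&af)
                || (mode == NetworkMode::Block && NETWORK_AF.contains(&af));
            if denied { Action::Errno(EPERM) } else { Action::Allow }
        }
        _ => Action::Allow,
    }
}

fn main() {
    // Constructed sample calls, all evaluated with networking allowed.
    for (name, arg0) in [("ptrace", 0u64), ("clone", 0x0002_0000), ("clone", 0x0001_0000),
                         ("clone3", 0), ("socket", 17), ("socket", 2)] {
        let verdict = decide(NetworkMode::Allow, name, [arg0, 0, 0, 0, 0, 0]);
        println!("{}({:#x}) -> {:?}", name, arg0, verdict);
    }
}
```

The model covers only the filter verdicts; setting PR_SET_NO_NEW_PRIVS before the filter is installed is a separate step that it does not represent.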