harden sandbox isolation default user and vsock peer policy

lightsofapollo · lightsofapollo · commit 2713e82e0ba8 · 2026-02-24T11:38:52.000-07:00
diff --git a/crates/vz-guest-agent/src/listener.rs b/crates/vz-guest-agent/src/listener.rs
@@ -14,6 +14,7 @@ use std::sync::Arc;
 use std::task::{Context, Poll};
 
 use tokio::io::{AsyncRead, AsyncWrite};
+use tracing::warn;
 use tonic::transport::server::Connected;
 
 /// AF_VSOCK listener that accepts connections from the host.
@@ -85,6 +86,8 @@ struct SockaddrVm {
 
 /// VMADDR_CID_ANY: accept connections from any CID (i.e., the host).
 const VMADDR_CID_ANY: u32 = u32::MAX; // -1 as u32
+/// VMADDR_CID_HOST: standard host CID for AF_VSOCK.
+const VMADDR_CID_HOST: u32 = 2;
 
 /// AF_VSOCK address family on macOS.
 #[cfg(target_os = "macos")]
@@ -165,40 +168,82 @@ impl VsockListener {
 
         let listener_fd = self.fd.as_raw_fd();
 
-        // Use tokio's blocking task pool for the accept() syscall since
-        // we can't easily register a vsock fd with epoll/kqueue through tokio.
-        let conn_fd = tokio::task::spawn_blocking(move || -> io::Result<RawFd> {
-            let mut addr: SockaddrVm = unsafe { std::mem::zeroed() };
-            let mut addr_len = std::mem::size_of::<SockaddrVm>() as libc::socklen_t;
-
-            // SAFETY: accept() with a valid listening fd.
-            let fd = unsafe {
-                libc::accept(
-                    listener_fd,
-                    &mut addr as *mut SockaddrVm as *mut libc::sockaddr,
-                    &mut addr_len,
-                )
-            };
-            if fd < 0 {
-                return Err(io::Error::last_os_error());
+        loop {
+            // Use tokio's blocking task pool for the accept() syscall since
+            // we can't easily register a vsock fd with epoll/kqueue through tokio.
+            let (conn_fd, source_cid) = tokio::task::spawn_blocking(
+                move || -> io::Result<(RawFd, u32)> {
+                    let mut addr: SockaddrVm = unsafe { std::mem::zeroed() };
+                    let mut addr_len = std::mem::size_of::<SockaddrVm>() as libc::socklen_t;
+
+                    // SAFETY: accept() with a valid listening fd.
+                    let fd = unsafe {
+                        libc::accept(
+                            listener_fd,
+                            &mut addr as *mut SockaddrVm as *mut libc::sockaddr,
+                            &mut addr_len,
+                        )
+                    };
+                    if fd < 0 {
+                        return Err(io::Error::last_os_error());
+                    }
+
+                    Ok((fd, source_cid_from_addr(&addr)))
+                },
+            )
+            .await
+            .map_err(io::Error::other)??;
+
+            if !is_host_peer(source_cid) {
+                // SAFETY: close accepted fd on explicit rejection.
+                let close_result = unsafe { libc::close(conn_fd) };
+                if close_result != 0 {
+                    warn!(
+                        source_cid = source_cid,
+                        error = %io::Error::last_os_error(),
+                        "failed to close rejected vsock connection"
+                    );
+                } else {
+                    warn!(
+                        source_cid = source_cid,
+                        "rejected vsock connection from non-host CID"
+                    );
+                }
+                continue;
             }
 
-            Ok(fd)
-        })
-        .await
-        .map_err(io::Error::other)??;
-
-        // Convert the raw fd to a tokio UnixStream for async I/O.
-        // vsock fds are regular file descriptors that support read/write,
-        // and UnixStream is the simplest tokio wrapper for arbitrary fds.
-        // SAFETY: conn_fd is a valid, newly accepted file descriptor.
-        let std_stream = unsafe { std::os::unix::net::UnixStream::from_raw_fd(conn_fd) };
-        std_stream.set_nonblocking(true)?;
-        let tokio_stream = tokio::net::UnixStream::from_std(std_stream)?;
-
-        Ok(VsockStream {
-            inner: tokio_stream,
-        })
+            // Convert the raw fd to a tokio UnixStream for async I/O.
+            // vsock fds are regular file descriptors that support read/write,
+            // and UnixStream is the simplest tokio wrapper for arbitrary fds.
+            // SAFETY: conn_fd is a valid, newly accepted file descriptor.
+            let std_stream = unsafe { std::os::unix::net::UnixStream::from_raw_fd(conn_fd) };
+            std_stream.set_nonblocking(true)?;
+            let tokio_stream = tokio::net::UnixStream::from_std(std_stream)?;
+
+            return Ok(VsockStream {
+                inner: tokio_stream,
+            });
+        }
+    }
+}
+
+fn source_cid_from_addr(addr: &SockaddrVm) -> u32 {
+    addr.svm_cid
+}
+
+fn is_host_peer(cid: u32) -> bool {
+    cid == VMADDR_CID_HOST
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn source_cid_accepted_only_for_host() {
+        assert!(is_host_peer(VMADDR_CID_HOST));
+        assert!(!is_host_peer(3));
+        assert!(!is_host_peer(1024));
     }
 }
 
diff --git a/crates/vz-sandbox/src/session.rs b/crates/vz-sandbox/src/session.rs
@@ -23,6 +23,8 @@ use vz_linux::grpc_client::{ExecOptions, GrpcAgentClient, GrpcExecStream};
 
 use crate::error::SandboxError;
 
+const DEFAULT_EXEC_USER: &str = "dev";
+
 // ---------------------------------------------------------------------------
 // SandboxSession
 // ---------------------------------------------------------------------------
@@ -164,6 +166,8 @@ impl SandboxSession {
     /// Execute a command inside the sandbox and collect all output.
     ///
     /// The command string is parsed using shell-words for proper quoting.
+    /// Commands run as the sandbox's default user (`"dev"`) unless an explicit
+    /// user is requested.
     /// The working directory is set to the project's guest-side mount path.
     ///
     /// Uses the session's default timeout if `timeout` is `None`.
@@ -212,7 +216,7 @@ impl SandboxSession {
             let options = ExecOptions {
                 working_dir: Some(self.guest_project_path.clone()),
                 env: Vec::new(),
-                user: None,
+                user: Some(DEFAULT_EXEC_USER.to_string()),
             };
             let stream = client
                 .exec_stream(command, args, options)
@@ -241,7 +245,7 @@ impl SandboxSession {
 
         debug!(
             cmd = cmd,
-            user = user,
+            user = resolve_exec_user(user),
             timeout = ?timeout,
             slot = self.slot_index,
             "exec"
@@ -252,7 +256,7 @@ impl SandboxSession {
             let options = ExecOptions {
                 working_dir: Some(self.guest_project_path.clone()),
                 env: Vec::new(),
-                user: user.map(String::from),
+                user: Some(resolve_exec_user(user).to_string()),
             };
 
             let exec_future = client.exec(command, args, options);
@@ -302,6 +306,10 @@ impl SandboxSession {
     }
 }
 
+fn resolve_exec_user(user: Option<&str>) -> &str {
+    user.unwrap_or(DEFAULT_EXEC_USER)
+}
+
 // ---------------------------------------------------------------------------
 // Tests
 // ---------------------------------------------------------------------------
@@ -422,6 +430,16 @@ mod tests {
         assert_eq!(output.exit_code, 0);
     }
 
+    #[test]
+    fn resolve_exec_user_defaults_to_dev() {
+        assert_eq!(resolve_exec_user(None), "dev");
+    }
+
+    #[test]
+    fn resolve_exec_user_preserves_explicit_override() {
+        assert_eq!(resolve_exec_user(Some("root")), "root");
+    }
+
     #[test]
     fn parse_command_complex() {
         let session = make_session();
diff --git a/planning/06-sandbox-isolation-threat-model.md b/planning/06-sandbox-isolation-threat-model.md
@@ -0,0 +1,44 @@
+# Sandbox Isolation Threat Model and Hardening Closure
+
+Status: In Review
+Owner: James Lal
+Last Updated: 2026-02-24
+
+## Scope
+
+This document covers host-guest sandbox command execution security, specifically:
+
+- `vz-sandbox` host session execution (`crates/vz-sandbox/src/session.rs`)
+- guest vsock accept path (`crates/vz-guest-agent/src/listener.rs`)
+- protocol execution defaults/fields (`vz` gRPC `ExecRequest`)
+
+## Attack Surface Inventory
+
+| Surface | Vector | Notes |
+|---|---|---|
+| Host → guest vsock endpoint | AF_VSOCK listening socket (`VDADDR_CID_ANY` bind, service port) | Any peer that reaches vsock endpoint can open a connection and attempt protocol traffic unless source-validated. |
+| Exec command dispatch | gRPC `Exec` request handling | Request carries command/args/working directory/user; user controls runtime privilege in guest. |
+| Host working directory mapping | `acquire(project_dir)` path derivation to `guest_project_path` | Inputs derived from host path passed to pool API; malformed paths can become relative path expressions. |
+| gRPC user default behavior | `user` field omitted (`None`) in execution requests | `None` currently means guest default user; implementation behavior depends on host caller. |
+| Guest process lifecycle | Process spawn + stdin/signal/teardown paths | Long-lived process handles can be abused if request identity/privilege isn't constrained. |
+
+## Findings and Closure
+
+| ID | Finding | Severity | Decision | Evidence |
+|---|---|---|---|---|
+| F-01 | Non-host peers can connect to guest listener because accept path only checks no source identity | High | Remediated | `crates/vz-guest-agent/src/listener.rs`: `source_cid` extraction and host-only acceptance logic in `accept()`. Non-host CIDs are closed and logged. |
+| F-02 | Sandbox session default exec path does not set an explicit non-root user, causing root execution when peer request omits `user` | High | Remediated | `crates/vz-sandbox/src/session.rs`: `DEFAULT_EXEC_USER = "dev"` and `resolve_exec_user(None) -> "dev"` used for default execution and `exec_streaming`. |
+| F-03 | Default-user policy is not explicitly asserted by tests | Medium | Remediated | `crates/vz-sandbox/src/session.rs`: `resolve_exec_user_*` unit tests validate default and explicit override behavior. |
+| F-04 | Guest listener allows non-host CID and does not exercise explicit host allowlist in unit tests | Medium | Remediated | `crates/vz-guest-agent/src/listener.rs`: `is_host_peer` unit test and host CID helper. |
+
+## Explicit Sign-off
+
+- Accepted Risk: None.
+- Remediations applied: F-01 through F-04.
+- Pending / open items: None for this closure.
+
+## Verification Commands
+
+- `cargo check -p vz-sandbox -p vz-guest-agent`
+- `cargo clippy -p vz-sandbox -p vz-guest-agent -- -D warnings`
+- `cargo nextest run -p vz-sandbox -p vz-guest-agent`
