Skip to content

security: fix guest-reachable sandbox issues + remove over-defense against trusted config#100

Merged
NathanFlurry merged 3 commits into
mainfrom
security/sandbox-boundary-fixes
Jun 20, 2026
Merged

security: fix guest-reachable sandbox issues + remove over-defense against trusted config#100
NathanFlurry merged 3 commits into
mainfrom
security/sandbox-boundary-fixes

Conversation

@NathanFlurry

@NathanFlurry NathanFlurry commented Jun 20, 2026

Copy link
Copy Markdown
Member

Audit-driven security pass against the kernel isolation boundary, plus a cleanup of validation that only guarded trusted client config. Scoped per the documented trust model (client/config trusted; in-VM executor untrusted).

Guest-reachable fixes (in-scope: untrusted executor → boundary)

  • Overlay symlink metadata bypass (HIGH) kernel/overlay_fs.rs: the /.secure-exec-overlay guard was lexical; a guest symlink whose resolved target entered the reserved namespace could list whiteout markers and unlink them to resurrect deleted lower-layer files. Now resolves through symlinks before the guard.
  • Mount path aliasing kernel/mount_table.rs: trim_start_matches(&mount.path) over-stripped repeated segments (/data/database.sqlite/base.sqlite); replaced with single-prefix strip.
  • lstat/readlink permission bypass kernel/permissions.rs: authorized the lexical path while operating on the parent-symlink-resolved target, leaking metadata of denied paths. Now authorizes the resolved subject.
  • PTY buffer-cap DoS kernel/pty.rs: the waiter-handoff tail bypassed MAX_PTY_BUFFER_BYTES; now enforces the cap with backpressure.

Regression tests added (overlay symlink, mount aliasing).

Remove over-defense against trusted config

Per the trust model, mount-plugin endpoints come only from the trusted client, so SSRF/denylist/DNS-rebinding guards over them are removed; well-formedness and credential-leak guards are kept.

  • s3: drop IP denylist + DNS re-resolution + localhost/env escape hatch; keep URL/scheme validation.
  • sandbox_agent: drop IP denylist + DNS re-resolution; keep https-for-non-local (bearer-token guard).
  • google_drive: drop the strict host allowlist; keep https + no-embedded-credentials (replayable token/JWT guard).

Docs

  • Adds the Trust Model (client / sidecar / executor) to root CLAUDE.md.

All affected kernel and sidecar test suites pass.

…a bypass, mount path aliasing, lstat/readlink permission bypass, PTY buffer-cap DoS)
…config (s3, sandbox_agent, google_drive); keep well-formedness + credential-leak guards
@NathanFlurry NathanFlurry merged commit 0e2dec5 into main Jun 20, 2026
1 of 2 checks passed
@NathanFlurry NathanFlurry deleted the security/sandbox-boundary-fixes branch June 20, 2026 05:58
NathanFlurry added a commit that referenced this pull request Jun 20, 2026
…lish)

#100 force-added 4 node_modules symlinks pointing at absolute dev-machine
paths (/home/nathan/secure-exec/...), bypassing the existing
.gitignore node_modules/ rule. In CI pnpm aborts with
ENOTDIR: mkdir node_modules. Remove them from tracking.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant