security: fix guest-reachable sandbox issues + remove over-defense against trusted config#100
Merged
Merged
Conversation
…a bypass, mount path aliasing, lstat/readlink permission bypass, PTY buffer-cap DoS)
…config (s3, sandbox_agent, google_drive); keep well-formedness + credential-leak guards
NathanFlurry
added a commit
that referenced
this pull request
Jun 20, 2026
…lish) #100 force-added 4 node_modules symlinks pointing at absolute dev-machine paths (/home/nathan/secure-exec/...), bypassing the existing .gitignore node_modules/ rule. In CI pnpm aborts with ENOTDIR: mkdir node_modules. Remove them from tracking. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Audit-driven security pass against the kernel isolation boundary, plus a cleanup of validation that only guarded trusted client config. Scoped per the documented trust model (client/config trusted; in-VM executor untrusted).
Guest-reachable fixes (in-scope: untrusted executor → boundary)
kernel/overlay_fs.rs: the/.secure-exec-overlayguard was lexical; a guest symlink whose resolved target entered the reserved namespace could list whiteout markers and unlink them to resurrect deleted lower-layer files. Now resolves through symlinks before the guard.kernel/mount_table.rs:trim_start_matches(&mount.path)over-stripped repeated segments (/data/database.sqlite→/base.sqlite); replaced with single-prefix strip.kernel/permissions.rs: authorized the lexical path while operating on the parent-symlink-resolved target, leaking metadata of denied paths. Now authorizes the resolved subject.kernel/pty.rs: the waiter-handoff tail bypassedMAX_PTY_BUFFER_BYTES; now enforces the cap with backpressure.Regression tests added (overlay symlink, mount aliasing).
Remove over-defense against trusted config
Per the trust model, mount-plugin endpoints come only from the trusted client, so SSRF/denylist/DNS-rebinding guards over them are removed; well-formedness and credential-leak guards are kept.
Docs
CLAUDE.md.All affected kernel and sidecar test suites pass.