Trying to create a filesystem namespace


juan pablo Miceli

Mar 4, 2021, 9:49:57 AM
to minijail
Hi Everyone,

I am trying to use minijail to sandbox nasm to assemble untrusted assembly input. I am using seccomp to allow only necessary syscalls. But within those syscalls I need to allow:
* read
* write
* close
* openat
And if any bug existed in nasm, I don't want the user to be able to have access to any file other than the asm input.

Is there any way to do this with minijail? I believe I need to use the -b flag in addition to chroot. But I can't figure out how to make that work. So far I am using minijail like so:

minijail0 -n -S nasm.policy nasm -f elf64 -g -F DWARF output.asm

Any help is welcome!


Thanks beforehand.
Juan Pablo

Mike Frysinger

Mar 4, 2021, 11:24:39 AM
to juan pablo Miceli, minijail
it is not possible to constrain the paths to syscalls like open* currently.  it's a KI with seccomp filters and syscalls that take pointer arguments.

in CrOS, we mitigate this by setting up a brand new mount namespace where most things are read-only.  in your case, something like:
  minijail0 --profile=minimalistic-mountns -b $PWD,,1 -n -S nasm.policy nasm -f elf64 -g -F DWARF output.asm

depending on your mount layout, it might not work that smoothly.  but you could give it a try.
-mike
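The layout from the reply above as a wrapper script, added here as an example; it is not code from the thread or from the minijail project. It assumes nasm.policy lives in the work directory, that nasm accepts -o for the output file, and it adds a path check of its own: since seccomp cannot see the path behind an openat pointer, the wrapper makes sure input and output both sit inside the one writable bind mount.

```shell
#!/bin/sh
# Added example, not code from the thread or from minijail itself: a wrapper
# that runs nasm under minijail0 with the seccomp policy and the writable bind
# mount from the reply above, and refuses input/output paths that fall outside
# the bind-mounted work directory. Assumes nasm.policy sits in that directory.
set -e

# Canonicalise a path without requiring the file to exist (the .o is created
# by nasm): resolve the directory part, keep the basename.
canon() {
  d=$(cd "$(dirname "$1")" 2>/dev/null && pwd -P) || return 1
  printf '%s/%s\n' "$d" "$(basename "$1")"
}

# 0 if path $2 lies under directory $1. seccomp cannot inspect the path
# pointer passed to openat, so the only thing protecting other files is the
# mount namespace; keeping both paths inside the one writable mount makes
# failures explicit instead of surfacing as ENOENT/EROFS inside the jail.
inside() {
  case "$2" in
    "$1"/*) return 0 ;;
    *)      return 1 ;;
  esac
}

# Command line as one string, for dry runs and tests.
# --profile=minimalistic-mountns: private mount namespace, system dirs read-only
# -b "$work,,1": bind the work dir at the same path, writable (needed for the .o)
# -n: no_new_privs; -S: seccomp policy file
build_cmd() {
  printf 'minijail0 --profile=minimalistic-mountns -b %s,,1 -n -S %s/nasm.policy nasm -f elf64 -g -F DWARF -o %s %s\n' \
    "$1" "$1" "$3" "$2"
}

# run_nasm WORKDIR INPUT.asm OUTPUT.o
run_nasm() {
  work=$(cd "$1" && pwd -P)
  in=$(canon "$2") && out=$(canon "$3") || return 2
  inside "$work" "$in"  || { echo "input outside $work: $in" >&2; return 2; }
  inside "$work" "$out" || { echo "output outside $work: $out" >&2; return 2; }
  minijail0 --profile=minimalistic-mountns -b "$work,,1" -n -S "$work/nasm.policy" \
    nasm -f elf64 -g -F DWARF -o "$out" "$in"
}
```

While building up nasm.policy, adding minijail0's -L flag logs a blocked syscall instead of killing the process, which makes it quick to see which syscalls nasm still needs beyond the four listed in the question.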
