Skip to content

fix(openshell-sandbox): reject symlink and non-dir read_write paths#347

Closed
drew wants to merge 1 commit intoNVIDIA:mainfrom
vincentkoc:codex/fix-symlink-vulnerability-in-sandbox-chown
Closed

fix(openshell-sandbox): reject symlink and non-dir read_write paths#347
drew wants to merge 1 commit intoNVIDIA:mainfrom
vincentkoc:codex/fix-symlink-vulnerability-in-sandbox-chown

Conversation

@drew
Copy link
Collaborator

@drew drew commented Mar 16, 2026

Motivation

  • The supervisor previously created and chowned every path in policy.filesystem.read_write while running as root, which follows symlinks and can change ownership of arbitrary targets.
  • That behavior enables a malicious image to pre-create a symlink and escalate privileges by making sensitive root-owned paths writable by the sandbox user.
  • The intent is to harden filesystem preparation so only legitimate directories declared by policy are prepared for the sandbox process.

Description

  • In crates/openshell-sandbox/src/lib.rs prepare_filesystem now uses std::fs::symlink_metadata to inspect read_write entries before calling chown and retains std::fs::create_dir_all behavior for missing paths.
  • The function returns an error if a read_write path is a symlink to prevent following and modifying arbitrary targets.
  • The function returns an error if a read_write path exists but is not a directory to avoid unexpected ownership changes on files.
  • Added unit tests that assert the function rejects a symlinked read_write path and rejects a non-directory read_write path, and kept behavior unchanged for valid directories.

Testing

  • Ran targeted unit tests with cargo test -p openshell-sandbox prepare_filesystem_rejects_ --lib, and both new tests passed.
  • cargo test -p openshell-sandbox prepare_filesystem_rejects_symlink_read_write_path --lib and cargo test -p openshell-sandbox prepare_filesystem_rejects_non_directory_read_write_path --lib succeeded.
  • mise run pre-commit and mise run test were attempted but failed in this environment due to external tool resolution/network issues (tooling warnings from mise), not due to the code changes.

Codex Task

@drew drew added integration:aardvark Aardvark integration integration:codex Codex integration labels Mar 16, 2026
@github-actions
Copy link

github-actions bot commented Mar 16, 2026

Thank you for your submission! We ask that you sign our Developer Certificate of Origin before we can accept your contribution. You can sign the DCO by adding a comment below using this text:

I have read the DCO document and I hereby sign the DCO.

You can retrigger this bot by commenting recheck in this Pull Request. Posted by the DCO Assistant Lite bot.

@johntmyers johntmyers mentioned this pull request Mar 16, 2026
Closed
@johntmyers
Copy link
Collaborator

johntmyers commented Mar 16, 2026

Closing in favor of consolidated re-implementation. See #350 for tracking.

@johntmyers johntmyers closed this Mar 16, 2026
@johntmyers johntmyers mentioned this pull request Mar 16, 2026
Merged
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

integration:aardvark Aardvark integration integration:codex Codex integration

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@drew @johntmyers @vincentkoc