search

proot-me / proot

chroot, mount --bind, and binfmt_misc without privilege/setup for Linux
https://proot-me.github.io
GNU General Public License v2.0
1.91k stars 361 forks source link

lstat syscalls break confinement #377

Open thelamer opened 3 months ago

thelamer commented 3 months ago

Expected Behavior

When lstat is called by a process inside PRoot they would be caught and sent information on the current guest they are in.

Actual Behavior

lstat calls go directly to the host and will fail if the host lacks the files.

Steps to Reproduce the Problem

The easiest way I have to reproduce this is with proot-apps on an x86_64 linux host wrapping the signal application, on init it checks for the existence of /opt/Signal/resources using lstat and fails.

Install proot-apps: 

rm -f $HOME/.local/bin/{ncat,proot-apps,proot,jq}
mkdir -p $HOME/.local/bin
curl -L https://github.com/linuxserver/proot-apps/releases/download/$(curl -sX GET "https://api.github.com/repos/linuxserver/proot-apps/releases/latest" | awk '/tag_name/{print $4;exit}' FS='[""]')/proot-apps-$(uname -m).tar.gz | tar -xzf - -C $HOME/.local/bin/
export PATH="$HOME/.local/bin:$PATH"

Install signal: 

proot-apps install signal

Run signal: 

signal-pa

Now generate the path on the host: 

sudo mkdir -p /opt/Signal/resources
signal-pa

The app will start normally as the lstat sanity check passes on init.

Specifications

Command Output

Unhandled Promise Rejection: Error: ENOENT: no such file or directory, lstat '/opt/Signal/resources'
Unhandled Promise Rejection: Error: ENOENT: no such file or directory, lstat '/opt/Signal/resources'

Notes

If this is expected behavior feel free to close this, but I think for isolating the guest, lstat syscalls need to be intercepted in some way and implementing this is a bit over my head.

Linking: https://github.com/linuxserver/proot-apps/issues/10

Avimitin commented 1 month ago

image

I am trying to copy some directory from host to proot, and cp -r shows setting permissions for ...: no such file or directory. However it did create the directory for me. So I tried strace and found that the mkdirat and newfstatat are all OK, only fchmodat2 returns no such file or directory. So I guess if this is also a similar issue that it sends syscall to host file instead of proot.