Add 12 new sandbox security exploit tests

Cover additional attack vectors: memory/CPU/inode exhaustion, stderr
flood, symlink escape, privilege escalation, device access, rlimit
override, signal resistance, read-only write, /proc info leak, and
environment variable leakage.

Co-Authored-By: Claude <noreply@anthropic.com>

Author: koki-develop

AGENTS.md

@@ -110,6 +110,18 @@ codize run --json tests/network.py             # Network access test
 codize run --json tests/runaway_output.py      # Infinite output test
 codize run --json tests/file_persistance.py    # File persistence test (run twice)
 codize run --json tests/mqueue_persistance.py  # Mqueue persistence test (run twice)
+codize run --json tests/memory_exhaustion.py   # Memory exhaustion test
+codize run --json tests/inode_exhaustion.py    # Inode exhaustion test
+codize run --json tests/symlink_escape.py      # Symlink escape test
+codize run --json tests/privilege_escalation.py # Privilege escalation test
+codize run --json tests/device_access.py       # Device access test
+codize run --json tests/stderr_flood.py        # Stderr flood test
+codize run --json tests/cpu_exhaustion.py      # CPU exhaustion test
+codize run --json tests/env_leakage.py         # Environment variable leakage test
+codize run --json tests/rlimit_override.py     # Resource limit override test
+codize run --json tests/signal_resistance.py   # Signal resistance test
+codize run --json tests/readonly_write.py      # Read-only filesystem write test
+codize run --json tests/proc_info_leak.py      # /proc information leakage test
 ```
 
 Package tests are automatically executed via GitHub Actions (`package-pr.yaml`).

tests/cpu_exhaustion.py

@@ -0,0 +1,13 @@
+"""
+Description
+    Pure CPU busy-loop with no I/O or sleep, designed to exhaust the
+    CPU time limit enforced by the sandbox cgroup controller
+
+    The sandbox should terminate the process once the CPU time limit
+    is exceeded, returning a timeout status
+
+"""
+
+x = 0
+while True:
+    x = (x * 6364136223846793005 + 1442695040888963407) & 0xFFFFFFFFFFFFFFFF

tests/device_access.py

@@ -0,0 +1,32 @@
+"""
+Description
+    Attempting to open raw hardware devices including disk, memory, and
+    kernel message devices that are bind-mounted from the host
+
+    The sandbox should prevent access to hardware device files by running
+    as an unprivileged user without the necessary capabilities to open
+    raw devices
+
+"""
+
+import os
+
+devices = [
+    "/dev/sda",
+    "/dev/mem",
+    "/dev/kmsg",
+    "/dev/port",
+]
+
+for dev in devices:
+    if not os.path.exists(dev):
+        continue
+    try:
+        fd = os.open(dev, os.O_RDONLY)
+        data = os.read(fd, 16)
+        os.close(fd)
+        print(f"{dev}: READ SUCCEEDED - {repr(data)} (CRITICAL)")
+    except PermissionError:
+        pass
+    except OSError:
+        pass

tests/env_leakage.py

@@ -0,0 +1,16 @@
+"""
+Description
+    Enumerating all environment variables visible inside the sandbox to
+    check whether host environment variables are unintentionally leaked
+
+    The sandbox should only expose explicitly configured environment
+    variables, with no host-origin secrets or credentials present
+
+"""
+
+import os
+
+env = dict(os.environ)
+print(f"Total env vars: {len(env)}")
+for key in sorted(env.keys()):
+    print(f"{key}={env[key]}")

tests/inode_exhaustion.py

@@ -0,0 +1,21 @@
+"""
+Description
+    Creating a large number of small files to exhaust filesystem inodes
+    on the shared tmpfs, potentially denying service to other jobs
+
+    The sandbox should terminate the process via timeout or filesystem
+    quota before inode exhaustion can affect the host system
+
+"""
+
+import os
+
+i = 0
+while True:
+    try:
+        with open(f"/tmp/f{i}", "w") as f:
+            f.write("x")
+        i += 1
+    except OSError:
+        print(f"Stopped at {i} files")
+        break

tests/memory_exhaustion.py

@@ -0,0 +1,15 @@
+"""
+Description
+    Unbounded memory allocation to exhaust available RAM and potentially
+    trigger an OOM condition on the host system
+
+    The sandbox should terminate the process before host memory is exhausted,
+    either via a memory cgroup limit or a wall-time/CPU-time timeout
+
+"""
+
+import sys
+
+chunks = []
+while True:
+    chunks.append(b'x' * (1024 * 1024))  # Allocate 1 MB at a time

tests/privilege_escalation.py

@@ -0,0 +1,42 @@
+"""
+Description
+    Attempting to escalate to root privileges using setuid, setgid,
+    and seteuid system calls from within the sandbox
+
+    The sandbox should run as an unprivileged user with no capabilities,
+    making all privilege escalation attempts fail with permission errors
+
+"""
+
+import os
+import ctypes
+
+results = {}
+
+try:
+    os.setuid(0)
+    results["setuid(0)"] = "SUCCEEDED (CRITICAL)"
+except PermissionError:
+    results["setuid(0)"] = "blocked"
+
+try:
+    os.setgid(0)
+    results["setgid(0)"] = "SUCCEEDED (CRITICAL)"
+except PermissionError:
+    results["setgid(0)"] = "blocked"
+
+try:
+    libc = ctypes.CDLL("libc.so.6", use_errno=True)
+    ret = libc.seteuid(0)
+    if ret == 0:
+        results["seteuid(0)"] = "SUCCEEDED (CRITICAL)"
+    else:
+        results["seteuid(0)"] = f"blocked (errno={ctypes.get_errno()})"
+except Exception as e:
+    results["seteuid(0)"] = f"error: {e}"
+
+results["uid"] = os.getuid()
+results["gid"] = os.getgid()
+
+for key, val in results.items():
+    print(f"{key}: {val}")

tests/proc_info_leak.py

@@ -0,0 +1,30 @@
+"""
+Description
+    Reading /proc entries to check if host process information or
+    sensitive kernel data is exposed through the procfs interface
+
+    The sandbox should isolate /proc with hidepid=2 and PID namespace,
+    preventing access to host process information
+
+"""
+
+import os
+
+# Try to list processes visible in /proc
+pids = [d for d in os.listdir("/proc") if d.isdigit()]
+print(f"Visible PIDs: {pids}")
+
+# Try to read PID 1's info (outside PID namespace, this would be host init)
+sensitive_paths = [
+    "/proc/1/cmdline",
+    "/proc/1/environ",
+    "/proc/1/maps",
+]
+
+for path in sensitive_paths:
+    try:
+        with open(path, "r") as f:
+            content = f.read(100)
+        print(f"{path}: {repr(content[:50])}")
+    except (PermissionError, FileNotFoundError, ProcessLookupError):
+        pass

tests/readonly_write.py

@@ -0,0 +1,31 @@
+"""
+Description
+    Attempting to write files to read-only bind-mounted directories
+    including /usr, /bin, /lib, and /etc
+
+    The sandbox should enforce read-only mount restrictions, causing all
+    write attempts to these paths to fail with filesystem or permission
+    errors
+
+"""
+
+import os
+
+readonly_paths = [
+    "/usr/local/pwned",
+    "/bin/pwned",
+    "/lib/pwned",
+    "/etc/pwned",
+]
+
+for path in readonly_paths:
+    parent = os.path.dirname(path)
+    if not os.path.exists(parent):
+        continue
+    try:
+        with open(path, "w") as f:
+            f.write("pwned")
+        print(f"{path}: WRITE SUCCEEDED (CRITICAL)")
+        os.unlink(path)
+    except (PermissionError, OSError):
+        pass

tests/rlimit_override.py

@@ -0,0 +1,29 @@
+"""
+Description
+    Attempting to raise resource limits using Python's resource module to
+    bypass the rlimits set by the sandbox, such as increasing the maximum
+    process count or file size limit beyond the configured hard limits
+
+    The sandbox should prevent raising resource limits beyond the hard
+    limits configured by isolate, as the process has no CAP_SYS_RESOURCE
+    capability
+
+"""
+
+import resource
+
+limits_to_try = [
+    ("RLIMIT_NPROC", resource.RLIMIT_NPROC),
+    ("RLIMIT_FSIZE", resource.RLIMIT_FSIZE),
+    ("RLIMIT_NOFILE", resource.RLIMIT_NOFILE),
+]
+
+for name, res in limits_to_try:
+    soft, hard = resource.getrlimit(res)
+    print(f"{name}: soft={soft}, hard={hard}")
+    try:
+        resource.setrlimit(res, (hard + 1, hard + 1))
+        new_soft, new_hard = resource.getrlimit(res)
+        print(f"  RAISED to soft={new_soft}, hard={new_hard} (CRITICAL)")
+    except (ValueError, resource.error):
+        pass