Add 17 new sandbox security exploit tests (batch 2)

Co-Authored-By: Claude <noreply@anthropic.com>

Author: koki-develop

AGENTS.md

@@ -122,6 +122,23 @@ codize run --json tests/rlimit_override.py     # Resource limit override test
 codize run --json tests/signal_resistance.py   # Signal resistance test
 codize run --json tests/readonly_write.py      # Read-only filesystem write test
 codize run --json tests/proc_info_leak.py      # /proc information leakage test
+codize run --json tests/unix_socket.py         # Unix domain socket cross-sandbox test
+codize run --json tests/sysv_shm.py            # SysV shared memory cross-sandbox test
+codize run --json tests/sysv_msg.py            # SysV message queue and semaphore cross-sandbox test
+codize run --json tests/ptrace_attach.py       # ptrace attach process manipulation test
+codize run --json tests/mount_escape.py        # mount syscall filesystem escape test
+codize run --json tests/chroot_escape.py       # Double chroot escape technique test
+codize run --json tests/namespace_escape.py    # unshare namespace escape test
+codize run --json tests/thread_bomb.py         # Thread bomb resource exhaustion test
+codize run --json tests/fd_exhaustion.py       # File descriptor exhaustion test
+codize run --json tests/pipe_exhaustion.py     # Pipe and kernel buffer exhaustion test
+codize run --json tests/core_dump.py           # Core dump information leak test
+codize run --json tests/sysfs_info.py          # /sys filesystem information leak test
+codize run --json tests/timing_side_channel.py # CPU cache timing side channel test
+codize run --json tests/kernel_module.py       # Kernel module loading test
+codize run --json tests/raw_syscall.py         # Raw restricted syscall invocation test
+codize run --json tests/cross_process_kill.py  # Cross-process signal delivery test
+codize run --json tests/raw_socket.py          # Raw and packet socket creation test
 ```
 
 Package tests are automatically executed via GitHub Actions (`package-pr.yaml`).

tests/chroot_escape.py

@@ -0,0 +1,36 @@
+"""
+Description
+    Using the classic double-chroot escape technique: create a new chroot,
+    then chdir to the original root via relative path traversal to break
+    out of the sandbox chroot
+
+    The sandbox should prevent chroot by running as an unprivileged user
+    without CAP_SYS_CHROOT capability
+
+"""
+
+import ctypes
+import ctypes.util
+import os
+
+libc = ctypes.CDLL(ctypes.util.find_library("c"), use_errno=True)
+
+try:
+    os.makedirs("/tmp/escape", exist_ok=True)
+except OSError:
+    pass
+
+ret = libc.chroot(b"/tmp/escape")
+if ret == 0:
+    try:
+        os.chdir("/" + "../" * 20)
+        ret2 = libc.chroot(b".")
+        if ret2 == 0:
+            try:
+                entries = os.listdir("/")
+                if "etc" in entries and "home" in entries:
+                    print(f"CHROOT ESCAPED - see real root: {entries[:10]} (CRITICAL)")
+            except:
+                pass
+    except:
+        pass

tests/core_dump.py

@@ -0,0 +1,48 @@
+"""
+Description
+    Triggering a crash to generate a core dump file that might contain
+    sensitive information from the process memory such as environment
+    variables or runtime secrets
+
+    The sandbox should prevent core dump generation via RLIMIT_CORE=0,
+    ensuring no core files are written to disk
+
+"""
+
+import os
+import ctypes
+import ctypes.util
+import resource
+
+soft, hard = resource.getrlimit(resource.RLIMIT_CORE)
+print(f"RLIMIT_CORE: soft={soft}, hard={hard}")
+
+if hard > 0:
+    print(f"WARNING: RLIMIT_CORE hard limit is {hard}, core dumps may be possible")
+
+try:
+    resource.setrlimit(resource.RLIMIT_CORE, (hard + 1, hard + 1))
+    new_soft, new_hard = resource.getrlimit(resource.RLIMIT_CORE)
+    print(f"RAISED RLIMIT_CORE to {new_hard} (CRITICAL)")
+except (ValueError, resource.error):
+    pass
+
+try:
+    with open("/proc/sys/kernel/core_pattern", "r") as f:
+        pattern = f.read().strip()
+        print(f"core_pattern: {pattern}")
+except (PermissionError, FileNotFoundError):
+    pass
+
+secret = "SENSITIVE_DATA_LEAK_TEST_12345"
+
+libc = ctypes.CDLL(ctypes.util.find_library("c"), use_errno=True)
+try:
+    ctypes.string_at(0, 1)
+except:
+    pass
+
+for path in ["/tmp/core", "/box/core", "core", f"/tmp/core.{os.getpid()}"]:
+    if os.path.exists(path):
+        size = os.path.getsize(path)
+        print(f"Core dump found at {path}, size={size} (CRITICAL)")

tests/cross_process_kill.py

@@ -0,0 +1,43 @@
+"""
+Description
+    Sending signals to processes outside the sandbox by targeting PID 1
+    and other process IDs, attempting to disrupt the sandbox keeper or
+    other system processes
+
+    The sandbox should confine signal delivery within the PID namespace,
+    making it impossible to signal processes outside the namespace
+
+"""
+
+import os
+import signal
+
+targets = [
+    (1, signal.SIGTERM, "PID 1 (namespace init)"),
+    (1, signal.SIGKILL, "PID 1 (namespace init)"),
+    (2, signal.SIGKILL, "PID 2"),
+]
+
+for pid, sig, desc in targets:
+    if pid == os.getpid():
+        continue
+    try:
+        os.kill(pid, sig)
+        print(f"Signal {sig} to {desc}: DELIVERED")
+    except ProcessLookupError:
+        pass
+    except PermissionError:
+        pass
+    except OSError:
+        pass
+
+for pid in [1000, 2000, 5000, 10000, 32000]:
+    try:
+        os.kill(pid, 0)
+        print(f"PID {pid} EXISTS inside namespace")
+    except ProcessLookupError:
+        pass
+    except PermissionError:
+        print(f"PID {pid} exists but permission denied")
+    except OSError:
+        pass

tests/fd_exhaustion.py

@@ -0,0 +1,33 @@
+"""
+Description
+    Opening the maximum number of file descriptors to exhaust the
+    per-process fd table, potentially causing denial of service for
+    the sandbox infrastructure that needs fds to function
+
+    The sandbox should enforce RLIMIT_NOFILE to cap the number of
+    open file descriptors per process
+
+"""
+
+import os
+
+fds = []
+i = 0
+while True:
+    try:
+        fd = os.open("/dev/null", os.O_RDONLY)
+        fds.append(fd)
+        i += 1
+    except OSError:
+        break
+
+print(f"Opened {i} file descriptors before hitting limit")
+
+if i > 10000:
+    print(f"WARNING: Opened {i} fds, limit may be too high")
+
+for fd in fds:
+    try:
+        os.close(fd)
+    except:
+        pass

tests/kernel_module.py

@@ -0,0 +1,40 @@
+"""
+Description
+    Attempting to load kernel modules via init_module and finit_module
+    syscalls, which would allow arbitrary kernel code execution
+
+    The sandbox should prevent module loading by running as an
+    unprivileged user without CAP_SYS_MODULE capability
+
+"""
+
+import ctypes
+import ctypes.util
+import os
+
+libc = ctypes.CDLL(ctypes.util.find_library("c"), use_errno=True)
+
+SYS_init_module = 175
+SYS_finit_module = 313
+SYS_delete_module = 176
+
+syscall = libc.syscall
+syscall.restype = ctypes.c_long
+
+dummy_module = b"\x00" * 64
+ret = syscall(SYS_init_module, dummy_module, len(dummy_module), b"")
+if ret == 0:
+    print("init_module SUCCEEDED (CRITICAL)")
+
+try:
+    fd = os.open("/dev/null", os.O_RDONLY)
+    ret = syscall(SYS_finit_module, fd, b"", 0)
+    if ret == 0:
+        print("finit_module SUCCEEDED (CRITICAL)")
+    os.close(fd)
+except OSError:
+    pass
+
+ret = syscall(SYS_delete_module, b"dummy_module", 0)
+if ret == 0:
+    print("delete_module SUCCEEDED (CRITICAL)")

tests/mount_escape.py

@@ -0,0 +1,38 @@
+"""
+Description
+    Using the mount syscall to attempt mounting filesystems such as proc,
+    sysfs, or bind mounts to access data outside the chroot boundary
+
+    The sandbox should prevent mount operations by running as an
+    unprivileged user without CAP_SYS_ADMIN capability
+
+"""
+
+import ctypes
+import ctypes.util
+import os
+
+libc = ctypes.CDLL(ctypes.util.find_library("c"), use_errno=True)
+
+try:
+    os.makedirs("/tmp/mnt", exist_ok=True)
+except OSError:
+    pass
+
+mount_attempts = [
+    (b"none", b"/tmp/mnt", b"proc", 0, b"", "mount proc"),
+    (b"none", b"/tmp/mnt", b"sysfs", 0, b"", "mount sysfs"),
+    (b"none", b"/tmp/mnt", b"tmpfs", 0, b"", "mount tmpfs"),
+    (b"/", b"/tmp/mnt", b"none", 4096, b"", "bind mount /"),
+]
+
+for source, target, fstype, flags, data, desc in mount_attempts:
+    ret = libc.mount(source, target, fstype, flags, data)
+    if ret == 0:
+        print(f"{desc}: SUCCEEDED (CRITICAL)")
+        try:
+            entries = os.listdir("/tmp/mnt")
+            print(f"  Contents: {entries[:5]}")
+        except:
+            pass
+        libc.umount(target)

tests/namespace_escape.py

@@ -0,0 +1,39 @@
+"""
+Description
+    Using unshare syscall to create new user, mount, or PID namespaces
+    in an attempt to gain elevated privileges or bypass sandbox
+    constraints
+
+    The sandbox should prevent unprivileged namespace creation, either
+    via lacking capabilities or kernel settings restricting
+    user namespace creation
+
+"""
+
+import ctypes
+import ctypes.util
+
+libc = ctypes.CDLL(ctypes.util.find_library("c"), use_errno=True)
+
+CLONE_NEWUSER = 0x10000000
+CLONE_NEWNS = 0x00020000
+CLONE_NEWPID = 0x20000000
+CLONE_NEWNET = 0x40000000
+CLONE_NEWIPC = 0x08000000
+
+namespaces = [
+    ("CLONE_NEWUSER", CLONE_NEWUSER),
+    ("CLONE_NEWNS", CLONE_NEWNS),
+    ("CLONE_NEWPID", CLONE_NEWPID),
+    ("CLONE_NEWNET", CLONE_NEWNET),
+    ("CLONE_NEWIPC", CLONE_NEWIPC),
+]
+
+for name, flag in namespaces:
+    ret = libc.unshare(flag)
+    if ret == 0:
+        print(f"unshare({name}) SUCCEEDED (CRITICAL)")
+
+ret = libc.unshare(CLONE_NEWUSER | CLONE_NEWNS)
+if ret == 0:
+    print("unshare(NEWUSER|NEWNS) SUCCEEDED (CRITICAL)")

tests/pipe_exhaustion.py

@@ -0,0 +1,35 @@
+"""
+Description
+    Creating a massive number of pipes and filling their buffers to
+    exhaust kernel memory allocated for pipe buffers
+
+    The sandbox should enforce RLIMIT_NOFILE to limit the number of
+    pipes, and the memory cgroup should prevent kernel buffer
+    exhaustion from affecting the host
+
+"""
+
+import os
+
+pipes = []
+i = 0
+while True:
+    try:
+        r, w = os.pipe()
+        pipes.append((r, w))
+        i += 1
+        try:
+            os.write(w, b'x' * 65536)
+        except:
+            pass
+    except OSError:
+        break
+
+print(f"Created {i} pipes before hitting limit")
+
+for r, w in pipes:
+    try:
+        os.close(r)
+        os.close(w)
+    except:
+        pass

tests/ptrace_attach.py

@@ -0,0 +1,46 @@
+"""
+Description
+    Using ptrace to attach to other processes visible in the sandbox
+    and attempt to read or manipulate their memory
+
+    The sandbox should prevent ptrace by running as an unprivileged user
+    without CAP_SYS_PTRACE, and the PID namespace limits visible targets
+
+"""
+
+import ctypes
+import ctypes.util
+import os
+
+libc = ctypes.CDLL(ctypes.util.find_library("c"), use_errno=True)
+
+PTRACE_ATTACH = 16
+PTRACE_PEEKDATA = 2
+PTRACE_DETACH = 17
+
+targets = [1, os.getppid()]
+
+for pid in targets:
+    if pid == os.getpid() or pid <= 0:
+        continue
+    ret = libc.ptrace(PTRACE_ATTACH, pid, None, None)
+    if ret == 0:
+        print(f"ptrace ATTACH to PID {pid} SUCCEEDED (CRITICAL)")
+        libc.ptrace(PTRACE_DETACH, pid, None, None)
+
+# Also try to ptrace our own child
+pid = os.fork()
+if pid == 0:
+    import time
+    time.sleep(1)
+    os._exit(0)
+else:
+    import time
+    time.sleep(0.1)
+    ret = libc.ptrace(PTRACE_ATTACH, pid, None, None)
+    if ret == 0:
+        libc.ptrace(PTRACE_DETACH, pid, None, None)
+    try:
+        os.waitpid(pid, 0)
+    except:
+        pass