Summary
The rustjail container startup flow appears to accept mount namespace paths from the OCI spec and later use the resulting file descriptor with setns. If an attacker-controlled spec can provide a host mount namespace path, the sandboxed process may join the host mount namespace and break sandbox isolation.
Affected Component
Relevant component:
Affected files:
agent/rustjail/src/container.rs
agent/rustjail/src/validator.rs
Description
The reviewed reports indicate that container.rs opens namespace paths from linux.namespaces and later calls sched::setns(mount_fd, CloneFlags::CLONE_NEWNS) for the mount namespace.
The validation logic in validator.rs appears to check for the presence of a mount namespace, but does not restrict the mount namespace path itself. This may allow a malicious OCI spec to reference an existing host mount namespace, causing the sandboxed process to join it.
Please see the linked reports for the detailed data-flow, code references, and reproduction details.
Expected Behavior
The runtime should not allow untrusted OCI specs to provide arbitrary mount namespace paths.
Mount namespace paths should either be rejected for untrusted specs or strictly limited to trusted runtime-managed namespaces.
Actual Behavior
According to the reports, the mount namespace path is opened directly and the resulting file descriptor is used with setns without sufficient validation.
Security Impact
If exploitable, this can allow a sandboxed process to join the host mount namespace, exposing the host filesystem mount view and breaking filesystem isolation. This may lead to host file access and broader sandbox escape.
Suggested Remediation
- Reject non-empty mount namespace paths for untrusted OCI specs.
- Restrict namespace paths to trusted runtime-managed locations.
- Validate namespace file descriptors before calling
setns.
- Explicitly block host namespace paths such as
/proc/<pid>/ns/mnt.
- Add regression tests for malicious mount namespace paths.
Additional Context
Detailed reports:
Summary
The
rustjailcontainer startup flow appears to accept mount namespace paths from the OCI spec and later use the resulting file descriptor withsetns. If an attacker-controlled spec can provide a host mount namespace path, the sandboxed process may join the host mount namespace and break sandbox isolation.Affected Component
Relevant component:
agent / rustjailAffected files:
agent/rustjail/src/container.rsagent/rustjail/src/validator.rsDescription
The reviewed reports indicate that
container.rsopens namespace paths fromlinux.namespacesand later callssched::setns(mount_fd, CloneFlags::CLONE_NEWNS)for the mount namespace.The validation logic in
validator.rsappears to check for the presence of a mount namespace, but does not restrict the mount namespace path itself. This may allow a malicious OCI spec to reference an existing host mount namespace, causing the sandboxed process to join it.Please see the linked reports for the detailed data-flow, code references, and reproduction details.
Expected Behavior
The runtime should not allow untrusted OCI specs to provide arbitrary mount namespace paths.
Mount namespace paths should either be rejected for untrusted specs or strictly limited to trusted runtime-managed namespaces.
Actual Behavior
According to the reports, the mount namespace path is opened directly and the resulting file descriptor is used with
setnswithout sufficient validation.Security Impact
If exploitable, this can allow a sandboxed process to join the host mount namespace, exposing the host filesystem mount view and breaking filesystem isolation. This may lead to host file access and broader sandbox escape.
Suggested Remediation
setns./proc/<pid>/ns/mnt.Additional Context
Detailed reports: