Replace --new-session with seccomp TIOCSTI/TIOCLINUX filter

2026-04-12 15:58:50 +02:00
parent 8f30d28965
commit 0d0682b04e
3 changed files with 78 additions and 7 deletions
@@ -417,8 +417,8 @@ fn whitelist_sys_is_readable() {
 }

 #[test]
-fn new_session_isolates_sid() {
-    let inner_sid = read_sid_inside_sandbox(&[]);
+fn hardened_isolates_sid() {
+    let inner_sid = read_sid_inside_sandbox(&["--hardened"]);
    let outer_sid = read_sid_current_process();

    assert_ne!(
@@ -427,6 +427,17 @@ fn new_session_isolates_sid() {
    );
 }

+#[test]
+fn default_mode_shares_session() {
+    let inner_sid = read_sid_inside_sandbox(&[]);
+    let outer_sid = read_sid_current_process();
+
+    assert_eq!(
+        inner_sid, outer_sid,
+        "default-mode sandbox should share the session ID (got {inner_sid} != {outer_sid})"
+    );
+}
+
 #[test]
 fn blacklist_run_is_tmpfs() {
    let output = sandbox(&[])
@@ -1331,3 +1342,42 @@ fn seccomp_bash_pthread_fallback_works() {
        String::from_utf8_lossy(&output.stderr)
    );
 }
+
+#[test]
+fn seccomp_blocks_tiocsti() {
+    // TIOCSTI (0x5412) injects keystrokes into the terminal input queue.
+    // Without --new-session, this is the primary defense against CVE-2017-5226.
+    //
+    // On kernels >= 6.2 with CONFIG_LEGACY_TIOCSTI=n, the kernel blocks TIOCSTI
+    // before seccomp sees it. We test with --no-seccomp first to detect that and
+    // skip, so the test only asserts our filter's behaviour.
+    let baseline = sandbox(&["--no-seccomp"])
+        .args([
+            "--",
+            "python3",
+            "-c",
+            "import fcntl; fcntl.ioctl(0, 0x5412, b'x')",
+        ])
+        .output()
+        .expect("agent-sandbox binary failed to execute");
+
+    if !baseline.status.success() {
+        // Kernel already blocks TIOCSTI; seccomp filter is untestable here.
+        return;
+    }
+
+    let output = sandbox(&[])
+        .args([
+            "--",
+            "python3",
+            "-c",
+            "import fcntl; fcntl.ioctl(0, 0x5412, b'x')",
+        ])
+        .output()
+        .expect("agent-sandbox binary failed to execute");
+
+    assert!(
+        !output.status.success(),
+        "expected TIOCSTI to be blocked by seccomp filter"
+    );
+}