fix: isolate /run with tmpfs and recreate /var/run symlinks in sandbox (#54)

tito · web-flow · commit d38a8db7ae08 · 2026-03-24T12:37:24.000-06:00
* fix: isolate /run with tmpfs to prevent sandbox escape via host sockets Previously, buildDenyByDefaultMounts bind-mounted the entire host /run read-only, then overlaid /run/user with a tmpfs for D-Bus isolation. This left host sockets (Docker, Podman, containerd, libvirt, etc.) accessible inside the sandbox. Unix socket connections bypass filesystem read-only restrictions, so any exposed socket with matching permissions allowed full sandbox escape (e.g., docker run with host filesystem mounts). Replace the blanket --ro-bind /run /run with --tmpfs /run (allowlist approach), selectively mounting only: - /run/systemd/resolve/* when /etc/resolv.conf is a symlink into /run - /run/user/<uid>/bus for the filtered D-Bus proxy socket This matches the existing SSH key protection pattern (--ro-bind /dev/null over sensitive files) but is more robust: unknown sockets are excluded by default rather than requiring explicit deny rules. * fix: recreate /var/run and /var/lock symlinks in sandbox On modern Linux distros, /var/run is a symlink to /run and /var/lock is a symlink to /run/lock. Many programs (virsh, systemctl, etc.) hardcode /var/run paths. The sandbox already recreates symlinks for /bin, /sbin, /lib, /lib64 but was missing /var, causing programs to fail with "No such file or directory" even when /run paths were correctly configured. Fixes #53
diff --git a/internal/sandbox/linux.go b/internal/sandbox/linux.go
@@ -516,6 +516,47 @@ func dbusIsolationArgs(dbusBridge *DbusBridge, debug bool) []string {
 	return args
 }
 
+// runIsolationArgs returns bwrap arguments for /run in defaultDenyRead mode.
+// Instead of bind-mounting the host's /run (which exposes dangerous sockets like
+// Docker, Podman, containerd, libvirt), we start with an empty tmpfs and
+// selectively mount only what's needed.
+func runIsolationArgs(dbusBridge *DbusBridge, debug bool) []string {
+	args := []string{"--tmpfs", "/run"}
+
+	// If /etc/resolv.conf is a symlink into /run (e.g., systemd-resolved
+	// points to /run/systemd/resolve/stub-resolv.conf), we need to make
+	// the target reachable inside the sandbox.
+	if extra := resolveSymlinkForBind("/etc/resolv.conf", debug); len(extra) > 0 {
+		// resolveSymlinkForBind may emit --tmpfs /run again (it detects /run as
+		// a separate mount). Since we already have --tmpfs /run, filter those out
+		// and only keep --dir and --ro-bind entries.
+		for i := 0; i < len(extra); i++ {
+			if extra[i] == "--tmpfs" && i+1 < len(extra) && extra[i+1] == "/run" {
+				i++ // skip both --tmpfs and /run
+				continue
+			}
+			args = append(args, extra[i])
+		}
+	}
+
+	// D-Bus session bus isolation: create /run/user/<uid> and optionally
+	// bind-mount the filtered D-Bus proxy socket.
+	uid := os.Getuid()
+	userRunDir := fmt.Sprintf("/run/user/%d", uid)
+
+	if dbusBridge != nil {
+		args = append(args, "--dir", userRunDir)
+		args = append(args, "--bind", dbusBridge.SocketPath, filepath.Join(userRunDir, "bus"))
+		if debug {
+			fmt.Fprintf(os.Stderr, "[greywall:linux] /run isolated (tmpfs); D-Bus session bus filtered (only org.freedesktop.Notifications allowed)\n")
+		}
+	} else if debug {
+		fmt.Fprintf(os.Stderr, "[greywall:linux] /run isolated (tmpfs); D-Bus session bus blocked\n")
+	}
+
+	return args
+}
+
 func fileExists(path string) bool {
 	_, err := os.Stat(path) //nolint:gosec // internal paths only
 	return err == nil
@@ -686,7 +727,7 @@ func buildDenyByDefaultMounts(cfg *config.Config, cwd string, dbusBridge *DbusBr
 	// /bin, /sbin, /lib, /lib64 are often symlinks to /usr/*. We must
 	// recreate these as symlinks via --symlink so the dynamic linker
 	// and shell can be found. Real directories get bind-mounted.
-	systemPaths := []string{"/usr", "/bin", "/sbin", "/lib", "/lib64", "/etc", "/opt", "/run"}
+	systemPaths := []string{"/usr", "/bin", "/sbin", "/lib", "/lib64", "/etc", "/opt"}
 	for _, p := range systemPaths {
 		if !fileExists(p) {
 			continue
@@ -702,11 +743,26 @@ func buildDenyByDefaultMounts(cfg *config.Config, cwd string, dbusBridge *DbusBr
 		}
 	}
 
-	// Block D-Bus session bus to prevent sandbox escape via GVFS/gnome-keyring.
-	// /run/user/<uid>/bus exposes all host session services (file read via GVFS,
-	// password read via gnome-keyring, process launch via Flatpak portal).
-	// --tmpfs /run/user overlays the bind-mounted /run, hiding the D-Bus socket.
-	args = append(args, dbusIsolationArgs(dbusBridge, debug)...)
+	// /var: on modern distros, /var/run -> /run and /var/lock -> /run/lock.
+	// Many programs (e.g., virsh, systemctl) use /var/run paths.
+	// We recreate these symlinks so they resolve correctly inside the sandbox.
+	if fileExists("/var") {
+		args = append(args, "--dir", "/var")
+		for _, sub := range []string{"/var/run", "/var/lock"} {
+			if isSymlink(sub) {
+				target, err := os.Readlink(sub)
+				if err == nil {
+					args = append(args, "--symlink", target, sub)
+				}
+			}
+		}
+	}
+
+	// /run: use an empty tmpfs and selectively mount only what's needed.
+	// Mounting all of /run exposes dangerous host sockets (Docker, Podman,
+	// containerd, libvirt, etc.) that allow sandbox escape even when
+	// read-only, since Unix socket connections bypass filesystem write checks.
+	args = append(args, runIsolationArgs(dbusBridge, debug)...)
 
 	// /sys needs to be accessible for system info
 	if fileExists("/sys") && canMountOver("/sys") {
@@ -1009,7 +1065,7 @@ func WrapCommandLinuxWithOptions(cfg *config.Config, command string, proxyBridge
 	// mounts like /run are empty, so the symlink target is unreachable and
 	// bwrap fails with "Can't create file at /etc/resolv.conf".
 	if !defaultDenyRead {
-		// In defaultDenyRead mode, /run is already explicitly mounted.
+		// In defaultDenyRead mode, resolv.conf symlink resolution is handled by runIsolationArgs.
 		if extra := resolveSymlinkForBind("/etc/resolv.conf", opts.Debug); len(extra) > 0 {
 			bwrapArgs = append(bwrapArgs, extra...)
 		}
