feat: add execute and execute-file flags#576
Conversation
There was a problem hiding this comment.
Code Review
This pull request introduces explicit execution permissions across the sandbox core, CLI, and policy definitions, effectively decoupling execution rights from read access. Key updates include refined Landlock and Seatbelt profile generation, new CLI flags, and updated C bindings. Review feedback highlights an inconsistency in how CLI flags map to internal access modes and identifies logic duplication. Security concerns were raised regarding the macOS implementation, where certain modes still implicitly grant execution or mapping privileges, and a significant permission expansion in the node_runtime policy. Finally, an undocumented breaking change to the why command's argument structure was identified.
|
I have updated the code! |
|
thanks @hanshal101 , I just landed the multiplexing lifecycle PR (a significant rework), my apologies this would have left you with a bit of a merge conflict to iron out - appreciate your contributions and welcome to the community ! |
Cool! I'll try to update the PR and resolve the merge conflicts |
|
are you working on this still @hanshal101 ? |
Hello @lukehinds sorry for the delay, yes i am still working got some issues with merge conflicts here. Will do it soon |
6e5f14f to
2d31992
Compare
|
Hello @lukehinds lets run the CI once again! |
af1aa22 to
e1abd48
Compare
|
hello @lukehinds I have rebased and resolved the changes, lets try running the CI once more! |
Signed-off-by: hanshal101 <hanshalmehta10@gmail.com>
Signed-off-by: hanshal101 <hanshalmehta10@gmail.com>
Signed-off-by: hanshal101 <hanshalmehta10@gmail.com>
Signed-off-by: hanshal101 <hanshalmehta10@gmail.com>
e1abd48 to
97c49d8
Compare
Signed-off-by: hanshal101 <hanshalmehta10@gmail.com>
97c49d8 to
e007d9d
Compare
Fixes #491
Closes #491
Description
This PR decouples file execution from read access within the nono sandbox to enforce a more robust least-privilege security model. Currently, granting a process permission to read a directory (via --read) inadvertently allows it to execute binaries or load shared libraries from that same path, creating a potential vector for exploitation. By introducing a dedicated AccessMode::Execute variant and corresponding --execute CLI flags, the sandbox can distinguish between data-only paths (like configuration folders) and binary-only paths (like /usr/bin), mapping these granular rights to Linux Landlock’s AccessFs::Execute and macOS Seatbelt’s file-map-executable and process-exec primitives.
Examples