Summary
The else branch of symlinkat_syscall (when a specific dirfd is provided) passes the raw, untranslated guest linkpath string directly to the host kernel. This allows a malicious guest to escape the cage sandbox by supplying an absolute path.
Background
Per POSIX, all *at syscalls (e.g. openat, symlinkat, renameat) ignore the dirfd argument entirely when the provided path is absolute. The current code assumes that dirfd confinement is sufficient to keep the guest's path within the sandbox — but this assumption silently breaks for any path beginning with /.
Vulnerable Code
// The kernel handles that resolution, so we pass the original guest pointer.
let raw_linkpath = match get_cstr(linkpath_arg) { ... }
unsafe {
libc::symlinkat(
target.as_ptr() as *const libc::c_char,
kernel_fd,
raw_linkpath.as_ptr() as *const c_char,
)
}Attack Scenario
A malicious guest executes:
symlinkat("payload", any_valid_fd, "/etc/cron.d/backdoor");
- The shim extracts the raw string
/etc/cron.d/backdoor.
- It passes it directly to the host kernel's
symlinkat.
- The host kernel sees an absolute path, ignores
kernel_fd, and creates the symlink at /etc/cron.d/backdoor on the host filesystem — fully outside the cage.
No memory corruption or exploit chain is required. A single syscall is sufficient.
Fix
Before passing raw_linkpath to the host kernel, check for absolute paths and either reject them or re-route through sc_convert_path_to_host + AT_FDCWD (the same path the dirfd == AT_FDCWD branch already takes):
if raw_linkpath.to_bytes().starts_with(b"/") {
return syscall_error(Errno::EACCES, "symlinkat", "absolute path bypasses dirfd sandbox");
}Other syscalls to be inspected
Any other *at syscall in this codebase using the same pattern — passing raw guest paths to the host kernel and relying on dirfd for confinement — is vulnerable to the same escape. The following should be audited:
openatrenameatunlinkatfchownat- Any other
*at variant
Severity
High — allows an unprivileged guest process to write arbitrary symlinks to the host filesystem with no preconditions beyond a valid file descriptor.
Summary
The
elsebranch ofsymlinkat_syscall(when a specificdirfdis provided) passes the raw, untranslated guestlinkpathstring directly to the host kernel. This allows a malicious guest to escape the cage sandbox by supplying an absolute path.Background
Per POSIX, all
*atsyscalls (e.g.openat,symlinkat,renameat) ignore thedirfdargument entirely when the provided path is absolute. The current code assumes thatdirfdconfinement is sufficient to keep the guest's path within the sandbox — but this assumption silently breaks for any path beginning with/.Vulnerable Code
Attack Scenario
A malicious guest executes:
/etc/cron.d/backdoor.symlinkat.kernel_fd, and creates the symlink at/etc/cron.d/backdooron the host filesystem — fully outside the cage.No memory corruption or exploit chain is required. A single syscall is sufficient.
Fix
Before passing
raw_linkpathto the host kernel, check for absolute paths and either reject them or re-route throughsc_convert_path_to_host+AT_FDCWD(the same path thedirfd == AT_FDCWDbranch already takes):Other syscalls to be inspected
Any other
*atsyscall in this codebase using the same pattern — passing raw guest paths to the host kernel and relying ondirfdfor confinement — is vulnerable to the same escape. The following should be audited:openatrenameatunlinkatfchownat*atvariantSeverity
High — allows an unprivileged guest process to write arbitrary symlinks to the host filesystem with no preconditions beyond a valid file descriptor.