The goal of this workshop is to illustrate how sandboxing can mitigate vulnerabilities. To showcase usefulness of sandboxing, we'll use an old and vulnerable version of ImageMagick which has long been fixed, but all kind of applications could still be impacted by similar vulnerabilities.

The CVE-2016-3714 vulnerability, aka ImageTragick, is caused by an insufficient shell characters filtering that can lead to (potentially remote) code execution. Thanks to Landlock, we'll restrict the convert tool's access rights before it can get exploited by opening a malicious file, and then mitigate the impact of such vulnerability.

See the slides dedicated to this Landlock workshop.

For this workshop, we will use Vagrant to set up a dedicated virtual machine (VM). Run the following commands as root according to your Linux distribution.

pacman -S vagrant libvirt base-devel dnsmasq
systemctl enable --now libvirtd.service

See the Arch Linux libvirt tutorial for more details.

apt install --no-install-recommends vagrant qemu-utils ruby-libvirt ruby-dev libvirt-daemon-system qemu-system

See the Debian KVM tutorial for more details.

dnf install vagrant qemu libvirt
systemctl enable --now virtnetworkd

Start libvirtd if needed:

systemctl start libvirtd.service

We then need to allow the developer (an unprivileged user) to use libvirt thanks to a dedicated group:

usermod -a -G libvirt <user>

This group update will take effect the next time the user logs in. Alternatively, the user can update a shell session with:

su $USER

As an unprivileged user, clone this repository:

git clone https://github.com/landlock-lsm/workshop-imagemagick
cd workshop-imagemagick

The Vagrant VM provisioning may install 2 vagrant plugins on the host system, other commands are executed in the VM. After plugins installation (if any) Vagrant may ask to execute the same command again to proceed the VM configuration:

vagrant up

If the Vagrant plugin installation failed because of a dependency issue, you might want to run this:

VAGRANT_DISABLE_STRICT_DEPENDENCY_ENFORCEMENT=1 vagrant plugin install --local

This may download a VM image (~330 MB) and packages (~230 MB). After the download is complete, it should take less than 4 minutes to install and build the requirements. It is OK to see a lot of build warnings because the ImageMagick source code is old compared to the build tools.

A virbr network interface will be created. On most systems this should work as is, but otherwise we may need to allow inbound connections (and routing) from the loopback interface according to host's firewall rules.

Just in case...

vagrant snapshot push

vagrant ssh

On the VM, run an ImageMagick command to test the attack:

convert /vagrant/exploit/malicious.mvg out.png

You should see the VM's SSH private key.

On the host system, check if you can copy files from the VM:

vagrant scp :out.png .
xdg-open out.png

You should see a white square.