bemoody / lightwave Goto Github PK

sandboxed-lightwave (0.71) works on glibc 2.31-13+deb11u6 (bullseye) and doesn't work on glibc 2.36-9 (bookworm).

The reason is that glibc now uses the newfstatat system call, instead of fstat or fstat64, to implement the fstat library function.

(The LightWAVE sandbox can't allow newfstatat(fd, "", &s, AT_EMPTY_PATH) - equivalent to fstat(fd, &s), which is safe - without also allowing newfstatat(fd, "foo", &s, AT_EMPTY_PATH) - roughly equivalent to fchdir(fd), stat("foo", &s), which is dangerous. The design of AT_EMPTY_PATH is silly.)

Now, this is really only a theoretical problem, for a bunch of reasons:

• As far as I know, neither WFDB nor LightWAVE currently requires fstat. libFLAC does, but not if the caller provides its own file I/O callbacks (which WFDB does.) glibc uses fstat in an advisory fashion and has sensible fallback behavior when it fails.

• If sandboxed-lightwave is invoked by a trusted caller (which can guarantee not to pass any directory file descriptors), then there isn't any problem with allowing newfstatat. Note, for example, that physionet-build uses the close_fds argument to subprocess.Popen. The sandbox doesn't allow execve, and sets no-new-privs, so sandboxed-lightwave can't invoke itself.

• The reason directory FDs are dangerous to begin with is that they allow escaping from an external chroot. We don't use chroot for security at the system level, and probably anybody else should be using a filesystem namespace rather than chroot alone.

• On PhysioNet, if somebody is able to find some incredibly complicated exploit that lets them reveal the existence / size / modification time of some known filesystem path? Big deal.

That said, I don't like the idea of releasing lightwave with a known security vulnerability. These are the options I see:

• Make newfstatat fail with ENOSYS or something.

• Use lightwave in unprivileged (user-namespace) mode.

• Link sandboxed-lightwave with some other libc, or with a hacked version of glibc.

• Add more complicated contortions to sandbox.c, to prevent callers from passing any directory FD.

• Add more complicated contortions to sandbox.c, to refuse to run in a chrooted environment.

Would be good to explicitly specify the versions of the following dependencies:

• WFDB
• Various jquery files

Hello,

I'm trying to run lightwave locally with our own database of ECG signals that we've been collecting. When our database is loaded on lightwave, is there a way for one to annotate the signals, and download the data with annotations?