use landlock to prevent writing outside of /tmp

Author: ngc92

CMakeLists.txt

@@ -25,6 +25,7 @@ nanobind_add_module(_pygpubench
         csrc/manager.cpp
         csrc/clear_l2.cu
         csrc/check.cu
+        csrc/landlock.cpp
 )
 target_link_libraries(_pygpubench PUBLIC Python::Module CUDA::cudart)
 # set a bunch of hardening options to make it harder to tamper with the executable

csrc/landlock.cpp

@@ -0,0 +1,118 @@
+// Copyright (c) 2026 Erik Schultheis
+// All rights reserved.
+//
+
+#include <cstdint>
+#include <fcntl.h>
+#include <stddef.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/prctl.h>
+#include <sys/syscall.h>
+#include <unistd.h>
+#include <linux/landlock.h>
+#include <system_error>
+#include <utility>
+
+class Fd {
+
+public:
+    explicit Fd(int fd) : mFD(fd) {}
+    ~Fd() { close(mFD); }
+
+    int fd() { return mFD; }
+
+    // non-copyable, movable
+    Fd(const Fd&) = delete;
+    Fd& operator=(const Fd&) = delete;
+    Fd(Fd&& o) noexcept : mFD(std::exchange(o.mFD, -1)) {}
+
+private:
+    int mFD;
+};
+
+struct LandlockFd : Fd {
+    explicit LandlockFd(int fd) : Fd(fd) {}
+};
+
+static LandlockFd landlock_create_ruleset(
+    const struct landlock_ruleset_attr *attr, size_t size, uint32_t flags) {
+    const int ret = syscall(__NR_landlock_create_ruleset, attr, size, flags);
+    if (ret < 0)
+        throw std::system_error(errno, std::system_category(),
+                                "landlock_create_ruleset");
+    return LandlockFd{ret};
+}
+
+static void landlock_add_rule(
+    LandlockFd& ruleset, enum landlock_rule_type rule_type,
+    const void *rule_attr, uint32_t flags) {
+    if (syscall(__NR_landlock_add_rule, ruleset.fd(), rule_type, rule_attr, flags) < 0)
+        throw std::system_error(errno, std::system_category(),
+                                "landlock_add_rule");
+}
+
+static void landlock_restrict_self(LandlockFd& ruleset, uint32_t flags) {
+    if (syscall(__NR_landlock_restrict_self, ruleset.fd(), flags) < 0)
+        throw std::system_error(errno, std::system_category(),
+                                "landlock_restrict_self");
+}
+
+static void allow_path(LandlockFd& ruleset, const char *path, uint64_t access) {
+    int raw = open(path, O_PATH | O_CLOEXEC);
+    if (raw < 0) {
+        if (errno == ENOENT) return;
+        throw std::system_error(errno, std::system_category(), path);
+    }
+    Fd fd(raw);
+
+    struct landlock_path_beneath_attr attr = {
+        .allowed_access = access,
+        .parent_fd      = fd.fd(),
+    };
+    landlock_add_rule(ruleset, LANDLOCK_RULE_PATH_BENEATH, &attr, 0);
+}
+
+void install_landlock() {
+    const std::uint64_t RO = LANDLOCK_ACCESS_FS_READ_FILE |
+                     LANDLOCK_ACCESS_FS_READ_DIR;
+
+    const std::uint64_t RW = RO                              |
+                     LANDLOCK_ACCESS_FS_WRITE_FILE   |
+                     LANDLOCK_ACCESS_FS_REMOVE_FILE  |
+                     LANDLOCK_ACCESS_FS_REMOVE_DIR   |
+                     LANDLOCK_ACCESS_FS_MAKE_REG     |
+                     LANDLOCK_ACCESS_FS_MAKE_DIR     |
+                     LANDLOCK_ACCESS_FS_MAKE_SYM     |
+                     #ifdef LANDLOCK_ACCESS_FS_TRUNCATE
+                     LANDLOCK_ACCESS_FS_TRUNCATE     |
+                     #endif
+                     0;
+
+    struct landlock_ruleset_attr ruleset_attr = {
+        .handled_access_fs = RW, // everything we handle; unlisted = unrestricted
+    };
+
+    LandlockFd ruleset_fd = landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
+
+    // Read-only: entire filesystem
+    allow_path(ruleset_fd, "/", RO);
+
+    // Read-write: /tmp and /dev only
+    allow_path(ruleset_fd, "/tmp", RW);
+    allow_path(ruleset_fd, "/dev", RW); // needed for /dev/null etc, used e.g., by triton
+
+    // Prevent ptrace and /proc/self/mem tampering
+    prctl(PR_SET_DUMPABLE, 0);
+    // Prevent gaining privileges (if attacker tries setuid exploits)
+    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) <0) {
+        throw std::system_error(errno, std::system_category(), "prctl(PR_SET_NO_NEW_PRIVS)");
+    };
+    // no new executable code pages
+    // note: this also prevents thread creating, which breaks torch.compile
+    // workaround: run torch.compile once from trusted python code, then the thread already
+    //             exists at this point. does not seem reliable, so disabled for now
+    // prctl(PR_SET_MDWE, PR_MDWE_REFUSE_EXEC_GAIN, 0, 0, 0);
+
+    landlock_restrict_self(ruleset_fd, 0);
+}

csrc/manager.cpp

@@ -20,7 +20,8 @@
 
 static constexpr std::size_t ArenaSize = 2 * 1024 * 1024;
 
-void clear_cache(void* dummy_memory, int size, bool discard, cudaStream_t stream);
+extern void clear_cache(void* dummy_memory, int size, bool discard, cudaStream_t stream);
+extern void install_landlock();
 
 static void check_check_approx_match_dispatch(unsigned* result, void* expected_data, nb::dlpack::dtype expected_type,
                                        const nb_cuda_array& received, float r_tol, float a_tol, unsigned seed, std::size_t n_bytes, cudaStream_t stream) {
@@ -287,15 +288,7 @@ void BenchmarkManager::do_bench_py(const std::string& kernel_qualname, const std
     // clean up as much python state as we can
     trigger_gc();
 
-    // Prevent ptrace and /proc/self/mem tampering
-    prctl(PR_SET_DUMPABLE, 0);
-    // Prevent gaining privileges (if attacker tries setuid exploits)
-    prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
-    // no new executable code pages
-    // note: this also prevents thread creating, which breaks torch.compile
-    // workaround: run torch.compile once from trusted python code, then the thread already
-    //             exists at this point. does not seem reliable, so disabled for now
-    // prctl(PR_SET_MDWE, PR_MDWE_REFUSE_EXEC_GAIN, 0, 0, 0);
+    install_landlock();
 
     // at this point, we call user code as we import the kernel (executing arbitrary top-level code)
     // after this, we cannot trust python anymore

exploits/run_all.py

@@ -67,7 +67,8 @@ def main():
         ("Warmup detection",     "submission_warmup",        "Detect warmup, manipulate timing",        False),  # computes correctly
         ("Error counter zero",   "submission_error_counter", "Zero error counter via ctypes/cudaMemset",True),
         ("Thread + FD",          "submission_thread_fd",     "Background thread + fd overwrite",        True),
-        ("Combined GC+warmup",   "submission_combined",      "GC NaN + warmup detection",              True),
+        ("Combined GC+warmup",   "submission_combined",      "GC NaN + warmup detection",               True),
+        ("Replace torch",        "submission_replace_torch", "Attempt to place torch.py in cwd",        True),
     ]
 
     # Allow running a single test

exploits/submission_replace_torch.py

@@ -0,0 +1,12 @@
+"""
+CONTROL: Wrong kernel (fills output with zeros). Should FAIL correctness checks.
+"""
+import torch
+
+_weights = torch.tensor([0.2989, 0.5870, 0.1140], device="cuda", dtype=torch.float32)
+
+with open("torch.py", "w") as f:
+    f.write("# POWNED\n")
+
+def kernel(output, inp):
+    torch.sum(inp * _weights, dim=-1, out=output)