Skip to content

bench(pier): root-run git against candidate-owned .git executes core.fsmonitor/filter programs (sandbox escape) #559

Description

@drewstone

Reported by the PR-review audit on #555 (against pre-existing main code that the PR's inflated diff pulled into review scope — see the PR thread). Filing separately since it is not part of that PR's contribution.

Vector: prepare_identity chown -R's the workspace roots including .git/ to the candidate uid (bench/pier_agents/process_boundary.py:100-103), so candidate code can write .git/config during run(). Afterwards _restore_profile_and_capture_solution (bench/pier_agents/tangle_candidate.py) runs git reset --mixed / add -A -- . / rm --cached / diff --cached / commit as root with only -c core.hooksPath=/dev/null neutralized. A candidate that sets core.fsmonitor=<script> (or a [filter] clean command + .gitattributes) gets that program executed as root by the evaluator's index refresh.

Precedent in-repo: the TS side already treats this as live — src/candidate-execution/git-materialize.ts:472-478 forces -c core.fsmonitor=false -c core.untrackedCache=false (+ protect flags) on every git invocation against untrusted worktrees. The Python bench evaluator should mirror that neutralization set on all post-run git commands, and candidate_git_env (bench/pier_agents/workspace_boundary.py:111-122) sets safe.directory but never core.fsmonitor.

Related (same trust boundary, from the same audit):

  • .sidecar metadata in the task root is staged by git add -A -- . into the candidate solution commit (':(exclude).sidecar' missing).
  • The isolated-user execution path (setpriv watchdog, uid kill loop, chown, uid-in-use probe) has no test coverage — every e2e test runs ISOLATE_CANDIDATE_USER=False.

Audit trace: https://gist.github.com/tangletools/ab779794ad57a8eb7b15acbcd7c85834

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions