Description

BoxLite: Permission Bypass Allows Modification of Read-Only Files #### Summary Boxlite is a sandbox service that allows users to create lightweight virtual machines (Boxes) and launch OCI containers within them to run untrusted code. One of the core security features claimed by Boxlite is the ability to mount host directories in read-only mode (read_only=True) into the VM via the virtiofs protocol (a host-guest shared filesystem protocol designed specifically for virtual machines), so that untrusted code can only read but not modify host data. Since the underlying function of the lightweight VM library libkrun used by Boxlite does not support mounting in read-only mode, Boxlite chooses to implement read-only by adding the MS_RDONLY flag when mounting the directory after the VM starts. However, because Boxlite does not restrict the kernel capabilities available inside the container, malicious code can remount the directory in rw mode, thereby gaining write access to that directory. This allows malicious code to perform arbitrary write operations on directories that should be read-only. In typical usage scenarios of Boxlite, an attacker can leverage this vulnerability to gain code execution capability on the host. For example, in AI Agent scenarios, user code, virtual environments, credentials, configuration files, and other content are often mounted in read-only mode into the container. Malicious code inside the sandbox can modify this information, such as planting malicious code, to gain code execution capability on the host, which may further introduce supply chain risks. #### Details 1. User-Facing API Documents Read-Only Guarantee File: boxlite/src/runtime/options.rs Function: VolumeSpec (line 223) Code: rust /// Filesystem mount specification. pub struct VolumeSpec { pub host_path: String, pub guest_path: String, pub read_only: bool, // <-- operator sets this to restrict guest write access } Issue: The read_only field is documented (and in user-facing guides) as preventing the guest from writing to the host directory. The guarantee is "Agent can read but not write." This expectation is not met. 2. read_only Stored in FsShare — Passed to krun Without Enforcement File: boxlite/src/vmm/krun/engine.rs Function: Krun::create() (line 334) Code: rust for share in config.fs_shares.shares() { let path_str = share.host_path.to_str().ok_or_else(|| { ... })?; tracing::info!( " {} → {} ({})", share.tag, share.host_path.display(), if share.read_only { "ro" } else { "rw" } // Logged but NOT passed to krun ); ctx.add_virtiofs(&share.tag, path_str)?; // <-- read_only silently dropped } Issue: share.read_only is logged as "ro" or "rw" but is never passed to add_virtiofs. The actual hypervisor call receives only tag and host path. 3. Hypervisor FFI Has No Read-Only Parameter File: boxlite/src/vmm/krun/context.rs Function: add_virtiofs() (line 423) Code: rust pub unsafe fn add_virtiofs(&self, mount_tag: &str, host_path: &str) -> BoxliteResult<()> { let host_path_c = CString::new(host_path) .map_err(|e| BoxliteError::Engine(format!("invalid host path: {e}")))?; let mount_tag_c = CString::new(mount_tag) .map_err(|e| BoxliteError::Engine(format!("invalid mount tag: {e}")))?; check_status("krun_add_virtiofs", unsafe { krun_add_virtiofs(self.ctx_id, mount_tag_c.as_ptr(), host_path_c.as_ptr()) // No read_only parameter — libkrun exposes the share as read-write to the guest }) } Issue: krun_add_virtiofs in the FFI (deps/libkrun-sys/src/lib.rs:35) takes only ctx_id, mount_tag, and host_path. There is no read-only flag. Libkrun exposes the virtiofs share to the guest with full read-write access at the device level. 4. Read-Only Enforcement Is Delegated to Guest Agent (Zone 0) File: boxlite/src/volumes/guest_volume.rs Function: build_guest_mounts() (line 184) Code: rust for entry in &self.fs_shares { let mount_point = entry.guest_path.as_deref().unwrap_or(""); volumes.push(VolumeConfig::virtiofs( &entry.tag, mount_point, entry.read_only, // <-- sent to guest agent as instruction entry.container_id.clone(), )); } Issue: The read_only flag is sent to the guest agent via gRPC as a mount instruction. The guest agent is expected to pass -o ro to the mount syscall. But the guest runs Zone 0 code — untrusted, assumed malicious. A compromised or malicious guest simply ignores this instruction. 5. FFI Declaration Confirms No Read-Only Variant Exists File: boxlite/deps/libkrun-sys/src/lib.rs Function: krun_add_virtiofs extern declaration (line 35) Code: rust extern "C" { pub fn krun_add_virtiofs( ctx_id: u32, mount_tag: *const c_char, host_path: *const c_char, ) -> i32; // No krun_add_virtiofs_ro or equivalent declared } Issue: There is no alternative read-only virtiofs FFI function declared. The entire codebase has no krun_add_virtiofs_ro or read-only parameter variant. Enforcement at the hypervisor level does not exist. 6. OCI Spec Builder Grants All Capabilities File: guest/src/container/capabilities.rs Function: all_capabilities() (line 19) Code: rust pub fn all_capabilities() -> HashSet<Capability> { [ // ... Capability::SysModule, // 16: load/unload kernel modules Capability::SysRawio, // 17: perform I/O port operations Capability::SysAdmin, // 21: various admin operations Capability::NetAdmin, // 12: network administration Capability::NetRaw, // 13: use RAW/PACKET sockets Capability::MacOverride, // 32: override MAC Capability::Bpf, // 39: BPF operations // ... all 41 capabilities ] .into_iter() .collect() } Issue: Returns all 41 capabilities including the most dangerous ones, like Capability::SysAdmin. The function comment itself says "maximum compatibility but reduced security isolation." #### PoC 1. Install Boxlite following the official tutorial. 2. Run the following Python script: ```python import asyncio import os import tempfile import sys from boxlite import Boxlite, BoxOptions async def run(box, cmd): """Run shell command via native box.exec API.""" execution = await box.exec("sh", ["-c", cmd], None) stdout_stream = execution.stdout() stderr_stream = execution.stderr() stdout_lines, stderr_lines = [], [] async def read_stdout(): async for line in stdout_stream: stdout_lines.append(line if isinstance(line, str) else line.decode('utf-8', errors='replace')) async def read_stderr(): async for line in stderr_stream: stderr_lines.append(line if isinstance(line, str) else line.decode('utf-8', errors='replace')) await asyncio.gather(read_stdout(), read_stderr()) result = await execution.wait() return { 'exit_code': result.exit_code, 'stdout': ''.join(stdout_lines), 'stderr': ''.join(stderr_lines), } async def main(): # Step 1: Set up host directory with a read-only file host_dir = tempfile.mkdtemp(prefix="virtiofs_ro_poc_") ro_file = os.path.join(host_dir, "read_only.txt") with open(ro_file, "w") as f: f.write("original content\n") print(f"[+] Step 1: Host directory created: {host_dir}") print(f" read_only.txt: {open(ro_file).read().strip()}") print() guest_mount = "/mnt/sensitive" print(f"[+] Step 2: Launching BoxLite VM with:") print(f" volumes=[('{host_dir}', '{guest_mount}', True)] # read_only=True") print() try: runtime = Boxlite.default() opts = BoxOptions( image="alpine:latest", volumes=[(host_dir, guest_mount, True)], # <-- read_only=True memory_mib=512, cpus=1, auto_remove=True, ) box = await runtime.create(opts) async with box: print("[+] Step 3: VM booted. Checking virtiofs mount state...") r = await run(box, f"cat /proc/mounts | grep sensitive") print(f" /proc/mounts: {r['stdout'].strip()}") print() print("[+] Step 4: Testing write protection (initial state)...") r2 = await run(box, f"echo 'modified content' > {guest_mount}/read_only.txt 2>&1; echo write_exit:$?") out = r2['stdout'].strip() print(f" Write attempt:

Mitigation

Aliases

References