On Tue, Jul 7, 2026 at 7:47 AM Neal Gompa <[email protected]> wrote: > > I don't entirely agree with this assessment. Fixing the handler so > that it doesn't execute it if it's not marked executable would largely > mitigate this problem too.
This does not work. Someone did *exactly* this and I was able to leverage it to escape sandboxes (vuln report is under embargo at the moment). When you use a binfmt-misc handler, then when the sandboxed executable tries to run the program, the kernel runs it *in* the sandbox. When you use a MIME handler that gates access on the executable bit, where the handler executes outside of the sandbox, then when the sandboxed executable calls the MIME handler on a marked-executable file, the file runs outside of (and thus escapes) the sandbox. -- Aaron -- _______________________________________________ devel mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
