Skip to content

[ML] Add Sandbox2 security integration for PyTorch inference #2873

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 20 commits into
base: main
Choose a base branch
from
Draft

[ML] Add Sandbox2 security integration for PyTorch inference #2873

wants to merge 20 commits into from

Conversation

@valeriy42
Copy link
Contributor

@valeriy42 valeriy42 commented Oct 28, 2025

Overview

This PR introduces Sandbox2 security integration to enhance the security posture of the PyTorch inference process in the ML-CPP codebase.

Changes

Security Enhancements

  • Sandbox2 Integration: Added comprehensive Sandbox2 security framework integration
  • Process Isolation: Implemented secure process spawning with privilege dropping
  • Security Testing: Added comprehensive test suite to validate security constraints

Build System Updates

  • CMake Integration: Updated build system to include Sandbox2 dependencies
  • Third-party Dependencies: Added Abseil and Sandbox2 as third-party dependencies
  • License Compliance: Added proper license files for all new dependencies

Key Components

  • Core implementation for secure process spawning
  • Comprehensive test suite validating security constraints
  • Updated CMakeLists.txt files across multiple components
  • Proper license attribution for all dependencies

Security Benefits

  • Process Isolation: PyTorch inference processes run in isolated sandboxes
  • Privilege Dropping: Processes run with minimal required privileges
  • Resource Constraints: Sandbox2 enforces memory, CPU, and system call limitations
  • Attack Surface Reduction: Malicious PyTorch models cannot escape sandbox constraints

Testing

  • Added comprehensive unit tests validating security constraints
  • Tests verify privilege dropping, resource limits, and sandbox enforcement
  • All existing tests continue to pass

Dependencies

  • Sandbox2: Google's sandboxing framework for Linux
  • Abseil: Google's C++ common libraries (required by Sandbox2)

This enhancement significantly improves the security posture of the ML-CPP system by ensuring that PyTorch inference processes cannot compromise the host system.

@prodsecmachine
Copy link

prodsecmachine commented Oct 28, 2025
edited
Loading

Snyk checks have passed. No issues have been found so far.

Status Scanner Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues
Licenses 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

@valeriy42 valeriy42 changed the title Add Sandbox2 security integration for PyTorch inference [ML] Add Sandbox2 security integration for PyTorch inference Oct 28, 2025
@valeriy42 valeriy42 marked this pull request as draft October 28, 2025 14:00
@valeriy42
Enhance Sandbox2 integration tests and policy handling
2c5775e 
- Added new tests for Sandbox2 functionality, including privilege validation, filesystem isolation, and syscall filtering.
- Introduced a TestCleanup class for managing temporary files during tests.
- Updated the CDetachedProcessSpawner_Linux.cc to support new command line arguments for log handling and model path.
- Renamed modelDir to modelPath for clarity and adjusted policy building to accommodate file access.
- Improved overall test coverage for Sandbox2 features and ensured graceful degradation when Sandbox2 is not available.
@valeriy42
Refactor Sandbox2 handling in CDetachedProcessSpawner_Linux
9b8da0f 
- Improved error handling for cases when Sandbox2 is disabled or unavailable for pytorch_inference processes.
- Enhanced logging to provide clearer feedback on spawning failures with Sandbox2.
- Updated comments for clarity regarding the fallback to standard posix_spawn for non-pytorch_inference processes.
@valeriy42
Implement Sandbox2 syscall policy for ML processes
ac67539 
- Added a new function to apply standard ML syscall restrictions using Sandbox2's PolicyBuilder, ensuring consistent security across ML processes.
- Updated the CDetachedProcessSpawner_Linux to utilize the new syscall policy for pytorch_inference, eliminating the need for seccomp filtering in this context.
- Enhanced comments and documentation to outline future migration plans for other ML processes to Sandbox2.
- Noted the gradual transition from seccomp filters to Sandbox2 policies in the CSystemCallFilter_Linux implementation.
@valeriy42
formatting
b43e999
@valeriy42
fix header
5cd22f9
@valeriy42
sandbox2 library correctly linked
5c5a2a0
@valeriy42
Refactor Sandbox2 policy handling in unit tests
0fe86f5 
- Removed SetUserAndGroup from PolicyBuilder due to updates in the sandboxed-api.
- Updated AddTmpfs to include a size parameter for better resource management.
- Refactored Sandbox2 instantiation to use unique_ptr for the executor, improving memory management.
- Enhanced comments to clarify changes and provide context for future updates.
@valeriy42
test 1 passes without sandbox2
9dadd42
@valeriy42
benign model passes. policy very permissive.
404c6b5
@valeriy42
evil model generator
878fadf
@valeriy42
restrict policies.
d4adb62
@valeriy42
Refactor syscall definitions in CDetachedProcessSpawner_Linux
d60ba2f 
- Removed outdated syscall number definitions and replaced them with fallback definitions for newer syscalls, ensuring compatibility with RHEL8 headers.
- Updated the handling of input pipes in the sandbox policy to allow read and write access, improving functionality.
- Enhanced comments for better clarity on syscall handling and future maintenance.
@valeriy42
formatting
fbc3c00
@valeriy42 valeriy42 added the ci:run-qa-tests Run a subset of the QA tests label Nov 6, 2025
@valeriy42
changelog
9d5d2ba
@valeriy42
patch SAPI cmake file to make Python3 dependency optional
7506aab
@valeriy42
Merge branch 'enhancement/sandbox2' of https://github.com/valeriy42/m…
6f49269 
…l-cpp into enhancement/sandbox2
@valeriy42
fix python checks on CI
ac26ca6
@valeriy42
Remove Sandbox2 security tests and add CDetachedProcessSpawner tests …
ec5cde2 
…for Linux

- Deleted Sandbox2SecurityTest.cc as it is no longer needed.
- Updated CMakeLists.txt to remove references to the deleted test file.
- Introduced CDetachedProcessSpawnerTest_Linux.cc, which includes tests for process spawning and integration with Sandbox2.
- Enhanced CMakeLists.txt to link against Sandbox2 libraries for the new tests.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

ci:run-qa-tests Run a subset of the QA tests >enhancement :ml v9.3.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@valeriy42 @prodsecmachine