exile.h/README.md

# qssb.h (quite simple sandbox)
`qssb.h` is a simple header-only library that provides an interface to sandbox processes on Linux. Using Seccomp and Linux Namespaces for that purpose requires some knowledge of annoying details which this library aims to abstract away as much as possible, when reasonable. Hence, the goal is to provide a convenient way for processes to restrict themselves in order to mitigate the effect of exploits. Currently, it utilizes technologies like Seccomp, Namespaces and Landlock to this end. 

## Status
No release yet, expiremental, API is unstable, builds will break on updates of this library. 

## Features

  - Systemcall filtering (using seccomp-bpf)
  - restricting file system access (using Landlock and/or Namespaces)
  - dropping privileges 
  - isolating the application from the network, etc.

## Requirements

Kernel >=3.17

``sys/capabilities.h`` header. Depending on your distribution, libcap
might be needed for this.

While mostly transparent to users of this API, kernel >= 5.13 is required to take advantage of Landlock.


## FAQ


### Does the process need to be priviliged to utilize the library?

No. 

### It doesn't work on Debian!

You can thank a Debian-specific kernel patch for that. In the future,
the library may check against that. Execute
`echo 1 > /proc/sys/kernel/unprivileged_userns_clone` to disable that patch for now.

### Examples

  - qswiki: https://gitea.quitesimple.org/crtxcr/qswiki
  - cgit sandboxed: https://gitea.quitesimple.org/crtxcr/cgitsb
  - qpdfviewsb sandboxed (quick and dirty): https://gitea.quitesimple.org/crtxcr/qpdfviewsb


### Contributing

Contributions are very welcome. Options: 

1. Pull-Request on [github](https://github.com/quitesimpleorg/qssb.h)
2. Mail to `qssb at quitesimple.org` with instructions on where to pull the changes from.
3. Mailing a classic patch/diff to the same address.


License
=======
ISC
update README 2021-05-22 20:51:09 +02:00			`# qssb.h (quite simple sandbox)`
			`qssb.h` is a simple header-only library that provides an interface to sandbox processes on Linux. Using Seccomp and Linux Namespaces for that purpose requires some knowledge of annoying details which this library aims to abstract away as much as possible, when reasonable. Hence, the goal is to provide a convenient way for processes to restrict themselves in order to mitigate the effect of exploits. Currently, it utilizes technologies like Seccomp, Namespaces and Landlock to this end.

			`## Status`
			`No release yet, expiremental, API is unstable, builds will break on updates of this library.`

			`## Features`

			`- Systemcall filtering (using seccomp-bpf)`
			`- restricting file system access (using Landlock and/or Namespaces)`
Update README.md: Update example projects links, minor improvements 2020-09-26 17:21:28 +02:00			`- dropping privileges`
			`- isolating the application from the network, etc.`
Initial commit 2019-10-13 17:57:12 +02:00
update README 2021-05-22 20:51:09 +02:00			`## Requirements`

updated README 2019-11-15 21:53:26 +01:00			`Kernel >=3.17`
update README 2021-05-22 20:51:09 +02:00
			``sys/capabilities.h`` header. Depending on your distribution, libcap
updated README 2019-11-15 21:53:26 +01:00			`might be needed for this.`
Initial commit 2019-10-13 17:57:12 +02:00
update README 2021-05-22 20:51:09 +02:00			`While mostly transparent to users of this API, kernel >= 5.13 is required to take advantage of Landlock.`

updated README 2019-11-15 21:53:26 +01:00

update README 2021-05-22 20:51:09 +02:00			`## FAQ`
updated README 2019-11-15 21:53:26 +01:00

update README 2021-05-22 20:51:09 +02:00			`### Does the process need to be priviliged to utilize the library?`

			`No.`

			`### It doesn't work on Debian!`

			`You can thank a Debian-specific kernel patch for that. In the future,`
updated README 2019-11-15 21:53:26 +01:00			`the library may check against that. Execute`
update README 2021-05-22 20:51:09 +02:00			`echo 1 > /proc/sys/kernel/unprivileged_userns_clone` to disable that patch for now.
Initial commit 2019-10-13 17:57:12 +02:00
update README 2021-05-22 20:51:09 +02:00			`### Examples`
Initial commit 2019-10-13 17:57:12 +02:00
Update README.md: Update example projects links, minor improvements 2020-09-26 17:21:28 +02:00			`- qswiki: https://gitea.quitesimple.org/crtxcr/qswiki`
			`- cgit sandboxed: https://gitea.quitesimple.org/crtxcr/cgitsb`
			`- qpdfviewsb sandboxed (quick and dirty): https://gitea.quitesimple.org/crtxcr/qpdfviewsb`
Initial commit 2019-10-13 17:57:12 +02:00

update README 2021-05-22 20:51:09 +02:00			`### Contributing`

updated README 2019-11-15 21:53:26 +01:00			`Contributions are very welcome. Options:`
update README 2021-05-22 20:51:09 +02:00
			`1. Pull-Request on [github](https://github.com/quitesimpleorg/qssb.h)`
			2. Mail to `qssb at quitesimple.org` with instructions on where to pull the changes from.
			`3. Mailing a classic patch/diff to the same address.`

Initial commit 2019-10-13 17:57:12 +02:00
			`License`
			`=======`
			`ISC`