updated README
Dieser Commit ist enthalten in:
Ursprung
6f1b27ee51
Commit
1b8504c052
39
README.md
39
README.md
@ -1,10 +1,13 @@
|
||||
qssb (quite simple sandbox)
|
||||
===========================
|
||||
qssb.h is a simple header only library for easy sandboxing of
|
||||
applications.
|
||||
qssb.h (quite simple sandbox)
|
||||
=============================
|
||||
qssb.h is a simple header only library that provides an interface
|
||||
to sandbox applications. Using Seccomp and Linux Namespaces for that
|
||||
purpose requires some knowledge of annoying details which this library
|
||||
aims to abstract away as much as possible.
|
||||
|
||||
It aims to provide an interface to avoid the annoying details that
|
||||
using Seccomp and Linux Namespaces requires.
|
||||
Status
|
||||
======
|
||||
No release yet, API is unstable.
|
||||
|
||||
Features
|
||||
========
|
||||
@ -13,11 +16,25 @@ privileges, isolating the application from the network, etc.
|
||||
|
||||
Requirements
|
||||
============
|
||||
Kernel x.y.z.
|
||||
Kernel >=3.17
|
||||
sys/capabilities.h header. Depending on your system, libcap
|
||||
might be needed for this.
|
||||
|
||||
Status
|
||||
======
|
||||
No release yet, API is unstable.
|
||||
|
||||
|
||||
FAQ
|
||||
===
|
||||
|
||||
Does the process need to be priviliged to utilize the library?
|
||||
----------------------------------------------------------------
|
||||
No.
|
||||
|
||||
It doesn't work on Debian!
|
||||
--------------------------
|
||||
You can thank a Debian-specific patch for that. In the future,
|
||||
the library may check against that. Execute
|
||||
echo 1 > /proc/sys/kernel/unprivileged_userns_clone to disable that
|
||||
patch for now.
|
||||
|
||||
Documentation
|
||||
=============
|
||||
@ -30,7 +47,7 @@ Real world project: cgit sandboxed: https://git.quitesimple.org/cgitsb
|
||||
|
||||
Contributing
|
||||
============
|
||||
Contributations are very welcome. Options:
|
||||
Contributions are very welcome. Options:
|
||||
1) Pull-Request: github.com/quitesimpleorg/qssb
|
||||
2) Mail to qssb at quitesimple.org with instructions
|
||||
on where to pull the changes.
|
||||
|
37
qssb.h
37
qssb.h
@ -140,7 +140,18 @@ int random_string(char *buffer, size_t buffer_length)
|
||||
static int mkdir_structure(const char *p, mode_t mode)
|
||||
{
|
||||
char path[PATH_MAX] = { 0 };
|
||||
snprintf(path, sizeof(path), "%s/", p);
|
||||
int res = snprintf(path, sizeof(path), "%s/", p);
|
||||
if(res < 0)
|
||||
{
|
||||
QSSB_LOG_ERROR("qssb: mkdir_strucutre: error during path concatination\n");
|
||||
return -EINVAL;
|
||||
}
|
||||
if(res >= PATH_MAX)
|
||||
{
|
||||
QSSB_LOG_ERROR("qssb: mkdir_structure: path concatination truncated\n");
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
|
||||
char *begin = path;
|
||||
char *end = begin+1;
|
||||
@ -193,7 +204,17 @@ static int mount_to_chroot(const char *chroot_target_path, char **paths, unsigne
|
||||
while(path != NULL)
|
||||
{
|
||||
char path_inside_chroot[PATH_MAX];
|
||||
snprintf(path_inside_chroot, sizeof(path_inside_chroot), "%s/%s", chroot_target_path, path);
|
||||
int written = snprintf(path_inside_chroot, sizeof(path_inside_chroot), "%s/%s", chroot_target_path, path);
|
||||
if(written < 0)
|
||||
{
|
||||
QSSB_LOG_ERROR("qssb: mount_to_chroot: Error during path concatination\n");
|
||||
return -EINVAL;
|
||||
}
|
||||
if(written >= PATH_MAX)
|
||||
{
|
||||
QSSB_LOG_ERROR("qssb: mount_to_chroot: path concatination truncated\n");
|
||||
return -EINVAL;
|
||||
}
|
||||
int ret = mkdir_structure(path_inside_chroot, 0700);
|
||||
if(ret < 0)
|
||||
{
|
||||
@ -404,7 +425,17 @@ int qssb_enable_policy(struct qssb_policy *policy)
|
||||
char random_str[17];
|
||||
if(random_string(random_str, sizeof(random_str)) == 16)
|
||||
{
|
||||
snprintf(target_dir, sizeof(target_dir), "%s/.sandbox_%" PRIdMAX "_%s", QSSB_TEMP_DIR, (intmax_t)getpid(), random_str);
|
||||
int res = snprintf(target_dir, sizeof(target_dir), "%s/.sandbox_%" PRIdMAX "_%s", QSSB_TEMP_DIR, (intmax_t)getpid(), random_str);
|
||||
if(res < 0)
|
||||
{
|
||||
QSSB_LOG_ERROR("qssb: qssb_enable_policy: error during path concatination\n");
|
||||
return -EINVAL;
|
||||
}
|
||||
if(res >= PATH_MAX)
|
||||
{
|
||||
QSSB_LOG_ERROR("qssb: qssb_enable_policy: path concatination truncated\n");
|
||||
return -EINVAL;
|
||||
}
|
||||
policy->chroot_target_path = target_dir;
|
||||
}
|
||||
else
|
||||
|
Laden…
In neuem Issue referenzieren
Einen Benutzer sperren