updated README

このコミットが含まれているのは:
Albert S. 2019-11-15 21:53:26 +01:00
コミット 1b8504c052
2個のファイルの変更62行の追加14行の削除


@ -1,10 +1,13 @@
qssb (quite simple sandbox)
===========================
qssb.h is a simple header only library for easy sandboxing of
applications.
qssb.h (quite simple sandbox)
=============================
qssb.h is a simple header only library that provides an interface
to sandbox applications. Using Seccomp and Linux Namespaces for that
purpose requires some knowledge of annoying details which this library
aims to abstract away as much as possible.
It aims to provide an interface to avoid the annoying details that
using Seccomp and Linux Namespaces requires.
Status
======
No release yet, API is unstable.
Features
========
@ -13,11 +16,25 @@ privileges, isolating the application from the network, etc.
Requirements
============
Kernel x.y.z.
Kernel >=3.17
sys/capabilities.h header. Depending on your system, libcap
might be needed for this.
Status
======
No release yet, API is unstable.
FAQ
===
Does the process need to be priviliged to utilize the library?
----------------------------------------------------------------
No.
It doesn't work on Debian!
--------------------------
You can thank a Debian-specific patch for that. In the future,
the library may check against that. Execute
echo 1 > /proc/sys/kernel/unprivileged_userns_clone to disable that
patch for now.
Documentation
=============
@ -30,7 +47,7 @@ Real world project: cgit sandboxed: https://git.quitesimple.org/cgitsb
Contributing
============
Contributations are very welcome. Options:
Contributions are very welcome. Options:
1) Pull-Request: github.com/quitesimpleorg/qssb
2) Mail to qssb at quitesimple.org with instructions
on where to pull the changes.

qssb.h

@ -140,7 +140,18 @@ int random_string(char *buffer, size_t buffer_length)
static int mkdir_structure(const char *p, mode_t mode)
{
char path[PATH_MAX] = { 0 };
snprintf(path, sizeof(path), "%s/", p);
int res = snprintf(path, sizeof(path), "%s/", p);
if(res < 0)
{
QSSB_LOG_ERROR("qssb: mkdir_strucutre: error during path concatination\n");
return -EINVAL;
}
if(res >= PATH_MAX)
{
QSSB_LOG_ERROR("qssb: mkdir_structure: path concatination truncated\n");
return -EINVAL;
}
char *begin = path;
char *end = begin+1;
@ -193,7 +204,17 @@ static int mount_to_chroot(const char *chroot_target_path, char **paths, unsigne
while(path != NULL)
{
char path_inside_chroot[PATH_MAX];
snprintf(path_inside_chroot, sizeof(path_inside_chroot), "%s/%s", chroot_target_path, path);
int written = snprintf(path_inside_chroot, sizeof(path_inside_chroot), "%s/%s", chroot_target_path, path);
if(written < 0)
{
QSSB_LOG_ERROR("qssb: mount_to_chroot: Error during path concatination\n");
return -EINVAL;
}
if(written >= PATH_MAX)
{
QSSB_LOG_ERROR("qssb: mount_to_chroot: path concatination truncated\n");
return -EINVAL;
}
int ret = mkdir_structure(path_inside_chroot, 0700);
if(ret < 0)
{
@ -404,7 +425,17 @@ int qssb_enable_policy(struct qssb_policy *policy)
char random_str[17];
if(random_string(random_str, sizeof(random_str)) == 16)
{
snprintf(target_dir, sizeof(target_dir), "%s/.sandbox_%" PRIdMAX "_%s", QSSB_TEMP_DIR, (intmax_t)getpid(), random_str);
int res = snprintf(target_dir, sizeof(target_dir), "%s/.sandbox_%" PRIdMAX "_%s", QSSB_TEMP_DIR, (intmax_t)getpid(), random_str);
if(res < 0)
{
QSSB_LOG_ERROR("qssb: qssb_enable_policy: error during path concatination\n");
return -EINVAL;
}
if(res >= PATH_MAX)
{
QSSB_LOG_ERROR("qssb: qssb_enable_policy: path concatination truncated\n");
return -EINVAL;
}
policy->chroot_target_path = target_dir;
}
else
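Review bot: In the qssb_enable_policy hunk the truncation guard compares `res` against `PATH_MAX`, but the size actually handed to snprintf is `sizeof(target_dir)`, and target_dir's declaration is outside the hunk, so the guard is only correct if that buffer happens to be PATH_MAX bytes; tying the check to the same quantity, `if((size_t)res >= sizeof(target_dir))`, keeps it right if the declaration ever changes. The mkdir_structure and mount_to_chroot hunks use the same `>= PATH_MAX` pattern, which is correct there because both buffers are visibly declared `[PATH_MAX]`, but `sizeof(buf)` would be the more robust form in all three places. These guards matter for the sandbox's integrity, since a silently truncated path would be used as the chroot target or as a mount point inside it, so it is good that a truncated result now fails with -EINVAL rather than proceeding. The log strings carry typos worth fixing while touching them: `"mkdir_strucutre"` in the first hunk and `"concatination"` in all three. qssb_enable_policy's body continues outside the hunk, so I could not check whether anything created earlier in it needs cleanup on these new early returns.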