update README

This commit is contained in:
Albert S. 2021-05-22 20:51:09 +02:00
parent 946492c28e
commit 4b8aa4b7e1


@ -1,61 +1,63 @@
qssb.h (quite simple sandbox)
=============================
qssb.h is a simple header only library that provides an interface
to sandbox applications on Linux. Using Seccomp and Linux Namespaces for that
purpose requires some knowledge of annoying details which this library
aims to abstract away as much as possible.
# qssb.h (quite simple sandbox)
`qssb.h` is a simple header-only library that wants to provides an interface to sandbox applications on Linux. Using Seccomp and Linux Namespaces for that purpose requires some knowledge of annoying details which this library aims to abstract away as much as possible, when reasonable.
Status
======
No release yet, API is unstable.
Hence, the goal is to provide an easy way to processes to restrict themselves in order to mitigate the effect of exploits. Currently, it utilizes technologies like Seccomp, Namespaces and Landlock to achieve this end.
In the end, sandboxing must be considered in the software architecture, e. g. by employing the common multi-process model that offloads certain computations to individual, restricted processes. This library does not directly address those architecture related questions.
## Status
No release yet, expiremental, API is unstable, builds will break on updates of this library.
## Documentation
See [docs](./docs/)
## Features
Features
========
- Systemcall filtering
- restricting file system access
- dropping privileges
- isolating the application from the network, etc.
Requirements
============
## Requirements
Kernel >=3.17
sys/capabilities.h header. Depending on your system, libcap
``sys/capabilities.h`` header. Depending on your distribution, libcap
might be needed for this.
While mostly transparent to users of this API, kernel >= 5.13 is required to take advantage of Landlock.
FAQ
===
Does the process need to be priviliged to utilize the library?
----------------------------------------------------------------
No.
## FAQ
It doesn't work on Debian!
--------------------------
You can thank a Debian-specific patch for that. In the future,
### Does the process need to be priviliged to utilize the library?
No.
### It doesn't work on Debian!
You can thank a Debian-specific kernel patch for that. In the future,
the library may check against that. Execute
echo 1 > /proc/sys/kernel/unprivileged_userns_clone to disable that
patch for now.
`echo 1 > /proc/sys/kernel/unprivileged_userns_clone` to disable that patch for now.
Documentation
=============
To be written
### Examples
Examples
========
- qswiki: https://gitea.quitesimple.org/crtxcr/qswiki
- cgit sandboxed: https://gitea.quitesimple.org/crtxcr/cgitsb
- qpdfviewsb sandboxed (quick and dirty): https://gitea.quitesimple.org/crtxcr/qpdfviewsb
Contributing
============
### Contributing
Contributions are very welcome. Options:
1) Pull-Request: github.com/quitesimpleorg/qssb
2) Mail to qssb at quitesimple.org with instructions
on where to pull the changes.
3) Mailing a classic patch.
1. Pull-Request on [github](https://github.com/quitesimpleorg/qssb)
2. Mail to `qssb at quitesimple.org` with instructions on where to pull the changes from.
3. Mailing a classic patch/diff to the same address.
License
=======
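Review bot: the "It doesn't work on Debian!" answer in this hunk tells the reader to run `echo 1 > /proc/sys/kernel/unprivileged_userns_clone` without saying what that does: it switches off a distribution hardening default (Debian ships unprivileged user namespaces disabled) for every unprivileged process on the host, not just the sandboxed one, and the change is lost on reboot. Suggest the README state that trade-off plainly so the workaround is not copied into deployment scripts unreflected, e.g. "This re-enables unprivileged user namespaces system-wide; the setting does not persist across reboots." Smaller points in the added markdown lines: "wants to provides an interface" should read "wants to provide an interface", "an easy way to processes to restrict themselves" should read "for processes", "expiremental" and "priviliged" are misspelled, and the new `### Examples` and `### Contributing` headings sit at the third level, which nests them under the `## FAQ` section, whereas the removed `===` underlines marked them as top-level sections like `## Features` and `## Requirements`; `##` would preserve the original structure.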