crtxcr/exile.h
1
0
Fork 0
Code Issues 14 Pull Requests 1 Releases Wiki Activity

update README

Browse Source
This commit is contained in:
Albert S. 2021-05-22 20:51:09 +02:00
parent c57c79fa36
commit ade022ba62
1 changed files with 31 additions and 37 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

66
README.md
View File

@ -1,61 +1,55 @@
qssb.h (quite simple sandbox) # qssb.h (quite simple sandbox)
============================= `qssb.h` is a simple header-only library that provides an interface to sandbox processes on Linux. Using Seccomp and Linux Namespaces for that purpose requires some knowledge of annoying details which this library aims to abstract away as much as possible, when reasonable. Hence, the goal is to provide a convenient way for processes to restrict themselves in order to mitigate the effect of exploits. Currently, it utilizes technologies like Seccomp, Namespaces and Landlock to this end.
qssb.h is a simple header only library that provides an interface
to sandbox applications on Linux. Using Seccomp and Linux Namespaces for that
purpose requires some knowledge of annoying details which this library
aims to abstract away as much as possible.
Status ## Status
====== No release yet, expiremental, API is unstable, builds will break on updates of this library.
No release yet, API is unstable.
Features ## Features
========
- Systemcall filtering - Systemcall filtering (using seccomp-bpf)
- restricting file system access - restricting file system access (using Landlock and/or Namespaces)
- dropping privileges - dropping privileges
- isolating the application from the network, etc. - isolating the application from the network, etc.
Requirements ## Requirements
============
Kernel >=3.17 Kernel >=3.17
sys/capabilities.h header. Depending on your system, libcap
``sys/capabilities.h`` header. Depending on your distribution, libcap
might be needed for this. might be needed for this.
While mostly transparent to users of this API, kernel >= 5.13 is required to take advantage of Landlock.
FAQ
===
Does the process need to be priviliged to utilize the library? ## FAQ
----------------------------------------------------------------
### Does the process need to be priviliged to utilize the library?
No. No.
It doesn't work on Debian! ### It doesn't work on Debian!
--------------------------
You can thank a Debian-specific patch for that. In the future, You can thank a Debian-specific kernel patch for that. In the future,
the library may check against that. Execute the library may check against that. Execute
echo 1 > /proc/sys/kernel/unprivileged_userns_clone to disable that `echo 1 > /proc/sys/kernel/unprivileged_userns_clone` to disable that patch for now.
patch for now.
Documentation ### Examples
=============
To be written
Examples
========
- qswiki: https://gitea.quitesimple.org/crtxcr/qswiki - qswiki: https://gitea.quitesimple.org/crtxcr/qswiki
- cgit sandboxed: https://gitea.quitesimple.org/crtxcr/cgitsb - cgit sandboxed: https://gitea.quitesimple.org/crtxcr/cgitsb
- qpdfviewsb sandboxed (quick and dirty): https://gitea.quitesimple.org/crtxcr/qpdfviewsb - qpdfviewsb sandboxed (quick and dirty): https://gitea.quitesimple.org/crtxcr/qpdfviewsb
Contributing ### Contributing
============
Contributions are very welcome. Options: Contributions are very welcome. Options:
1) Pull-Request: github.com/quitesimpleorg/qssb
2) Mail to qssb at quitesimple.org with instructions 1. Pull-Request on [github](https://github.com/quitesimpleorg/qssb.h)
on where to pull the changes. 2. Mail to `qssb at quitesimple.org` with instructions on where to pull the changes from.
3) Mailing a classic patch. 3. Mailing a classic patch/diff to the same address.
License License
======= =======