Painless Linux sandboxing API

Go to file

Albert S 3780509078 Introduce flags indicating errors to catch non-checked return codes Certain functions can fail before we execute exile_enable_policy(). While the return code should be checked, it's easily forgotten. For most users, checking just the exile_enable_policy() return code should suffice. exile_append_path_policies(): Add check whether a path exists. If not, set the error flag. This also allows an early exit, allowing to cleanly handle the case when a path does not exist. Previously, this was only caught during activation, and a failure there is generally undefined.		2022-01-16 21:46:11 +01:00
exile.h	Introduce flags indicating errors to catch non-checked return codes	2022-01-16 21:46:11 +01:00
Makefile	Start implementing tests	2021-06-05 20:11:07 +02:00
README.md	rename to exile.h	2021-11-30 18:19:15 +01:00
test.c	Introduce flags indicating errors to catch non-checked return codes	2022-01-16 21:46:11 +01:00
test.sh	rename to exile.h	2021-11-30 18:19:15 +01:00

README.md

exile.h

exile.h is a simple header-only library that provides an interface to isolate processes on Linux. Using Seccomp and Linux Namespaces for that purpose requires some knowledge of annoying details which this library aims to abstract away as much as possible, when reasonable. Hence, the goal is to provide a convenient way for processes to restrict themselves in order to mitigate the effect of exploits. Currently, it utilizes technologies like Seccomp, Namespaces and Landlock to this end.

Status

No release yet, expiremental, API is unstable, builds will break on updates of this library.

Currently, it's mainly evolving according to the needs of my other projects.

Features

Systemcall filtering (using seccomp-bpf)
restricting file system access (using Landlock and/or Namespaces)
dropping privileges
isolating the application from the network, etc.

Requirements

Kernel >=3.17

sys/capabilities.h header. Depending on your distribution, libcap might be needed for this.

While mostly transparent to users of this API, kernel >= 5.13 is required to take advantage of Landlock.

FAQ

Does the process need to be priviliged to utilize the library?

No.

It doesn't work on Debian!

You can thank a Debian-specific kernel patch for that. In the future, the library may check against that. Execute echo 1 > /proc/sys/kernel/unprivileged_userns_clone to disable that patch for now.

Examples

looqs: https://gitea.quitesimple.org/crtxcr/looqs
qswiki: https://gitea.quitesimple.org/crtxcr/qswiki
cgit sandboxed: https://gitea.quitesimple.org/crtxcr/cgitsb
qpdfviewsb sandboxed (quick and dirty): https://gitea.quitesimple.org/crtxcr/qpdfviewsb

Contributing

Contributions are very welcome. Options:

Pull-Request on github
Mail to exile at quitesimple.org with instructions on where to pull the changes from.
Mailing a classic patch/diff to the same address.

License

ISC