crtxcr
/
exile.h
1
0
Çatalla 0
Kod Konular 14 Değişiklik İstekleri 1 Sürüm Wiki Aktivite
Painless Linux sandboxing API
51 İşleme 4 Dal 0 Etiket 436 KiB
C 89.7%
C++ 8%
Shell 1.8%
Makefile 0.5%
Dosyaya git
Albert S. 68694723fe Begin qssb_append_*_syscall family of functions 
The purpose of these new functions is to make it simpler for users
to add new syscalls to the whitelist and blacklist.

The current approach uses a user-supplied pointer which however
was difficult to manage with "no_fs", which may add systemcalls
to the blacklist. Then we must resize arrays, and suddenly
it's our job to free them.

As a bonus, implementing them here allows easier data structure
changes and decreases the chances tgat users of this API
do something wrong, like forgetting -1 at then end, etc.
 		2021-08-12 11:37:19 +02:00
Makefile Start implementing tests 2021-06-05 20:11:07 +02:00
README.md update README 2021-06-08 22:04:26 +02:00
qssb.h Begin qssb_append_*_syscall family of functions 2021-08-12 11:37:19 +02:00
test.c Introduce "no_fs" and "no_new_fd" options. 2021-08-10 16:58:43 +02:00
test.sh test: Log output of individual tests 2021-06-06 09:27:45 +02:00

README.md

qssb.h (quite simple sandbox)

qssb.h is a simple header-only library that provides an interface to sandbox processes on Linux. Using Seccomp and Linux Namespaces for that purpose requires some knowledge of annoying details which this library aims to abstract away as much as possible, when reasonable. Hence, the goal is to provide a convenient way for processes to restrict themselves in order to mitigate the effect of exploits. Currently, it utilizes technologies like Seccomp, Namespaces and Landlock to this end.

Status

No release yet, expiremental, API is unstable, builds will break on updates of this library.

Features

  • Systemcall filtering (using seccomp-bpf)
  • restricting file system access (using Landlock and/or Namespaces)
  • dropping privileges
  • isolating the application from the network, etc.

Requirements

Kernel >=3.17

sys/capabilities.h header. Depending on your distribution, libcap might be needed for this.

While mostly transparent to users of this API, kernel >= 5.13 is required to take advantage of Landlock.

FAQ

Does the process need to be priviliged to utilize the library?

No.

It doesn't work on Debian!

You can thank a Debian-specific kernel patch for that. In the future, the library may check against that. Execute echo 1 > /proc/sys/kernel/unprivileged_userns_clone to disable that patch for now.

Examples

Contributing

Contributions are very welcome. Options:

  1. Pull-Request on github
  2. Mail to qssb at quitesimple.org with instructions on where to pull the changes from.
  3. Mailing a classic patch/diff to the same address.

License

ISC