Albert S 763c65c3fe qssb_enable_policy: check for empty str instead of NULL ptr
This was missed in 0a851790b8bc0a91531e5347668fa9543884d9ba
2020-09-26 16:09:43 +02:00
2019-11-15 21:53:26 +01:00

qssb.h (quite simple sandbox)

qssb.h is a simple header only library that provides an interface to sandbox applications. Using Seccomp and Linux Namespaces for that purpose requires some knowledge of annoying details which this library aims to abstract away as much as possible.

Status

No release yet, API is unstable.

Features

System call filtering, restricting file system access, dropping privileges, isolating the application from the network, etc.

Requirements

Kernel >=3.17 and the sys/capabilities.h header. Depending on your system, libcap might be needed for the latter.

FAQ

Does the process need to be privileged to utilize the library?

No.

It doesn't work on Debian!

You can thank a Debian-specific kernel patch for that. In the future, the library may check for that. For now, execute echo 1 > /proc/sys/kernel/unprivileged_userns_clone (as root) to lift the restriction that patch adds.
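As an added example, not part of qssb or this README, here is a C check for the Debian situation the FAQ describes: it reads the Debian-only sysctl named above and, independently, tries to create a user namespace in a throwaway child, which is what an application could run before relying on the sandbox. The sysctl path is the one from the FAQ; the function and enum names are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000 /* value from <linux/sched.h>, in case sched.h hides it */
#endif

/* Outcome of checking the Debian-specific sysctl named in the FAQ. */
enum userns_status {
    USERNS_SYSCTL_ABSENT = 0, /* file missing: mainline kernel, no Debian patch */
    USERNS_ENABLED = 1,       /* sysctl is 1: unprivileged user namespaces allowed */
    USERNS_DISABLED = 2,      /* sysctl is 0: creating a user namespace will fail */
    USERNS_UNKNOWN = 3        /* unreadable or unexpected content */
};

/* Interpret /proc/sys/kernel/unprivileged_userns_clone: a lone '0' or '1', optional newline. */
enum userns_status parse_userns_clone(const char *content)
{
    if (content == NULL || (content[0] != '0' && content[0] != '1') ||
        (content[1] != '\n' && content[1] != '\0')) return USERNS_UNKNOWN;
    return content[0] == '1' ? USERNS_ENABLED : USERNS_DISABLED;
}

/* Read the sysctl from the running kernel; ENOENT means the Debian patch is absent. */
enum userns_status probe_userns_sysctl(void)
{
    char buf[32];
    FILE *f = fopen("/proc/sys/kernel/unprivileged_userns_clone", "r");
    if (f == NULL) return errno == ENOENT ? USERNS_SYSCTL_ABSENT : USERNS_UNKNOWN;
    enum userns_status st = parse_userns_clone(fgets(buf, sizeof buf, f));
    fclose(f);
    return st;
}

/* Functional check in a throwaway child so the caller is not itself moved into a
 * new user namespace: 1 = works, 0 = kernel refused, -1 = the probe itself failed. */
int probe_userns_unshare(void)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    /* raw syscall rather than unshare(): no glibc feature macro needed */
    if (pid == 0) _exit(syscall(SYS_unshare, CLONE_NEWUSER) == 0 ? 0 : 1);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}
```

An application would call probe_userns_sysctl() and probe_userns_unshare() before setting up its sandbox; USERNS_DISABLED or a 0 from the functional probe is the Debian case from the FAQ, and the functional probe also catches other reasons the kernel refuses (for example a container runtime's own seccomp policy).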

Documentation

To be written

Examples

Real world project: cgit sandboxed: https://git.quitesimple.org/cgitsb

Contributing

Contributions are very welcome. Options:

  1. Pull-Request: github.com/quitesimpleorg/qssb
  2. Mail to qssb at quitesimple.org with instructions on where to pull the changes.
  3. Mailing a classic patch.

License

ISC

Description
Painless Linux sandboxing API