Albert S
d150c2ecd9
Cannot be done properly on a pure syscall basis at this point. A whitelist is almost certainly too restrictive, which means the user has to manually adjust the policy anyway. Then the default is not of much use. Or too permissive. A blacklist has to play catchup with new kernel versions. This may be improved upon by blocking all unknown (too new) syscall numbers. However, in light of the fact we drop caps and set no_new_privs, it's debatable how much we can gain from a blacklist anyway. So best to leave it to the user. We also need to allow checking args too in order to make it easier to build policies. Perhaps get inspiration from pledge() in OpenBSD.
Files in this commit:
- gengroup.py
- grouping_x86-64.txt
- Makefile
- qssb.h
- README.md
- test.c
- test.sh
qssb.h (quite simple sandbox)
qssb.h is a simple header-only library that provides an interface to sandbox processes on Linux. Using Seccomp and Linux Namespaces for that purpose requires some knowledge of annoying details which this library aims to abstract away as much as possible, when reasonable. Hence, the goal is to provide a convenient way for processes to restrict themselves in order to mitigate the effect of exploits. Currently, it utilizes technologies like Seccomp, Namespaces and Landlock to this end.
Status
No release yet, experimental, API is unstable, builds will break on updates of this library.
Currently, it's mainly evolving according to the needs of my other projects.
Features
- System call filtering (using seccomp-bpf)
- restricting file system access (using Landlock and/or Namespaces)
- dropping privileges
- isolating the application from the network, etc.
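The first feature above, and the trade-off discussed in the commit message (an allowlist that also inspects arguments, with every unlisted or not-yet-known syscall number denied), can be seen in raw seccomp-bpf. The following is an added example written for this page, not qssb.h's own code or API: it builds a small allowlist with the kernel's BPF macros, permits openat only with a read-only access mode, returns EACCES otherwise, and kills the process on anything else. The `install_filter`, `run_under_filter` and `child_*` names are this example's own; it assumes a little-endian x86-64 or aarch64 Linux host with kernel headers that define SECCOMP_RET_KILL_PROCESS (4.14+).

```c
/* Added example, not qssb.h code: a seccomp-bpf allowlist with one argument check. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#define SANDBOX_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SANDBOX_ARCH AUDIT_ARCH_AARCH64
#else
#error "this example covers x86-64 and aarch64 only"
#endif

/* Offset of the low 32 bits of syscall argument n (args are __u64; little-endian host assumed). */
#define ARG_LO(n) (offsetof(struct seccomp_data, args) + (n) * 8)
#define ALLOW_SYSCALL(nr) \
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)

enum { RESULT_OK = 0, RESULT_DENIED, RESULT_KILLED, RESULT_UNSUPPORTED, RESULT_OTHER };

/* Allowlist: anything not listed, including syscall numbers newer than this
 * filter, kills the process. openat passes only with a read-only access mode. */
static int install_filter(void)
{
    struct sock_filter filter[] = {
        /* Reject other ABIs (e.g. 32-bit compat) before looking at numbers. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        ALLOW_SYSCALL(__NR_read),
        ALLOW_SYSCALL(__NR_write),
        ALLOW_SYSCALL(__NR_close),
        ALLOW_SYSCALL(__NR_exit),
        ALLOW_SYSCALL(__NR_exit_group),
        ALLOW_SYSCALL(__NR_rt_sigreturn),
        /* openat: if the number differs, skip the five argument-check instructions. */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_openat, 0, 5),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG_LO(2)), /* flags argument */
        BPF_STMT(BPF_ALU | BPF_AND | BPF_K, O_ACCMODE),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, O_RDONLY, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EACCES & SECCOMP_RET_DATA)),
        /* Default: kill, whether the number is known today or not. */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    };
    struct sock_fprog prog = { .len = sizeof(filter) / sizeof(filter[0]), .filter = filter };
    /* no_new_privs: required to install as an unprivileged process, and blocks setuid escapes. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Run fn in a forked child under the filter and classify what happened to it. */
static int run_under_filter(int (*fn)(void))
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return RESULT_OTHER;
    if (pid == 0) {
        struct rlimit no_core = { 0, 0 };
        setrlimit(RLIMIT_CORE, &no_core); /* a SIGSYS kill should not dump core */
        if (install_filter() != 0) _exit(RESULT_UNSUPPORTED);
        _exit(fn()); /* exit_group is on the list */
    }
    if (waitpid(pid, &status, 0) < 0) return RESULT_OTHER;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGSYS) return RESULT_KILLED;
    return WIFEXITED(status) ? WEXITSTATUS(status) : RESULT_OTHER;
}

static int child_readonly_open(void) { /* listed, argument check passes */
    int fd = openat(AT_FDCWD, "/dev/null", O_RDONLY);
    return fd < 0 ? RESULT_OTHER : (close(fd), RESULT_OK);
}
static int child_write_open(void) { /* listed, argument check fails: EACCES, process lives */
    int fd = openat(AT_FDCWD, "/dev/null", O_WRONLY);
    return (fd < 0 && errno == EACCES) ? RESULT_DENIED : RESULT_OTHER;
}
static int child_unlisted_syscall(void) { /* not listed: killed with SIGSYS */
    syscall(SYS_getppid);
    return RESULT_OTHER; /* never reached */
}

int main(void)
{
    printf("read-only openat: %d (expected %d)\n", run_under_filter(child_readonly_open), RESULT_OK);
    printf("write openat:     %d (expected %d)\n", run_under_filter(child_write_open), RESULT_DENIED);
    printf("getppid:          %d (expected %d)\n", run_under_filter(child_unlisted_syscall), RESULT_KILLED);
    return 0;
}
```

The argument check only sees the raw register value, so it cannot follow pointers (a path string, for instance); that is why file system restriction is done with Landlock or namespaces rather than with seccomp, and why an allowlist built this way still needs a user-supplied policy for anything beyond the handful of syscalls a given program actually makes.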
Requirements
- Kernel >= 3.17
- The sys/capabilities.h header. Depending on your distribution, libcap might need to be installed for this.
While mostly transparent to users of this API, kernel >= 5.13 is required to take advantage of Landlock.
FAQ
Does the process need to be privileged to utilize the library?
No.
It doesn't work on Debian!
You can thank a Debian-specific kernel patch for that. In the future, the library may check against that. Execute (as root)
echo 1 > /proc/sys/kernel/unprivileged_userns_clone
to lift that patch's restriction for now.
Examples
- looqs: https://gitea.quitesimple.org/crtxcr/looqs
- qswiki: https://gitea.quitesimple.org/crtxcr/qswiki
- cgit sandboxed: https://gitea.quitesimple.org/crtxcr/cgitsb
- qpdfviewsb sandboxed (quick and dirty): https://gitea.quitesimple.org/crtxcr/qpdfviewsb
Contributing
Contributions are very welcome. Options:
- Pull request on GitHub
- Mail to qssb at quitesimple.org with instructions on where to pull the changes from.
- Mailing a classic patch/diff to the same address.
License
ISC