Hi everyone,

Sydbox¹ is a ptrace-based sandbox implementation which is based in part upon catbox² and strace³. Being ptrace-based, it doesn't suffer from the well-known security issues that LD_PRELOAD-based sandbox implementations suffer from. It tries hard to avoid symlink and other kinds of races to be on the secure side. It has basic support to disallow network connections. Currently it only supports the x86 and x86_64 architectures, but adding support for new architectures should be trivial.

Currently it intercepts 15 system calls. The other essential system calls that have to be intercepted are the at-suffixed functions (openat, mkdirat, mknodat etc.) and I'll add them soon. Look at the system call dispatch table in src/syscall.c⁴ for more information.

Configuration is handled using confuse⁵; it's pretty straightforward and easy to understand. Look at the example configuration file⁶ for more information.

Usage and transition will be simple in my humble opinion. Repositories will have a default sydbox.conf file in metadata/. There will be per-category and per-package sydbox.conf files which will replace addpredict and addwrite calls. These files should include() the repository default configuration file, which can be done easily if the package manager sets an environment variable that points to the root of the repository. Confuse can handle environment variables. The package manager is supposed to call the exheres using sydbox like: sydbox -p PHASE -- command-to-execute-phase

Last but not least, confessions: I'm neither a C expert nor a security expert, so the code is full of bugs, but hey, it's a start, right? Yesterday I started to add testcases and started to hunt them :)

Please comment.

¹: http://github.com/alip/sydbox/tree/master
²: https://svn.uludag.org.tr/uludag/trunk/python-modules/catbox/
³: http://sourceforge.net/projects/strace
⁴: http://github.com/alip/sydbox/blob/00d6756256130a29f74aa540a4c397cd92f43001/src/syscall.c
⁵: http://www.nongnu.org/confuse
⁶: http://github.com/alip/sydbox/blob/00d6756256130a29f74aa540a4c397cd92f43001/conf/sydbox.conf

--
Regards,
Ali Polatel
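Added illustration of the mechanism the announcement describes; this is not sydbox's own code or anything from the list. It shows the per-syscall check a ptrace tracer runs at a syscall-entry stop on x86_64 Linux: the path argument of open(2) is copied out of the tracee, canonicalised so symlinks and ".." cannot point outside the allowed tree, and a disallowed write is blocked by rewriting the syscall number. The prefix /tmp, the function names and the "deny anything unresolvable" rule are assumptions for the demo; the fork/PTRACE_TRACEME/PTRACE_SYSCALL driver loop that calls filter_open_entry at each entry stop is not shown.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/user.h>
static const char *ALLOWED_PREFIX = "/tmp";   /* assumed write policy for this demo */

/* 1 if open(path, flags) may run: read-only opens pass; a write passes only if the
 * canonical path (symlinks and ".." resolved) is under the prefix. Fails closed. */
int path_write_allowed(const char *path, int flags)
{
    if ((flags & O_ACCMODE) == O_RDONLY && !(flags & (O_CREAT | O_TRUNC))) return 1;
    char real[PATH_MAX];
    if (!realpath(path, real)) return 0;      /* unresolvable (e.g. a new file): deny; a real
                                                 sandbox would resolve the parent dir instead */
    size_t n = strlen(ALLOWED_PREFIX);        /* component boundary: "/tmpx" is not "/tmp" */
    return !strncmp(real, ALLOWED_PREFIX, n) && (real[n] == '/' || real[n] == '\0');
}

/* Copy a NUL-terminated string out of the tracee, one PTRACE_PEEKDATA word at a time. */
static void peek_string(pid_t pid, unsigned long addr, char *buf, size_t n)
{
    memset(buf, 0, n);
    for (size_t i = 0; i + sizeof(long) < n; i += sizeof(long)) {
        errno = 0;
        long w = ptrace(PTRACE_PEEKDATA, pid, addr + i, NULL);
        if (errno) return;                    /* unmapped address: stop, string stays truncated */
        memcpy(buf + i, &w, sizeof w);
        if (memchr(&w, 0, sizeof w)) return;
    }
}

/* Run at each syscall-entry stop (x86_64: number in orig_rax, args in rdi, rsi). Returns 1
 * if the open(2) was blocked: the number becomes -1, the kernel runs nothing, tracee gets ENOSYS. */
int filter_open_entry(pid_t pid, struct user_regs_struct *r)
{
    if (r->orig_rax != SYS_open) return 0;
    char path[PATH_MAX];
    peek_string(pid, r->rdi, path, sizeof path);
    if (path_write_allowed(path, (int)r->rsi)) return 0;
    r->orig_rax = (unsigned long long)-1;
    ptrace(PTRACE_SETREGS, pid, NULL, r);
    return 1;
}
```

The kernel resolves the path again when the call proceeds, so a symlink or rename swapped in between this check and the call's execution is exactly the race the announcement says sydbox tries hard to avoid; a tracer has to account for that window rather than trust a single realpath.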
Exherbo-dev mailing list: [email protected], http://lists.exherbo.org/mailman/listinfo/exherbo-dev
