Hello,

Nearly two years after I began working on a sydbox replacement¹, she is
finally nearing completion. This mail is meant both as a preliminary
announcement and a help request.

sydbox-1 has been in ::arbor for some time as sydbox[~scm]² and paludis
supports it since version `0.78.1'. The git repository is hosted on
exherbo.org³. Before going on to tell you about
her I want to kindly ask you to help me with some tasks:

- Proofread the manual page⁴. I am still unsure about the configuration
  file format and the magic command API so now is the time to share your
  ideas and views to help make sydbox-1 better.

- For brave souls, unmask it and install it. Especially important is to
  run its tests. To do that you have to set the environment variable
  PALUDIS_DO_NOTHING_SANDBOXY⁵. You will notice that it doesn't depend
  on pinktrace anymore. This is because sydbox-1 includes a rewrite of
  pinktrace which will eventually be released as pinktrace-1.

- Once again for brave souls, use it on your system. I am especially
  interested in how it performs during the `src_test' phase of
  exhereseses so please make sure tests are enabled if you do so and
  report back any issues (accompanied with a poem of your choosing!).
  It is always a good idea to have a pbin of the package in question
  to easily rollback changes in case you hit a severe bug⁶.

If you are bored, you can stop reading now. I will go on to introduce
sydbox-1.

### Why?
I am not a professional programmer. However, I have gained many
experiences after writing sydbox-0 and watching it perform as the
default sandbox of Exherbo. sydbox-0 has many shortcomings and drawbacks
which made it rather hard to maintain. Such as:

        - sydbox-0 was based on the now unmaintained `catbox' initially.
          There are many design issues which didn't fit with our use
          cases for Exherbo.
        - Being GPL-2 licensed, it was problematic to share code with
          the well-established `ptrace(2)' based projects like `strace'
          and `truss' (of FreeBSD). I have partially solved this problem
          by writing pinktrace - a BSD3 licensed library providing thin
          wrappers around certain `ptrace(2)' calls - but this was not
          enough. (See below about `pinktrace-easy'.)
        - Being a crucial part of the system set, dependencies like
          `GLib' were obviously a bad idea.
        - Over the years as sydbox-0 codebase grew there were unforeseen
          code maintenance problems making it difficult to add new
          features.

### Features of sydbox-1

Below are the main features of sydbox-1. You may consult the manual page⁴
for more information.

        - No external dependencies. The `GLib' dependency is gone for good,
          along with the ini-format configuration file. sydbox-1 uses
          JSON format for configuration.
        - Most of the `ptrace(2)' work is now abstracted by a
          callback-driven higher-level BSD3 licensed library called
          `pinktrace-easy'. This makes both the maintenance easier and
          code sharing with `strace' less problematic.
        - Well designed, well documented magic command API which fits in
          with the configuration file format and provides an easier
          experience during command line invocation.
        - Process dump can be obtained by sending sydbox-1 the `SIGUSR1'
          signal (or `SIGUSR2' for a more verbose dump). This makes it
          easier to debug sydbox hangs.
        - Better signal handling to make sydbox more immune to
          interrupts.
        - More powerful and configurable rsync-like pattern matching.
        - Support for secure computing mode aka seccomp⁷. This requires
          Linux-3.5 or newer and the `CONFIG_SECCOMP=y' and
          `CONFIG_SECCOMP_FILTER=y' kernel configuration options. The
          sydbox[~scm] exheres has a seccomp option to pass
          `--enable-seccomp' to
          faster compared to sydbox-0 because in this mode sydbox only
          traces the sandboxed system calls. Tracing other commonly used
          system calls - think threaded applications calling
          sched_yield() - is therefore avoided.
        - Logging is easier to filter. This still needs some work
          though.
        - Port numbers can now be entered as service names which will be
          queried from the `services(5)' database.
        - Unsupported socket families can be whitelisted/blacklisted.
        - New magic commands exec/resume_if_match and
          exec/kill_if_match are added. These commands may be used to
          resume or kill matching binaries upon successful execution.
          Paludis has `esandbox resume' and `esandbox kill' commands as
          an interface for exheres-0 (Make sure `esandbox api' returns 1
          before using them). See systemd.exlib as an example on
          how we can now restart services from within exhereseses
          without worrying about sandboxing.
        - Read sandboxing to prevent unwanted filesystem reads.
        - Blacklisting is now also supported in addition to
          whitelisting. This may be used to make an `allow by default
          and blacklist unwanted accesses' sandboxing policy.
        - Many bugs fixed, some new system calls are sandboxed.
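
The seccomp mode above in miniature, as an added illustration that is not sydbox or pinktrace code: a filter that returns SECCOMP_RET_TRACE only for a constructed list of sandboxed system calls (so the ptrace tracer is woken only for those) and SECCOMP_RET_ALLOW for everything else, plus a toy evaluator to check the policy in user space without installing it. The syscall list, MY_ARCH, EMIT and decide() are assumptions of this example, not sydbox's configuration.

```c
#include <stddef.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/syscall.h>
#ifdef __aarch64__
#define MY_ARCH AUDIT_ARCH_AARCH64
#else
#define MY_ARCH AUDIT_ARCH_X86_64 /* assumption: x86_64 when not aarch64 */
#endif
/* Constructed sample: the only syscalls the ptrace tracer wants to be woken for. */
static const int traced_nr[] = { SYS_openat, SYS_unlinkat, SYS_connect };
#define NTRACED (sizeof traced_nr / sizeof traced_nr[0])
static struct sock_filter filt[4 + NTRACED + 2];
#define EMIT(ins) (filt[i++] = (struct sock_filter)ins) /* uses local i */

/* Layout: arch check (kill on mismatch), load nr, one JEQ per traced syscall
 * jumping to the final RET TRACE, fall-through RET ALLOW for everything else. */
static struct sock_fprog build_filter(void)
{
    size_t i = 0;
    EMIT(BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)));
    EMIT(BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, MY_ARCH, 1, 0));
    EMIT(BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL));
    EMIT(BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)));
    for (size_t k = 0; k < NTRACED; k++) /* jt = distance to the RET TRACE below */
        EMIT(BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)traced_nr[k], (unsigned char)(NTRACED - k), 0));
    EMIT(BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW));
    EMIT(BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRACE));
    return (struct sock_fprog){ .len = (unsigned short)i, .filter = filt };
}

/* Toy cBPF evaluator for the three opcode forms used above (not the kernel's verifier). */
static unsigned run_filter(const struct sock_fprog *p, const struct seccomp_data *d)
{
    unsigned acc = 0;
    for (unsigned pc = 0; pc < p->len; pc++) {
        const struct sock_filter *in = &p->filter[pc];
        if (in->code == (BPF_RET | BPF_K)) return in->k;
        if (in->code == (BPF_LD | BPF_W | BPF_ABS)) acc = *(const unsigned *)((const char *)d + in->k);
        else if (in->code == (BPF_JMP | BPF_JEQ | BPF_K)) pc += acc == in->k ? in->jt : in->jf;
        else return SECCOMP_RET_KILL; /* opcode this toy does not model */
    }
    return SECCOMP_RET_KILL; /* fell off the end; the kernel rejects such programs */
}

/* Action for syscall nr on arch. Installing for real: prctl(PR_SET_NO_NEW_PRIVS,1,0,0,0),
 * then prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog); without a tracer, TRACE'd calls fail. */
unsigned decide(int nr, unsigned arch)
{
    struct sock_fprog prog = build_filter();
    struct seccomp_data d = { .nr = nr, .arch = arch };
    return run_filter(&prog, &d) & SECCOMP_RET_ACTION;
}
```

The architecture check is not decoration: the same kernel hands 32-bit and 64-bit callers different syscall number tables, so a filter keyed on nr alone would wake the tracer for the wrong calls.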

### How can I thank you?

Send me poems⁸!

¹: She used to be called `pandora' in the early days.
²: Not sydbox[~0-scm] which is the old one.
³: http://git.exherbo.org/sydbox-1.git/
⁴: http://dev.exherbo.org/~alip/sydbox/sydbox.html
⁵: Eventually sydbox-1 will install its tests so this phase is going to
   be more convenient.
⁶: sydbox-1 has been tested for some time by kind people and I have
   heard about only one such issue so far but it is always a good idea
   to be cautious.
⁷: http://lwn.net/Articles/475043/
⁸: http://dev.exherbo.org/~alip/sydbox/poems.txt

                -alip

Exherbo-dev mailing list
http://lists.exherbo.org/mailman/listinfo/exherbo-dev