Sydbox is a ptrace based sandbox implementation which is based in part upon catbox and strace.
Being ptrace based, it doesn't suffer the well known security issues that LD_PRELOAD based sandbox implementations suffer from.
Sydbox tries hard to avoid symlink and other kind of races to be on the secure side. It has basic support to disallow network connections.
Currently it only supports x86 and x86_64 architectures but adding support for new architectures should be trivial.
Currently it intercepts 15 system calls. The other essential system calls that has to be intercepted are the at suffixed functions (openat, mkdirat, mknodat etc.) and i'll add them soon. Look at the system call dispatch table in src/syscall.c⁴ for more information.
Configuration is handled using confuse, it's pretty straightforward and easy to understand. Look at the example configuration file⁶ for more information.
Usage and transition will be simple in my humble opinion. Repositories will have a default sydbox.conf file in metadata/.
There will be per-category and per-package based sydbox.conf files which will replace addpredict and addwrite calls.
These files should include() the repository default configuration file which can be done easily if the package manager sets an environment variable that points to the root of the repository. Confuse can handle environment variables.
The package manager is supposed to call the exheres using sydbox like: sydbox -p PHASE -- command-to-execute-phase.
What's New in This Release: [ read full changelog ]
· Fixed SYDBOX_USER_CONFIG.