Sydbox 0.7.6

A ptrace-based sandbox implementation
Sydbox is a ptrace-based sandbox implementation that is based in part upon catbox and strace.

Being ptrace-based, it does not suffer from the well-known security issues that affect LD_PRELOAD-based sandbox implementations.

Sydbox tries hard to avoid symlink races and other kinds of races to be on the secure side. It has basic support for disallowing network connections.

Currently it only supports the x86 and x86_64 architectures, but adding support for new architectures should be trivial.

Currently it intercepts 15 system calls. The other essential system calls that have to be intercepted are the at-suffixed functions (openat, mkdirat, mknodat, etc.), and I'll add them soon. Look at the system call dispatch table in src/syscall.c for more information.

Configuration is handled using confuse; it's pretty straightforward and easy to understand. Look at the example configuration file for more information.

Usage and transition will be simple in my humble opinion. Repositories will have a default sydbox.conf file in metadata/.

There will be per-category and per-package based sydbox.conf files which will replace addpredict and addwrite calls.

These files should include() the repository default configuration file which can be done easily if the package manager sets an environment variable that points to the root of the repository. Confuse can handle environment variables.

The package manager is supposed to call the exheres using sydbox like: sydbox -p PHASE -- command-to-execute-phase.

last updated on: August 14th, 2012, 8:26 GMT
price: FREE!
homepage: git.exherbo.org
license type: BSD License
developed by: Ali Polatel
category: ROOT \ Security
What's New in version 0.7.2
  • Fixed SYDBOX_USER_CONFIG.