Syd's Box
SydBox is a ptrace & seccomp based sandbox for modern Linux machines to sandbox unwanted process access to filesystem and network resources.
See: https://sydbox.exherbo.org
SydBox uses autotools. To build, simply do ./configure, make and sudo make install.
To use SydBox you need a recent Linux kernel, preferably 3.5 or newer, which has the secure computing mode (seccomp) facility. Make sure you build SydBox without --disable-seccomp. SydBox works fine without seccomp, but it is going to be noticeably slower and less secure. See the SydBox manual page for more information about secure computing mode protections. The parts which are of particular interest to read are:
NOTE: Secure computing mode only works on the i386 and x86_64 architectures.
In addition, it is advised that you enable the kernel option CONFIG_CROSS_MEMORY_ATTACH=y so that SydBox can use the process_vm_readv and process_vm_writev system calls, which are available in Linux since 3.2.
NOTE: Pandora is in its early stages of development. To be able to use Pandora you need Sydbox-1.2.1 or later.
- Tar: https://dev.exherbo.org/~alip/sydbox/sydbox-1.2.1.tar.bz2
- SHA: https://dev.exherbo.org/~alip/sydbox/sydbox-1.2.1.tar.bz2.sha1sum
- GPG: https://dev.exherbo.org/~alip/sydbox/sydbox-1.2.1.tar.bz2.sha1sum.asc
- Exheres:
Note that the .asc file is a signature over the sha1sum file, not over the tarball itself: verify the signature on the checksum file first, then compare the tarball's SHA-1 against it.
You can check the build options using sydbox --version:
$ sydbox --version
sydbox-1.1.0-pandora-0.0.3-1-gc96f237 (pinktrace-0.9.5 git:v0.9.5-1-ge6ac27f)
Options: dump:yes seccomp:yes ipv6:yes netlink:yes
- seccomp:yes indicates --enable-seccomp was passed on build.
- ipv6:yes indicates IPv6 network sandboxing is enabled.
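The kernel requirements above (3.5 or newer, CONFIG_CROSS_MEMORY_ATTACH=y) and the seccomp:yes build option are easy to get wrong silently, so here is a small POSIX shell script that checks them. It is an added example and not part of SydBox or this README. The functions take their inputs as arguments so they can be run against constructed samples; the live check at the bottom reads /boot/config-$(uname -r), which is an assumption about where your distribution keeps the kernel config (use zcat /proc/config.gz if yours exposes it there instead).

```shell
#!/bin/sh
# Prerequisite checks for running SydBox with seccomp. Added example, not SydBox code.

# kernel_at_least VERSION MAJOR MINOR
# Succeeds if VERSION (uname -r style, e.g. "5.15.0-amd64") is >= MAJOR.MINOR.
kernel_at_least() {
    maj=${1%%.*}
    case $1 in
        *.*) rest=${1#*.}; min=${rest%%[!0-9]*} ;;   # "15.0-amd64" -> "15"
        *)   min=0 ;;
    esac
    [ "$maj" -gt "$2" ] || { [ "$maj" -eq "$2" ] && [ "${min:-0}" -ge "$3" ]; }
}

# kconfig_enabled CONFIG_FILE OPTION
# Succeeds if OPTION=y appears in a plain-text kernel .config.
kconfig_enabled() {
    grep -qx "$2=y" "$1"
}

# sydbox_option VERSION_OUTPUT NAME
# Succeeds if the "Options:" line of `sydbox --version` output lists NAME:yes.
sydbox_option() {
    printf '%s\n' "$1" | sed -n 's/^Options: //p' | tr ' ' '\n' | grep -qx "$2:yes"
}

# Live, informational check of this host. The config path is an assumption;
# nothing below fails the script, it only reports.
ver=$(uname -r)
if kernel_at_least "$ver" 3 5; then
    echo "kernel $ver: seccomp-capable (>= 3.5)"
else
    echo "kernel $ver: older than 3.5, SydBox will run without seccomp"
fi
cfg=/boot/config-$ver
if [ -r "$cfg" ]; then
    if kconfig_enabled "$cfg" CONFIG_CROSS_MEMORY_ATTACH; then
        echo "CONFIG_CROSS_MEMORY_ATTACH=y: process_vm_readv/writev available"
    else
        echo "CONFIG_CROSS_MEMORY_ATTACH not set"
    fi
else
    echo "kernel config $cfg not readable, skipping"
fi
if command -v sydbox >/dev/null 2>&1; then
    out=$(sydbox --version 2>&1 || true)
    if sydbox_option "$out" seccomp; then
        echo "sydbox built with seccomp"
    else
        echo "sydbox built without seccomp (rebuild without --disable-seccomp)"
    fi
fi
```

Run it as a normal script before building; the three functions can also be sourced into your own build scripts.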
SydBox requires Pink's Tracing Library (pinktrace), a lightweight ptrace wrapper library providing a robust API for tracing processes.
- URL: https://pinktrace.exherbo.org
- API docs: http://dev.exherbo.org/~alip/pinktrace/api/c/
- Exheres:
- Git: https://git.exherbo.org/git/pinktrace-1.git
- Tar: https://dev.exherbo.org/distfiles/pinktrace/pinktrace-0.9.6.tar.bz2
Pandora
Pandora's Box: A helper for SydBox, a ptrace & seccomp based sandbox to make sandboxing practical. This makes it easy for the end user to use secure computing for practical purposes.
Simple Example:
Step 1: Inspect and gather data about the given process.
In this case, we're going to try with https://www.mozilla.org/de/firefox/new/.
$ pandora profile firefox
Browse using firefox for a while and let pandora gather data. The browser is running under a tracer, so it will run noticeably slower.
- use --bin /path/to/sydbox, if sydbox is not in PATH
- use --output firefox.syd-1 to specify an alternative output path for profile.
$ $EDITOR out.syd-1
Inspect what the browser has been doing.
Enable or disable additional options, or turn paths into wildcards such as /home/*** to allow /home and everything beneath it; the usual glob characters ? and * are supported. Keep such wildcards as narrow as the program actually needs: /home/*** grants access to every file under /home, not just the browser's own profile directory. Check the SydBox manual page to learn more on how PATTERN MATCHING works.
Enable or disable additional network addresses, unless you're using a SOCKS5 proxy which does remote DNS lookups, in which case a single entry for the proxy is enough, e.g. whitelist/network/connect+inet:127.0.0.1@9050 for Tor. Check the SydBox manual page to learn more on how ADDRESS MATCHING works.
$ pandora box -c out.syd-1 firefox
- Run the browser under secure computing with full protection.
- Check the SydBox manual page for a list of system call protections.
- Check the console for possible access violations over time.
- Edit the profile file as necessary and update restrictions.
For instance if you see an access violation such as
sydbox: 8< -- Access Violation! --
sydbox: connect(-1, unix:/run/user/1000/pulse/native)
sydbox: proc: AudioIPC Server[754336] (parent:0)
sydbox: cwd: `/home/alip/src/exherbo/sydbox-1'
sydbox: cmdline: `/usr/lib/firefox/firefox '
sydbox: >8 --
sydbox: 8< -- Access Violation! --
sydbox: connect(-1, unix:/var/run/pulse/native)
sydbox: proc: AudioIPC Server[754336] (parent:0)
sydbox: cwd: `/home/alip/src/exherbo/sydbox-1'
sydbox: cmdline: `/usr/lib/firefox/firefox '
sydbox: >8 --
This sounds like you're trying to play some audio in your browser. In this case, you should whitelist the addresses shown in the violations in your .syd-1 profile file and restart your browser under the new profile:
whitelist/network/connect+unix:/run/user/1000/pulse/native
whitelist/network/connect+unix:/run/pulse/native
whitelist/network/connect+unix:/var/run/pulse/native
Note that sometimes you may have to whitelist a symbolic link rather than the file it points to, or vice versa, or both; on most systems /var/run is a symlink to /run, which is why both of the last two entries are listed. If you intend to share the profile, avoid hard-coding your user id in /run/user/1000; see ADDRESS MATCHING in the SydBox manual page for how unix: addresses are matched.
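The edit loop described above (read the Access Violation blocks, turn each one into a whitelist entry, remember the symlink caveat) can be scripted. The POSIX shell below is an added example and is not part of SydBox or Pandora: it reads sydbox's output, extracts the address from each connect() violation line in the format shown above, deduplicates them, and prints whitelist/network/connect+ADDRESS entries for review; any other syscall is emitted as a comment for manual handling. The whitelist/network/bind+ADDRESS form is taken from the SydBox manual page rather than from this README, so treat it as an assumption. The second function, with_symlink_targets, appends the resolved target for any unix: path that is a symlink on the host it runs on (readlink -f is a GNU/busybox extension). The sample log embedded at the bottom is constructed from the violation output shown above.

```shell
#!/bin/sh
# Turn sydbox "Access Violation!" output into candidate profile entries.
# Added example, not SydBox/Pandora code. Review every line before adding it to a .syd-1 file.

# violations_to_whitelist: reads sydbox output on stdin and prints one magic command
# per distinct network violation. Only the syscall line of each block is used, e.g.
#   sydbox: connect(-1, unix:/run/user/1000/pulse/native)
violations_to_whitelist() {
    sed -n 's/^sydbox: \([a-z_][a-z_0-9]*\)([-0-9]*, \(.*\))$/\1 \2/p' |
        sort -u |
        while read -r call addr; do
            case "$call:$addr" in
                connect:unix:*|connect:inet:*)
                    printf 'whitelist/network/connect+%s\n' "$addr" ;;
                bind:unix:*|bind:inet:*)
                    # bind+ form assumed from the SydBox manual page, not shown in this README
                    printf 'whitelist/network/bind+%s\n' "$addr" ;;
                *)
                    printf '# review manually: %s(%s)\n' "$call" "$addr" ;;
            esac
        done
}

# with_symlink_targets: passes whitelist lines through unchanged and, for unix: paths
# that are symlinks on this host, also emits the entry for the resolved target, since
# a profile may need the link, the target, or both.
with_symlink_targets() {
    while IFS= read -r line; do
        printf '%s\n' "$line"
        case "$line" in
            whitelist/network/*+unix:*)
                path=${line#*+unix:}
                if [ -L "$path" ]; then
                    printf '%s+unix:%s\n' "${line%%+*}" "$(readlink -f -- "$path")"
                fi ;;
        esac
    done
}

# Constructed sample: the two violations from the text, one repeat, and a proxy connect.
sample_violations='sydbox: 8< -- Access Violation! --
sydbox: connect(-1, unix:/run/user/1000/pulse/native)
sydbox: proc: AudioIPC Server[754336] (parent:0)
sydbox: >8 --
sydbox: 8< -- Access Violation! --
sydbox: connect(-1, unix:/var/run/pulse/native)
sydbox: proc: AudioIPC Server[754336] (parent:0)
sydbox: >8 --
sydbox: 8< -- Access Violation! --
sydbox: connect(-1, unix:/run/user/1000/pulse/native)
sydbox: proc: AudioIPC Server[754336] (parent:0)
sydbox: >8 --
sydbox: 8< -- Access Violation! --
sydbox: connect(-1, inet:127.0.0.1@9050)
sydbox: proc: Socket Thread[754300] (parent:0)
sydbox: >8 --'

# generate_entries: runs the pipeline over the constructed sample. In real use feed the
# live output instead:  pandora box -c out.syd-1 firefox 2>&1 | violations_to_whitelist
generate_entries() {
    printf '%s\n' "$sample_violations" | violations_to_whitelist | with_symlink_targets
}

generate_entries
```

The output is a starting point, not a finished profile: the repeated pulse violation collapses to one entry, and the hard-coded user id in /run/user/1000 is still there for you to decide on before sharing the file.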
Last but not least, share your profile with other people and help others use secure computing!
Here is a Firefox profile edited by yours truly:
https://git.exherbo.org/sydbox-1.git/plain/data/firefox.syd-1
Bugs
Read BUGS.
Below are the details of the author. Mail is preferred. Attaching poems encourages consideration tremendously.
Hey you, out there beyond the wall,
Breaking bottles in the hall,
Can you help me?
- Alï Polatel alip@exherbo.org
- Exherbo: https://git.exherbo.org/dev/alip.git/
- Github: https://github.com/alip/
- Twitter: https://twitter.com/hayaliali
- Mastodon: https://mastodon.online/@alip
- IRC: alip at Libera
Git
- Original Git: https://git.exherbo.org/sydbox-1.git/
- Github Mirror: https://github.com/sydbox/sydbox-1
The Github mirror is updated periodically. Feel free to submit an issue or a pull request there. Attaching poems encourages consideration tremendously.
Documentation
Read the fine manual of SydBox and SydFmt.
Blog Posts
- Sydbox: Stop Skype P2P/Call Home: People Have The Right To Communicate W\o Eavesdropping
- Recent Linux Changes Help Safe & Secure w\o Root
- A Study in Sydbox
- Pink's Tracing Library
- Sydbox Logo Survey
- Sydbox: Default Sandbox of Exherbo
- Disabling External Commands in Metadata Phase (Exherbo>Gentoo)
- ptrace on IA64
- Network Sandboxing and /proc (Exherbo>Gentoo)
- ptrace on FreeBSD
- Running Untrusted Binaries that Access the Network
- Proper Network Sandboxing (Exherbo>Gentoo)
- Deprecating addpredict (Exherbo>Gentoo)