pandora_box 0.7.0

Pand☮ra's Box: A helper for SydB☮x to make sandboxing practical
pandora_box-0.7.0 is not a library.

Pand☮ra

Pand☮ra's Box: Sydb☮x's Dump Inspector & Profile Writer

Example: Sandbox Firefox

Step 1: Inspect and gather data about the given process.

In this case, we're going to try with https://www.mozilla.org/de/firefox/new/.

$ pandora profile firefox

Browse using Firefox for a while and let pandora gather data. The browser is running under a tracer, so it'll run noticeably slower.

  • use --bin /path/to/syd if syd is not in PATH
  • use --output firefox.syd-3 to specify an alternative output path for the profile.

$ $EDITOR out.syd-3

Inspect what the browser has been doing. Enable or disable additional options, or turn paths into wildcards such as /home/*** to allow /home and everything beyond it. The usual glob characters, ? and *, are supported.

Check the SydB☮x README to learn more on how PATTERN MATCHING works.

Enable or disable additional network addresses, unless you're using a SOCKS5 proxy which does remote DNS lookups, e.g.:

allowlist/net/connect+127.0.0.1!9050

for Tor.

Check the SydB☮x README to learn more on how ADDRESS MATCHING works.

$ syd -C out.syd-3 firefox

  • Run the browser under secure computing with full protection.
  • Check the console (or syslog) for possible access violations over time.
  • Edit the profile file as necessary and update restrictions.
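
For the network address review described above, here is an added example (not part of Pand☮ra or SydB☮x) that lists every allowlist/net/connect+ rule in a profile other than the SOCKS5 proxy, so leftover direct-connect rules are spotted before the profile is enforced. It assumes the ADDRESS!PORT rule shape shown above and that lines starting with # are comments; the function names and sample addresses are constructed.

```shell
#!/bin/sh
# Added example: list connect rules in a profile that are not the SOCKS5 proxy.
# Rule shape from the page: allowlist/net/connect+ADDRESS!PORT

# extra_connect_rules PROFILE PROXY
# Prints "LINE: RULE" for each connect rule whose target differs from PROXY.
# Returns 0 when the proxy is the only connect target, 1 otherwise.
extra_connect_rules() {
    awk -v proxy="$2" '
        BEGIN { prefix = "allowlist/net/connect+" }
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }  # trim indentation, CR
        /^#/ || $0 == "" { next }     # assumption: "#" starts a comment line
        index($0, prefix) == 1 {
            # ADDRESS!PORT is compared as an opaque string, no pattern expansion
            if (substr($0, length(prefix) + 1) != proxy) {
                print NR ": " $0
                found = 1
            }
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# Constructed sample profile (documentation-range addresses, not pandora output).
write_sample_profile() {
    cat > "$1" <<'EOF'
# constructed sample for the example
allowlist/net/connect+127.0.0.1!9050
allowlist/net/connect+192.0.2.10!443
  allowlist/net/connect+198.51.100.7!80
# allowlist/net/connect+203.0.113.5!22
EOF
}

# Demo: report rules to review before running syd -C on the profile.
demo_profile=$(mktemp)
write_sample_profile "$demo_profile"
extra_connect_rules "$demo_profile" '127.0.0.1!9050' ||
    echo "review the rules above before enforcing the profile"
rm -f "$demo_profile"
```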

Documentation

Read the fine manual of SydB☮x.

Blog Posts