syd 3.0.0-alpha.2

practical userspace application sandbox
docs.rs failed to build syd-3.0.0-alpha.2
Please check the build logs for more information.
See Builds for ideas on how to fix a failed build, or Metadata for how to configure docs.rs builds.
If you believe this is docs.rs' fault, open an issue.
Visit the last successful build: syd-3.48.1

sydbox: The ☮ther SⒶndbøx

msrv repology build status license maintenance-status

GNU Linux Exherbo libseccomp

Introduction

sydbox has been the default sandbox of Exherbo GNU/Linux distribution for over a decade. We use it to provide a restricted environment under which package builds run with controlled access to file system and network resources. Exherbo package description format, currently exheres-0, uses a shell function called esandbox to interact with sydbox. See the Sandboxing section of Exheres for Smarties for more information.

History

  • sydbox-0 is a ptrace based sandbox.
  • sydbox-1 is a ptrace+seccomp based sandbox.
  • sydbox-2 is a seccomp+seccomp-unotify based sandbox.
  • sydbox-3 is a rewrite of sydbox-2 in Rust and it's what you are looking at.

This codebase has a history of over a decade and up to this point we have used C11 as our implementation language for various reasons. With sydbox-3 we are moving forwards one step and writing the sandbox from scratch using Rust programming language with the only !Rust dependency being libseccomp. Although we inherit many ideas and design decisions from the old codebase, we also don't shy away from radically changing the internal implementation making it much simpler, idiomatic, and less prone to bugs.

Security

This is a tricky area. The main advantage sydbox brings to the table is that it requires no elevated privileges: no root access or ptrace capabilities are needed. This makes sydbox very easy to set up and use. Moreover, sydbox allows the user to configure the sandbox dynamically from within the sandbox, and lock it as necessary afterwards. This comes at a cost though. sydbox makes use of SECCOMP_USER_NOTIF_FLAG_CONTINUE to resume system calls after dereferencing pointer arguments, and hence the sandbox is vulnerable to TOCTOU attacks. This is something we accept and live with. That said sydbox takes some mild precautions to make TOCTOU attacks less likely such as disallowing system calls which can access remote process memory such as ptrace and process_vm_writev, and disallowing write access to /proc/${pid}/mem. This makes the attack vectors much harder to realize.

ChangeLog

3.0.0-alpha.2

  • When run without arguments, sydbox now drops into user's current running shell allowlisting the HOME directory.
  • Document the CLI option -p, --profile and add noipv4 and noipv6 profiles in addition the paludis profile. These profiles may be stacked by specifying more than one -p arguments.
  • Use a Seccomp BPF filter rather than a Notify filter for fakeroot mode.
  • Improve logging to achieve consistency. We have a very simple Logger which logs to standard error in format JSON lines. There are some common keys id is always syd, l gives the Log::Level as an integer whereby the lower the value of the integer the more severe is the log condition. t gives a UNIX time stamp in seconds, and ctx has short context on the log entry. Errors are represented with the err key, and system call names are given with the sys key.
  • The --profile <profile-name> and --config @<profile-name> is now supported. Paludis uses the former so it is important for compatibility. The profile file is no longer installed under ${sharedir}/sydbox where {sharedir} is usually /usr/share and is kept as a static array in the program itself. In the future when sydbox-3 has an exheres we can improve on this but for now this gets us going.
  • The setuid system call is now allowed in the sandbox.
  • Use snmalloc as the global allocator for improved performance.

3.0.0-alpha.1

  • New: Added core/allowlist/successful_bind.

    • Utilizes getsockname hook, pidfd_getfd, and process_vm_writev for complete emulation.
    • Features a TTL of 3 mins for tracking addresses to manage zero port arguments in bind() system calls.

  • Improved: Refined read, write, network/{bind,connect} sandboxing.

    • Simpler implementation, yet compatible with Paludis via esandbox.
    • No per-process sandboxing or process tree tracking; uses /proc/$pid/cwd when required.
    • Single set of sandbox rules with configurations pushed upfront.
    • API Change: Replaced allow, deny modes with simpler on/off toggle.
    • core/sandbox/network can be set to bind or connect for selective sandboxing.
    • Rule matching favors the latest rule for configuration stacking.
    • Streamlined core/trace/magic_lock:exec due to lack of parent/child tracking.

  • New: Introduced seccomp process supervision.

    • Implemented primarily in syd::hook and syd::remote.
    • Derived from the greenhook crate, but with a deny-by-default seccomp policy.
    • Allowlisted system calls maintained in syd::config (currently immutable by users).
    • Notable system calls like ptrace, process_vm_writev, and io-uring are disabled to counteract TOCTOU vulnerabilities.

.. vim: set spell spelllang=en tw=80 : ..