How do I get started with libsandbox
The sample code of libsandbox forbids system calls for file operations, such as open(), stat(), close(). That said, you'll need to either (1) link the hello world program statically to avoid opening files such as shared libraries (i.e. libc.so), or (2) write a customized sandbox policy that permits relevant system calls. Some examples on customizing sandbox policies can be found at https://github.com/liuyu81/TR-OJA-201209A.
DISCLAIMER: I am the author of libsandbox.
Running libsandbox
The short and general answer is: to use libanything, you write a program that utilizes that library - you #include <anything.h> into the source and link with the -lanything switch. You're not supposed to find any executable files, unless it's a test suite or an example program for the library.
I wasn't able to find 'libsandbox' for some reason, so my reply might be grossly inaccurate.
libsandbox / pysandbox documentation
What are the defaults when creating a sandbox? Is it secure by default?
- A Sandbox instance is permissive by default. It grants unlimited quota unless you specify quota; it allows all system calls except ones that lead to multi-processing (i.e. fork(), vfork(), clone(), ...) and inter-process communication (i.e. waitid(), ptrace(), ...) unless you filter system call events with a custom policy.
- The sample code (sample2.py) distributed with libsandbox is a minimal working example of restrictive, white-list sandboxing. Use that as the framework of your watchdog program.
What does disk in quota limit? Does it limit the total bytes the script can write in this run or the size of the folder?
- disk quota limits the total bytes that the target program can write to all eligible file systems (i.e. ones that support quota limitation and are capable of generating SIGXFSZ signals).
- If the program writes a regular file on ext3 or ext4 file system, that usually counts; but writing to standard output stream or /dev/null does not count against the quota. Nevertheless, you can implement folder-based quota within your custom policy.
What does setting owner to nobody do?
- Execute the targeted program on behalf of user nobody. The owner argument wraps the OS-level service setuid(). After setuid() to nobody, the targeted program has all the permissions the OS granted to user nobody, and nothing beyond.
- Please note that you have to be a super user to be able to specify an owner other than yourself.
Will the code in my example block executing arbitrary code, block network IO and block access to files outside of the jailed folder?
- Not exactly. All system calls made by the program are reported to the Sandbox, but you have to plug in a policy module that explicitly blocks system calls relating to network IO. Or you can filter all system calls against a white list, as done by the sample code sample2.py.
- Also note that you have to be a super user to be able to specify a jail other than the root directory /.
DISCLAIMER: I am the author of libsandbox.
How do I install libsandbox? I have some problems during installation
Seems like you have installed 32-bit pysandbox on a 64-bit machine, and are trying to import the 32-bit module from a 64-bit python interpreter.
DISCLAIMER: I am the author of libsandbox.
Sandbox ( libsandbox ) Error in shared libraries
I have solved the problem by running this command
./configure --prefix=/usr
error while loading shared libraries: libsandbox.so
The "shared library gone missing" problem is not unique to libsandbox. It so happens to many self-compiled libraries that use GNU autotools for build configuration.
The problem is that GNU autotools prepares the library to go to /usr/local/lib by default (and there are good reasons for this setting to remain default, such as FHS conformance). However, in some Linux distributions -- like Ubuntu and ArchLinux -- the runtime linker (aka ld.so) does not search /usr/local/lib for shared libraries, unless otherwise specified through ldconfig.
While all other solutions from @anton-kovalenko's answer are viable, it could be more convenient if you just configure libsandbox with options --prefix=/usr and --libdir=/usr/lib (in case you have write access to /usr/lib, of course). Or you can add a new ldconfig entry in /etc/ld.so.conf.d to enable /usr/local/lib for library search at system level.
DISCLAIMER: I am the author of libsandbox.
what does wallclock mean in libsandbox?
libsandbox can apply two types of time limit to sandboxed programs, namely, cpu clock quota and wall clock quota. Both can trigger result code TL (time limit exceeded). Literally, cpu clock defines the processor time consumed by the sandboxed program, and wall clock measures the elapsed real-world time since the start of the sandboxed program.
The reason we need wall clock quota is that some programs (e.g. idle programs and I/O-intensive programs) may exhibit slow cpu clock consumption and remain alive for an undesirably long wall clock life time.
The recommended value for wall clock quota is 10x-15x that of the cpu clock quota.
DISCLAIMER: I am the author of libsandbox.
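An added example, not libsandbox's own implementation: a small Python watchdog that applies both kinds of limit to a child process, so you can see why a cpu clock quota alone never stops an idle program. The cpu clock quota is enforced with RLIMIT_CPU (the kernel delivers SIGXCPU when processor time runs out), the wall clock quota with a timeout on the parent's wait, and the wall quota defaults to 10x the cpu quota, the low end of the recommendation above. The helper name run_with_quota and the result codes OK and RT are this example's own; only TL comes from the answer.

```python
import resource
import signal
import subprocess
import sys
import time


def run_with_quota(argv, cpu_seconds, wall_seconds=None):
    """Run argv under a cpu clock quota and a wall clock quota.

    cpu_seconds  - processor time the child may consume (RLIMIT_CPU, whole seconds)
    wall_seconds - elapsed real time allowed; defaults to 10x the cpu quota
    Returns a dict: result is "OK", "TL" (time limit exceeded) or "RT" (the child
    failed some other way), reason names the quota that fired on a TL, and
    cpu_used / wall_used are the measured times in seconds.
    """
    if wall_seconds is None:
        wall_seconds = 10 * cpu_seconds

    def apply_cpu_limit():
        # Runs in the child between fork() and exec(). Reaching the soft limit
        # raises SIGXCPU; the hard limit one second later is a SIGKILL in case
        # the child ignores SIGXCPU.
        resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds + 1))

    before = resource.getrusage(resource.RUSAGE_CHILDREN)
    start = time.monotonic()
    try:
        proc = subprocess.run(argv, preexec_fn=apply_cpu_limit,
                              timeout=wall_seconds, capture_output=True)
        returncode = proc.returncode
    except subprocess.TimeoutExpired:
        # subprocess.run kills and reaps the child before raising, so the
        # wall clock quota has already been enforced here.
        returncode = None
    wall_used = time.monotonic() - start
    after = resource.getrusage(resource.RUSAGE_CHILDREN)
    cpu_used = ((after.ru_utime - before.ru_utime)
                + (after.ru_stime - before.ru_stime))

    if returncode is None:
        result, reason = "TL", "wall clock"
    elif returncode in (-signal.SIGXCPU, -signal.SIGKILL):
        result, reason = "TL", "cpu clock"
    elif returncode == 0:
        result, reason = "OK", None
    else:
        result, reason = "RT", None
    return {"result": result, "reason": reason,
            "cpu_used": cpu_used, "wall_used": wall_used}


if __name__ == "__main__":
    # Constructed test programs: one idles (low cpu clock, long wall clock),
    # one spins (cpu clock exhausted long before the wall clock quota).
    idle = [sys.executable, "-c", "import time; time.sleep(30)"]
    busy = [sys.executable, "-c", "while True: pass"]
    print("idle program:", run_with_quota(idle, cpu_seconds=1, wall_seconds=2))
    print("busy program:", run_with_quota(busy, cpu_seconds=1))
```

The idle program sleeps, consuming almost no processor time, so only the wall clock quota can ever end it; the busy loop is cut off by RLIMIT_CPU after about one second of cpu clock, well inside its 10 s wall clock quota. The 10x-15x ratio leaves enough room that an I/O-bound but legitimate program is not reported as TL for merely waiting.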
Restricted Function (RF) with pysandbox
I changed this:
x86_64=set([0,1,5,8,9,10,11,12,16,25,63,158,219,231])
to this:
x86_64=set([0,1,5,8,9,10,11,12,16,21,25,63,89,158,219,231])
in sample2.py, and it works.
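As an added illustration (not code from libsandbox, pysandbox or sample2.py), the following stand-alone Python models the white-list policy that the answers describe, and ties together the first answer (statically linked hello world versus a policy that permits file operations) and the sample2.py edit above. It assumes the standard Linux x86_64 system call numbers to name the entries of the two sets; the WhitelistPolicy class, run_trace, whitelist_diff and with_file_ops are hypothetical helpers, not pysandbox's SandboxPolicy interface; and the two call sequences are constructed, simplified approximations, not real traces.

```python
# Linux x86_64 system call numbers used below. They come from the kernel's
# syscall table (an assumption of this example, not from the answers above).
X86_64_NAMES = {
    0: "read", 1: "write", 2: "open", 3: "close", 4: "stat", 5: "fstat",
    8: "lseek", 9: "mmap", 10: "mprotect", 11: "munmap", 12: "brk", 16: "ioctl",
    21: "access", 25: "mremap", 63: "uname", 89: "readlink", 158: "arch_prctl",
    219: "restart_syscall", 231: "exit_group",
}

# The two white-lists quoted in the post above (before and after the edit).
ORIGINAL_X86_64 = set([0, 1, 5, 8, 9, 10, 11, 12, 16, 25, 63, 158, 219, 231])
PATCHED_X86_64 = set([0, 1, 5, 8, 9, 10, 11, 12, 16, 21, 25, 63, 89, 158, 219, 231])


def name_of(no):
    return X86_64_NAMES.get(no, "syscall_%d" % no)


class WhitelistPolicy:
    """Hypothetical model of a restrictive white-list policy: each system call
    event is either allowed to continue or reported as RF (restricted function),
    which kills the program. This is not pysandbox's SandboxPolicy interface."""

    def __init__(self, allowed):
        self.allowed = frozenset(allowed)
        self.trace = []  # (number, name, action) for every event seen

    def __call__(self, syscall_no):
        action = "CONT" if syscall_no in self.allowed else "KILL"
        self.trace.append((syscall_no, name_of(syscall_no), action))
        return action


def run_trace(policy, syscalls):
    """Feed a sequence of syscall numbers through the policy. Returns
    ("OK", None, None) if every call was allowed, otherwise ("RF", number, name)
    for the first call the white-list rejected."""
    for no in syscalls:
        if policy(no) == "KILL":
            return ("RF", no, name_of(no))
    return ("OK", None, None)


def whitelist_diff(old, new):
    """Name the syscalls a new white-list permits that the old one did not."""
    return {no: name_of(no) for no in sorted(set(new) - set(old))}


def with_file_ops(base):
    """Option (2) from the first answer: a policy that also permits the
    file-operation calls open(), close() and stat()."""
    return WhitelistPolicy(set(base) | {2, 3, 4})


# Constructed, simplified call sequences (not real strace output). A statically
# linked hello world touches no files; a dynamically linked one has ld.so probe
# for and map libc.so before main() runs.
STATIC_HELLO = [63, 12, 158, 1, 231]
DYNAMIC_HELLO = [12, 21, 9, 21, 2, 0, 5, 9, 3, 158, 10, 11, 89, 1, 231]


if __name__ == "__main__":
    print("added by the edit:", whitelist_diff(ORIGINAL_X86_64, PATCHED_X86_64))
    print("static, original list:",
          run_trace(WhitelistPolicy(ORIGINAL_X86_64), STATIC_HELLO))
    print("dynamic, original list:",
          run_trace(WhitelistPolicy(ORIGINAL_X86_64), DYNAMIC_HELLO))
    print("dynamic, patched list:",
          run_trace(WhitelistPolicy(PATCHED_X86_64), DYNAMIC_HELLO))
    print("dynamic, patched + file ops:",
          run_trace(with_file_ops(PATCHED_X86_64), DYNAMIC_HELLO))
```

Run against the constructed sequences, the original list passes the static program but reports RF on the dynamic one at access() (number 21, one of the two calls the edit adds); the patched list gets further and then stops at open(), which is exactly the file-operation call the first answer says a dynamically linked program needs a custom policy for. Adding open/close/stat lets the dynamic sequence through, which is the trade-off the answers describe: every number you append to the white-list is a system call the sandboxed program may now use.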
Static and Dynamic Linking Sandbox
It is possible to sandbox the Python interpreter with libsandbox. You need to handle a few system calls for, say, loading shared libraries and importing default python modules. A working example of pysandbox over the Python3 interpreter can be found in Richard Lobb's CodeRunner project, https://github.com/trampgeek/CodeRunner
Java has its own security mechanisms. So it is unnecessary to wrap the Java VM within a sandbox.
DISCLAIMER: I am the author of libsandbox.