How to Get Started with Libsandbox

How do I get started with libsandbox

The sample code of libsandbox forbids system calls for file operations, such as open(), stat(), close(). That said, you'll need to either (1) link the hello world program statically to avoid opening files such as shared libraries (i.e. libc.so), or (2) write a customized sandbox policy that permits the relevant system calls. Some examples of customizing sandbox policies can be found at https://github.com/liuyu81/TR-OJA-201209A.

DISCLAIMER: I am the author of libsandbox.

Running libsandbox

The short and general answer is: to use libanything, you write a program that utilizes that library - you #include <anything.h> into the source and link with the -lanything switch. You're not supposed to find any executable files, unless it's a test suite or an example program for the library.

I wasn't able to find 'libsandbox' for some reason, so my reply might be grossly inaccurate.

libsandbox / pysandbox documentation

What are the defaults when creating a sandbox? Is it secure by default?

  • A Sandbox instance is permissive by default. It grants unlimited quota unless you specify quota; it allows all system calls except ones that lead to multi-processing (i.e. fork(), vfork(), clone(), ...) and inter-process communication (i.e. waitid(), ptrace(), ...) unless you filter system call events with a custom policy.
  • The sample code (sample2.py) distributed with libsandbox is a minimal working example of restrictive, white-list sandboxing. Use that as the framework of your watchdog program.

What does disk in quota limit? Does it limit the total bytes the script can write in this run or the size of the folder?

  • disk quota limits the total bytes that the target program can write to all eligible file systems (i.e. ones that support quota limitation and are capable of generating SIGXFSZ signals).
  • If the program writes a regular file on ext3 or ext4 file system, that usually counts; but writing to standard output stream or /dev/null does not count against the quota. Nevertheless, you can implement folder-based quota within your custom policy.

What does setting owner to nobody do?

  • Execute the targeted program on behalf of user nobody. The owner argument wraps the OS-level service setuid(). After setuid() to nobody, the targeted program has all the permissions the OS granted to user nobody, and nothing beyond.
  • Please note that you have to be a superuser to be able to specify an owner other than yourself.

Will the code in my example block executing arbitrary code, block network IO and block access to files outside of the jailed folder?

  • Not exactly. All system calls made by the program are reported to the Sandbox, but you have to plug in a policy module that explicitly blocks system calls relating to network IO. Or you can filter all system calls against a white list, as is done by the sample code sample2.py.
  • Also note that you have to be a superuser to be able to specify a jail other than the root directory /.

DISCLAIMER: I am the author of libsandbox.

How do I install libsandbox? I have some problems during installation

Seems like you have installed 32-bit pysandbox on a 64-bit machine, and are trying to import the 32-bit module from a 64-bit Python interpreter.

DISCLAIMER: I am the author of libsandbox.

Sandbox ( libsandbox ) Error in shared libraries

I have solved the problem by running this command:

./configure --prefix=/usr

error while loading shared libraries: libsandbox.so

The "shared library gone missing" problem is not unique to libsandbox. It so happens to many self-compiled libraries that use GNU autotools for build configuration.

The problem is that GNU autotools prepares the library to go to /usr/local/lib by default (and there are good reasons for this setting to remain the default, such as FHS conformance). However, in some Linux distributions -- like Ubuntu and ArchLinux -- the runtime linker (a.k.a. ld.so) does not search /usr/local/lib for shared libraries, unless otherwise specified through ldconfig.

While all other solutions from @anton-kovalenko's answer are viable, it could be more convenient if you just configure libsandbox with options --prefix=/usr and --libdir=/usr/lib (in case you have write access to /usr/lib, of course). Or you can add a new ldconfig entry in /etc/ld.so.conf.d to enable /usr/local/lib for library search at system level.

DISCLAIMER: I am the author of libsandbox.

what does wallclock mean in libsandbox?

libsandbox can apply two types of time limit to sandboxed programs, namely, cpu clock quota and wall clock quota. Both can trigger result code TL (time limit exceeded). Literally, cpu clock defines the processor time consumed by the sandboxed program, and wall clock measures the elapsed real-world time since the start of the sandboxed program.

The reason we need wall clock quota is that some programs (e.g. idle programs and I/O-intensive programs) may exhibit slow cpu clock consumption and remain alive for an undesirably long wall clock lifetime.

The recommended value for wall clock quota is 10x-15x that of the cpu clock quota.

DISCLAIMER: I am the author of libsandbox.

Restricted Function (RF) with pysandbox

I changed this:

x86_64=set([0,1,5,8,9,10,11,12,16,25,63,158,219,231])

to this:

x86_64=set([0,1,5,8,9,10,11,12,16,21,25,63,89,158,219,231])

in sample2.py, and it works.
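As an added example (not code from libsandbox or its sample2.py), the following pure-Python model of the white-list filtering described in the answers above shows why adding 21 (access) and 89 (readlink) to the x86_64 set removes the RF result for a statically linked program, and why a dynamically linked one is still stopped at open(), as the first answer on this page explains. The two syscall traces are constructed for illustration; the syscall names are the standard x86_64 Linux assignments.

```python
# Added example: a stand-alone model of a white-list syscall policy.
# It does not import pysandbox; it only reproduces the allow/deny decision
# so the effect of the two added numbers can be checked offline.

# Standard x86_64 Linux syscall numbers -> names (only the ones used here).
X86_64_NAMES = {
    0: "read", 1: "write", 2: "open", 3: "close", 4: "stat", 5: "fstat",
    8: "lseek", 9: "mmap", 10: "mprotect", 11: "munmap", 12: "brk",
    16: "ioctl", 21: "access", 25: "mremap", 63: "uname", 89: "readlink",
    158: "arch_prctl", 219: "restart_syscall", 231: "exit_group", 257: "openat",
}

# White-list quoted from sample2.py in the post above, and the patched one.
ORIGINAL_WHITELIST = {0, 1, 5, 8, 9, 10, 11, 12, 16, 25, 63, 158, 219, 231}
PATCHED_WHITELIST = ORIGINAL_WHITELIST | {21, 89}   # adds access, readlink

# Constructed traces (illustrative, not captured strace output).
# A statically linked hello-world-like start-up: no shared-library loading.
STATIC_TRACE = [158, 12, 63, 89, 21, 5, 1, 231]
# A dynamically linked one: the loader must open() libc.so before main().
DYNAMIC_TRACE = [12, 21, 9, 2, 0, 5, 9, 10, 3, 158, 1, 231]


def check_trace(trace, whitelist):
    """Walk a syscall trace; stop at the first number outside the white-list.

    Returns ("OK", None) if every call is permitted, otherwise ("RF", nr),
    mirroring libsandbox's RF (restricted function) result code.
    """
    for nr in trace:
        if nr not in whitelist:
            return "RF", nr
    return "OK", None


def explain(result):
    """Render a check_trace() result as a one-line diagnostic."""
    code, nr = result
    if code == "OK":
        return "OK: every system call was in the white-list"
    name = X86_64_NAMES.get(nr, "unknown")
    return f"RF: syscall {nr} ({name}) is not in the white-list"


if __name__ == "__main__":
    for label, trace in (("static", STATIC_TRACE), ("dynamic", DYNAMIC_TRACE)):
        for wl_name, wl in (("original", ORIGINAL_WHITELIST), ("patched", PATCHED_WHITELIST)):
            print(f"{label:8s} {wl_name:8s} -> {explain(check_trace(trace, wl))}")
```

With the original list the static trace dies at readlink (89); with the patched list it passes, while the dynamic trace is still stopped at open (2) under both lists, which is the static-linking advice from the first answer.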

Static and Dynamic Linking Sandbox

It is possible to sandbox the Python interpreter with libsandbox. You need to handle a few system calls for, say, loading shared libraries and importing default Python modules. A working example of pysandbox over the Python3 interpreter can be found in Richard Lobb's CodeRunner project:

https://github.com/trampgeek/CodeRunner

Java has its own security mechanisms. So it is unnecessary to wrap the Java VM within a sandbox.

DISCLAIMER: I am the author of libsandbox.
