sandboxed-api/sandboxed_api/sandbox2
Christian Blichmann 3c51348aaf Enable CMake projects to consume Sandboxed API via add_subdirectory()
This change moves away from a classical superbuild which downloads and builds
at build time. Instead, we now follow a "Fetch Content" workflow (available as
FetchContent in CMake 3.11+) and download dependencies at config time.

Rationale: Superbuild projects have the disadvantage that projects cannot
directly access their individual declared targets. This is not a problem with
regular libraries, as those are usually/supposed to be installed. With
Sandboxed API, this is not desirable, as it has dependencies like Abseil and
glog, which are almost always consumed by including their source tree using
add_subdirectory().

Fixes #10 and makes external embedding easier.

PiperOrigin-RevId: 260129870
Change-Id: I70f295f29a6e4fc8c330512c94b01ef10c017166
2019-07-26 05:51:08 -07:00
..
docs Internal change 2019-04-23 10:42:14 -07:00
examples Enable CMake projects to consume Sandboxed API via add_subdirectory() 2019-07-26 05:51:08 -07:00
testcases Deflake namespace_test 2019-07-09 04:11:07 -07:00
unwind Use full workspace name to access Bazel packages in generator 2019-07-01 02:53:41 -07:00
util Add CMake options to exclude examples and tests from build 2019-07-15 04:42:58 -07:00
bpfdisassembler.cc Add support for new SECCOMP_RET_* in disassembler 2019-04-09 14:38:05 +02:00
bpfdisassembler.h Sandboxed API OSS release. 2019-03-18 19:00:48 +01:00
buffer_test.cc Call DisableNamespaces where needed 2019-05-23 07:21:03 -07:00
buffer.cc Sandboxed API OSS release. 2019-03-18 19:00:48 +01:00
buffer.h Clarify behavior of Buffer::CreateFromFd 2019-05-30 23:50:54 -07:00
BUILD.bazel Now the network proxy client can automatically redirect connect syscalls to a handler that will send the data (syscall arguments) to the proxy server automatically and will return the obtained socket from the proxy server, in the future rules like allowed IP, protocols, etc. will be added 2019-07-23 04:41:08 -07:00
client.cc Now the network proxy client can automatically redirect connect syscalls to a handler that will send the data (syscall arguments) to the proxy server automatically and will return the obtained socket from the proxy server, in the future rules like allowed IP, protocols, etc. will be added 2019-07-23 04:41:08 -07:00
client.h Now the network proxy client can automatically redirect connect syscalls to a handler that will send the data (syscall arguments) to the proxy server automatically and will return the obtained socket from the proxy server, in the future rules like allowed IP, protocols, etc. will be added 2019-07-23 04:41:08 -07:00
CMakeLists.txt Enable CMake projects to consume Sandboxed API via add_subdirectory() 2019-07-26 05:51:08 -07:00
comms_test.cc Internal change 2019-04-23 10:42:14 -07:00
comms_test.proto Sandboxed API OSS release. 2019-03-18 19:00:48 +01:00
comms.cc Remove stale comment 2019-05-17 07:21:31 -07:00
comms.h Make StatusMatcher more flexible 2019-04-23 10:30:45 -07:00
executor.cc Use full workspace name to access Bazel packages in generator 2019-07-01 02:53:41 -07:00
executor.h Formatting fixes and include file hygiene. 2019-03-26 07:54:21 -07:00
forkingclient.cc Sandboxed API OSS release. 2019-03-18 19:00:48 +01:00
forkingclient.h Sandboxed API OSS release. 2019-03-18 19:00:48 +01:00
forkserver_bin.cc Move forkserver into a dedicated binary 2019-04-09 14:37:41 +02:00
forkserver_test.cc Sandboxed API OSS release. 2019-03-18 19:00:48 +01:00
forkserver.cc Extract RunInitProcess and SendPid/RecvPid 2019-07-16 07:23:17 -07:00
forkserver.h Formatting fixes and include file hygiene. 2019-03-26 07:54:21 -07:00
forkserver.proto Sandboxed API OSS release. 2019-03-18 19:00:48 +01:00
global_forkclient.cc Move forkserver into a dedicated binary 2019-04-09 14:37:41 +02:00
global_forkclient.h Sandboxed API OSS release. 2019-03-18 19:00:48 +01:00
ipc_test.cc Call DisableNamespaces where needed 2019-05-23 07:21:03 -07:00
ipc.cc Formatting fixes. 2019-03-19 03:41:32 -07:00
ipc.h Formatting fixes. 2019-03-19 03:41:32 -07:00
limits_test.cc Call DisableNamespaces where needed 2019-05-23 07:21:03 -07:00
limits.h Formatting fixes. 2019-03-19 03:41:32 -07:00
logserver.cc Follow-up to rev. 6edcf5f which introduced a build failure 2019-07-08 05:56:36 -07:00
logserver.h Fix unnecessary unique_ptr in LogServer. 2019-05-26 08:47:38 -07:00
logserver.proto Sandboxed API OSS release. 2019-03-18 19:00:48 +01:00
logsink.cc Sandboxed API OSS release. 2019-03-18 19:00:48 +01:00
logsink.h Internal change 2019-04-26 06:18:59 -07:00
monitor.cc Rename stack-trace{.h,.cc,._test.cc} to use underscores 2019-07-09 01:32:25 -07:00
monitor.h Initialize std::atomic_flag members 2019-07-15 23:59:24 -07:00
mounts_test.cc Print final FS mounts in sandboxee's chroot 2019-05-07 18:30:13 -07:00
mounts.cc Log the progress of dynamic libraries being resolved while creating a sandboxee's virtual FS chroot. This provides valuable insight while debugging problems with dynamically linked sandoxed binaries. 2019-05-10 09:41:07 -07:00
mounts.h Print final FS mounts in sandboxee's chroot 2019-05-07 18:30:13 -07:00
mounttree.proto Sandboxed API OSS release. 2019-03-18 19:00:48 +01:00
namespace_test.cc Fix double EnableNamespaces 2019-07-15 05:34:31 -07:00
namespace.cc Move root chdir to namespace setup 2019-07-16 07:13:17 -07:00
namespace.h Use new function naming 2019-06-14 02:09:07 -07:00
network_proxy_client.cc Now the network proxy client can automatically redirect connect syscalls to a handler that will send the data (syscall arguments) to the proxy server automatically and will return the obtained socket from the proxy server, in the future rules like allowed IP, protocols, etc. will be added 2019-07-23 04:41:08 -07:00
network_proxy_client.h Now the network proxy client can automatically redirect connect syscalls to a handler that will send the data (syscall arguments) to the proxy server automatically and will return the obtained socket from the proxy server, in the future rules like allowed IP, protocols, etc. will be added 2019-07-23 04:41:08 -07:00
network_proxy_server.cc Now the network proxy client can automatically redirect connect syscalls to a handler that will send the data (syscall arguments) to the proxy server automatically and will return the obtained socket from the proxy server, in the future rules like allowed IP, protocols, etc. will be added 2019-07-23 04:41:08 -07:00
network_proxy_server.h Now the network proxy client can automatically redirect connect syscalls to a handler that will send the data (syscall arguments) to the proxy server automatically and will return the obtained socket from the proxy server, in the future rules like allowed IP, protocols, etc. will be added 2019-07-23 04:41:08 -07:00
notify_test.cc Call DisableNamespaces where needed 2019-05-23 07:21:03 -07:00
notify.h Sandboxed API OSS release. 2019-03-18 19:00:48 +01:00
policy_test.cc Call DisableNamespaces where needed 2019-05-23 07:21:03 -07:00
policy.cc Use full workspace name to access Bazel packages in generator 2019-07-01 02:53:41 -07:00
policy.h Rename deathrattle_fatalmsg proto 2019-03-20 05:19:55 -07:00
policybuilder_test.cc Call DisableNamespaces where needed 2019-05-23 07:21:03 -07:00
policybuilder.cc Now the network proxy client can automatically redirect connect syscalls to a handler that will send the data (syscall arguments) to the proxy server automatically and will return the obtained socket from the proxy server, in the future rules like allowed IP, protocols, etc. will be added 2019-07-23 04:41:08 -07:00
policybuilder.h Now the network proxy client can automatically redirect connect syscalls to a handler that will send the data (syscall arguments) to the proxy server automatically and will return the obtained socket from the proxy server, in the future rules like allowed IP, protocols, etc. will be added 2019-07-23 04:41:08 -07:00
README.md Sandboxed API OSS release. 2019-03-18 19:00:48 +01:00
regs.cc Sandboxed API OSS release. 2019-03-18 19:00:48 +01:00
regs.h Rename deathrattle_fatalmsg proto 2019-03-20 05:19:55 -07:00
result.cc Reintroduce monitor changes. 2019-05-15 07:46:49 -07:00
result.h Reintroduce monitor changes. 2019-05-15 07:46:49 -07:00
sandbox2_test.cc Call DisableNamespaces where needed 2019-05-23 07:21:03 -07:00
sandbox2.cc Replace custom synchronization with absl::Notification 2019-05-15 08:09:56 -07:00
sandbox2.h Fix formating 2019-06-14 03:01:09 -07:00
sanitizer_test.cc Call DisableNamespaces where needed 2019-05-23 07:21:03 -07:00
sanitizer.cc Formatting fixes and include file hygiene. 2019-03-26 07:54:21 -07:00
sanitizer.h Formatting fixes and include file hygiene. 2019-03-26 07:54:21 -07:00
stack_trace_test.cc Rename stack-trace{.h,.cc,._test.cc} to use underscores 2019-07-09 01:32:25 -07:00
stack_trace.cc Rename stack-trace{.h,.cc,._test.cc} to use underscores 2019-07-09 01:32:25 -07:00
stack_trace.h Rename stack-trace{.h,.cc,._test.cc} to use underscores 2019-07-09 01:32:25 -07:00
syscall_defs.cc Formatting fixes and include file hygiene. 2019-03-26 07:54:21 -07:00
syscall_defs.h Sandboxed API OSS release. 2019-03-18 19:00:48 +01:00
syscall_test.cc Sandboxed API OSS release. 2019-03-18 19:00:48 +01:00
syscall.cc Sandboxed API OSS release. 2019-03-18 19:00:48 +01:00
syscall.h Sandboxed API OSS release. 2019-03-18 19:00:48 +01:00
testing.cc Sandboxed API OSS release. 2019-03-18 19:00:48 +01:00
testing.h Sandboxed API OSS release. 2019-03-18 19:00:48 +01:00
util_test.cc Formatting fixes and include file hygiene. 2019-03-26 07:54:21 -07:00
util.cc Extract GetRlimitName into util 2019-05-17 01:55:35 -07:00
util.h Extract GetRlimitName into util 2019-05-17 01:55:35 -07:00
violation.proto Disable "mini" debug format support in libunwind to avoid additional library dependency 2019-03-20 08:03:08 -07:00

Sandbox2

Sandbox2 is a C++ security sandbox for Linux which can be used to run untrusted programs or portions of programs in confined environments. The idea is that the runtime environment is so restricted that security bugs such as buffer overflows in the protected region cause no harm.

Who is it for?

Sandbox2 is aimed to sandbox C/C++ code or whole binaries in production.

See the sandboxing options overview page to make sure this is the type of sandboxing you are looking for.

How does it work?

Read our How it works page to learn everything about this technology.