mirror of
https://github.com/google/sandboxed-api.git
synced 2024-03-22 13:11:30 +08:00
177b969e8c
PiperOrigin-RevId: 238996664 Change-Id: I9646527e2be68ee0b6b371572b7aafe967102e57 Signed-off-by: Christian Blichmann <cblichmann@google.com>
2.9 KiB
2.9 KiB
Sandboxing Code
Sometimes, a piece of code carries a lot of security risk. Examples include:
- Commercial binary-only code to do document parsing. Document parsing often goes wrong, and binary-only means no opportunity to fix it up.
- A web browser's core HTML parsing and rendering. This is such a large amount of code that there will be security bugs.
- A JavaScript engine in Java. Accidents here would permit arbitrary calls to Java methods.
Where a piece of code is very risky, and directly exposed to untrusted users and untrusted input, it is sometimes desirable to sandbox this code. The hardest thing about sandboxing is making the call whether the risk warrants the effort to sandbox.
There are many approaches to sandboxing, including virtualization, jail environments, network segregation and restricting the permissions code runs with. This page covers technologies available to do the latter: restrict the permission code runs with. See the following depending on which technology you are using:
General Sandboxing
Project/technology | Description |
---|---|
Sandbox2 | Linux sandboxing using namespaces, resource limits and seccomp-bpf syscall filters. Provides the underlying sandboxing technology for Sandboxed API. |
gVisor | Uses hardware virtualization and a small syscall emulation layer implemented in Go. |
Sandbox command-line tools
Project/technology | Description |
---|---|
Firejail | Lightweight sandboxing tool implemented as a SUID program with minimal dependencies. |
Minijail | The sandboxing and containment tool used in Chrome OS and Android. Provides an executable and a library that can be used to launch and sandbox other programs and code. |
NSJail | Process isolation for Linux using namespaces, resource limits and seccomp-bpf syscall filters. Can optionally make use of Kafel, a custom domain specific language, for specifying syscall policies. |
C/C++
Project/technology | Description |
---|---|
Sandboxed API | Reusable sandboxes for C/C++ libraries using Sandbox2. |
(Portable) Native Client | (Deprecated) Powerful technique to sandbox C/C++ binaries by compiling to a restricted subset of x86 (NaCl)/LLVM bytecode (PNaCl). |
Graphical/Desktop Applications
Project/technology | Description |
---|---|
Flatpak | Built on top of Bubblewrap, provides sandboxing for Linux desktop applications. Puts an emphasis on packaging and distribution of native apps. |