StarMirror/sandboxed-api
1
0
Fork 0
mirror of https://github.com/google/sandboxed-api.git synced 2024-03-22 13:11:30 +08:00
Code Issues Projects Releases Wiki Activity
sandboxed-api/sandboxed_api/sandbox2
History
Wiktor Garbacz 8a7d0d1cb3 Use a nested userns&mntns to pre-pivot_root 
This addresses a latency issue - chroot_fs_refs called inside pivot_root
in the kernel can take several milliseconds on machines with many threads
running.
This might not always reduce latency for custom forkservers, as additional
fork can be more costly than pivot_root.

PiperOrigin-RevId: 281306284
Change-Id: If503ac76a70e5438e94caf708d79cb0219c66def
2019-11-19 09:02:28 -08:00
..
examples
This fixes broken _proto_cc_cc_proto build target suffixes.
2019-09-25 07:13:58 -07:00
testcases
Remount chroot as read-only
2019-11-14 03:51:26 -08:00
unwind
This fixes broken _proto_cc_cc_proto build target suffixes.
2019-09-25 07:13:58 -07:00
util
Internal change.
2019-08-23 08:08:51 -07:00
bpfdisassembler.cc
Add support for new SECCOMP_RET_* in disassembler
2019-04-09 14:38:05 +02:00
bpfdisassembler.h
Sandboxed API OSS release.
2019-03-18 19:00:48 +01:00
buffer_test.cc
Call DisableNamespaces where needed
2019-05-23 07:21:03 -07:00
buffer.cc
Internal change.
2019-08-23 08:08:51 -07:00
buffer.h
Internal change.
2019-08-23 08:08:51 -07:00
BUILD.bazel
Use a nested userns&mntns to pre-pivot_root
2019-11-19 09:02:28 -08:00
client.cc
Now the network proxy client can automatically redirect connect syscalls to a handler that will send the data (syscall arguments) to the proxy server automatically and will return the obtained socket from the proxy server, in the future rules like allowed IP, protocols, etc. will be added
2019-07-23 04:41:08 -07:00
client.h
Now the network proxy client can automatically redirect connect syscalls to a handler that will send the data (syscall arguments) to the proxy server automatically and will return the obtained socket from the proxy server, in the future rules like allowed IP, protocols, etc. will be added
2019-07-23 04:41:08 -07:00
CMakeLists.txt
Use a nested userns&mntns to pre-pivot_root
2019-11-19 09:02:28 -08:00
comms_test.cc
Internal change.
2019-08-23 08:08:51 -07:00
comms_test.proto
Sandboxed API OSS release.
2019-03-18 19:00:48 +01:00
comms.cc
Remove stale comment
2019-05-17 07:21:31 -07:00
comms.h
Make StatusMatcher more flexible
2019-04-23 10:30:45 -07:00
executor.cc
Fix a file descriptor leak in sandbox2::Executor.
2019-10-23 09:52:07 -07:00
executor.h
Fix a file descriptor leak in sandbox2::Executor.
2019-10-23 09:52:07 -07:00
forkingclient.cc
Sandboxed API OSS release.
2019-03-18 19:00:48 +01:00
forkingclient.h
Sandboxed API OSS release.
2019-03-18 19:00:48 +01:00
forkserver_bin.cc
Move forkserver into a dedicated binary
2019-04-09 14:37:41 +02:00
forkserver_test.cc
Sandboxed API OSS release.
2019-03-18 19:00:48 +01:00
forkserver.cc
Use a nested userns&mntns to pre-pivot_root
2019-11-19 09:02:28 -08:00
forkserver.h
Use a nested userns&mntns to pre-pivot_root
2019-11-19 09:02:28 -08:00
forkserver.proto
Sandboxed API OSS release.
2019-03-18 19:00:48 +01:00
global_forkclient.cc
Move forkserver into a dedicated binary
2019-04-09 14:37:41 +02:00
global_forkclient.h
Sandboxed API OSS release.
2019-03-18 19:00:48 +01:00
ipc_test.cc
Call DisableNamespaces where needed
2019-05-23 07:21:03 -07:00
ipc.cc
Formatting fixes.
2019-03-19 03:41:32 -07:00
ipc.h
Formatting fixes.
2019-03-19 03:41:32 -07:00
limits_test.cc
Call DisableNamespaces where needed
2019-05-23 07:21:03 -07:00
limits.h
Formatting fixes.
2019-03-19 03:41:32 -07:00
logserver.cc
Follow-up to rev. 6edcf5f which introduced a build failure
2019-07-08 05:56:36 -07:00
logserver.h
Fix unnecessary unique_ptr in LogServer.
2019-05-26 08:47:38 -07:00
logserver.proto
Sandboxed API OSS release.
2019-03-18 19:00:48 +01:00
logsink.cc
Sandboxed API OSS release.
2019-03-18 19:00:48 +01:00
logsink.h
Internal change
2019-04-26 06:18:59 -07:00
monitor.cc
fail soft if sandboxee exits before init is ptraced
2019-09-20 06:13:44 -07:00
monitor.h
Initialize std::atomic_flag members
2019-07-15 23:59:24 -07:00
mounts_test.cc
Fix mount entries listing for tmpfs
2019-10-24 02:37:54 -07:00
mounts.cc
Remount chroot as read-only
2019-11-14 03:51:26 -08:00
mounts.h
Remount chroot as read-only
2019-11-14 03:51:26 -08:00
mounttree.proto
Remount chroot as read-only
2019-11-14 03:51:26 -08:00
namespace_test.cc
Remount chroot as read-only
2019-11-14 03:51:26 -08:00
namespace.cc
Use a nested userns&mntns to pre-pivot_root
2019-11-19 09:02:28 -08:00
namespace.h
Use a nested userns&mntns to pre-pivot_root
2019-11-19 09:02:28 -08:00
network_proxy_client.cc
Now the network proxy client can automatically redirect connect syscalls to a handler that will send the data (syscall arguments) to the proxy server automatically and will return the obtained socket from the proxy server, in the future rules like allowed IP, protocols, etc. will be added
2019-07-23 04:41:08 -07:00
network_proxy_client.h
Now the network proxy client can automatically redirect connect syscalls to a handler that will send the data (syscall arguments) to the proxy server automatically and will return the obtained socket from the proxy server, in the future rules like allowed IP, protocols, etc. will be added
2019-07-23 04:41:08 -07:00
network_proxy_server.cc
Now the network proxy client can automatically redirect connect syscalls to a handler that will send the data (syscall arguments) to the proxy server automatically and will return the obtained socket from the proxy server, in the future rules like allowed IP, protocols, etc. will be added
2019-07-23 04:41:08 -07:00
network_proxy_server.h
Now the network proxy client can automatically redirect connect syscalls to a handler that will send the data (syscall arguments) to the proxy server automatically and will return the obtained socket from the proxy server, in the future rules like allowed IP, protocols, etc. will be added
2019-07-23 04:41:08 -07:00
notify_test.cc
Call DisableNamespaces where needed
2019-05-23 07:21:03 -07:00
notify.h
Sandboxed API OSS release.
2019-03-18 19:00:48 +01:00
policy_test.cc
Enable namespaces by default
2019-09-11 02:39:49 -07:00
policy.cc
Use full workspace name to access Bazel packages in generator
2019-07-01 02:53:41 -07:00
policy.h
Rename deathrattle_fatalmsg proto
2019-03-20 05:19:55 -07:00
policybuilder_test.cc
Make PolicyBuilder a value class.
2019-10-08 10:45:45 -07:00
policybuilder.cc
Remount chroot as read-only
2019-11-14 03:51:26 -08:00
policybuilder.h
Remount chroot as read-only
2019-11-14 03:51:26 -08:00
README.md
Corrects typo in link
2019-10-07 02:36:35 -07:00
regs.cc
Internal change.
2019-08-23 08:08:51 -07:00
regs.h
Internal change.
2019-08-23 08:08:51 -07:00
result.cc
Internal change.
2019-08-23 08:08:51 -07:00
result.h
Internal change.
2019-08-23 08:08:51 -07:00
sandbox2_test.cc
Enable namespaces by default
2019-09-11 02:39:49 -07:00
sandbox2.cc
Internal change.
2019-08-23 08:08:51 -07:00
sandbox2.h
Internal change.
2019-08-23 08:08:51 -07:00
sanitizer_test.cc
Call DisableNamespaces where needed
2019-05-23 07:21:03 -07:00
sanitizer.cc
Formatting fixes and include file hygiene.
2019-03-26 07:54:21 -07:00
sanitizer.h
Formatting fixes and include file hygiene.
2019-03-26 07:54:21 -07:00
stack_trace_test.cc
Enable namespaces by default
2019-09-11 02:39:49 -07:00
stack_trace.cc
Rework stacktrace mounttree logic
2019-10-22 09:05:33 -07:00
stack_trace.h
Rename stack-trace{.h,.cc,._test.cc} to use underscores
2019-07-09 01:32:25 -07:00
syscall_defs.cc
Formatting fixes and include file hygiene.
2019-03-26 07:54:21 -07:00
syscall_defs.h
Sandboxed API OSS release.
2019-03-18 19:00:48 +01:00
syscall_test.cc
Sandboxed API OSS release.
2019-03-18 19:00:48 +01:00
syscall.cc
Sandboxed API OSS release.
2019-03-18 19:00:48 +01:00
syscall.h
Sandboxed API OSS release.
2019-03-18 19:00:48 +01:00
testing.cc
Sandboxed API OSS release.
2019-03-18 19:00:48 +01:00
testing.h
Sandboxed API OSS release.
2019-03-18 19:00:48 +01:00
util_test.cc
Formatting fixes and include file hygiene.
2019-03-26 07:54:21 -07:00
util.cc
Internal change.
2019-08-23 08:08:51 -07:00
util.h
Internal change.
2019-08-23 08:08:51 -07:00
violation.proto
Internal change
2019-09-24 04:50:18 -07:00

README.md

Sandbox2

Sandbox2 is a C++ security sandbox for Linux which can be used to run untrusted programs or portions of programs in confined environments. The idea is that the runtime environment is so restricted that security bugs such as buffer overflows in the protected region cause no harm.

Documentation

Detailed developer documentation is available on the Google Developers site for Sandboxed API under Sandbox2.

There is also a Getting Started guide for Sandbox2.