sandboxed-api

mirror of https://github.com/google/sandboxed-api.git synced 2024-03-22 13:11:30 +08:00

Go to file

Christian Blichmann ca6ec4337d Add workaround for active Tomoyo LSM

Recenly, Debian based distribution kernels started activating the Tomoyo Linux
Security Module by default. Even if it is not used, this changes the behavior
of `/dev/fd` (pointing to `/proc/self/fd` by default), which Sandbox2 needs during
`execveat()`.

As a result, Sandbox2 and Sandboxed API always fail without one of the following
conditions
- `/proc` mounted within the sandboxee
- `/dev` mounted
- `/dev/fd` symlinked to `/proc/self/fd` in the sandboxee's mount namespace

Some code pointers to upstream Linux 5.12.2:
- https://elixir.bootlin.com/linux/v5.12.2/source/fs/exec.c#L1775
- https://elixir.bootlin.com/linux/v5.12.2/source/security/tomoyo/tomoyo.c#L107
- https://elixir.bootlin.com/linux/v5.12.2/source/security/tomoyo/domain.c#L729

To find out whether your system has Tomoyo enabled, use this command, similar to
what this change does in code:

```
$ cat /sys/kernel/security/lsm | grep tomoyo && echo "Tomoyo active"
capability,yama,apparmor,tomoyo
Tomoyo active
```

The config setting `CONFIG_DEFAULT_SECURITY` controls which LSMs are built into
the kernel by default.

PiperOrigin-RevId: 372919524
Change-Id: I2181819c04f15f57d96c44ea9977d0def4a1b623

2021-05-10 07:04:04 -07:00

.bazelci

Update BazelCI configuration to use Debian 10

2019-10-23 06:10:05 -07:00

.github/workflows

Add more compiler variants to GitHub Actions

2021-04-07 15:23:23 +02:00

cmake

Update third-party dependencies

2021-04-26 05:00:30 -07:00

contrib

Add directories/README for contributions

2020-07-29 11:32:41 +02:00

oss-internship-2020

Merge pull request #82 from cblichmann:main

2021-01-26 08:18:57 -08:00

sandboxed_api

Add workaround for active Tomoyo LSM

2021-05-10 07:04:04 -07:00

.bazelignore

Build fixes for recent Bazel versions

2020-09-25 07:25:31 -07:00

.bazelrc

Update/simplify linker flags for testcases

2020-12-11 01:12:05 -08:00

.clang-format

Update .clang-format to prefer & and * to be close to the type

2020-09-18 02:22:43 -07:00

.gitignore

Make CMake superbuild behave more similar to FetchContent

2021-02-03 18:15:15 +01:00

.gitmodules

Merge pull request #56 from alexelex:master

2020-12-08 03:15:35 -08:00

CMakeLists.txt

Make CMake superbuild behave more similar to FetchContent

2021-02-03 18:15:15 +01:00

CONTRIBUTING.md

Sandboxed API OSS release.

2019-03-18 19:00:48 +01:00

LICENSE

Sandboxed API OSS release.

2019-03-18 19:00:48 +01:00

README.md

Update/rephrase README

2021-02-02 03:08:31 -08:00

WORKSPACE

Update dependencies to latest versions

2020-04-29 06:45:44 -07:00

README.md

What is Sandboxed API?

The Sandboxed API project (SAPI) makes sandboxing of C/C++ libraries less burdensome: after initial setup of security policies and generation of library interfaces, a stub API is generated, transparently forwarding calls using a custom RPC layer to the real library running inside a sandboxed environment.

Additionally, each SAPI library utilizes a tightly defined security policy, in contrast to the typical sandboxed project, where security policies must cover the total syscall/resource footprint of all its libraries.

Documentation

Developer documentation is available on the Google Developers site for Sandboxed API.

There is also a Getting Started guide.

Getting Involved

If you want to contribute, please read CONTRIBUTING.md and send us pull requests. You can also report bugs or file feature requests.

If you'd like to talk to the developers or get notified about major product updates, you may want to subscribe to our mailing list or sign up with this link.

Languages

C++ 77.8%

CMake 10.8%

Starlark 5.7%

Python 3.3%

C 1.7%

Other 0.7%