Christian Blichmann ca6ec4337d Add workaround for active Tomoyo LSM
Recently, Debian based distribution kernels started activating the Tomoyo Linux
Security Module by default. Even if it is not used, this changes the behavior
of `/dev/fd` (pointing to `/proc/self/fd` by default), which Sandbox2 needs during
`execveat()`.

As a result, Sandbox2 and Sandboxed API always fail without one of the following
conditions:
- `/proc` mounted within the sandboxee
- `/dev` mounted
- `/dev/fd` symlinked to `/proc/self/fd` in the sandboxee's mount namespace

Some code pointers to upstream Linux 5.12.2:
- https://elixir.bootlin.com/linux/v5.12.2/source/fs/exec.c#L1775
- https://elixir.bootlin.com/linux/v5.12.2/source/security/tomoyo/tomoyo.c#L107
- https://elixir.bootlin.com/linux/v5.12.2/source/security/tomoyo/domain.c#L729

To find out whether your system has Tomoyo enabled, use this command, similar to
what this change does in code:

```
$ cat /sys/kernel/security/lsm | grep tomoyo && echo "Tomoyo active"
capability,yama,apparmor,tomoyo
Tomoyo active
```

The config setting `CONFIG_DEFAULT_SECURITY` controls which LSMs are built into
the kernel by default.

PiperOrigin-RevId: 372919524
Change-Id: I2181819c04f15f57d96c44ea9977d0def4a1b623
2021-05-10 07:04:04 -07:00
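The detection the commit message describes, as an added example in plain C++ that is not Sandbox2's own code: it parses the comma-separated contents of `/sys/kernel/security/lsm` with an exact token match (the `grep tomoyo` above would also match any module whose name merely contains that string), reports "unknown" rather than "not active" when securityfs is not readable, and checks a sandboxee root directory for the three conditions listed above. The function names, the idea of inspecting a prepared root directory from outside, and the constructed sample inputs are assumptions for illustration, not the project's API.

```cpp
// Added example (not Sandbox2 code): Tomoyo detection and a /dev/fd
// pre-flight check modelled on the conditions in the commit message.
#include <filesystem>
#include <fstream>
#include <iostream>
#include <iterator>
#include <optional>
#include <sstream>
#include <string>
#include <vector>

namespace fs = std::filesystem;

// Splits the comma-separated LSM list (the format of /sys/kernel/security/lsm,
// e.g. "capability,yama,apparmor,tomoyo\n") into individual module names.
std::vector<std::string> ParseLsmList(const std::string& contents) {
  std::vector<std::string> lsms;
  std::istringstream in(contents);
  std::string token;
  while (std::getline(in, token, ',')) {
    // Drop the newline or stray whitespace trailing the last entry.
    while (!token.empty() &&
           (token.back() == '\n' || token.back() == '\r' || token.back() == ' '))
      token.pop_back();
    if (!token.empty()) lsms.push_back(token);
  }
  return lsms;
}

// Exact-token match, so a hypothetical module named e.g. "nottomoyo" is not
// mistaken for Tomoyo the way a plain substring grep would.
bool ListHasTomoyo(const std::string& contents) {
  for (const std::string& name : ParseLsmList(contents))
    if (name == "tomoyo") return true;
  return false;
}

// Reads the live LSM list. std::nullopt means "cannot tell" (securityfs not
// mounted or unreadable), which callers should treat differently from false.
std::optional<bool> TomoyoActive(
    const fs::path& lsm_file = "/sys/kernel/security/lsm") {
  std::ifstream in(lsm_file);
  if (!in) return std::nullopt;
  std::string contents((std::istreambuf_iterator<char>(in)),
                       std::istreambuf_iterator<char>());
  return ListHasTomoyo(contents);
}

// Checks a prepared sandboxee root at `root` (assumption: the mount namespace
// has been materialised as a directory tree) for one of the three conditions
// under which /dev/fd resolves during execveat():
//   - /proc mounted inside the sandboxee
//   - /dev mounted
//   - /dev/fd symlinked to /proc/self/fd
bool DevFdUsable(const fs::path& root) {
  std::error_code ec;
  // /proc mounted: /proc/self/fd is a directory inside the root.
  if (fs::is_directory(root / "proc/self/fd", ec)) return true;

  // Inspect /dev/fd WITHOUT following it: an absolute symlink target would
  // otherwise be resolved against the host's root, not the sandboxee's, and
  // the host's /proc/self/fd always exists.
  const fs::path dev_fd = root / "dev/fd";
  const fs::file_status st = fs::symlink_status(dev_fd, ec);
  if (ec || st.type() == fs::file_type::not_found) return false;

  if (fs::is_symlink(st)) {
    // /dev/fd -> /proc/self/fd (this is also what a mounted /dev contains).
    const fs::path target = fs::read_symlink(dev_fd, ec);
    return !ec && target == fs::path("/proc/self/fd");
  }
  // A /dev mount that provides /dev/fd as a directory.
  return fs::is_directory(st);
}

int main() {
  std::optional<bool> active = TomoyoActive();
  if (!active)
    std::cout << "Tomoyo: unknown (securityfs not readable)\n";
  else
    std::cout << "Tomoyo: " << (*active ? "active" : "not active") << '\n';

  // Constructed sample root with only the symlink condition satisfied.
  const fs::path root = fs::temp_directory_path() / "sb2_devfd_demo";
  fs::remove_all(root);
  fs::create_directories(root / "dev");
  std::cout << "empty /dev usable: " << DevFdUsable(root) << '\n';
  fs::create_symlink("/proc/self/fd", root / "dev/fd");
  std::cout << "/dev/fd symlink usable: " << DevFdUsable(root) << '\n';
  fs::remove_all(root);
  return 0;
}
```

Run on a host where securityfs is mounted and `TomoyoActive()` mirrors the shell one-liner; in a container without `/sys/kernel/security` it returns "unknown", which is the case to watch for when deciding whether the workaround is needed.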

Sandbox2

Sandbox2 is a C++ security sandbox for Linux which can be used to run untrusted programs or portions of programs in confined environments. The idea is that the runtime environment is so restricted that security bugs such as buffer overflows in the protected region cause no harm.

Documentation

Detailed developer documentation is available on the Google Developers site for Sandboxed API under Sandbox2.

There is also a Getting Started guide for Sandbox2.