Nearly two years after I began working on a sydbox replacement[^1], she is finally nearing completion. This post is meant both as a preliminary announcement and as a request for help.
sydbox-1 has been in ::arbor for some time as sydbox-scm[^2], and paludis has supported it since version 0.78.1. The git repository is hosted on exherbo.org[^3]. Before going on to tell you about her, I want to kindly ask you to help me with some tasks:
- Proofread the manual page[^4]. I am still unsure about the configuration file format and the magic command API, so now is the time to share your ideas and views to help make sydbox-1 better.
- For brave souls, unmask it and install it. It is especially important to run its tests; to do that you have to set the environment variable PALUDIS_DO_NOTHING_SANDBOXY[^5]. You will notice that it doesn't depend on pinktrace anymore. This is because sydbox-1 includes a rewrite of pinktrace, which will eventually be released as pinktrace-1.
- Once again for brave souls, use it on your system. I am especially interested in how it performs during the src_test phase of exhereseses, so please make sure tests are enabled if you do so and report back any issues (accompanied with a poem of your choosing!). It is always a good idea to have a pbin of the package in question so you can easily roll back in case you hit a severe bug[^6].
If you are bored, you can stop reading now. I will go on to introduce sydbox-1.
I am not a professional programmer. However, I have gained a lot of experience from writing sydbox-0 and watching it perform as the default sandbox of Exherbo. sydbox-0 has many shortcomings and drawbacks which made it rather hard to maintain, such as:
- sydbox-0 was initially based on the now unmaintained catbox. There are many design issues which didn't fit our use cases for Exherbo.
- Being GPL-2 licensed, it was problematic to share code with ptrace(2)-based projects like truss (of FreeBSD). I have partially solved this problem by writing pinktrace, a BSD-3 licensed library providing thin wrappers around certain ptrace(2) calls, but this was not enough. (See below about
- For a crucial part of the system set, dependencies like GLib were obviously a bad idea.
- Over the years, as the sydbox-0 codebase grew, there were unforeseen code maintenance problems making it difficult to add new features.
Features of sydbox-1
Below are the main features of sydbox-1. You may consult the manual page[^3] for more information.
- No external dependencies. The GLib dependency is gone for good, along with the ini-format configuration file. sydbox-1 uses JSON for its configuration file.
- Most of the ptrace(2) work is now abstracted by a callback-driven, higher-level, BSD-3 licensed library called pinktrace-easy. This makes both maintenance easier and code sharing with
- A well-designed, well-documented magic command API which fits in with the configuration file format and provides an easier experience during command line invocation.
- A process dump can be obtained by sending sydbox-1 a signal (SIGUSR2 for a more verbose dump). This makes it easier to debug sydbox hangs.
- Better signal handling to make sydbox more immune to interrupts.
- More powerful and configurable rsync-like pattern matching.
- Support for secure computing mode, aka seccomp[^7]. This requires Linux 3.5 or newer and the CONFIG_SECCOMP_FILTER=y kernel configuration option. The sydbox-scm exheres has a seccomp option to pass --enable-seccomp to econf. This is one of the key features which may make sydbox-1 faster compared to sydbox-0, because in this mode sydbox only traces the sandboxed system calls. Tracing other commonly used system calls (think threaded applications calling sched_yield()) is therefore avoided.
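To make the seccomp point concrete, here is an added example in C (my own code, not sydbox-1's or pinktrace's). It builds a seccomp-bpf program that returns SECCOMP_RET_TRACE only for a list of sandboxed system call numbers and SECCOMP_RET_ALLOW for everything else, so an attached ptrace(2) tracer is stopped only for the calls it cares about while sched_yield() and friends run untraced. The syscall list, the helper names and the small BPF interpreter used to check the program offline are my own assumptions; install_trace_filter() uses the real prctl(2) interface and needs Linux 3.5+ with CONFIG_SECCOMP_FILTER=y. With no tracer attached, the kernel makes a traced call fail with ENOSYS instead of stopping the process, which is why installation is behind a flag in main().

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Architecture token the kernel reports in seccomp_data.arch
 * (example assumption: only two ABIs are wired up here). */
#if defined(__x86_64__)
# define EXAMPLE_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
# define EXAMPLE_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
# error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Build a seccomp-bpf program that kills the process on an ABI mismatch,
 * returns SECCOMP_RET_TRACE for the n syscall numbers in nrs (an attached
 * ptrace(2) tracer gets a PTRACE_EVENT_SECCOMP stop) and SECCOMP_RET_ALLOW
 * for every other syscall, which then runs with no tracer involvement.
 * Returns the number of instructions written to out, or 0 on error. */
size_t build_trace_filter(uint32_t arch, const int *nrs, size_t n,
                          struct sock_filter *out, size_t cap)
{
    size_t len = n + 6, i = 0, j;

    if (n == 0 || n > 255 || cap < len)   /* jump offsets are 8-bit */
        return 0;
    /* Syscall numbers differ between ABIs, so pin the architecture first. */
    out[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                            offsetof(struct seccomp_data, arch));
    out[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, arch, 1, 0);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                            offsetof(struct seccomp_data, nr));
    /* One compare per sandboxed syscall; a hit jumps past the ALLOW to TRACE. */
    for (j = 0; j < n; j++)
        out[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                                (uint32_t)nrs[j], (uint8_t)(n - j), 0);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRACE);
    return i;
}

/* Tiny interpreter for the three instruction kinds used above, so the
 * program can be checked offline without installing it in this process. */
uint32_t run_filter(const struct sock_filter *prog, size_t len, uint32_t arch, int nr)
{
    uint32_t acc = 0;
    size_t pc;

    for (pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &prog[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (in->k == offsetof(struct seccomp_data, arch))
                acc = arch;
            else if (in->k == offsetof(struct seccomp_data, nr))
                acc = (uint32_t)nr;
            else
                return SECCOMP_RET_KILL;
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:   /* offsets are relative to pc + 1 */
            pc += (acc == in->k) ? in->jt : in->jf;
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL;
        }
    }
    return SECCOMP_RET_KILL;   /* fell off the end: treat as kill */
}

/* Install the program into the calling process (inherited by its children). */
int install_trace_filter(struct sock_filter *insns, size_t len)
{
    struct sock_fprog prog = { .len = (unsigned short)len, .filter = insns };

    /* Required so an unprivileged process may load a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(int argc, char **argv)
{
    /* Constructed list: the calls a path sandbox would want to see. */
    int traced[] = { SYS_openat, SYS_execve, SYS_unlinkat };
    struct sock_filter prog[16];
    size_t len = build_trace_filter(EXAMPLE_AUDIT_ARCH, traced, 3, prog, 16);

    printf("filter has %zu instructions\n", len);
    printf("openat      -> %s\n", run_filter(prog, len, EXAMPLE_AUDIT_ARCH, SYS_openat)
                                  == SECCOMP_RET_TRACE ? "TRACE" : "ALLOW");
    printf("sched_yield -> %s\n", run_filter(prog, len, EXAMPLE_AUDIT_ARCH, SYS_sched_yield)
                                  == SECCOMP_RET_TRACE ? "TRACE" : "ALLOW");
    if (argc > 1 && strcmp(argv[1], "--install") == 0) {
        /* Without a tracer attached, traced calls now fail with ENOSYS. */
        if (install_trace_filter(prog, len) != 0)
            perror("install_trace_filter");
        else
            puts("filter installed in this process");
    }
    return 0;
}
```

The architecture check at the top of the program matters: the same syscall number means different things on different ABIs, so a filter keyed on numbers alone could be sidestepped by a process switching ABI. The 8-bit jump offsets also cap a single linear program at 255 compares; a real tracer would split a longer list into a jump table.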
- Logging is easier to filter. This still needs some work though.
- Port numbers can now be entered as service names, which will be queried from the
- Unsupported socket families can be whitelisted/blacklisted.
- New magic commands exec/resume_if_match and exec/kill_if_match are added. These commands may be used to resume or kill matching binaries upon successful execution.
- esandbox kill commands as an interface for exheres-0 (make sure esandbox api returns 1 before using them). See systemd.exlib for an example of how we can now restart services from within exhereseses without worrying about sandboxing.
- Read sandboxing to prevent unwanted filesystem reads.
- Blacklisting is now also supported in addition to whitelisting. This may be used to make an “allow by default and blacklist unwanted accesses” sandboxing policy.
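The difference between the two policy styles above is easy to get wrong, so here is an added example in C (mine, not sydbox-1's code) of a path policy evaluator with both a deny-by-default whitelist and an allow-by-default blacklist. The rule structure, the first-match-wins ordering and the use of fnmatch(3) globs are my own assumptions; sydbox-1's actual matcher is rsync-like and its configuration is JSON. The paths and rules are constructed samples.

```c
#include <fnmatch.h>
#include <stddef.h>
#include <stdio.h>

enum access_decision { ACCESS_DENY = 0, ACCESS_ALLOW = 1 };

struct path_rule {
    const char *pattern;            /* fnmatch(3) glob; without FNM_PATHNAME '*' also spans '/' */
    enum access_decision action;
};

struct sandbox_policy {
    enum access_decision fallback;  /* applied when no rule matches */
    const struct path_rule *rules;  /* consulted in order, first match wins */
    size_t nrules;
};

/* Decide whether the sandboxed process may touch path under policy p. */
enum access_decision check_path(const struct sandbox_policy *p, const char *path)
{
    size_t i;
    for (i = 0; i < p->nrules; i++)
        if (fnmatch(p->rules[i].pattern, path, 0) == 0)
            return p->rules[i].action;
    return p->fallback;
}

/* Whitelist policy (constructed sample): deny by default, open up only the
 * build tree and scratch space. */
static const struct path_rule whitelist_rules[] = {
    { "/var/tmp/paludis/build/*", ACCESS_ALLOW },
    { "/tmp/*",                   ACCESS_ALLOW },
};
const struct sandbox_policy whitelist_policy = { ACCESS_DENY, whitelist_rules, 2 };

/* Blacklist policy (constructed sample): allow by default, deny what a build
 * must never touch. The narrower ALLOW is listed before the broad DENY so
 * that first-match ordering carves an exception out of it. */
static const struct path_rule blacklist_rules[] = {
    { "/home/*/.cache/*", ACCESS_ALLOW },
    { "/home/*",          ACCESS_DENY },
    { "/etc/shadow",      ACCESS_DENY },
};
const struct sandbox_policy blacklist_policy = { ACCESS_ALLOW, blacklist_rules, 3 };

int main(void)
{
    static const char *paths[] = {
        "/tmp/build.log", "/etc/passwd", "/etc/shadow",
        "/home/alip/.ssh/id_rsa", "/home/alip/.cache/ccache/x",
    };
    size_t i;

    for (i = 0; i < sizeof paths / sizeof paths[0]; i++)
        printf("%-28s whitelist=%-5s blacklist=%s\n", paths[i],
               check_path(&whitelist_policy, paths[i]) == ACCESS_ALLOW ? "allow" : "deny",
               check_path(&blacklist_policy, paths[i]) == ACCESS_ALLOW ? "allow" : "deny");
    return 0;
}
```

The whitelist stays safe when a rule is forgotten (the path is denied); the blacklist fails open, so every rule that is missing or ordered after a broader one silently grants access. That asymmetry is the price of the convenience the allow-by-default policy buys.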
- Many bugs fixed, some new system calls are sandboxed.
How can I thank you?
Send me poems[^8]!
be more convenient.
[^6]: sydbox-1 has been tested for some time by kind people and I have heard about only one such issue so far, but it is always a good idea to be cautious.
[^7]: http://lwn.net/Articles/475043/
[^8]: http://dev.exherbo.org/~alip/sydbox/poems.txt