seccomp-nurse

seccomp-nurse copied to clipboard

seccomp-nurse

This project is now archived. It was a fun project but it does not compile/run anymore and there are far better mechanisms that have been implemented now: firejail, crosvm, gvisor, etc.

• About

  =seccomp-nurse= is a sandboxing framework based on =SECCOMP=.

• How to use it?

: $ git clone git://github.com/nbareil/seccomp-nurse.git : $ cd seccomp-nurse/ : $ make : $ ./sandbox -- /usr/bin/pdftotext ~/resume.pdf /tmp/resume.txt

Easy, isn't it?

• Current limitations

  • =dlopen()= not supported yet

  • =clone()= (so =fork()= and threads) will never be supported

  • =socket()=: work in progress!

  • =exec*()= will never be supported

  At the moment, there is no security check implemented. The sandbox is wide open! It will be the next step.

• References

  • Blog post about "[[http://justanothergeek.chdir.org/2010/03/seccomp-as-sandboxing-solution.html][SECCOMP as a sandboxing solution?]]"

  • Blog post about "[[http://justanothergeek.chdir.org/2010/02/how-system-calls-work-on-recent-linux.html][How system calls work on Linux?]]"

  • Chrome browser:

    • [[http://www.imperialviolet.org/2009/08/26/seccomp.html][Chromium's seccomp Sandbox by Adam Langley]]
    • [[http://lwn.net/Articles/347547/][LWN's article by Jake Edge]]

• Availability

  =seccomp-nurse= is a free software available under the GNU Public Licence 2! Sources are availables on github: http://github.com/nbareil/seccomp-nurse/

• Acknowledgment

  This work was funded by the European Commission under contract IST-FP6-033576 (through the [[http://www.xtreemos.eu/][XtreemOS project]]) and [[http://www.eads.net/][EADS Innovation Works]].