Syd's Box

SydBox is a ptrace & seccomp based sandbox for modern Linux machines to sandbox unwanted process access to filesystem and network resources.

SydBox uses autotools. To build, simply do:

$ ./configure --enable-seccomp $ make -j $ make -j check $ sudo make install

To use SydBox you need a recent Linux kernel, preferably 3.5 or newer which has secure computing mode facility. Make sure you build SydBox with --enable-seccomp

In addition, it is advised that you enable the kernel option CONFIG_CROSS_MEMORY_ATTACH=y.

NOTE: Pandora is in its early stages of development. To be able to use pandora you should clone SydBox from git.

Browse at https://git.exherbo.org/sydbox-1.git/?h=inspect

Pandora

Pandora's Box: A helper for SydBox, a ptrace & seccomp based sandbox to make sandboxing practical. This makes it easy for the end user to use secure computing for practical purposes.

Simple Example: ```

Step 1: Inspect and gather data about the given process.

In this case, we're going to try with

Firefox, https://www.mozilla.org/de/firefox/new/

$ pandora profile firefox

browse using firefox for a while, let pandora gather data.

the browser is running under a tracer so it'll run noticably slower.

use --bin /path/to/sydbox, if sydbox is not in PATH

use --output firefox.syd-1 to specify an alternative output path for profile.

$ $EDITOR out.syd-1

Inspect what the browser has been doing.

Enable, disable additional options or turn paths into wildcards such as

/home/* to allow home and everything beyond /home

the usual glob characters, ?, * are supported.

Check sydbox manual page to learn more on how pattern matching works.

Enable, disable additional network addresses unless you're using a SOCKS5 proxy

which does remote DNS lookups, e.g:

#

whitelist/network/connect+inet:127.0.0.1@9050

#

for Tor, https://www.torproject.org/

Check sydbox manual page to learn more on how address matching works.

# $ pandora box -c out.syd-1 firefox

Run the browser under secure computing with full protection.

Check sydbox manual page for a list of system call protections.

Check the console for possible access violations over time.

Edit the profile file as necessary and update restrictions.

#

Share your profile with other people and help others use secure computing!

# ```

Documentation

Read the fine manual of sydbox and sydfmt

Blog Posts

• Sydbox: Stop Skype P2P/Call Home: People Have The Right To Communicate W\o Eavesdropping
• Recent Linux Changes Help Safe & Secure w\o Root
• A Study in Sydbox
• Pink's Tracing Library
• Sydbox Logo Survey
• Sydbox: Default Sandbox of Exherbo
• Disabling External Commands in Metadata Phase (Exherbo>Gentoo)
• ptrace on IA64
• Network Sandboxing and /proc (Exherbo>Gentoo)
• ptrace on FreeBSD
• Running Untrusted Binaries that Access the Network
• Proper Network Sandboxing (Exherbo>Gentoo)
• Deprecating addpredict (Exherbo>Gentoo)