SydBox is a ptrace & seccomp based sandbox for modern Linux machines to sandbox unwanted process access to filesystem and network resources.
SydBox uses autotools. To build, simply do:
$ ./configure --enable-seccomp
$ make -j
$ make -j check
$ sudo make install
To use SydBox you need a recent Linux kernel, preferably 3.5 or newer, which has the secure computing mode facility. Make sure you build SydBox with --enable-seccomp.
In addition, it is advised that you enable the kernel option CONFIG_CROSS_MEMORY_ATTACH=y.
NOTE: Pandora is in its early stages of development. To be able to use pandora you should clone SydBox from git and build SydBox from the inspect branch.
Browse at https://git.exherbo.org/sydbox-1.git/?h=inspect
Pandora's Box: A helper for SydBox, a ptrace & seccomp based sandbox to make sandboxing practical. This makes it easy for the end user to use secure computing for practical purposes.
Simple Example:
Step 1: Inspect and gather data about the given process.
In this case, we're going to try with Firefox (https://www.mozilla.org/de/firefox/new/).
$ pandora profile firefox
Browse using firefox for a while and let pandora gather data. The browser is running under a tracer so it'll run noticeably slower.
$ $EDITOR out.syd-1
Inspect what the browser has been doing.
Enable, disable additional options or turn paths into wildcards such as /home/*** to allow home and everything beyond /home. The usual glob characters, ? and *, are supported.
Check SydBox manual page to learn more on how PATTERN MATCHING works.
Enable, disable additional network addresses unless you're using a SOCKS5 proxy which does remote DNS lookups, e.g. for Tor:
whitelist/network/connect+inet:127.0.0.1@9050
Check SydBox manual page to learn more on how ADDRESS MATCHING works.
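Before boxing with a hand-edited profile, it helps to check what the widened patterns actually cover. The following is an added example, not part of SydBox or pandora: a small reviewer that applies the /*** and ?, * semantics described above to a constructed profile. The whitelist/read and whitelist/write rule names, the assumption that ? and * do not cross a '/', and the probe paths are assumptions; confirm them against the SydBox manual page.

```python
import re

# Constructed sample profile. Only the whitelist/network/connect line is taken
# from the page; the whitelist/read and whitelist/write rule names are assumed.
SAMPLE_PROFILE = """\
whitelist/read+/usr/lib/***
whitelist/write+/home/***
whitelist/write+/tmp/firefox-?/*.tmp
whitelist/network/connect+inet:127.0.0.1@9050
whitelist/network/connect+inet:192.0.2.10@443
"""

def pattern_to_regex(pattern):
    """Translate a path pattern: a trailing /*** covers the directory and
    everything below it; ? and * are assumed not to cross a '/'."""
    tail = ""
    if pattern.endswith("/***"):
        pattern, tail = pattern[:-4], "(/.*)?"
    body = "".join(
        "[^/]*" if c == "*" else "[^/]" if c == "?" else re.escape(c)
        for c in pattern)
    return re.compile(body + tail)

def parse_profile(text):
    """Yield (rule, value) for every 'rule+value' line, skipping the rest."""
    for line in text.splitlines():
        rule, sep, value = line.strip().partition("+")
        if sep and not rule.startswith("#"):
            yield rule, value

def path_allowed(text, rule, path):
    """True if any pattern under the given rule matches the whole path."""
    return any(pattern_to_regex(v).fullmatch(path)
               for r, v in parse_profile(text) if r == rule)

def review(text, probes=("/home/user/.ssh/id_rsa", "/home/user/.bashrc")):
    """Return findings for rules worth a second look before boxing."""
    findings = []
    for rule, value in parse_profile(text):
        if rule == "whitelist/write":
            hit = [p for p in probes if pattern_to_regex(value).fullmatch(p)]
            if hit:
                findings.append(f"{rule}+{value} also covers {', '.join(hit)}")
        elif rule == "whitelist/network/connect" and "127.0.0.1@" not in value:
            findings.append(f"{rule}+{value} is a non-loopback destination")
    return findings

if __name__ == "__main__":
    print("\n".join(review(SAMPLE_PROFILE)))
```

To review a real profile, pass the contents of out.syd-1 to review() in place of SAMPLE_PROFILE.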
$ pandora box -c out.syd-1 firefox
Read the fine manual of SydBox and SydFmt.