Syd's Box

SydBox is a ptrace & seccomp based sandbox for modern Linux machines to sandbox unwanted process access to filesystem and network resources.

SydBox uses autotools. To build, simply do ./configure, make and make install.

To use SydBox you need a recent Linux kernel, preferably 3.5 or newer which has secure computing mode facility. Make sure you build SydBox with --enable-seccomp given to ./configure. SydBox works fine without it but it is going to be noticably slower and less secure. See the SydBox manual page on more information about secure computing mode protections.

NOTE: Secure computing mode only works on i386 and x86_64 architectures.

In addition, it is advised that you enable the kernel option CONFIG_CROSS_MEMORY_ATTACH=y.

NOTE: Pandora is in its early stages of development. To be able to use pandora you should clone SydBox from git and build SydBox from the inspect branch.

Browse at https://git.exherbo.org/sydbox-1.git/?h=inspect

SydBox requires Pink's Tracing Library

• Git: https://git.exherbo.org/git/pinktrace-1.git
• Lightweight ptrace wrapper library providing a robust API for tracing processes.
• An extensive API reference is available here.

Pandora

Pandora's Box: A helper for SydBox, a ptrace & seccomp based sandbox to make sandboxing practical. This makes it easy for the end user to use secure computing for practical purposes.

Simple Example:

Step 1: Inspect and gather data about the given process.

In this case, we're going to try with https://www.mozilla.org/de/firefox/new/.

$ pandora profile firefox

Browse using firefox for a while, let pandora gather data. The browser is running under a tracer so it'll run noticably slower.

• use --bin /path/to/sydbox, if sydbox is not in PATH
• use --output firefox.syd-1 to specify an alternative output path for profile.

$ $EDITOR out.syd-1

Inspect what the browser has been doing. Enable, disable additional options or turn paths into wildcards such as /home/*** to allow home and everything beyond /home the usual glob characters, ?, * are supported.

Check SydBox manual page to learn more on how PATTERN MATCHING works.

Enable, disable additional network addresses unless you're using a SOCKS5 proxy which does remote DNS lookups, e.g:

whitelist/network/connect+inet:127.0.0.1@9050

for Tor

Check SydBox manual page to learn more on how ADDRESS MATCHING works.

$ pandora box -c out.syd-1 firefox

• Run the browser under secure computing with full protection.
• Check SydBox manual page for a list of system call protections.
• Check the console for possible access violations over time.
• Edit the profile file as necessary and update restrictions.
• Share your profile with other people and help others use secure computing!

Documentation

Read the fine manual of SydBox and SydFmt

Blog Posts

• Sydbox: Stop Skype P2P/Call Home: People Have The Right To Communicate W\o Eavesdropping
• Recent Linux Changes Help Safe & Secure w\o Root
• A Study in Sydbox
• Pink's Tracing Library
• Sydbox Logo Survey
• Sydbox: Default Sandbox of Exherbo
• Disabling External Commands in Metadata Phase (Exherbo>Gentoo)
• ptrace on IA64
• Network Sandboxing and /proc (Exherbo>Gentoo)
• ptrace on FreeBSD
• Running Untrusted Binaries that Access the Network
• Proper Network Sandboxing (Exherbo>Gentoo)
• Deprecating addpredict (Exherbo>Gentoo)