SydBox is a seccomp based sandbox for modern Linux machines to sandbox unwanted process access to filesystem and network resources.
See: https://sydbox.exherbo.org
For updates, check out my blog at https://pink.exherbo.org
SydBox uses autotools. To build, simply do ./configure, make, make -j check
and sudo make install. By default this will produce a statically linked SydBox binary.
If you want use dynamic linking, give the --disable-static option to ./configure.
To use SydBox you need a Linux kernel with version 5.11 or
newer which includes the secure computing mode
with the SECCOMP_USER_NOTIF_FLAG_CONTINUE facility,
and the system calls
pidfdsendsignal,
and pidfd_getfd.
In addition, it is recommended that you enable the kernel option
CONFIG_CROSS_MEMORY_ATTACH so that SydBox can use the system calls
processvmreadv
and
processvmwritev.
These system calls are available in Linux since 3.2. Note SydBox will use the file
/proc/pid/mem if these system calls are unavailable or not working.
For more information about these requirements, check the following links:
- kernelnewbies.org/Linux-5.6
- LWN article about pidfd_getfd
- SECCOMP_USER_NOTIF_FLAG_CONTINUE:
commit,
commit, and
commit.
If you do not have a very recent Linux version, you may use Sydbox-1.2.1 which requires Pink's Tracing Library
NOTE: SydBox-2.0.1 and newer do not use ptrace() but use seccomp user notify facilities in recent Linux kernels 5.6 and newer. Hence, PinkTrace is no longer a dependency.
See: https://pinktrace.exherbo.org
See the SydBox manual page on more information about secure computing mode protections. The parts which are of particular interest to read are:
NOTE: Pandora is in its early stages of development. To be able to use Pandora you need Sydbox-2.0.1 or later.
Git: https://git.exherbo.org/git/sydbox-1.git
Browse: https://git.exherbo.org/sydbox-1.git/
You can check the build options using sydbox --version:
$ sydbox --version
sydbox-2.0.1
Options: dump:yes seccomp:yes ipv6:yes netlink:yes
To see if your system is supported by SydBox, use sydbox ---test:
$ sydbox --test
sydbox: Linux/chesswob 5.12.10
sydbox: [>] Checking for requirements...
sydbox: [*] cross memory attach is functional.
sydbox: [*] /proc/pid/mem interface is functional.
sydbox: [*] pidfd interface is functional.
sydbox: [*] seccomp filters are functional.
sydbox: [>] SydBox is supported on this system!
To verify SydBox is working correctly, either use make -j check during
installation or use the helper utility sydtest to run the installed tests.
https://pandora.exherbo.org
Pandora's Box: A helper for SydBox, a ptrace & seccomp based sandbox to make sandboxing practical. This makes it easy for the end user to use secure computing for practical purposes.
Simple Example:
Step 1: Inspect and gather data about the given process.
In this case, we're going to try with https://www.mozilla.org/de/firefox/new/.
$ pandora profile firefox
Browse using firefox for a while, let pandora gather data. The browser is running under a tracer so it'll run noticably slower.
$ $EDITOR out.syd-2
Inspect what the browser has been doing.
Enable, disable additional options or turn paths into wildcards such as
/home/*** to allow home and everything beyond /home
the usual glob characters, ?, * are supported.
Check SydBox manual page to learn more on how PATTERN MATCHING works.
Enable, disable additional network addresses unless you're using a SOCKS5 proxy which does remote DNS lookups, e.g:
allowlist/network/connect+inet:127.0.0.1@9050
for Tor.
Check SydBox manual page to learn more on how ADDRESS MATCHING works.
$ pandora box -c out.syd-2 firefox
Check the console for possible access violations over time.
Edit the profile file as necessary and update restrictions.
For instance if you see an access violation such as
sydbox: 8< -- Access Violation! --
sydbox: connect(-1, unix:/run/user/1000/pulse/native)
sydbox: proc: AudioIPC Server[754336] (parent:0)
sydbox: cwd: `/home/alip/src/exherbo/sydbox-1'
sydbox: cmdline: `/usr/lib/firefox/firefox '
sydbox: >8 --
sydbox: 8< -- Access Violation! --
sydbox: connect(-1, unix:/var/run/pulse/native)
sydbox: proc: AudioIPC Server[754336] (parent:0)
sydbox: cwd: `/home/alip/src/exherbo/sydbox-1'
sydbox: cmdline: `/usr/lib/firefox/firefox '
sydbox: >8 --
This sounds like you're trying to play some audio on your browser. In this case, you
should add an allowlist to your profile .syd-2 file and restart your browser under
this new profile.
allowlist/connect/network+unix:/run/pulse/native
allowlist/connect/network+unix:/var/run/pulse/native
Note, sometimes you may have to add a symbolic link rather than the file it is pointing to, or vice versa, or both.
Last but not least,
Share your profile with other people and help others use secure computing!
Here is a Firefox profile edited by yours truly:
https://git.exherbo.org/sydbox-1.git/plain/data/firefox.syd-2
Read BUGS.
Below are the details of the author. Mail is preferred. Attaching poems encourages consideration tremendously.
Hey you, out there beyond the wall,
Breaking bottles in the hall,
Can you help me?
Github mirror is updated periodically. Feel free to submit an issue or a pull request there. Attaching poems encourages consideration tremendously.
Read the fine manual of SydBox and SydFmt.