A programmable security sandbox for Backend.AI kernels
Type Name Latest commit message Commit time
policy
utils
.dockerignore
.editorconfig Add editorconfig and remove file-local vim settings Jul 13, 2017
.gitignore Update .gitignore Aug 30, 2018
Dockerfile Change repository name to backend.ai-jail Aug 30, 2018
Dockerfile.builder-manylinux Upgrade Golang version Nov 18, 2018
Dockerfile.builder-musllinux Upgrade Golang version Nov 18, 2018
LICENSE Initial commit Mar 28, 2017
Makefile Apply static build so that kernel images do not have to install speci… Jan 17, 2019
README.md
example_policy.yml
main.go Add "-noop" mode to bypass ptrace/seccomp mechanisms Jan 17, 2019


Backend.ai-jail

A dynamic sandbox for Backend.AI kernels.

Testing and Debugging

  • Requirements: Docker, make

As we provide all Docker configurations to run this code with a valid GOPATH, you don't have to place the cloned working copy somewhere special.

Just run make prepare-dev to build and create a development container based on Alpine Linux. Afterwards, you can run docker start jail-dev and docker attach jail-dev to access its shell.

Inside the container, you can use go get, go build, and so on seamlessly.

To test the jail, run ./backend.ai-jail <policy-name> <command-args>. Note that if your host uses a different OS or architecture (e.g., macOS), this jail binary cannot be executed outside the container even though it exists inside the working copy.

To debug, add the -debug flag to the command-line arguments.

Building Release Binaries

Run make manylinux for glibc-based binaries (for Ubuntu/Debian Linux) and make musllinux for musl-based binaries (for Alpine Linux).

On the target systems or images, you need to install libseccomp 2.2 or higher to use Sorna jail.