This repository has been archived by the owner. It is now read-only.
This was a good learning experiment, but jail(8) is actually fine.

Sandblast (ISC License)

Sandblast is a sandbox/container tool for FreeBSD.

Like jail(8), but:

  • no persistent/system-wide config files like jail.conf
  • just pass JSON (or nginx-style) configuration for ONE jail as a file or to stdin
  • it will manage nullfs/unionfs mounts and RCTL resource limits
  • (manage, as in, both set and clean up)

Dependencies

  • FreeBSD, obviously -- at least 10.x
  • pkg install pkgconf libucl
  • For CPU and memory limiting (the resources block): a kernel with RCTL support, i.e. built with options RACCT and RCTL, which the 10.x GENERIC kernel does not include

Installation

For now, git clone, make and sudo make install.

Usage

Sandblast runs configuration files parsed by libucl, which allows both a human-friendly (nginx-style) configuration language and JSON.

Here's an example:

ipv4 = ["192.168.122.67", "128.4.4.4"]; # one address or array of addresses
ipv6 = 2001:dbca::2; # one address or array of addresses
net_iface = vtnet0;
hostname = myjail;
# jailname = myjail; # default: same as hostname
# securelevel = 3; # default: 3
# devfs_ruleset = 4; # default: 4
resources { # rctl deny
	pcpu = 50;
}
mount = [ # nullfs/unionfs (automatically uses unionfs when "to" is the same)
	{ from = /usr/jails/base/10.2-RELEASE, to = /, readonly = true },
	{ from = /tmp/myjail-storage, to = / },
	{ from = /usr/local, to = /usr/local, readonly = true },
	{ from = /home/user, to = /home/user }
]
script = "#!/bin/sh\nTERM=screen-256color exec sh";

Security

This code has not been audited yet!

Configuration parsing (libucl) is sandboxed using Capsicum.

Trust

  • The jail configuration files are trusted. When building PaaS/CI/hosting/etc. services on top of sandblast, your software must generate valid configuration that doesn't eat your system: the mount list in particular can expose any host directory, writable, to root inside the jail.
  • The exception is the script field, which is untrusted -- it's executed inside of the jail.
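The config example above and the trust note here both come down to the same thing: whatever generates a sandblast configuration has to validate it before handing it over. The following is an added example, not sandblast's own code. It takes the README's example config in the JSON form libucl also accepts, runs the sanity checks a generator would want (absolute mount paths, no "..", a valid hostname, a jail root as the first mount, recognised rctl resources), then derives the mount plan (unionfs when a "to" path repeats, nullfs otherwise), the rctl deny rules, and the matching cleanup in reverse order. The jail root directory, the subset of rctl resource names and the validation rules are assumptions made for the example.

```python
"""Pre-flight checks and mount/rctl plan for a sandblast-style jail config.
Added example, not sandblast's code.  Jail root, resource subset and the
validation rules are assumptions; the rctl rule shape follows rctl(8)."""
import json
import posixpath
import re

# Constructed sample: the README's example as JSON (libucl accepts JSON too).
SAMPLE_CONFIG = json.dumps({
    "ipv4": ["192.168.122.67", "128.4.4.4"],
    "ipv6": "2001:dbca::2",
    "net_iface": "vtnet0",
    "hostname": "myjail",
    "resources": {"pcpu": 50},
    "mount": [
        {"from": "/usr/jails/base/10.2-RELEASE", "to": "/", "readonly": True},
        {"from": "/tmp/myjail-storage", "to": "/"},
        {"from": "/usr/local", "to": "/usr/local", "readonly": True},
        {"from": "/home/user", "to": "/home/user"},
    ],
    "script": "#!/bin/sh\nTERM=screen-256color exec sh",
})

HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
# Assumed subset of rctl(8) resource names a generator is allowed to emit.
KNOWN_RESOURCES = {"pcpu", "memoryuse", "maxproc", "openfiles"}


def load_config(text):
    return json.loads(text)


def validate(cfg):
    """Return a list of problems; empty means the config is safe to hand over.
    The "script" field is deliberately not inspected: it is untrusted anyway
    because it only ever runs inside the jail."""
    errors = []
    if not HOSTNAME_RE.match(str(cfg.get("hostname", ""))):
        errors.append("hostname: missing or not a valid host name")
    if cfg.get("securelevel", 3) not in (0, 1, 2, 3):
        errors.append("securelevel: must be 0..3")
    mounts = cfg.get("mount", [])
    if not mounts or mounts[0].get("to") != "/":
        errors.append("mount: first entry must supply the jail root (to = /)")
    for i, m in enumerate(mounts):
        for key in ("from", "to"):
            p = m.get(key)
            if not isinstance(p, str) or not p.startswith("/"):
                errors.append(f"mount[{i}].{key}: must be an absolute path")
            elif ".." in p.split("/"):
                errors.append(f"mount[{i}].{key}: '..' components are not allowed")
        if not isinstance(m.get("readonly", False), bool):
            errors.append(f"mount[{i}].readonly: must be true or false")
    for name, amount in cfg.get("resources", {}).items():
        if (name not in KNOWN_RESOURCES or isinstance(amount, bool)
                or not isinstance(amount, int) or amount < 0):
            errors.append(f"resources.{name}: unknown resource or bad amount")
    return errors


def mount_plan(cfg, jailroot):
    """Ordered (fstype, options, source, target) tuples.  A repeated "to" path
    becomes a unionfs layer over what is already mounted there; anything else
    is nullfs.  Note that a rw host directory mounted here is writable by root
    inside the jail, which is why the config itself must be trusted."""
    plan, seen = [], set()
    for m in cfg["mount"]:
        fstype = "unionfs" if m["to"] in seen else "nullfs"
        seen.add(m["to"])
        target = posixpath.normpath(jailroot + "/" + m["to"])
        opts = "ro" if m.get("readonly", False) else "rw"
        plan.append((fstype, opts, m["from"], target))
    return plan


def mount_commands(plan):
    return [f"mount -t {fs} -o {opts} {src} {dst}" for fs, opts, src, dst in plan]


def unmount_commands(plan):
    # Tear down in reverse order so nested mounts go before the root they sit under.
    return [f"umount {dst}" for _, _, _, dst in reversed(plan)]


def rctl_rules(cfg):
    """(add, remove) rctl(8) command lists for the jail's deny rules."""
    jail = cfg.get("jailname", cfg["hostname"])
    res = cfg.get("resources", {})
    add = [f"rctl -a jail:{jail}:{r}:deny={v}" for r, v in res.items()]
    remove = [f"rctl -r jail:{jail}:{r}" for r in res]
    return add, remove


if __name__ == "__main__":
    cfg = load_config(SAMPLE_CONFIG)
    problems = validate(cfg)
    if problems:
        raise SystemExit("\n".join(problems))
    plan = mount_plan(cfg, "/usr/jails/myjail")  # jail root: assumed location
    print("\n".join(mount_commands(plan) + rctl_rules(cfg)[0]))
    print("# cleanup:")
    print("\n".join(rctl_rules(cfg)[1] + unmount_commands(plan)))
```

Run it as a script to see the setup and cleanup command lists for the sample; in a real generator you would call validate() on every config before it reaches the setuid binary and refuse to proceed on any error, since sandblast itself treats the file as trusted.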

setuid

You can run sandblast as a non-root user if you set the setuid bit on the sandblast binary, like so:

$ sudo chmod 4755 /usr/local/bin/sandblast

Keep in mind that the configuration is trusted: anyone who can execute a setuid-root sandblast can mount any host directory, writable, into a jail they control, which is effectively root on the host. Unless every local user is supposed to have that, restrict execution to a dedicated group (owner root, group e.g. sandblast, mode 4750) rather than 4755.

Copyright

Copyright (c) 2014-2016 Greg V greg@unrelenting.technology
Available under the ISC license, see the COPYING file
