This repository has been archived by the owner. It is now read-only.
Sandboxing framework based on SECCOMP
doc Rewrite of the sandbox with another approach, thread based. Jun 17, 2010
t improving socket support to a point where libevent's httpd runs! Feb 3, 2011
.gitignore adding .gitignore Jun 22, 2010
ChangeLog python runs! Jul 8, 2010
Makefile preload.o is from the past (closes GH#3) Oct 31, 2011
README.org Update README.org May 14, 2018
common.c xclone removal Feb 1, 2011
common.h xclone removal Feb 1, 2011
companion.h Never EVER use C variables, even if used like constants Jan 27, 2011
companion.s improving socket support to a point where libevent's httpd runs! Feb 3, 2011
constants.py improving socket support to a point where libevent's httpd runs! Feb 3, 2011
dlmalloc.c The open() syscall is handled! This is promising! Feb 6, 2010
dlmalloc.h The open() syscall is handled! This is promising! Feb 6, 2010
helper.c do not use GNU Libc functions at all Jan 28, 2011
helper.h Rewrite of the sandbox with another approach, thread based. Jun 17, 2010
hybrid.py kill everybody on ^C Feb 3, 2011
inject.c fixing clone() race condition leading to a deadlock Feb 1, 2011
inject.h Never EVER use C variables, even if used like constants Jan 27, 2011
jail.c really perform syscall with 'int $0x80' instead of using real handler Feb 1, 2011
jail.h Rewrite of the sandbox with another approach, thread based. Jun 17, 2010
mm.c cat-like using open() and mmap() works! Mar 2, 2010
mm.h New milestone: fopen/fgets/fclose works Feb 18, 2010
sandbox improving socket support to a point where libevent's httpd runs! Feb 3, 2011
security.py improving socket support to a point where libevent's httpd runs! Feb 3, 2011
sizeof.py improving socket support to a point where libevent's httpd runs! Feb 3, 2011
syscalls.py Rewrite of the sandbox with another approach, thread based. Jun 17, 2010
trustedthread.py improving socket support to a point where libevent's httpd runs! Feb 3, 2011
vm.py cat-like using open() and mmap() works! Mar 2, 2010

README.org

seccomp-nurse

This project is now archived. It was a fun project but it does not compile/run anymore and there are far better mechanisms that have been implemented now: firejail, crosvm, gvisor, etc.

About

seccomp-nurse is a sandboxing framework based on SECCOMP.

How to use it?

 $ git clone https://github.com/nbareil/seccomp-nurse.git
 $ cd seccomp-nurse/
 $ make
 $ ./sandbox -- /usr/bin/pdftotext ~/resume.pdf /tmp/resume.txt

Easy, isn’t it?

Current limitations

  • dlopen() not supported yet
  • clone() (so fork() and threads) will never be supported
  • socket(): work in progress!
  • exec*() will never be supported

At the moment, there is no security check implemented. The sandbox is wide open! It will be the next step.

Availability

seccomp-nurse is free software available under the GNU Public Licence 2! Sources are available on GitHub: http://github.com/nbareil/seccomp-nurse/

Acknowledgment

This work was funded by the European Commission under contract IST-FP6-033576 (through the XtreemOS project) and EADS Innovation Works.