Commits on Oct 31, 2011
Commits on Feb 3, 2011
  1. kill everybody on ^C

    committed Feb 3, 2011
  2. improving socket support to a point where libevent's httpd runs!

    Author: Fabrice Desclaux and myself
    committed Feb 1, 2011
Commits on Feb 1, 2011
  1. fixing clone() race condition leading to a deadlock

    libc's clone() makes a 'call *%gs:0x10' before executing child
    function. Unfortunately, at this moment, we already hijacked the
    %gs:0x10 page but the companion was not yet ready to process
    this kind of event.
    
    From now on, we hook the VDSO page only when the child has really been
    started and we are sure he can handle requests.
    
    Thanks Fabrice Desclaux for this debugging session :)
    committed Feb 1, 2011
  2. xclone removal

    committed Feb 1, 2011
Commits on Jan 28, 2011
Commits on Jan 27, 2011
  1. block also real-time signals

    committed Jan 27, 2011
  2. block signals

    committed Jan 27, 2011
  3. Never EVER use C variables, even if used like constants

    Thanks serpi for the help!
    committed Jan 27, 2011
Commits on Jan 25, 2011
  1. trusted thread *MUST NOT* use call/ret

    Fabrice Desclaux reported the unsafe use of call/ret in the trusted assembly routine.
    This is a critical security issue because the saved return address can be overwritten
    by the untrusted thread (as the memory is shared).
    
    Thanks serpi!
    committed Jan 25, 2011
Commits on Nov 23, 2010
  1. basic security file path

    committed Nov 23, 2010
Commits on Sep 8, 2010
  1. ret can only be a tuple

    committed Sep 8, 2010
  2. dummy unmap security check

    committed Sep 8, 2010
  3. naive security check for mmap

    committed Sep 8, 2010
  4. close is always allowed

    committed Sep 8, 2010
Commits on Jul 8, 2010
  1. +README

    committed Jul 8, 2010
  2. python runs!

    The python binary was compiled with --disable-shared since I don't support
    dlopen() yet.
    
    Screenshot (with a simple security check denying /secret only to open()):
    
      foobar@debian32:~/python-2.6$ sandbox -- ./python
      Python 2.6.5+ (release26-maint:82382M, Jul 6 2010, 15:41:57) [GCC 4.4.4] on linux2
      Type "help", "copyright", "credits" or "license" for more information.
      >>> fd=open('/etc/resolv.conf')
      >>> for line in fd:
      ...    print line,
      ...
      nameserver 192.168.9.2
      domain vmlab
      search vmlab
      >>> import sys
      >>> sys.path.append('/usr/lib/python2.6/')
      >>> import os
      >>> os.getpid()
      27997
      >>> open('/secret/password')
      Traceback (most recent call last):
        File "<stdin>", line 1, in <module>
      IOError: [Errno 1] Operation not permitted: '/secret/password'
      >>> open('/var/log/../.././././../secret/password')
      Traceback (most recent call last):
        File "<stdin>", line 1, in <module>
      IOError: [Errno 1] Operation not permitted: '/var/log/../.././././../secret/password'
      >>> os.access('/secret/password', os.R_OK)
      True
    
    Changes:
    
      - Implementation of new syscalls (just enough to run some
        binaries)
    
      - Rewrite of the sandbox frontend in Python. It now has CLI options
        (--debug switch instead of environment variables) and can be run outside
        of $PWD
    committed Jul 8, 2010
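The screenshot above shows two properties of a path-based open() check: the traversal form `/var/log/../.././././../secret/password` is refused just like `/secret/password`, and `os.access()` on the same file still succeeds because only open() is filtered. The following is an added example, not the sandbox's own security-check code, of how such a check can be written so that it behaves that way: the denied prefix list, the `check_syscall` dispatcher and the assumption that the policy receives the raw path string plus the process's cwd are all illustrative assumptions.

```python
import posixpath

# Constructed policy for the example: deny open() on anything under /secret.
# This mirrors the check shown in the screenshot; it is not the project's code.
DENIED_PREFIXES = ("/secret",)


def normalize(path, cwd="/"):
    """Lexically normalize a path the way the kernel would walk it:
    make it absolute against cwd, then collapse '.', '..' and repeated
    slashes. '..' at the root stays at the root, which is why
    '/var/log/../.././././../secret/password' becomes '/secret/password'.
    Note: this does NOT follow symlinks; a link inside an allowed
    directory pointing at /secret would still get through. A real
    sandbox must resolve links (os.path.realpath) or check at the
    kernel's view of the path, not the caller's string."""
    if not path.startswith("/"):
        path = posixpath.join(cwd, path)
    return posixpath.normpath(path)


def is_under(path, prefix):
    """Prefix match on whole path components, so /secretive is not /secret."""
    prefix = prefix.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")


def open_allowed(path, cwd="/"):
    norm = normalize(path, cwd)
    return not any(is_under(norm, p) for p in DENIED_PREFIXES)


def check_syscall(name, path, cwd="/"):
    """Return (allowed, note) for a file-path syscall.

    Only open() is inspected. access(), stat() and friends pass through
    unfiltered, which is exactly the gap visible in the screenshot:
    open('/secret/password') fails with EPERM while
    os.access('/secret/password', os.R_OK) returns True.
    """
    if name == "open":
        if not open_allowed(path, cwd):
            return (False, "EPERM")
        return (True, None)
    return (True, "not filtered")


if __name__ == "__main__":
    for name, path in [
        ("open", "/etc/resolv.conf"),
        ("open", "/secret/password"),
        ("open", "/var/log/../.././././../secret/password"),
        ("open", "secret/password"),
        ("access", "/secret/password"),
    ]:
        print(name, path, "->", check_syscall(name, path, cwd="/"))
```

Extending the check to `access()`, `stat()` and the `*at()` family (where the path is relative to a directory file descriptor rather than cwd) is what closes the `os.access` hole shown in the screenshot; the lexical normalization alone does not defend against symlinks or TOCTOU races between the check and the kernel's own lookup.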
  3. removal of prototype ruins

    committed Jul 8, 2010
Commits on Jul 7, 2010
  1. mock security test

    committed Jul 7, 2010
  2. sandbox: use absolute path

    committed Jul 7, 2010
Commits on Jun 25, 2010
  1. fix getpid()

    committed Jun 25, 2010
Commits on Jun 24, 2010
  1. first draft for verifying the pointer.

    For the moment, I only verify against .text section and our dropbox area
    committed Jun 24, 2010
  2. testcase: exit()

    committed Jun 24, 2010
  3. removing prototypes

    committed Jun 24, 2010
Commits on Jun 22, 2010