Sandboxing framework based on SECCOMP
C Python
branch: master

doc Rewrite of the sandbox with another approach, thread based.
t improving socket support to a point where libevent's httpd runs!
.gitignore adding .gitignore
ChangeLog python runs!
Makefile preload.o is from the past (closes GH#3)
README.org improving socket support to a point where libevent's httpd runs!
common.c xclone removal
common.h xclone removal
companion.h Never EVER use C variables, even if used like constants
companion.s improving socket support to a point where libevent's httpd runs!
constants.py improving socket support to a point where libevent's httpd runs!
dlmalloc.c The open() syscall is handled! This is promising!
dlmalloc.h The open() syscall is handled! This is promising!
helper.c do not use GNU Libc functions at all
helper.h Rewrite of the sandbox with another approach, thread based.
hybrid.py kill everybody on ^C
inject.c fixing clone() race condition leading to a deadlock
inject.h Never EVER use C variables, even if used like constants
jail.c really perform syscall with 'int $0x80' instead of using real handler
jail.h Rewrite of the sandbox with another approach, thread based.
mm.c cat-like using open() and mmap() works!
mm.h New milestone: fopen/fgets/fclose works
sandbox improving socket support to a point where libevent's httpd runs!
security.py improving socket support to a point where libevent's httpd runs!
sizeof.py improving socket support to a point where libevent's httpd runs!
syscalls.py Rewrite of the sandbox with another approach, thread based.
trustedthread.py improving socket support to a point where libevent's httpd runs!
vm.py cat-like using open() and mmap() works!

README.org

seccomp-nurse

About

seccomp-nurse is a sandboxing framework based on SECCOMP.

How to use it?

 $ git clone git://github.com/nbareil/seccomp-nurse.git
 $ cd seccomp-nurse/
 $ make
 $ ./sandbox -- /usr/bin/pdftotext ~/resume.pdf /tmp/resume.txt

Easy, isn’t it?

Current limitations

  • dlopen() not supported yet
  • clone() (so fork() and threads) will never be supported
  • socket(): work in progress!
  • exec*() will never be supported

At the moment, there is no security check implemented. The sandbox is wide open! It will be the next step.

Availability

seccomp-nurse is free software available under the GNU Public Licence 2! Sources are available on GitHub: http://github.com/nbareil/seccomp-nurse/

Acknowledgment

This work was funded by the European Commission under contract IST-FP6-033576 (through the XtreemOS project) and EADS Innovation Works.
