Skip to content
This repository has been archived by the owner on Nov 9, 2017. It is now read-only.

valpackett/sandblast

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

40 Commits

.gitignore

.gitignore

 
 

COPYING

COPYING

 
 

Makefile

Makefile

 
 

README.md

README.md

 
 

admin.c

admin.c

 
 

admin.h

admin.h

 
 

config.c

config.c

 
 

config.h

config.h

 
 

logging.c

logging.c

 
 

logging.h

logging.h

 
 

memory.c

memory.c

 
 

memory.h

memory.h

 
 

sandblast.1

sandblast.1

 
 

sandblast.c

sandblast.c

 
 

Repository files navigation

This was a good learning experiment, but jail(8) is actually fine.

Sandblast ISC License

Sandblast is a sandbox/container tool for FreeBSD.

Like jail(8), but:

  • no persistent/system-wide config files like jail.conf
  • just pass JSON (or nginx-style) configuration for ONE jail as a file or to stdin
  • it will manage nullfs/unionfs mounts and RCTL resource limits
  • (manage, as in, both set and clean up)

Dependencies

  • FreeBSD, obviously -- at least 10.x
  • pkg install pkgconf libucl
  • For CPU and memory limiting

Installation

For now, git clone, make and sudo make install.

Usage

Sandblast runs configuration files parsed by libucl, which allows both a human-friendly (nginx-style) configuration language and JSON.

Here's an example:

ipv4 = ["192.168.122.67", "128.4.4.4"]; # one address or array of addresses
ipv6 = 2001:dbca::2; # one address or array of addresses
net_iface = vtnet0;
hostname = myjail;
# jailname = myjail; # default: same as hostname
# securelevel = 3; # default: 3
# devfs_ruleset = 4; # default: 4
resources { # rctl deny
	pcpu = 50;
}
mount = [ # nullfs/unionfs (automatically uses unionfs when "to" is the same)
	{ from = /usr/jails/base/10.2-RELEASE, to = /, readonly = true },
	{ from = /tmp/myjail-storage, to = / },
	{ from = /usr/local, to = /usr/local, readonly = true },
	{ from = /home/user, to = /home/user }
]
script = "#!/bin/sh\nTERM=screen-256color exec sh";

Security

This code has not been audited yet!

Configuration parsing (libucl) is sandboxed using Capsicum.

Trust

  • The jail configuration files are trusted. When building PaaS/CI/hosting/etc. services, you need to make sure your software generates valid configuration that doesn't eat your system.
  • Except for the script field, which is untrusted -- it's executed inside of the jail.

setuid

You can run sandblast as a non-root user if you set the setuid bit on the sandblast binary, like so:

$ sudo chmod 4755 /usr/local/bin/sandblast

Copyright

Copyright (c) 2014-2016 Greg V greg@unrelenting.technology
Available under the ISC license, see the COPYING file

About

No description, website, or topics provided.

Resources

Readme

License

ISC license
Activity

Stars

10 stars

Watchers

2 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages