{"id":20183438,"url":"https://github.com/duncaen/playground","last_synced_at":"2025-08-30T20:16:32.004Z","repository":{"id":71215271,"uuid":"82432834","full_name":"Duncaen/playground","owner":"Duncaen","description":"Sandbox, container or whatever utilities for linux.","archived":false,"fork":false,"pushed_at":"2020-04-01T13:53:30.000Z","size":32,"stargazers_count":2,"open_issues_count":0,"forks_count":2,"subscribers_count":5,"default_branch":"master","last_synced_at":"2025-01-13T17:42:00.578Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"isc","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Duncaen.png","metadata":{"files":{"readme":"README","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-02-19T03:35:31.000Z","updated_at":"2022-10-24T17:43:11.000Z","dependencies_parsed_at":"2023-03-17T02:46:11.147Z","dependency_job_id":null,"html_url":"https://github.com/Duncaen/playground","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Duncaen%2Fplayground","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Duncaen%2Fplayground/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Duncaen%2Fplayground/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Duncaen%2Fplayground/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Duncaen","download_url":"https://codeload.github.com/Duncaen/playground/tar.gz/refs/heads/master","host":{"na
me":"GitHub","url":"https://github.com","kind":"github","repositories_count":241617649,"owners_count":19991721,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-14T02:45:53.597Z","updated_at":"2025-03-03T06:22:53.704Z","avatar_url":"https://github.com/Duncaen.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"playground\n==========\n\nSandbox, container (or whatever you want to call it) utilities for Linux.\n\nThere is still a lot to do. `pledge` should already work, but it might be\nrenamed later so it is not confused with the similarly named API of a\ndifferent OS (OpenBSD's `pledge(2)`).\nAt the moment `newns` is just an idea with some very basic code that does\nnot even compile and some docs on how or what it should do.\n\nUsage\n-----\n\nTo only restrict the allowed system calls:\n\n\t$ pledge -p \"proc rpath\" sh\n\nTo create a new \"container\" (unshare all possible namespaces) and share the\nbase filesystem (/{bin,sbin,lib,var,usr,etc}) with it:\n\n\t$ newns -f \"base container\" sh\n\nOr both together:\n\n\t$ newns -f \"base container\" pledge -p \"proc rpath\" sh\n\n\nInstall\n-------\n\n\t$ make\n\t# make install\n\n\nlibpledge\n---------\n\nThe main API is the `pledge(2)` function; the other functions are exposed as a\nbonus that might occasionally be useful, but in most cases it is suggested to\nuse only `pledge(2)`.\n\n`pledge(2)` makes use of seccomp filter layering: the first `pledge(2)` call\ninstalls a whitelist of the allowed system calls and, if necessary, a second\nlayer of filters that inspect system call arguments. 
Subsequent `pledge(2)` calls add a\nlayer that blacklists the system calls no longer covered by the new promises,\nplus an argument filter layer if necessary. The BPF filters are kept as small\nas possible: a system call is never blacklisted twice, and a system call that\nthe first call did not whitelist is never blacklisted, since the whitelist\nlayer already rejects it.\n\nThere are some differences from the OpenBSD `pledge(2)` system call.\nThe OpenBSD implementation drops the restrictions when `execve(2)` is called;\nthis is not possible at this time with `seccomp(2)`, whose filters are\ninherited across `execve(2)`.\nFurthermore, in OpenBSD's implementation it is possible to use system calls\nthat operate on specific paths like `/tmp` without previously promising it.\nThe `paths` argument of OpenBSD's `pledge(2)` is deprecated and `pledge(2)`\nreturns `EINVAL` if it is not `NULL`; this API does the same.\n\n\n`int pledge(const char *promises, const char *paths[]);`\n\n\tRestrict system calls based on the supplied `promises` string.\n\tSubsequent calls reduce the allowed system calls further.\n\t`paths` must be `NULL`.\n\n\n`uint64_t pledge_flags(const char *promises);`\n\n\tConverts a list of space-separated `promises` to flags.\n\n\n`struct sock_fprog *pledge_whitelist(uint64_t flags);`\n\n\tCreates a `seccomp(2)` BPF filter program that whitelists the system calls\n\tcovered by `flags`.\n\n\n`struct sock_fprog *pledge_blacklist(uint64_t flags, uint64_t oldflags);`\n\n\tCreates a `seccomp(2)` BPF filter program that blacklists the previously\n\twhitelisted system calls (`oldflags`) that `flags` no longer covers.\n\n\n`struct sock_fprog *pledge_filter(uint64_t flags, uint64_t oldflags);`\n\n\tCreates a `seccomp(2)` BPF filter program that filters previously\n\twhitelisted system calls based on their arguments.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fduncaen%2Fplayground","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fduncaen%2Fplayground","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fduncaen%2Fplayground/lists"}
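The seccomp layering described in the README's `libpledge` section, as an added worked example in C (written for this page, not code from the playground project): it builds a whitelist layer and then blacklist layers the way the text describes, over a small assumed promise table (`stdio`, `rpath` and `proc` mapped to a handful of system calls; the project's real table is not on the page), and then evaluates the stacked layers with a tiny cBPF interpreter that applies the kernel's rule for multiple filters: every filter runs and the highest-precedence action wins. `pledge_whitelist` and `pledge_blacklist` borrow the README's names but take a caller-supplied buffer instead of returning a `struct sock_fprog *`; `build`, `allowed`, `run_filter` and `sandbox_decide` are this example's own names.

```c
/* Added example, not the playground project's code: a user-space model of the seccomp
 * filter layering the README describes. pledge_whitelist/pledge_blacklist mirror the
 * README's names but are written from scratch here over a small assumed promise table. */
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/syscall.h>

#ifdef __aarch64__
#define NATIVE_ARCH AUDIT_ARCH_AARCH64
#else
#define NATIVE_ARCH AUDIT_ARCH_X86_64   /* assumes x86-64 on anything else */
#endif

enum { PLEDGE_STDIO = 1u << 0, PLEDGE_RPATH = 1u << 1, PLEDGE_PROC = 1u << 2 };

/* Assumed promise table (not the project's); keep it below 64 entries (rule bitmask) and 255 (jump offsets). */
static const struct { int nr; uint64_t promises; } rules[] = {
    { SYS_read, PLEDGE_STDIO }, { SYS_write, PLEDGE_STDIO }, { SYS_close, PLEDGE_STDIO },
    { SYS_exit_group, PLEDGE_STDIO }, { SYS_fstat, PLEDGE_STDIO | PLEDGE_RPATH },
    { SYS_openat, PLEDGE_RPATH }, { SYS_clone, PLEDGE_PROC }, { SYS_wait4, PLEDGE_PROC },
    { SYS_kill, PLEDGE_PROC },
};
#define NRULES (sizeof rules / sizeof rules[0])

struct prog { struct sock_filter insns[64]; unsigned short len; };

static void emit(struct prog *p, uint16_t code, uint8_t jt, uint8_t jf, uint32_t k) {
    struct sock_filter f = { code, jt, jf, k };
    if (p->len < 64) p->insns[p->len++] = f;
}

/* Bitmask over rules[] of the system calls a promise set allows. */
static uint64_t allowed(uint64_t flags) {
    uint64_t set = 0;
    for (size_t r = 0; r < NRULES; r++)
        if (rules[r].promises & flags) set |= 1ull << r;
    return set;
}

/* Shared shape of every layer: kill on a foreign ABI, load nr, one JEQ per syscall in `set`
 * (all jumping to a single shared `hit` return), then fall through to `miss`. */
static void build(struct prog *p, uint64_t set, uint32_t hit, uint32_t miss) {
    int n = 0, i = 0;
    p->len = 0;
    emit(p, BPF_LD | BPF_W | BPF_ABS, 0, 0, offsetof(struct seccomp_data, arch));
    emit(p, BPF_JMP | BPF_JEQ | BPF_K, 1, 0, NATIVE_ARCH);
    emit(p, BPF_RET | BPF_K, 0, 0, SECCOMP_RET_KILL_PROCESS);
    emit(p, BPF_LD | BPF_W | BPF_ABS, 0, 0, offsetof(struct seccomp_data, nr));
    for (size_t r = 0; r < NRULES; r++) n += (set >> r) & 1;
    for (size_t r = 0; r < NRULES; r++)
        if (set & (1ull << r))   /* jt = distance to the shared `hit` return */
            emit(p, BPF_JMP | BPF_JEQ | BPF_K, (uint8_t)(n - i++), 0, (uint32_t)rules[r].nr);
    emit(p, BPF_RET | BPF_K, 0, 0, miss);
    emit(p, BPF_RET | BPF_K, 0, 0, hit);
}

/* First layer: allow exactly what the promises cover, kill everything else. */
static void pledge_whitelist(struct prog *p, uint64_t flags) {
    build(p, allowed(flags), SECCOMP_RET_ALLOW, SECCOMP_RET_KILL_PROCESS);
}

/* Later layers: kill only what the old promises allowed and the new ones do not. Syscalls the
 * first layer never whitelisted are not listed again, and nothing is blacklisted twice. */
static void pledge_blacklist(struct prog *p, uint64_t flags, uint64_t oldflags) {
    build(p, allowed(oldflags) & ~allowed(flags), SECCOMP_RET_KILL_PROCESS, SECCOMP_RET_ALLOW);
}

/* Interpreter for the three cBPF opcodes used above (a tiny subset of the kernel's cBPF). */
static uint32_t run_filter(const struct prog *p, const struct seccomp_data *d) {
    uint32_t acc = 0;
    for (unsigned pc = 0; pc < p->len;) {
        const struct sock_filter *f = &p->insns[pc++];
        if (f->code == (BPF_LD | BPF_W | BPF_ABS) && f->k + 4 <= sizeof *d)
            memcpy(&acc, (const char *)d + f->k, 4);
        else if (f->code == (BPF_JMP | BPF_JEQ | BPF_K))
            pc += acc == f->k ? f->jt : f->jf;
        else if (f->code == (BPF_RET | BPF_K))
            return f->k;
        else
            return SECCOMP_RET_KILL_PROCESS;    /* unknown opcode or bad load: fail closed */
    }
    return SECCOMP_RET_KILL_PROCESS;            /* ran off the end: fail closed */
}

/* What the kernel does with stacked filters: run every layer, newest first, and keep the
 * highest-precedence action; the action bits compare as a signed value, so
 * KILL_PROCESS (0x80000000) beats ALLOW (0x7fff0000). */
static uint32_t sandbox_decide(const struct prog *layers, size_t nlayers, int nr) {
    struct seccomp_data d = { .nr = nr, .arch = NATIVE_ARCH };
    uint32_t ret = SECCOMP_RET_ALLOW;
    for (size_t i = nlayers; i-- > 0;) {
        uint32_t cur = run_filter(&layers[i], &d);
        if ((int32_t)(cur & SECCOMP_RET_ACTION_FULL) < (int32_t)(ret & SECCOMP_RET_ACTION_FULL))
            ret = cur;
    }
    return ret;
}
```

With `pledge_whitelist(&l[0], stdio|rpath|proc)` followed by `pledge_blacklist(&l[1], stdio|rpath, stdio|rpath|proc)` the second program mentions only `clone`, `wait4` and `kill`; `socket`, which the first layer never allowed, does not reappear, and `read` stays allowed because every layer returns `ALLOW` for it. To install such a program for real, fill a `struct sock_fprog { p.len, p.insns }`, call `prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)` and then `seccomp(SECCOMP_SET_MODE_FILTER, 0, &fprog)`; the kernel keeps every installed filter for the life of the process, including across `fork(2)` and `execve(2)`, which is exactly the difference from OpenBSD the README notes. The interpreter fails closed on anything it does not understand, which is the right default for a model of a security boundary.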