https://github.com/duncaen/playground

Sandbox, container or whatever utilities for linux.
https://github.com/duncaen/playground

Last synced: 10 months ago
JSON representation

Sandbox, container or whatever utilities for linux.

• Host: GitHub
• URL: https://github.com/duncaen/playground
• Owner: Duncaen
• License: isc
• Created: 2017-02-19T03:35:31.000Z (over 9 years ago)
• Default Branch: master
• Last Pushed: 2020-04-01T13:53:30.000Z (about 6 years ago)
• Last Synced: 2025-01-13T17:42:00.578Z (over 1 year ago)
• Language: C
• Homepage:
• Size: 31.3 KB
• Stars: 2
• Watchers: 5
• Forks: 2
• Open Issues: 0
• Metadata Files:
  • Readme: README
  • License: LICENSE

Awesome Lists containing this project

README

          
playground

==========

Sandbox, container or (whatever you want to call it) utilities for linux.

There is still a lot to do, `pledge` should already work, but it might be

renamed later to be not confused with a similar api for a different OS.

At the moment `newns` is just an idea with some very basic code that does

not even compile and some docs on how or what it should do.

Usage

-----

To just restrict the allowed systemcalls:

	$ pledge -p "proc rpath" sh

To create a new "container" (unshare all possible namespaces) and share the

base filesystem (/{bin,sbin,lib,var,usr,etc}) with it:

	$ newns -f "base container" sh

Or both together:

	$ newns -f "base container" pledge -p "proc rpath" sh

Install

-------

	$ make

	# make install

libpledge

---------

The main API is the `pledge(2)` function, the other functions are just a bonus

that might be useful but aren't in most cases, its suggested to only use this

function.

`pledge(2)` makes use of seccomp layering, the first `pledge(2)` call creates

a whitelist with allowed systemcalls and if necessary a second layer with

filters that look at arguments of systemcalls. Subsequent `pledge(2)` calls

blacklist systemcalls that are not part of the new promises and adds the

filter layer if necessary. The BPF filters are as small as possible and

never blacklist systemcalls twice and never blacklists systemcalls that

were not initially whitelisted.

There are some differences to the OpenBSD `pledge(2)` systemcall.

The OpenBSD implementation drops filters if `execve(2)` is called,

this is not possible at this time with `seccomp(2)`.

Furthermore in OpenBSDs implementation it is possible to use systemcalls

that operate in specific paths like `/tmp` without priviously promising it.

The `paths` argument for `pledge(2)` from OpenBSDs pledge is deprecated

and `pledge(2)` returns `EINVAL` if its not `NULL` this API does the same.

`int pledge(const char *, const char *[]);`

	Restrict systemcalls based on the supplied `promises` string.

	Subsequent calls reduce the systemcalls further.

`uint64_t pledge_flags(const char *);`

	Converts a list of space separated `promises` to flags.

`struct sock_fprog *pledge_whitelist(uint64_t flags);`

	Creates a `seccomp(2)` `BPF(2)` filter program that whitelists systemcalls.

`struct sock_fprog *pledge_blacklist(uint64_t flags, uint64_t oldflags);`

	Creates a `seccomp(2)` `BPF(2)` filter program to blacklists previously

	whitelisted systemcalls.

`struct sock_fprog *pledge_filter(uint64_t flags, uint64_t oldflags);`

	Creates a `seccomp` `BPF(2)` filter program that filters previously

	whitelisted systemcalls based on its arguments.