[Exherbo-dev] sydbox-1 is nearly there!

Ali Polatel alip at exherbo.org
Sat Sep 29 10:26:36 UTC 2012


Hello,

After nearly two years I began working on a sydbox replacement¹ she is
finally nearing completion. This mail is meant both as a preliminary
announcement and help request.

sydbox-1 has been in ::arbor for sometime as sydbox[~scm]² and paludis
supports it since version `0.78.1'. The git repository hosted on
exherbo.org³. Before going on to tell you about
her I want to kindly ask you to help me with some tasks:

- Proof read the manual page⁴. I am still unsure about the configuration
   file format and the magic command API so now is the time to share your
   ideas and views to help make sydbox-1 better.

- For brave souls, unmask it and install it. Especially important is to
   run its tests. To do that you have to set the environment variable
   PALUDIS_DO_NOTHING_SANDBOXY⁵. You will notice that it doesn't depend
   on pinktrace anymore. This is because sydbox-1 includes a rewrite of
   pinktrace which will eventually be released as pinktrace-1.

- Once again for brave souls, use it on your system. I am especially
   interested in how it performs during the `src_test' phase of
   exhereseses so please make sure tests are enabled if you do so and
   report back any issues (accompanied with a poem of your choosing!).
   It is always a good idea to have a pbin of the package in question
   to easily rollback changes in case you hit a severe bug⁶.

If you are bored, you can stop reading now. I will go on to introduce
sydbox-1.

### Why?
I am not a professional programmer. However, I have gained many
experiences after writing sydbox-0 and watching it perform as the
default sandbox of Exherbo. sydbox-0 has many shortcomings and drawbacks
which made it rather hard to maintain. Such as:

	- sydbox-0 was based on the now unmaintained `catbox' initially.
	  There are many design issues which didn't fit with our use
	  cases for Exherbo.
	- Being GPL-2 licensed it was problematic to share code with
	  the well-established `ptrace(2)' based projects like `strace'
	  and `truss' (of FreeBSD). I have partially solved this problem
	  by writing pinktrace - a BSD3 licensed library providing thin
	  wrappers around certain `ptrace(2)' calls but this was not
	  enough. (See below about `pinktrace-easy')
	- Being a crucial part of the system set, dependencies like
	  `GLib' was obviously a bad idea.
	- Over the years as sydbox-0 codebase grew there were unforeseen
	  code maintenance problems making it difficult to add new
	  features.

### Features of sydbox-1

Below are main features of sydbox-1. You may consult the manual page³
for more information.

	- No external dependencies. `GLib' dependency is gone for good
	  among with the ini-format configuration file. sydbox-1 uses
	  JSON format for configuration.
	- Most of the `ptrace(2)' work is now abstracted by a
	  callback-driven higher-level BSD3 licensed library called
	  `pinktrace-easy'. This makes both the maintenance easier and
	  code sharing with `strace' less problematic.
	- Well designed, well documented magic command API which fits in
	  with the configuration file format and provides an easier
	  experience during command line invocation.
	- Process dump can be obtained by sending sydbox-1 the `SIGUSR1'
	  signal (or `SIGUSR2' for a more verbose dump). This makes it
	  easier to debug sydbox hangs.
	- Better signal handling to make sydbox more immune to
	  interrupts.
	- More powerful and configurable rsync-like pattern matching.
	- Support for secure computing mode aka seccomp⁷. This requires
	  Linux-3.5 or newer and `CONFIG_SECCOMP=y' and
	  `CONFIG_SECCOMP_FILTER=y` kernel configuration options. sydbox[~scm]
	  exheres has a seccomp option to pass `--enable-seccomp' to
	  econf. This is one of the key features which may make sydbox-1
	  faster compared to sydbox-0 because in this mode sydbox only
	  traces the sandboxed system calls. Tracing other commonly used
	  system calls - think threaded applications calling
	  sched_yield() - is therefore avoided.
	- Logging is easier to filter. This still needs some work
	  though.
	- Port numbers can now be entered as service names which will be
	  queried from the `services(5)' database.
	- Unsupported socket families can be whitelisted/blacklisted.
	- New magic commands exec/resume_if_match and
	  exec/kill_if_match are added. These commands may be used to
	  resume or kill matching binaries upon successful execution.
	  Paludis has `esandbox resume' and `esandbox kill' commands as
	  an interface for exheres-0 (Make sure `esandbox api' returns 1
	  before using them). See systemd.exlib as an example on
	  how we can now restart services from within exhereseses
	  without worrying about sandboxing.
	- Read sandboxing to prevent unwanted filesytem reads.
	- Black listing is now also supported in addition to
	  white listing. This may be used to make an `allow by default
	  and black list unwanted accesses' sandboxing policy.
	- Many bugs fixed, some new system calls are sandboxed.

### How can I thank you?

Send me poems⁸!

¹: She used to be called `pandora' in the early days.
²: Not sydbox[~0-scm] which is the old one.
³: http://git.exherbo.org/sydbox-1.git/
⁴: http://dev.exherbo.org/~alip/sydbox/sydbox.html
⁵: Eventually sydbox-1 will install its tests so this phase is going to
    be more convenient.
₆: sydbox-1 has been tested for some time by kind people and I have
    heard about only one such issue so far but it is always a good idea
    to be cautious.
⁷: http://lwn.net/Articles/475043/
⁸: http://dev.exherbo.org/~alip/sydbox/poems.txt

		-alip
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: <http://lists.exherbo.org/pipermail/exherbo-dev/attachments/20120929/f4413fbf/attachment.pgp>


More information about the Exherbo-dev mailing list