libiris is a cross-platform sandboxing harness. This project is not a production-ready sandboxing library; instead, it aims to be a good development harness for codebases which need modifications or testing in preparation for sandboxing.

Sandboxing means reducing your program's ambient authority (what it can legitimately do) and the attack surface exposed to it (the amount of code in which it can trigger bugs in order to increase its ambient authority). This requires understanding the internals of each OS and platform your project targets, and requires splitting your program into multiple processes (for reasons detailed in the docs). This takes a lot of time and effort, and has no user-visible added value in the short term. The goal of this project is to reduce entry costs, so that more developers try to sandbox their projects, and to document common solutions, so that developers without a security background are incentivized to reuse them instead of starting from scratch.
This repository contains:

- `docs`: documentation is critical for our goals. If the design or implementation of this library, or the design of OS mechanisms, is not clear, open an issue.
- `worker`: the library loaded by sandboxed processes (workers) when they start.
- `policy`: a crate to specify exactly what a worker can do.
- `broker`: the library which allows creating workers, based on a policy.
- `ipc`: a crate which allows workers to send requests to their broker, and receive resources (when allowed).
- `linux-entrypoint`: the very first function executed by Linux workers when they start, split off because it needs to be compiled without the Rust standard library (which may be in an inconsistent state after a `fork()`, e.g. due to locks held by threads which do not exist anymore).
- `tests`: an integration test suite for all the crates above.
You will need:

- a stable Rust toolchain;
- on Linux, libseccomp, libcap, and their development packages (e.g. `apt install libcap2 libcap-dev libseccomp2 libseccomp-dev` if you are running Debian);
- this repository.

Then a simple `cargo build` should be all it takes (otherwise, open an issue).
If you use this project, feedback would be appreciated (what you sandboxed, on which kinds of platforms, whether something was hard to grasp, whether you faced any integration issues, etc.).
Even if you do not use the project, you can help with code reviews and documentation reviews (especially about design choices and OS isolation internals).