sydbox moved to projects.0x90.dk.
The new clone url is: git://projects.0x90.dk/sydbox.git
The new wiki is on: https://projects.0x90.dk/wiki/sydbox
sydbox moved
Created on 2009-09-13; Tags: 0x90.dk, github, and sydbox.
sydbox-0.2_alpha
Created on 2009-09-03; Tags: exherbo, release, and sydbox.
sydbox-0.2_alpha is released.
- Wait for all children to exit by default. This can be unset using the command line option -X or the magic command wait/eldest.
- Let the children continue their execution by calling ptrace(PTRACE_CONT, ...) instead of attempting to kill them during exit for wait/eldest mode.
sydbox-0.1
Created on 2009-09-02; Tags: exherbo, release, and sydbox.
sydbox-0.1 is released.
- Add magic commands addexec and rmexec.
- Fix loading of options from environment.
- Sandbox sendto() calls.
- Extend network whitelist to work for deny mode.
- Intercept lstat() calls for magic stat as well.
- Exit with correct error code when child is terminated by a signal.
- Many performance improvements.
Running untrusted binaries that access network
Created on 2009-08-31; Tags: chess, fics, icc, sydbox, timeseal, timestamp, and trust.
To compensate for network latency when playing chess games over the internet, internet chess servers like Fics and Icc use proprietary protocols called timeseal and timestamp. They distribute statically linked, stripped binaries which act as a bridge between chess clients and the chess server.
To make sure these tools don’t do anything nasty, I use sydbox to sandbox them. Sydbox’ master extends network whitelisting support for network mode deny. So I use it like:
alip@harikalardiyari> cat ~/bin/timeseal
#!/bin/sh
# vim: set sw=4 et sts=4 tw=80 :
SYDBOX_NO_CONFIG=1 \
SYDBOX_NET_WHITELIST=inet://69.36.243.188:23 \
sydbox -N -M deny -- \
"$HOME"/bin/ics/timeseal.Linux-i386 69.36.243.188 23
alip@harikalardiyari>
SYDBOX_NO_CONFIG makes sydbox not read its configuration file and SYDBOX_NET_WHITELIST adds the address, in this case freechess.org, to the network whitelist.
Proper network sandboxing
Created on 2009-08-27; Tags: exherbo and sydbox.
Now that addpredict is dead, the next thing to implement for sydbox is proper network sandboxing. I’ve been working for the past three days to do that.
First of all let’s define what we want:
- A way to intercept socket() family calls.
- The ability to deny only non-local connections.
- The ability to restrict connect() calls to only those addresses that were bind()’ed by children running under the same sydbox instance.
- Ability to whitelist certain addresses.
The first is easy. We already have a framework for intercepting many system calls and adding support for socket() wasn’t a problem. The only problem is that on architectures which have the socketcall() system call and implement all other calls on top of this single system call, we need to decode this socketcall() into its subcalls. So we need two functions, trace_decode_socketcall and trace_get_addr. Implementing those was easy because strace already has similar functions.
Now that we can intercept socket calls, the next step is to deny only non-local connections. This means just checking whether the address of the connection matches 127.0.0.1 or ::1. Simple and efficient.
The third step is somewhat complicated. We have to check the return value of bind calls and if they succeeded, note these addresses and corresponding ports. This means a form of whitelist is required.
Having implemented the whitelist for step 3, it was easy to expand it to take its elements from user configuration file or magic commands.
It’s all done! Here’s what it looks like in the configuration file:
[main]
...
# whether sydbox should do network sandboxing
# defaults to false
network = false
...
# Network specific options are specified in the net group
[net]
# Network sandboxing default
# One of allow, deny, local
# Defaults to allow
default = allow
# Whether connect(2) requests should be restricted to addresses that were
# bind(2)'ed by one of the parents.
# Defaults to false
restrict_connect = false
# Additional addresses to be allowed when restrict_connect is set.
# This is a list of addresses in one of the possible forms:
# unix:///path/to/socket
# inet://ipv4_address:port
# inet6://ipv6_address:port
whitelist = unix:///var/run/nscd/socket
In addition to that there are magic commands so that the package mangler can change those options at runtime. See the manual page for more information.
Update: Fixed links thanks to cuerty.
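The address check this post describes, which the timeseal wrapper above relies on in deny mode, sketched in C as an added example (not sydbox's own code). The names addr_parse and connect_allowed, the net_mode enum, and the exact policy (deny permits only whitelisted addresses, local additionally permits 127.0.0.1 and ::1) are assumptions, and the destination is assumed to be already decoded from the tracee into the same textual form as a whitelist entry.

```c
/* Added example, not sydbox source; every name below is hypothetical. */
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

enum net_mode { NET_ALLOW, NET_DENY, NET_LOCAL };
struct net_addr { int family, port; char host[108]; };  /* socket path or IP text */

/* Parse unix:///path, inet://ipv4:port or inet6://ipv6:port; 0 on success. */
int addr_parse(const char *s, struct net_addr *a) {
    unsigned char bin[sizeof(struct in6_addr)];
    char *colon, junk;
    memset(a, 0, sizeof(*a));
    if (!strncmp(s, "unix://", 7)) { a->family = AF_UNIX; s += 7; }
    else if (!strncmp(s, "inet://", 7)) { a->family = AF_INET; s += 7; }
    else if (!strncmp(s, "inet6://", 8)) { a->family = AF_INET6; s += 8; }
    else return -1;
    if (snprintf(a->host, sizeof(a->host), "%s", s) >= (int)sizeof(a->host)) return -1;
    if (a->family == AF_UNIX) return a->host[0] == '/' ? 0 : -1;
    colon = strrchr(a->host, ':');            /* the last colon starts the port */
    if (!colon || sscanf(colon + 1, "%d%c", &a->port, &junk) != 1) return -1;
    *colon = '\0';
    if (a->port < 1 || a->port > 65535) return -1;
    /* Canonicalise the IP text so ::1 and 0:0:0:0:0:0:0:1 compare equal. */
    if (inet_pton(a->family, a->host, bin) != 1) return -1;
    return inet_ntop(a->family, bin, a->host, sizeof(a->host)) ? 0 : -1;
}

/* Decide one connect()/sendto() destination against the n whitelist entries in
 * wl (configured ones plus any recorded from a child's bind()): 1 = allow. */
int connect_allowed(enum net_mode mode, const char *const *wl, int n, const char *dest) {
    struct net_addr d, w;
    if (mode == NET_ALLOW) return 1;
    if (addr_parse(dest, &d) != 0) return 0;              /* fail closed */
    if (mode == NET_LOCAL && (!strcmp(d.host, "127.0.0.1") || !strcmp(d.host, "::1")))
        return 1;
    for (int i = 0; i < n; i++)
        if (addr_parse(wl[i], &w) == 0 && w.family == d.family
            && w.port == d.port && !strcmp(w.host, d.host)) return 1;
    return 0;
}

int main(void) {
    const char *wl[] = { "inet://69.36.243.188:23" };     /* entry from the timeseal script */
    printf("%d %d\n", connect_allowed(NET_DENY, wl, 1, "inet://69.36.243.188:23"),
           connect_allowed(NET_DENY, wl, 1, "inet://69.36.243.188:80"));  /* prints 1 0 */
    return 0;
}
```

An address noted after a successful bind() would simply be appended to the list passed as wl.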
About
I'm Ali from İstanbul, Turkey. This is my weblog where I often write about Free Software.
Contact
- Email: alip@exherbo.org
- JID: alip@jaim.at
Keys
- PGP: 0x1845F220
- SSH: id_dsa.pub
Copyright © 2009 Ali Polatel