Cross-platform embeddable sandboxing

Overview

Birdcage

This library is still under development and not ready to be used yet.

About

Birdcage is a cross-platform embeddable sandboxing library that restricts filesystem and network operations using native operating system APIs.

Birdcage is not a complete sandbox preventing all side-effects or permanent damage. Applications can still execute most system calls, which is especially dangerous when execution is performed as root. Do not use Birdcage as a safety barrier for known-malicious code and keep other security mechanisms like user restrictions in place.

Usage

You can run applications inside Birdcage's sandbox by running the sandbox example:

cargo run --example sandbox -- -e /usr/bin/echo -e /usr/lib echo "Hello, Sandbox\!"

Check out cargo run --example sandbox -- --help for more information on how to use the example.

Supported Platforms

  • Linux (5.13+)
  • macOS

Comments

  • Add environment variable filtering

    This adds some super trivial handling for environment variables to the sandbox, simply by removing any variable that isn't part of the exception list.

    See phylum-dev/cli#703.

    opened by cd-work 1
  • Add code of conduct, PR template, and security policy

    These items were missing from this repository as can be seen on the Community Standards page.

    This does not fix every item on that page, but it is a good start.

    opened by kylewillmon 0
  • `aarch64` support

    • Changed dependency URI of rust-landlock
    • Updated test matrix to include aarch64 self-hosted runners

    Actions are going to fail on Linux until phylum-dev/rust-landlock#1 is merged; we should re-dispatch them once reviews are approved and before merging.

    opened by andreaphylum 0
  • Does not compile on arm64

    The rust-landlock crate does not compile on arm64. It fails with the following error:

    error[E0425]: cannot find value `__NR_LANDLOCK_CREATE_RULESET` in this scope
    Error:   --> /home/runner/.cargo/git/checkouts/rust-landlock-d80c47128915e4ea/1e09cb0/src/uapi/mod.rs:41:13
       |
    41 |     syscall(__NR_LANDLOCK_CREATE_RULESET as i64, attr, size, flags) as c_int
       |             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ not found in this scope
    
    error[E0425]: cannot find value `__NR_LANDLOCK_ADD_RULE` in this scope
    Error:   --> /home/runner/.cargo/git/checkouts/rust-landlock-d80c47128915e4ea/1e09cb0/src/uapi/mod.rs:47:13
       |
    47 |     syscall(__NR_LANDLOCK_ADD_RULE as i64, ruleset_fd, rule_type, rule_attr, flags) as c_int
       |             ^^^^^^^^^^^^^^^^^^^^^^ not found in this scope
    
    error[E0425]: cannot find value `__NR_LANDLOCK_RESTRICT_SELF` in this scope
    Error:   --> /home/runner/.cargo/git/checkouts/rust-landlock-d80c47128915e4ea/1e09cb0/src/uapi/mod.rs:51:13
       |
    51 |     syscall(__NR_LANDLOCK_RESTRICT_SELF as i64, ruleset_fd, flags) as c_int
       |             ^^^^^^^^^^^^^^^^^^^^^^^^^^^ not found in this scope
    
    For more information about this error, try `rustc --explain E0425`.
    error: could not compile `landlock` due to 3 previous errors
    

    Here is a link to the code where it is clear that those constants are only defined for the x86_64 architecture.

    bug high priority 
    opened by kylewillmon 0
  • Implement or circumvent `LANDLOCK_ACCESS_FS_REFER` in `rust-landlock`

    Currently, renames are prevented by Landlock due to the absence of LANDLOCK_ACCESS_FS_REFER (defined as (1ULL << 13)).

    This blocks some omnipresent operations in npm, such as calls to fs.rename that will fail with this counterintuitive (but documented) error:

    EXDEV: cross-device link not permitted, link something -> something_else
    

    Can we just add the constant to rust-landlock, or are there other considerations that would make that ineffective?

    opened by andreaphylum 0
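
The check the question above turns on, as an added example (not code from Birdcage or rust-landlock): `LANDLOCK_ACCESS_FS_REFER` belongs to Landlock ABI 2 (Linux 5.19), so a caller probes the kernel's ABI version before requesting it. The function names are hypothetical, and apart from the `1 << 13` value quoted in the issue, the constants are restated from the kernel's `linux/landlock.h` rather than taken from this page.

```rust
use std::os::raw::c_long;

// Values from the kernel's Landlock UAPI (linux/landlock.h), restated here
// so the example needs no external crate.
const ACCESS_FS_ABI1: u64 = (1 << 13) - 1; // EXECUTE..=MAKE_SYM, ABI 1 (Linux 5.13)
const LANDLOCK_ACCESS_FS_REFER: u64 = 1 << 13; // ABI 2 (Linux 5.19)
const LANDLOCK_CREATE_RULESET_VERSION: c_long = 1;
// landlock_create_ruleset syscall number, the same on x86_64 and aarch64.
const NR_LANDLOCK_CREATE_RULESET: c_long = 444;

extern "C" {
    // libc's generic syscall(2) wrapper; std already links libc on Linux.
    fn syscall(num: c_long, ...) -> c_long;
}

/// Highest Landlock ABI the running kernel supports, or None if Landlock is
/// unavailable (old kernel, disabled LSM, or filtered syscall).
pub fn landlock_abi() -> Option<u32> {
    let ret = unsafe {
        syscall(NR_LANDLOCK_CREATE_RULESET, std::ptr::null::<u8>(),
                0 as c_long, LANDLOCK_CREATE_RULESET_VERSION)
    };
    if ret >= 1 { Some(ret as u32) } else { None }
}

/// Rights to request in `handled_access_fs`. A kernel that does not know a
/// bit rejects the whole ruleset with EINVAL, so REFER is added from ABI 2 on.
pub fn handled_access_fs(abi: u32) -> u64 {
    if abi >= 2 { ACCESS_FS_ABI1 | LANDLOCK_ACCESS_FS_REFER } else { ACCESS_FS_ABI1 }
}

/// Necessary (not sufficient) condition for a rename or link that moves a
/// file to a different directory: ABI 2+ and REFER granted on both sides.
/// Under ABI 1 such a move is always refused with EXDEV.
pub fn reparent_possible(abi: u32, src_rights: u64, dst_rights: u64) -> bool {
    abi >= 2 && (src_rights & dst_rights & LANDLOCK_ACCESS_FS_REFER) != 0
}

fn main() {
    match landlock_abi() {
        Some(abi) => println!("Landlock ABI {}: handled_access_fs = {:#x}",
                              abi, handled_access_fs(abi)),
        None => println!("Landlock is not available on this kernel"),
    }
}
```

On a kernel that only offers ABI 1, the constant alone cannot help: the cross-directory rename stays blocked for any sandboxed process.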
  • Add executable tests

    Tests should be added to verify that executables work.

    Acceptance criteria

    • Execution tests/fs.rs
    • Execution tests in tests/full_sandbox.rs

    Requires #1 to be implemented first.

    opened by cd-work 0
  • Add networking tests

    Tests should be added to verify that networking works.

    Acceptance criteria

    • New tests/networking.rs
    • Networking tests in tests/full_sandbox.rs

    Requires #1 to be implemented first.

    opened by cd-work 0
  • Add more tests to cover behaviors of the sandboxes

    There are some non-intuitive use cases that should be covered by tests. For example, asking for write permissions on a non-existent file won't work, as the permission necessary for creating a file belongs on its parent directory.

    opened by andreaphylum 0
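
The non-existent-file case from the last issue, as an added example (not Birdcage's own code): a helper that decides where a write exception has to be attached. `write_rule_for` is a hypothetical name, and the access-right names and bit values are assumed from Landlock's `linux/landlock.h`; the behaviour on other platforms may differ.

```rust
use std::io;
use std::path::{Path, PathBuf};

// Landlock access-right bits (linux/landlock.h), restated for the example.
const LANDLOCK_ACCESS_FS_WRITE_FILE: u64 = 1 << 1;
const LANDLOCK_ACCESS_FS_MAKE_REG: u64 = 1 << 8;

/// Returns the path a write exception for `path` must be attached to and the
/// rights it needs. A rule can only reference something that already exists,
/// so a file that is still to be created falls back to its parent directory.
pub fn write_rule_for(path: &Path) -> io::Result<(PathBuf, u64)> {
    if path.exists() {
        // Existing target: the rule sits on the path itself.
        return Ok((path.to_path_buf(), LANDLOCK_ACCESS_FS_WRITE_FILE));
    }
    // A bare relative name such as "out.txt" has an empty parent: use ".".
    let parent = match path.parent() {
        Some(p) if p.as_os_str().is_empty() => Path::new("."),
        Some(p) => p,
        None => return Err(io::Error::new(io::ErrorKind::NotFound, "no parent")),
    };
    if !parent.is_dir() {
        return Err(io::Error::new(
            io::ErrorKind::NotFound,
            "neither the file nor its parent directory exists",
        ));
    }
    // Creating the file needs MAKE_REG on the directory. This is wider than
    // the request: it covers every regular file beneath that directory.
    Ok((
        parent.to_path_buf(),
        LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_MAKE_REG,
    ))
}

fn main() {
    // Constructed sample path; it is not expected to exist.
    let target = std::env::temp_dir().join("birdcage-example-output.txt");
    match write_rule_for(&target) {
        Ok((on, rights)) => println!("rule on {} with rights {:#x}", on.display(), rights),
        Err(e) => println!("cannot build rule: {}", e),
    }
}
```

Because the fallback grants rights on the whole parent directory, a test for this case should also assert that sibling files become writable, so the widening is visible rather than accidental.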
Owner
Phylum