Skip to content
/ libiris Public

libiris is a (work in progress) cross-platform sandboxing library

10 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

mtth-bfft/libiris

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

126 Commits
.cargo
.cargo
 
 
bindings/C
bindings/C
 
 
broker
broker
 
 
docs
docs
 
 
ipc-messages
ipc-messages
 
 
ipc
ipc
 
 
linux-entrypoint
linux-entrypoint
 
 
policy
policy
 
 
tests
tests
 
 
worker
worker
 
 
.gitlab-ci.yml
.gitlab-ci.yml
 
 
Cargo.toml
Cargo.toml
 
 
README.md
README.md
 
 

Repository files navigation

libiris

Build Tests
Linux Debian 11
Windows 7 SP1  7 SP1

libiris is a cross-platform sandboxing harness. This project is not a production-ready sandboxing library, instead it aims at being a good development harness for codebases which need modifications or testing in preparation for sandboxing.

Sandboxing means reducing your program's ambient authority (what it can legitimately do) and the attack surface exposed to it (the amount of code it can trigger bugs in, to increase its ambient authority). This requires understanding internals about each OS and platform your project targets, and requires splitting your program into multiple processes (for reasons detailed in the docs). This takes a lot of time and effort, and has no user-visible added value on the short term. The goal of this project is to reduce entry costs, so that more developers try to sandbox their projects, and to document common solutions, so that developers without a security background are incentivized to reuse them instead of starting from scratch.

This repository contains:

  • docs: documentation is critical for our goals. If the design or implementation of this library, or the design of OS mechanisms is not clear, open an issue
  • worker: the library loaded by sandboxed processes (workers) when they start
  • policy: a crate to specify exactly what a worker can do
  • broker: the library which allows creating workers, based on a policy
  • ipc: a crate which allows workers to send requests to their broker, and receive resources (when allowed)
  • linux-entrypoint: the very first function executed by Linux workers when they start, split off because it needs to be compiled without the Rust standard library (which may be in an inconsistent state after a fork(), e.g. due locks held by threads which do not exist anymore)
  • tests: an integration test suite for all the crates above

Compilation

You will need:

  • a stable Rust toolchain;
  • on Linux, libseccomp, libcap, and their development package (e.g. apt install libcap2 libcap-dev libseccomp libseccomp-dev if you are running Debian);
  • this repository.

Then a simple cargo build should be all it takes (otherwise, open an issue).

Contributing

If you use this project, feedback would be appreciated (to sandbox what, on what kinds of platforms, was something hard to grasp, did you face any integration issue, etc).

Even if you do not use the project, you can help with code reviews and documentation reviews (especially about design choices and OS isolation internals).

About

libiris is a (work in progress) cross-platform sandboxing library

Resources

Readme
Activity

Stars

10 stars

Watchers

1 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages