seccomp-nurse: secure sandbox on Linux

tl;dr?

seccomp-nurse is a sandboxing framework based on SECCOMP. It is designed to run applications in a kind of jail (enforced by the kernel). It does not use ptrace() at all.

Architecture

seccomp-nurse uses two processes, one running the "untrusted code" and the other is the helper, it is the referee between the untrusted process and the kernel.

[Figure: Global architecture of seccomp-nurse (two threads, two processes)]

Because a SECCOMP process can only call read(), write(), sigreturn() and _exit(), which is insufficient to execute even the simplest binary, the untrusted process is split into two threads (called untrustee and trustee) to work around this limitation:

The helper is a Python application implementing access control: when the untrustee makes a syscall, the helper is notified and decides whether to deny it, delegate it to the trustee, or let the untrustee execute it itself (if the untrustee executes a syscall the kernel does not allow, it is killed with SIGKILL).
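To see the kernel rule this design relies on, here is an added example in C (not seccomp-nurse's own code): a child enters SECCOMP_MODE_STRICT, proves that write() still works by sending a token through a pipe, then calls open() and is killed with SIGKILL. The PROBE_* names and the /etc/hostname path are my own constructed choices, and the function reports PROBE_UNAVAILABLE when strict mode cannot be enabled (for example under an already-installed seccomp filter).

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcomes of probe_strict_mode() (constructed names, not seccomp-nurse's). */
enum { PROBE_UNAVAILABLE = -1, PROBE_EXITED = 0, PROBE_KILLED = 1 };

/* Fork a child, switch it to SECCOMP_MODE_STRICT, have it write() a token to
 * the parent (allowed) and optionally call open() (not allowed). Returns
 * PROBE_KILLED if the kernel answered with SIGKILL, PROBE_EXITED if the child
 * finished normally, PROBE_UNAVAILABLE if strict mode could not be enabled. */
int probe_strict_mode(int attempt_open)
{
    int fds[2];
    if (pipe(fds) != 0)
        return PROBE_UNAVAILABLE;
    pid_t pid = fork();
    if (pid < 0)
        return PROBE_UNAVAILABLE;
    if (pid == 0) {                                  /* child */
        close(fds[0]);
        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT) != 0)
            _exit(2);                                /* not enforced here */
        /* From here on only read, write, _exit and sigreturn are legal. */
        if (write(fds[1], "ok", 2) != 2)             /* allowed */
            syscall(SYS_exit, 3);
        if (attempt_open)                            /* constructed target path */
            open("/etc/hostname", O_RDONLY);         /* openat(): SIGKILL */
        /* glibc _exit() issues exit_group(), which strict mode also kills,
         * so leave through the raw exit syscall instead. */
        syscall(SYS_exit, 0);
    }
    close(fds[1]);                                   /* parent */
    char token[2];
    ssize_t n = read(fds[0], token, sizeof token);
    close(fds[0]);
    int status = 0;
    waitpid(pid, &status, 0);
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGKILL && n == 2)
        return PROBE_KILLED;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
        return PROBE_EXITED;
    return PROBE_UNAVAILABLE;
}
```

On a kernel where strict mode can be enabled, probe_strict_mode(0) returns PROBE_EXITED and probe_strict_mode(1) returns PROBE_KILLED, which is exactly the fate awaiting an untrustee that issues a syscall outside the four allowed ones.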

How to use it?

  $ git clone git://github.com/nbareil/seccomp-nurse.git
  $ cd seccomp-nurse/
  $ make
  $ ./sandbox -- /usr/bin/python

Easy, isn't it?

Screencast

Here is a demonstration of seccomp-nurse running the Python interpreter in the sandbox. The purpose of this video is to show the ACL engine configured to restrict the open() syscall to whitelisted directories only (/secret obviously not being among them). The access() ACL, however, was configured to always return "OK", so from the interpreter /secret still appears to be accessible.

Status

Current limitations

At the moment, there is no security check implemented. The sandbox is wide open! It will be the next step.

References

Availability

Releases

No release has been made yet but you can clone the development repository!

Sources

seccomp-nurse is free software available under the GNU Public Licence 2! Sources are available on github: http://github.com/nbareil/seccomp-nurse/

Acknowledgment

This work was funded by the European Commission under contract IST-FP6-033576 (through the XtreemOS project) and EADS Innovation Works.