seccomp-nurse

This project is now archived. It was a fun project but it does not compile/run anymore and there are far better mechanisms that have been implemented now: firejail, crosvm, gvisor, etc.

seccomp-nurse is a sandboxing framework based on SECCOMP.

 $ git clone git://github.com/nbareil/seccomp-nurse.git
 $ cd seccomp-nurse/
 $ make
 $ ./sandbox -- /usr/bin/pdftotext ~/resume.pdf /tmp/resume.txt

Easy, isn’t it?

• dlopen() not supported yet
• clone() (so fork() and threads) will never be supported
• socket(): work in progress!
• exec*() will never be supported

At the moment, there is no security check implemented. The sandbox is wide open! It will be the next step.

• Blog post about ”SECCOMP as a sandboxing solution?”
• Blog post about ”How system calls work on Linux?”
• Chrome browser:
  • Chromium’s seccomp Sandbox by Adam Langley
  • LWN’s article by Jake Edge

seccomp-nurse is a free software available under the GNU Public Licence 2! Sources are availables on github: http://github.com/nbareil/seccomp-nurse/

This work was funded by the European Commission under contract IST-FP6-033576 (through the XtreemOS project) and EADS Innovation Works.