adtac / fssb
A filesystem sandbox for Linux using syscall intercepts.
License: GNU General Public License v3.0
Sorry, I didn't run your program for real, but I suspect that this behavior exists.
I cloned the repo, ran make, and then ./launch_tests.sh. I got this output:
[steven@lzyrbt tests]$ sudo ./launch_tests.sh
Removing all /tmp/fssb-*
Launching tests
Launching test on test_no_syscalls
fssb: child exited with 0
fssb: sandbox directory: /tmp/fssb-1/
Launching check on test_no_syscalls
Assert in line 84 passed: check_no_syscalls
Launching test on test_save_empty_file
fssb: child exited with 0
fssb: sandbox directory: /tmp/fssb-2/
Launching check on test_save_empty_file
Assert in line 108 failed: check_save_empty_file
args = ('', '/tmp/fssb-2/f61bd54ddf9c9dce6076a3c8a7892e49 = save_empty_file\n')
kwargs = {}
'{} = {}\n'.format(empty_file_path, empty_file_name)
Traceback (most recent call last):
File "./tests.py", line 145, in <module>
main()
File "./tests.py", line 134, in main
test_check()
File "./tests.py", line 110, in check_save_empty_file
_assert(operator.eq, open(empty_file_path).read(), '')
IOError: [Errno 2] No such file or directory: '/tmp/fssb-2/f61bd54ddf9c9dce6076a3c8a7892e49'
I then compiled the code below as main.cpp:
#include <cstdio>

int main() {
    // redirect stdout to myfile.txt in the current directory, then write to it
    freopen("myfile.txt", "w", stdout);
    printf("Hello world\n");
    return 0;
}
I added printf statements in handle_syscalls in fssb.c. In the switch statement, I printed the current syscall (and relevant variables like pathname). I ran fssb on ./main and got:
[steven@lzyrbt tests]$ ../fssb -m -- ./main
handling syscall = SYS_access with pathname = /etc/ld.so.preload
handling syscall = SYS_stat
handling syscall = SYS_lstat
handling syscall = SYS_access with pathname = /usr/lib/tls/haswell/x86_64
handling syscall = SYS_stat
handling syscall = SYS_lstat
handling syscall = SYS_access with pathname = /usr/lib/tls/haswell
handling syscall = SYS_stat
handling syscall = SYS_lstat
handling syscall = SYS_access with pathname = /usr/lib/tls/x86_64
handling syscall = SYS_stat
handling syscall = SYS_lstat
handling syscall = SYS_access with pathname = /usr/lib/tls
handling syscall = SYS_stat
handling syscall = SYS_lstat
handling syscall = SYS_access with pathname = /usr/lib/haswell/x86_64
handling syscall = SYS_stat
handling syscall = SYS_lstat
handling syscall = SYS_access with pathname = /usr/lib/haswell
handling syscall = SYS_stat
handling syscall = SYS_lstat
handling syscall = SYS_access with pathname = /usr/lib/x86_64
handling syscall = SYS_exit_group
fssb: child exited with 0
fssb: sandbox directory: /tmp/fssb-3/
In addition, the file tests/myfile.txt was created and it contains "Hello world\n".
What is going on?
I would like to use this in a build system. /tmp will never be big enough to hold the build results in my case. It would be nice if there were a command-line option to use a path other than /tmp/fssb-*.
root@aksus:~/fssb# make
cc -c -o fssb.o fssb.c
fssb.c: In function ‘handle_syscalls’:
fssb.c:73:9: error: ‘for’ loop initial declarations are only allowed in C99 or C11 mode
for(int i = 0; i < 6; i++)
^
fssb.c:73:9: note: use option -std=c99, -std=gnu99, -std=c11 or -std=gnu11 to compile your code
Yes, openssl is installed, Debian 8.
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>

int main(void) {
    pid_t pid;
    pid = fork();
    printf("pid: %d\n", pid);
    if (pid == 0) {
        /* child process: the file is created here, not in the parent */
        puts("hello?");
        int fd = open("fuck.txt", O_CREAT, 0666);
        if (fd >= 0)
            close(fd);
    }
    return 0;
}
As we can see, we create an escaped file by using a subprocess to operate on files.
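The freopen report and the fork report above have the same shape: a ptrace-based tracer only sees what it asks the kernel for. The tracer below is an added example, not fssb's code, that logs every path-creating syscall of a program and of every child it forks. It assumes Linux on x86_64 (it reads orig_rax, rax, rdi and rsi from user_regs_struct), and the helper names (follow_children_options, path_arg_index, is_syscall_stop, ptrace_event_of, read_tracee_string) are this example's own. Two design points matter for a sandbox: on current glibc, fopen/freopen reach the kernel as openat(2), so a switch that handles SYS_open alone never sees the path (the pathname is the second argument of openat, after dirfd); and a child created by fork/vfork/clone is traced only when the tracer sets PTRACE_O_TRACEFORK/TRACEVFORK/TRACECLONE, otherwise the child's file operations are invisible.

```c
/* Added example (not fssb's own code): a minimal ptrace tracer for Linux
 * x86_64 that logs every path-creating syscall of a program and of every
 * child it forks; helper names are this example's own. It only logs. */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef __WALL
#define __WALL 0x40000000   /* Linux: wait for all tracees, threads included */
#endif

/* Ask the kernel to attach every fork/vfork/clone child automatically,
 * tag syscall stops with SIGTRAP|0x80, and kill tracees if we die. */
long follow_children_options(void) {
    return PTRACE_O_TRACESYSGOOD | PTRACE_O_TRACEFORK | PTRACE_O_TRACEVFORK |
           PTRACE_O_TRACECLONE | PTRACE_O_EXITKILL;
}

/* Argument slot holding the pathname for syscalls that create files by
 * path: 0 for open/creat, 1 for openat (arg 0 is dirfd), -1 otherwise.
 * A sandbox that switches on SYS_open alone never sees glibc's openat. */
int path_arg_index(long nr) {
    switch (nr) {
    case SYS_open: case SYS_creat: return 0;
    case SYS_openat: return 1;
    default: return -1;
    }
}

/* With TRACESYSGOOD, a syscall-entry/exit stop reports SIGTRAP|0x80. */
int is_syscall_stop(int status) {
    return WIFSTOPPED(status) && WSTOPSIG(status) == (SIGTRAP | 0x80);
}

/* PTRACE_EVENT_FORK/VFORK/CLONE code of an event stop, or 0 otherwise. */
int ptrace_event_of(int status) {
    return (WIFSTOPPED(status) && WSTOPSIG(status) == SIGTRAP) ? status >> 16 : 0;
}

/* Copy a NUL-terminated string out of the tracee's memory, word by word. */
static void read_tracee_string(pid_t pid, unsigned long addr, char *buf, size_t len) {
    size_t i = 0;
    while (i + sizeof(long) <= len) {
        errno = 0;
        long word = ptrace(PTRACE_PEEKDATA, pid, addr + i, NULL);
        if (errno) break;                      /* unreadable address */
        memcpy(buf + i, &word, sizeof word);
        if (memchr(&word, 0, sizeof word)) return;
        i += sizeof word;
    }
    buf[i < len ? i : len - 1] = '\0';
}

int main(int argc, char **argv) {
    if (argc < 2) { fprintf(stderr, "usage: %s program [args...]\n", argv[0]); return 2; }
    pid_t child = fork();
    if (child == 0) {
        ptrace(PTRACE_TRACEME, 0, NULL, NULL);
        raise(SIGSTOP);                        /* let the parent set options first */
        execvp(argv[1], argv + 1);
        perror("execvp");
        _exit(127);
    }
    int status;
    waitpid(child, &status, 0);                /* the SIGSTOP above */
    ptrace(PTRACE_SETOPTIONS, child, NULL, (void *)follow_children_options());
    ptrace(PTRACE_SYSCALL, child, NULL, NULL);
    /* waitpid(-1, __WALL) also returns the auto-attached children and fails
     * with ECHILD once the last tracee is gone. */
    pid_t pid;
    while ((pid = waitpid(-1, &status, __WALL)) > 0) {
        if (WIFEXITED(status) || WIFSIGNALED(status)) continue;
        int sig = 0;
        if (is_syscall_stop(status)) {
            struct user_regs_struct regs;
            ptrace(PTRACE_GETREGS, pid, NULL, &regs);
            int slot = path_arg_index((long)regs.orig_rax);
            /* rax == -ENOSYS marks the entry stop; skip the exit stop */
            if (slot >= 0 && (long)regs.rax == -ENOSYS) {
                char path[256];
                read_tracee_string(pid, slot ? regs.rsi : regs.rdi, path, sizeof path);
                printf("pid %d: syscall %ld path=%s\n", pid, (long)regs.orig_rax, path);
            }
        } else if (ptrace_event_of(status)) {
            unsigned long newpid = 0;
            ptrace(PTRACE_GETEVENTMSG, pid, NULL, &newpid);
            printf("pid %d: child %lu is now traced too\n", pid, newpid);
        } else if (WSTOPSIG(status) != SIGSTOP) {
            sig = WSTOPSIG(status);            /* pass real signals through */
        }                                      /* SIGSTOP: new tracee's initial stop */
        ptrace(PTRACE_SYSCALL, pid, NULL, (void *)(long)sig);
    }
    return 0;
}
```

Build with `cc -o tracer tracer.c` and run `./tracer ./main` on the freopen program: the path shows up under syscall 257 (openat on x86_64), which is why a handler keyed on SYS_open alone sees only the access/stat calls. Run it on the fork program: the child's open is logged under the child's own pid, right after the "child N is now traced too" line, which is the behaviour a sandbox needs before it can redirect the child's writes.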