Skip to content

google/sandboxed-api

main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
1 branch 2 tags
Code

Latest commit

Sandboxed API Team and Copybara-Service Update PolicyBuilder to include wrappers for more syscall families th…
aff27f4 Dec 13, 2022
Update PolicyBuilder to include wrappers for more syscall families th… 
…at differ between platforms.

New wrappers:

- `AllowEpollWait` (`epoll_wait`, `epoll_pwait`, `epoll_pwait2`)
- `AllowInotifyInit` (`inotify_init`, `inotify_init1`)
- `AllowSelect` (`select`, `pselect6`)
- `AllowDup` (`dup`, `dup2`, `dup3`)
- `AllowPipe` (`pipe`, `pipe2`)
- `AllowChmod` (`chmod`, `fchmod`, `fchmodat`)
- `AllowChown` (`chown`, `lchown`, `fchown`, `fchownat`)
- `AllowReadlink` (`readlink`, `readlinkat`)
- `AllowLink` (`link`, `linkat`)
- `AllowSymlink` (`symlink`, `symlinkat`)
- `AllowMkdir` (`mkdir`, `mkdirat`)
- `AllowUtime` (`utime`, `utimes`, `futimens`, `utimensat`)
- `AllowAlarm` (`alarm`, `setitimer`)
- `AllowGetPGIDs` (`getpgid`, `getpgrp`)
- `AllowPoll` (`poll`, `ppoll`)

Updated wrappers:

- `AllowOpen` now includes `creat`. `openat` already grants the ability to create files, and is the designated replacement for `creat` on newer platforms.
- `AllowStat` now includes `fstatfs` and `fstatfs64`. The comment already claimed that these syscalls were included; I believe they were omitted by accident.
- `AllowUnlink` now includes `rmdir`. `unlinkat` already grants the ability to remove empty directories, and is the designated replacement for `rmdir` on newer platforms.

PiperOrigin-RevId: 495045432
Change-Id: I41eccb74fda250b27586b6b7fe4c480332e48846
aff27f4

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
.bazelci
BazelCI: Install the packages with sudo
Apr 1, 2022
.github/workflows
GitHub Actions: Rename workflows, fix libxls
Jun 15, 2022
cmake
Handle S2 unwinding by trapping ptrace
Nov 30, 2022
contrib
contrib: More fixes for flags and logging migration
Oct 25, 2022
oss-internship-2020
Use Abseil's log/flags instead of glog/gflags
Oct 20, 2022
sandboxed_api
Update PolicyBuilder to include wrappers for more syscall families th…
Dec 13, 2022
.bazelignore
Build fixes for recent Bazel versions
Sep 25, 2020
.bazelrc
bazel: Set host C++ standard
Mar 31, 2022
.clang-format
Update .clang-format to prefer & and * to be close to the type
Sep 18, 2020
.gitignore
Make CMake superbuild behave more similar to FetchContent
Feb 3, 2021
.gitmodules
Remove pffft submodule entry
Feb 10, 2022
CMakeLists.txt
cmake: Use configure_file() to implement forced C++ linkage
Jun 9, 2022
CONTRIBUTING.md
Sandboxed API OSS release.
Mar 18, 2019
LICENSE
Change license link to HTTPS URL
Jan 28, 2022
README.md
Update README.md with current year
Jan 31, 2022
WORKSPACE
bazel: Reorganize dependencies
Apr 25, 2022
What is Sandboxed API? Documentation Getting Involved

README.md

Sandbox

Copyright 2019-2022 Google LLC

Bazel build status CMake build status

What is Sandboxed API?

The Sandboxed API project (SAPI) makes sandboxing of C/C++ libraries less burdensome: after initial setup of security policies and generation of library interfaces, a stub API is generated, transparently forwarding calls using a custom RPC layer to the real library running inside a sandboxed environment.

Additionally, each SAPI library utilizes a tightly defined security policy, in contrast to the typical sandboxed project, where security policies must cover the total syscall/resource footprint of all its libraries.

Documentation

Developer documentation is available on the Google Developers site for Sandboxed API.

There is also a Getting Started guide.

Getting Involved

If you want to contribute, please read CONTRIBUTING.md and send us pull requests. You can also report bugs or file feature requests.

If you'd like to talk to the developers or get notified about major product updates, you may want to subscribe to our mailing list or sign up with this link.

About

Generates sandboxes for C/C++ libraries automatically

developers.google.com/sandboxed-api/

Topics

security cplusplus sandbox sandboxing security-hardening sapi apache-license-2 cplusplus-17

Resources

Readme

License

Apache-2.0 license

Code of conduct

Code of conduct

Security policy

Security policy

Stars

1.5k stars

Watchers

54 watching

Forks

182 forks

Releases 2

Full CMake support Latest
Sep 3, 2019
+ 1 release

Packages

No packages published

Contributors 30

+ 19 contributors

Languages