Sydbox v2.0.1
Publish date: Jun 15, 2021Tags: release exherbo sandbox seccomp-bpf seccomp-notify libseccomp syd-2 aarch64 mips mips64 ppc ppc64 ppc64le s390 s390x parisc parisc64 riscv64
Table of contents
- 12 Years: SydBox-v2.0.1
- Download
- Changes
- libseccomp rather than PinkTrace
- New Architectures
- SydBox API v2
- New sandboxed system calls
- New sandboxing restrictions
- Performance Increase
- Paludis Support for API v2
- Bug Fixes
- Benchmark
- Setup
- Timing
- strace –summary-only
- sydbox-2.0.1 paludis compile under strace
- sydbox-1.2.1 paludis compile under strace
- Observations
- sydbox-1.2.1:src_compile
- sydbox.git:src_compile
12 Years: SydBox-v2.0.1
I am happy to announce the release of SydBox-2.0.1, its third major release after serving as the default sandbox of Exherbo for 12 years since 2009.08.17.
- Read the fine manual at https://sydbox.exherbo.org
- Check out Pandora! https://pandora.exherbo.org which is a SydBox helper to make sandboxing practical for everyone!
Download
- The tarball is signed with this key.
- Use:
keybase pgp pull alip - Browse: https://git.exherbo.org/sydbox-1.git/
- Exheres:
Changes
libseccomp rather than PinkTrace
This release is a major release and is not backwards compatible. With this release SydBox no longer relies on ptrace to do the tracing rather they use the new seccomp-bpf and seccomp-user facilities of the Linux kernel. SydBox no longer depends on PinkTrace but depends on libseccomp.
New Architectures
SydBox-1 supports X86-64, X86, X32, Arm, AArch64, PowerPC, ppc64, and IA-64 architectures. SydBox-2 supports every architecture that libseccomp supports which means quite a few of new architectures added to the list. SydBox-2 supports X86-64, X86, X32, Arm, AArch64, MIPS, MIPC64, PowerPC, ppc64, ppc64le, S390, S390x, PA-RISC, and RISC64.
SydBox API v2
This release of SydBox changes the SydBox API version to 2. This means SydBox
will be reading from files with the .syd-2 extension rather than .syd-1 from now
on. The Paludis profile
and the sample Firefox profile
have already been ported to the new configuration format. One of the notable
name changes is moving from whitelist & blacklist to
allowlist & denylist.
New sandboxed system calls
With this release SydBox starts to sandbox
faccessat2,
sendmsg and
recvmsg
system calls. This means you may now allow and deny e.g.
DNS calls to
specific addresses. This was previously not possible. Note this is not
a security issue as old SydBox, ie sydbox-1, still denies unwanted
access to DNS
requests on the previous bind() call, however they provided
no way to allow access to certain
DNS address for UDP calls, e.g.
localhost or
Google Public DNS,
with:
core/sandbox/network:deny
allowlist/network/connect+inet:127.0.0.1@53
allowlist/network/connect+inet:8.8.8.8@53
New sandboxing restrictions
In addition, SydBox learned a couple of new global restriction options, namely core/restrict/general, core/restrict/io_control, and core/restrict/memory_map. These options allow the user the limit the general list of permitted system calls to one of the three predefined sets, and restrict some flags of ioctl and mmap system calls to provide added security.
Performance Increase
This release is noticably faster than Sydbox-1.2.1 in that it does not ptrace stop the processes anymore. The benchmark part at the end of this post has the details.
Paludis Support for API v2
Paludis support for SydBox API version 2 depends on this Merge Request. This is why Sydbox-2 package in arbor.git is masked for testing.
Bug Fixes
This release fixes a multithreaded execve race condition which caused hangs.
Build & Requirements
SydBox uses autotools
and requires libseccomp-2.4.3 or newer.
To build, simply do ./configure, make, make -j check and sudo make install.
If you’re building from the GIT repository
use the script ./autogen.sh before ./configure.
By default this will produce a statically linked SydBox binary. If you want use
dynamic linking, give the --disable-static option to ./configure.
To use SydBox, Linux kernel version 5.11 or newer is recommended. Users who do not have such
a new Linux kernel version may continue to use Sydbox-1.2.1. In addition, it is
recommended that you enable the kernel configuration option CONFIG_CROSS_MEMORY_ATTACH
so that SydBox can use the system calls
process_vm_readv
and
process_vm_writev.
These system calls are available in Linux since 3.2. Note SydBox will use the file
/proc/pid/mem if these system calls are unavailable or not working.
After building SydBox, you can use the --test, or shortly -t, option to test if
all the required facilities are present on the running system. If this command returns
success, SydBox is usable on the running system:
$ sydbox --test || echo 'sydbox not usable!'
sydbox: Linux/chesswob 5.11
sydbox: [>] Checking for requirements...
sydbox: [*] cross memory attach is functional.
sydbox: [*] /proc/pid/mem interface is functional.
sydbox: [*] pidfd interface is functional.
sydbox: [*] seccomp filters are functional.
sydbox: [>] SydBox is supported on this system!
To verify SydBox is working correctly, either use make -j check during
installation or use the helper utility sydtest to run the installed tests.
Benchmark
SydBox-1.2.1 vs. SydBox-2.0.1
SydBox-2.0.1 stops using ptrace altogether, uses seccomp-bpf and seccomp-notify.
The tracee is no longer traced via ptrace() and notifications are received by
first poll()ing the seccomp file descriptor followed by
ioctl(SECCOMP_IOCTL_NOTIF_RECV,...) and the responses about system call actions
are sent via ioctl(SECCOMP_IOCTL_NOTIF_SEND,...).
Setup
We compile Paludis, the package manager of the Exherbo GNU/Linux distribution, under old, new SydBox and without SydBox. Paludis was built from GIT. See detailed information below about options. Things to note are recommended tests are disabled and the installation happens two-fold where tahta is a simple binary pbin repository.
r sys-apps/paludis:0::arbor scm to ::tahta-bin replacing scm
"Paludis, the one true package mangler"
bash-completion -doc -gemcutter pbin pink -python ruby search-index vim-syntax -xml zsh-completion PROVIDERS: elfutils
PYTHON_ABIS: -2.7 3.6 3.7 3.8 3.9 RUBY_ABIS: -2.5 -2.6 2.7 -3.0 build_options: symbols=split jobs=12 dwarf_compress -reco
mmended_tests -trace work=tidyup
Reasons: target (to be like sys-apps/paludis:0::(install_to_slash))
r sys-apps/paludis:0::arbor scm to ::installed via binary created in tahta-bin replacing scm
"Paludis, the one true package mangler"
bash-completion -doc -gemcutter pbin pink -python ruby search-index vim-syntax -xml zsh-completion PROVIDERS: elfutils
PYTHON_ABIS: -2.7 3.6 3.7 3.8 3.9 RUBY_ABIS: -2.5 -2.6 2.7 -3.0 build_options: symbols=split jobs=12 dwarf_compress -reco
mmended_tests -trace work=tidyup
Reasons: target
Total: 1 reinstalls, 1 binaries
Timing
$ time cave resolve paludis -zx1
Before: sydbox-1.2.1
real 4m23.706s
user 20m58.527s
sys 4m42.370s
After: sydbox-2.0.1
real 3m33.447s
user 19m40.533s
sys 2m40.566s
PALUDIS_DO_NOTHING_SANDBOXY=1
real 3m20.771s
user 18m24.741s
sys 2m26.128s
strace –summary-only
sydbox-2.0.1 paludis compile under strace
src_configure
=== Done src_configure
% time seconds usecs/call calls errors syscall
------ ----------- ----------- --------- --------- ------------------
39.36 1.367534 683767 2 1 wait4
22.48 0.780800 5 138336 ioctl
14.37 0.499382 5 92231 rt_sigprocmask
8.93 0.310261 6 46113 1 poll
5.07 0.176051 6 25587 process_vm_readv
2.16 0.075143 7 9887 535 open
1.73 0.059992 5 10169 close
1.50 0.052256 7 6573 read
1.25 0.043391 5 7233 getdents64
1.07 0.037095 7 5090 lseek
0.93 0.032336 5 5903 813 pidfd_send_signal
0.59 0.020328 5 3769 fcntl
0.23 0.008104 10 766 readlink
0.15 0.005302 6 815 pidfd_open
0.06 0.001936 6 277 mmap
0.05 0.001837 9 200 munmap
0.05 0.001709 6 274 process_vm_writev
0.02 0.000522 5 93 1 lstat
0.00 0.000052 5 9 brk
0.00 0.000000 0 3 1 rt_sigreturn
0.00 0.000000 0 1 fork
0.00 0.000000 0 1 execve
0.00 0.000000 0 1 kill
0.00 0.000000 0 1 uname
0.00 0.000000 0 4 mprotect
0.00 0.000000 0 14 rt_sigaction
0.00 0.000000 0 2 fstat
0.00 0.000000 0 1 arch_prctl
0.00 0.000000 0 1 stat
0.00 0.000000 0 1 set_tid_address
0.00 0.000000 0 1 pipe2
0.00 0.000000 0 10 6 seccomp
0.00 0.000000 0 1 pidfd_getfd
------ ----------- ----------- --------- --------- ------------------
100.00 3.474031 9 353369 1358 total
src_compile
=== Done src_compile
% time seconds usecs/call calls errors syscall
------ ----------- ----------- --------- --------- ------------------
80.63 145.185365 72592682 2 1 wait4
3.22 5.795783 7 734218 5395 open
2.58 4.644428 5 848820 ioctl
2.25 4.048522 5 737836 close
2.15 3.862470 5 689551 4 getdents64
1.86 3.354042 8 395087 read
1.66 2.983437 5 565887 rt_sigprocmask
1.50 2.692074 7 373792 3 lseek
1.10 1.985650 5 382404 8610 pidfd_send_signal
1.00 1.805214 7 247541 process_vm_readv
0.96 1.731252 6 282954 1 poll
0.93 1.668314 4 347934 fcntl
0.05 0.096012 12 7657 readlink
0.05 0.087147 11 7616 munmap
0.03 0.060660 6 9011 pidfd_open
0.03 0.059201 7 8015 mmap
0.00 0.001625 5 274 process_vm_writev
0.00 0.000660 7 93 1 lstat
0.00 0.000149 5 27 brk
0.00 0.000007 7 1 madvise
0.00 0.000003 1 3 1 rt_sigreturn
0.00 0.000000 0 1 fork
0.00 0.000000 0 1 execve
0.00 0.000000 0 1 kill
0.00 0.000000 0 1 uname
0.00 0.000000 0 4 mprotect
0.00 0.000000 0 14 rt_sigaction
0.00 0.000000 0 2 fstat
0.00 0.000000 0 1 arch_prctl
0.00 0.000000 0 1 stat
0.00 0.000000 0 1 set_tid_address
0.00 0.000000 0 1 pipe2
0.00 0.000000 0 10 6 seccomp
0.00 0.000000 0 1 pidfd_getfd
------ ----------- ----------- --------- --------- ------------------
100.00 180.062015 31 5638762 14022 total
sydbox-1.2.1 paludis compile under strace
src_configure
=== Done src_configure
% time seconds usecs/call calls errors syscall
------ ----------- ----------- --------- --------- ------------------
37.65 4.399665 5 807047 rt_sigprocmask
28.99 3.387842 18 188124 1 wait4
20.97 2.450048 6 387644 ptrace
10.70 1.250251 6 203389 12743 lstat
1.20 0.139687 6 21078 process_vm_readv
0.16 0.018968 8 2231 read
0.08 0.008920 11 745 open
0.07 0.008303 9 873 munmap
0.05 0.006230 6 893 mmap
0.04 0.004998 6 745 close
0.03 0.003545 12 280 writev
0.03 0.003237 6 487 1 stat
0.02 0.002678 9 286 readlink
0.01 0.000968 7 137 process_vm_writev
0.00 0.000006 1 4 brk
0.00 0.000005 5 1 ioctl
0.00 0.000000 0 4 mprotect
0.00 0.000000 0 12 rt_sigaction
0.00 0.000000 0 2 fstat
0.00 0.000000 0 1 fork
0.00 0.000000 0 1 execve
0.00 0.000000 0 1 kill
0.00 0.000000 0 1 uname
0.00 0.000000 0 2 fcntl
0.00 0.000000 0 1 getcwd
0.00 0.000000 0 1 arch_prctl
0.00 0.000000 0 1 set_tid_address
------ ----------- ----------- --------- --------- ------------------
100.00 11.685351 7 1613991 12745 total
src_compile
=== Done src_compile
% time seconds usecs/call calls errors syscall
------ ----------- ----------- --------- --------- ------------------
45.63 170.513233 27 6263660 3 wait4
34.08 127.356059 4 25513255 rt_sigprocmask
20.00 74.731989 5 12510882 ptrace
0.14 0.512506 5 87994 4109 lstat
0.06 0.221801 8 27329 read
0.03 0.119041 12 9599 open
0.03 0.097510 7 13377 305 process_vm_readv
0.02 0.058519 6 9599 close
0.01 0.029136 11 2647 readlink
0.00 0.012643 9 1382 munmap
0.00 0.010049 6 1520 mmap
0.00 0.004153 7 550 readlinkat
0.00 0.002650 9 280 writev
0.00 0.002314 4 490 fcntl
0.00 0.000671 4 137 process_vm_writev
0.00 0.000529 6 85 1 stat
0.00 0.000302 7 40 utimensat
0.00 0.000036 5 7 brk
0.00 0.000005 5 1 ioctl
0.00 0.000000 0 4 mprotect
0.00 0.000000 0 1 fork
0.00 0.000000 0 1 execve
0.00 0.000000 0 1 kill
0.00 0.000000 0 1 uname
0.00 0.000000 0 12 rt_sigaction
0.00 0.000000 0 2 fstat
0.00 0.000000 0 1 getcwd
0.00 0.000000 0 1 arch_prctl
0.00 0.000000 0 1 set_tid_address
------ ----------- ----------- --------- --------- ------------------
100.00 373.673146 8 44442859 4418 total
Observations
When we compare the src_compile of a Paludis build with
SydBox-2.0.1 and SydBox-1.2.1 under strace we notice the differences in
system call usage clearly. Below is a filtered group of system calls which
are core to tracing functionality. Sydbox-2.0.1 has more variety in the number
of system calls they use. In total SydBox-1.2.1 calls 44301311 system calls.
28% of these system calls is
ptrace
which is an expensive system call. Meanwhile, SydBox-2.0.1 calls 3117293
system calls in total and this is a considerable decrease in the number of
total calls from the old SydBox version,
omitting ptrace and
wait4 calls
replacing them
with
pidfd_getfd,
seccomp,
ioctl and
poll.
sydbox-1.2.1:src_compile
% time seconds usecs/call calls errors syscall
------ ----------- ----------- --------- --------- ------------------
45.63 170.513233 27 6263660 3 wait4
34.08 127.356059 4 25513255 rt_sigprocmask
20.00 74.731989 5 12510882 ptrace
0.03 0.097510 7 13377 305 process_vm_readv
0.00 0.000671 4 137 process_vm_writev
sydbox.git:src_compile
% time seconds usecs/call calls errors syscall
------ ----------- ----------- --------- --------- ------------------
80.63 145.185365 72592682 2 1 wait4
2.58 4.644428 5 848820 ioctl
2.15 3.862470 5 689551 4 getdents64
1.66 2.983437 5 565887 rt_sigprocmask
1.50 2.692074 7 373792 3 lseek
1.10 1.985650 5 382404 8610 pidfd_send_signal
1.00 1.805214 7 247541 process_vm_readv
0.96 1.731252 6 282954 1 poll
0.03 0.060660 6 9011 pidfd_open
0.00 0.001625 5 274 process_vm_writev
0.00 0.000000 0 10 6 seccomp
0.00 0.000000 0 1 pidfd_getfd
Links
- Linux
- Wikipedia:Seccomp
- pidfd_send_signal,
- pidfd_getfd
- process_vm_readv
- process_vm_writev
- kernelnewbies.org/Linux-5.6
- LWN article about pidfd_getfd
SECCOMP_USER_NOTIF_FLAG_CONTINUE: commit, commit, and commit.
Updates
- 2021.06.15: Added link to my PGP key.
- 2021.06.15: Added link to Exheres for Smarties.