Slashdot Mirror


A Highly Portable Sandbox Facility For OpenBSD

An Anonymous Coward writes: "A new facility called 'systrace' has been developed by one of the OpenBSD developers. It allows enforcement of system call policies on untrusted binaries. For now it is only available on OpenBSD-current, but the author claims it is highly portable and can easily be integrated into GNU/Linux systems. Eventually binary-only software is going to become more and more common in Linux, so this could be another 'Good Thing(TM)' from the paranoids that brought us OpenSSH."

2 of 40 comments

  1. What's the overhead? by Drishmung · Score: 3, Insightful

    What sort of performance hit does this impose? For instance, is it low enough to run nearly everything in the sandbox as a matter of course?

    --
    Protoplasm. Quiet Protoplasm. I like quiet protoplasm.
    1. Re:What's the overhead? by Espen Skoglund · Score: 3, Informative

      I can't imagine that the overhead is too large. As far as I can see, the intuitive way to implement this would be to generate a separate system call table for each sandboxed binary (i.e., in the same manner that you have separate syscall tables for running, e.g., emulated Linux binaries). This would impose no overhead on other executables and would for the most part not impose any overhead for the sandboxed binary either. A syscall which is unconditionally allowed simply works as usual. Other system calls like open(2) which often require a more complex test will have some overhead, though, but such open calls should not be in any time critical code anyway.
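As an added example, not code from systrace or from the commenter above: a userland C model of the per-sandbox syscall table the comment describes, with a fast path for unconditionally allowed calls and a slow path with an argument test for open(2). The syscall numbers, the argument record and the permitted path prefixes are constructed for this example.

```c
/* Added example, not systrace's own code: a userland model of the
 * per-sandbox syscall table sketched in the comment above. Each sandboxed
 * process gets its own table whose entries are ALLOW (fast path, no policy
 * work), DENY, or CHECK (slow path with an argument test, as for open(2)). */
#include <string.h>

enum { SYS_READ, SYS_WRITE, SYS_OPEN, SYS_EXECVE, NSYSCALL };   /* constructed numbers */
enum verdict { ALLOW, DENY, CHECK };

struct sc_args { const char *path; };              /* hypothetical argument record */
struct sc_entry { enum verdict v; int (*check)(const struct sc_args *); };
struct sandbox { struct sc_entry table[NSYSCALL]; };

/* Slow path for open(2): only paths under the listed prefixes are permitted. */
static int open_checker(const struct sc_args *a) {
    static const char *allowed[] = { "/usr/share/", "/tmp/" };   /* example policy */
    if (a->path == NULL) return 0;
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++)
        if (strncmp(a->path, allowed[i], strlen(allowed[i])) == 0)
            return 1;
    return 0;
}

/* Example policy: read/write unconditional, open checked, execve refused. */
void sandbox_init(struct sandbox *sb) {
    sb->table[SYS_READ]   = (struct sc_entry){ ALLOW, NULL };
    sb->table[SYS_WRITE]  = (struct sc_entry){ ALLOW, NULL };
    sb->table[SYS_OPEN]   = (struct sc_entry){ CHECK, open_checker };
    sb->table[SYS_EXECVE] = (struct sc_entry){ DENY, NULL };
}

/* Dispatch decision: 1 = permit, 0 = refuse. Unknown numbers are refused. */
int sandbox_dispatch(const struct sandbox *sb, int nr, const struct sc_args *a) {
    if (nr < 0 || nr >= NSYSCALL) return 0;
    const struct sc_entry *e = &sb->table[nr];
    switch (e->v) {
    case ALLOW: return 1;                          /* no policy test at all */
    case DENY:  return 0;
    case CHECK: return (e->check && a) ? e->check(a) : 0;
    }
    return 0;
}

/* Convenience: decide one call against the example policy. */
int sandbox_decide(int nr, const char *path) {
    struct sandbox sb; struct sc_args a = { path };
    sandbox_init(&sb);
    return sandbox_dispatch(&sb, nr, &a);
}
```

Only the CHECK entries pay for policy evaluation; every ALLOW entry returns before any argument is inspected, which is the comment's point about where the overhead lands.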