Open OmgImAlexis opened 2 years ago
Definitely! I mentioned the findings of my initial Linux research in the readme.
We basically need to find a suitable sandbox implementation that we want to instrument with node-safe on Linux. In the readme I listed our minimum sandbox requirements further down as well.
It's a shame AppArmor dropped their --file option support a few years back, would've been perfect for our use-case 😄
Using AppArmor might still be possible by adding node-safe to the sudoers file, but I haven't checked yet how quick profile loading actually is (we generate dynamic sandbox profiles each invocation).
If anyone has an idea which Linux sandbox implementation would be the most suitable for us or does some further research please report your findings here :)
and windows support
Hello, I'd love to see node-safe on Linux too and as the main author of sydbox, I want to say sydbox mostly fits your purposes. Let me give a short review and pointers for further reading. Feel free to ping me for any questions:
We're looking for a fast (no lengthy boot), non-root implementation we can control through the command line or environment. Minimum control we need is file system access (read/write separately), networking (at least outbound connections) and process forking. Ideally the filtering is file path based and supports extended (bash 4 like) globbing or regex.
SYD_QUICK_BOOT=1
or syd -q
which makes startup faster in return for sacrificing one layer of defense against some container breaks (i.e. memfd self-reexec, the next layer of defense is procfs hardening).
allow/read,stat+${HOME}/Desktop/**/*.png
or allow/exec+/usr/**/bin/[bd]ash
. In addition there's Lock which uses Landlock. The paths for lock sandboxing are checked at kernel level, hence they are prefixes, not globs. We have many more sandboxing types (such as TPE, SegvGuard and Binary Verification!), see the syd(7) manual page for more information.
trace/allow_safe_bind:1
when Syd auto-allowlists successful bind addresses for subsequent connects.
syd -msandbox/pid:on -mpid/max:1 -munshare/user,pid:1 node...
, you effectively limit node to a single thread.
Here are a few more links if you want to learn further:
Would love to see Linux support.