berstend / node-safe

🤠 Make using Node.js safe again with Deno-like permissions
https://node-safe.com

[Feature idea] linux support #4

Open OmgImAlexis opened 2 years ago

OmgImAlexis commented 2 years ago

Would love to see linux support.

berstend commented 2 years ago

Definitely! I mentioned the findings of my initial Linux research in the readme.

We basically need to find a suitable sandbox implementation that we want to instrument with node-safe on Linux. In the readme I listed our minimum sandbox requirements further down as well.

It's a shame AppArmor dropped their --file option support a few years back, would've been perfect for our use-case 😄

Using AppArmor might still be possible by adding node-safe to the sudoers file, but I haven't checked yet how quick profile loading actually is (we generate dynamic sandbox profiles each invocation).

If anyone has an idea which Linux sandbox implementation would be the most suitable for us or does some further research please report your findings here :)

alphaleadership commented 1 year ago

and Windows support

alip commented 1 month ago

Hello, I'd love to see node-safe on Linux too and as the main author of sydbox, I want to say sydbox mostly fits your purposes. Let me give a short review and pointers for further reading. Feel free to ping me for any questions:

We're looking for a fast (no lengthy boot), non-root implementation we can control through the command line or environment. Minimum control we need is file system access (read/write separately), networking (at least outbound connections) and process forking. Ideally the filtering is file path based and supports extended (bash 4 like) globbing or regex.

  1. Syd startup is relatively fast. E.g., on Exherbo, our package manager Paludis executes Syd once for each exheres (package definition file). That means syd is executed hundreds of times in a row. You can further improve startup time with SYD_QUICK_BOOT=1 or syd -q, which makes startup faster in return for sacrificing one layer of defense against some container breaks (i.e. memfd self-reexec; the next layer of defense is procfs hardening).
  2. Syd does not need root or any elevated privileges, and we will never add a feature to Syd that requires elevated privileges. That's a design decision we made at step 0. Our goal is to make security easy to use and accessible.
  3. For filesystem access, Syd offers Read, Write, Stat, Exec and Ioctl sandboxing. All these sandboxing types accept rsync-like globs as arguments, and environment variables are expanded. More than one rule may be added and the last matching rule wins, e.g. allow/read,stat+${HOME}/Desktop/**/*.png or allow/exec+/usr/**/bin/[bd]ash. In addition there's Lock, which uses Landlock. The paths for lock sandboxing are checked at kernel level, hence they are prefixes, not globs. We have many more sandboxing types (such as TPE, SegvGuard and Binary Verification!), see the syd(7) manual page for more information.
  4. For networking, Syd offers Network sandboxing where you can specify address patterns to bind or connect to using CIDR notation. We also have a convenience option trace/allow_safe_bind:1 where Syd auto-allowlists successful bind addresses for subsequent connects.
  5. To limit process forking under Syd, you have two main options, Exec and PID sandboxing, where you either limit what binaries can be executed or how many processes (threads actually) are allowed to co-exist. PID sandboxing can be thought of as a simple alternative to PID Cgroups and is typically used with PID namespaces. E.g. if you do syd -msandbox/pid:on -mpid/max:1 -munshare/user,pid:1 node..., you effectively limit node to a single thread.
  6. As I said before, rsync-like globs are supported. That should be adequate for your use case.
  7. Syd allows dynamic configuration of the sandbox from within the sandbox. The API is very simple and based on stat(2) calls. There are C, Go, Perl, Python, Ruby and Emacs Lisp implementations of the Sydbox API. The C and Emacs Lisp implementations directly use the magic stat(2) calls. Other language bindings use the C library via FFI. Writing a pure JavaScript version of the API should be trivial and give node-safe a lot of power in configuring the sandbox.
  8. Last but not least, Sydbox has a learning mode that you can use with Pandora!

Here are a few more links if you want to learn further:
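As an added example (not code from node-safe or syd, and not part of the comment above): a small POSIX sh layer that builds a syd command line from node-safe style permission flags, covering the file, exec, network and PID controls the comment describes. The flag names are hypothetical; directives not quoted verbatim above (sandbox/read:on and friends, allow/write+, allow/net/connect+) are assumed by analogy with the ones that are, and should be checked against syd's manual before use.

```shell
#!/bin/sh
# Added example (not node-safe or syd code): translate node-safe style
# permission flags into a syd command line. The flag names (--allow-read=,
# --allow-write=, --allow-run=, --allow-net=, --max-procs=) are hypothetical.
# Directives follow the spellings quoted in the comment above
# (sandbox/pid:on, allow/read,stat+GLOB, allow/exec+GLOB, pid/max:N,
# unshare/user,pid:1, -q); sandbox/{read,stat,write,exec,net}:on,
# allow/write+GLOB and allow/net/connect+CIDR are ASSUMED to follow the same
# pattern and must be verified against syd's documentation before use.
build_syd_args() {
    # Default-deny: enable every sandbox type first; later rules open holes,
    # and syd applies the last matching rule.
    args='-q'
    for kind in read stat write exec net pid; do
        args="$args -msandbox/$kind:on"
    done
    for flag in "$@"; do
        case $flag in
            --allow-read=*)  args="$args -mallow/read,stat+${flag#--allow-read=}" ;;
            --allow-write=*) args="$args -mallow/write+${flag#--allow-write=}" ;;
            --allow-run=*)   args="$args -mallow/exec+${flag#--allow-run=}" ;;
            --allow-net=*)   args="$args -mallow/net/connect+${flag#--allow-net=}" ;;
            --max-procs=*)   args="$args -mpid/max:${flag#--max-procs=} -munshare/user,pid:1" ;;
            *) printf 'unknown flag: %s\n' "$flag" >&2; return 1 ;;
        esac
    done
    printf '%s\n' "$args"
}

# Run a Node.js script under the generated profile. Globs are left unexpanded
# (set -f) so that syd, not the shell, interprets them and expands ${HOME}.
run_node_sandboxed() {
    script=$1; shift
    args=$(build_syd_args "$@") || return 1
    command -v syd >/dev/null 2>&1 || { echo 'syd not installed' >&2; return 127; }
    ( set -f; exec syd $args node "$script" )
}

# Usage (constructed): read the project tree, write only under ./out, exec only
# the node binary, connect only to loopback, and cap the process at 4 threads.
# run_node_sandboxed app.js '--allow-read=${HOME}/project/**' \
#     '--allow-write=${HOME}/project/out/**' '--allow-run=/usr/bin/node' \
#     --allow-net=127.0.0.0/8 --max-procs=4
```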