Sydbox v2.0.1

Publish date: Jun 15, 2021
Tags: release exherbo sandbox seccomp-bpf seccomp-notify libseccomp syd-2 aarch64 mips mips64 ppc ppc64 ppc64le s390 s390x parisc parisc64 riscv64

12 Years: SydBox-v2.0.1

I am happy to announce the release of SydBox-2.0.1, its third major release after serving as the default sandbox of Exherbo for 12 years since 2009.08.17.

Download

Tar https://dev.exherbo.org/~alip/sydbox/sydbox-2.0.1.tar.bz2
SHA https://dev.exherbo.org/~alip/sydbox/sydbox-2.0.1.tar.bz2.sha1sum
GPG https://dev.exherbo.org/~alip/sydbox/sydbox-2.0.1.tar.bz2.sha1sum.asc
Git https://git.exherbo.org/git/sydbox-1.git
Hub https://github.com/sydbox/sydbox-1

Changes

libseccomp rather than PinkTrace

This release is a major release and is not backwards compatible. With this release SydBox no longer relies on ptrace to do the tracing; instead it uses the seccomp-bpf and seccomp user-notification (seccomp-notify) facilities of the Linux kernel. SydBox no longer depends on PinkTrace; it depends on libseccomp instead.

New Architectures

SydBox-1 supports the X86-64, X86, X32, ARM, AArch64, PowerPC, ppc64 and IA-64 architectures. SydBox-2 supports every architecture that libseccomp supports, which adds quite a few new architectures to the list. SydBox-2 supports X86-64, X86, X32, ARM, AArch64, MIPS, MIPS64, PowerPC, ppc64, ppc64le, S390, S390x, PA-RISC and RISC-V 64 (riscv64).

SydBox API v2

This release of SydBox changes the SydBox API version to 2. This means SydBox will be reading from files with the .syd-2 extension rather than .syd-1 from now on. The Paludis profile and the sample Firefox profile have already been ported to the new configuration format. One of the notable name changes is moving from whitelist & blacklist to allowlist & denylist.

New sandboxed system calls

With this release SydBox starts to sandbox the faccessat2, sendmsg and recvmsg system calls. This means you may now allow and deny, e.g., DNS calls to specific addresses, which was previously not possible. Note this is not a security issue: the old SydBox, i.e. sydbox-1, still denies unwanted DNS requests at the preceding bind() call, but it provided no way to allow UDP access to certain DNS addresses, e.g. localhost or Google Public DNS, with:

core/sandbox/network:deny
allowlist/network/connect+inet:127.0.0.1@53
allowlist/network/connect+inet:8.8.8.8@53

New sandboxing restrictions

In addition, SydBox learned a couple of new global restriction options, namely core/restrict/general, core/restrict/io_control and core/restrict/memory_map. These options allow the user to limit the general list of permitted system calls to one of three predefined sets, and to restrict some flags of the ioctl and mmap system calls for added security.
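The post names the restriction options but does not say which flags they restrict. As an added illustration (not SydBox code, and not the flag set SydBox-2 actually enforces), here is a seccomp-bpf filter of the kind such options are built from: it makes mmap() and mprotect() fail with EPERM when asked for PROT_WRITE and PROT_EXEC at the same time and lets every other call through untouched. It assumes an x86-64 (little-endian, __NR_mmap) Linux with the seccomp() system call; the names no_wx_insns, install_no_wx_filter and probe_mmap are this example's own.

```c
/* Added example, not SydBox's own code: a seccomp-bpf filter that denies
 * writable-and-executable memory requests in the calling process. The actual
 * flags SydBox's core/restrict/memory_map restricts are not given in the post;
 * W^X is this example's choice. Assumes x86-64 (little-endian, __NR_mmap). */
#define _GNU_SOURCE
#include <errno.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* seccomp_data.args[2] is the prot argument of both mmap(2) and mprotect(2);
 * on a little-endian host its low 32 bits sit at this offset. */
#define ARG_PROT_LO (offsetof(struct seccomp_data, args) + 2 * sizeof(__u64))

static struct sock_filter no_wx_insns[] = {
    /* A = syscall number; only mmap and mprotect get their prot inspected */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_mmap, 1, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_mprotect, 0, 4),
    /* A = prot & (PROT_WRITE|PROT_EXEC); both set -> fail the call with EPERM */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG_PROT_LO),
    BPF_STMT(BPF_ALU | BPF_AND | BPF_K, PROT_WRITE | PROT_EXEC),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, PROT_WRITE | PROT_EXEC, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* Install the filter in the calling process. Returns 0 on success, else -errno.
 * no_new_privs is required before an unprivileged process may load a filter. */
int install_no_wx_filter(void)
{
    struct sock_fprog prog = { .len = sizeof no_wx_insns / sizeof *no_wx_insns,
                               .filter = no_wx_insns };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) return -errno;
    if (syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER, 0, &prog) < 0) return -errno;
    return 0;
}

/* Try a one-page anonymous mapping with the given prot; 0 on success, else errno. */
int probe_mmap(int prot)
{
    void *p = mmap(NULL, 4096, prot, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return errno;
    munmap(p, 4096);
    return 0;
}

int main(void)
{
    printf("before filter: rwx mmap -> %d\n", probe_mmap(PROT_READ | PROT_WRITE | PROT_EXEC));
    if (install_no_wx_filter() < 0) { perror("seccomp"); return 1; }
    printf("after filter:  rw  mmap -> %d\n", probe_mmap(PROT_READ | PROT_WRITE));
    printf("after filter:  rwx mmap -> %d (EPERM is %d)\n",
           probe_mmap(PROT_READ | PROT_WRITE | PROT_EXEC), EPERM);
    return 0;
}
```

A rule of this shape is decided entirely inside the kernel from the filter's argument checks; no round trip to the supervising process is needed, which is why flag restrictions like these are cheap compared with the path- and address-based decisions that still have to go through user space.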

Performance Increase

This release is noticeably faster than SydBox-1.2.1 because it no longer ptrace-stops the processes. The benchmark section at the end of this post has the details.

Paludis Support for API v2

Paludis support for SydBox API version 2 depends on this Merge Request. This is why the Sydbox-2 package in arbor.git is masked for testing.

Bug Fixes

This release fixes a multithreaded execve race condition which caused hangs.

Build & Requirements

SydBox uses autotools and requires libseccomp-2.4.3 or newer. To build, simply run ./configure, make, make -j check and sudo make install. If you're building from the Git repository, run the script ./autogen.sh before ./configure.

By default this will produce a statically linked SydBox binary. If you want to use dynamic linking, give the --disable-static option to ./configure.

To use SydBox, Linux kernel version 5.11 or newer is recommended. Users who do not have such a new Linux kernel version may continue to use Sydbox-1.2.1. In addition, it is recommended that you enable the kernel configuration option CONFIG_CROSS_MEMORY_ATTACH so that SydBox can use the system calls process_vm_readv and process_vm_writev. These system calls are available in Linux since 3.2. Note SydBox will use the file /proc/pid/mem if these system calls are unavailable or not working.

After building SydBox, you can use the --test option (short form -t) to check whether all the required facilities are present on the running system. If this command succeeds, SydBox is usable on the running system:

$ sydbox --test || echo 'sydbox not usable!'
sydbox: Linux/chesswob 5.11
sydbox: [>] Checking for requirements...
sydbox: [*] cross memory attach is functional.
sydbox: [*] /proc/pid/mem interface is functional.
sydbox: [*] pidfd interface is functional.
sydbox: [*] seccomp filters are functional.
sydbox: [>] SydBox is supported on this system!

To verify SydBox is working correctly, either use make -j check during installation or use the helper utility sydtest to run the installed tests.

Benchmark

SydBox-1.2.1 vs. SydBox-2.0.1

SydBox-2.0.1 stops using ptrace altogether and uses seccomp-bpf and seccomp-notify instead. The tracee is no longer traced via ptrace(); notifications are received by first poll()ing the seccomp file descriptor and then calling ioctl(SECCOMP_IOCTL_NOTIF_RECV, ...), and the responses deciding what happens to each system call are sent via ioctl(SECCOMP_IOCTL_NOTIF_SEND, ...).
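The two halves of this post's design, the per-address connect allowlist from the "New sandboxed system calls" section (core/sandbox/network:deny plus the two connect+inet lines) and the poll()/SECCOMP_IOCTL_NOTIF_RECV/SECCOMP_IOCTL_NOTIF_SEND loop just described, can be shown end to end in one small C program. This is an added example written for this page, not code from SydBox or the Exherbo project. It assumes an x86-64 Linux with kernel and headers 5.6 or newer, uses a hand-written BPF filter instead of libseccomp so it builds without the library, reads the target's memory with process_vm_readv() as the post recommends, and assumes (from the single pidfd_getfd call in the strace summaries below) that pidfd_getfd is a reasonable way for the supervisor to take the listener descriptor from the target. The names connect_policy, supervise_once and ALLOWLIST are this example's own.

```c
/* Added example, not SydBox's own code: a minimal seccomp-notify supervisor in the
 * shape the post describes (filter returns SECCOMP_RET_USER_NOTIF for connect();
 * supervisor poll()s, ioctl(SECCOMP_IOCTL_NOTIF_RECV), process_vm_readv(), then
 * ioctl(SECCOMP_IOCTL_NOTIF_SEND)). Needs Linux >= 5.6 headers and kernel. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <poll.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed allowlist mirroring the post's connect+inet:127.0.0.1@53 and 8.8.8.8@53. */
static const struct { const char *addr; uint16_t port; } ALLOWLIST[] = {
    { "127.0.0.1", 53 }, { "8.8.8.8", 53 },
};

/* Pure policy, the part a unit test can drive: 0 = allow, -EACCES = deny.
 * Arguments are in network byte order, exactly as found in struct sockaddr_in. */
int connect_policy(uint32_t addr_be, uint16_t port_be)
{
    for (size_t i = 0; i < sizeof ALLOWLIST / sizeof *ALLOWLIST; i++)
        if (inet_addr(ALLOWLIST[i].addr) == addr_be && htons(ALLOWLIST[i].port) == port_be)
            return 0;
    return -EACCES;                          /* core/sandbox/network:deny */
}

/* Filter: connect() -> user notification, everything else allowed. A real filter
 * (libseccomp emits this) first checks seccomp_data.arch so that, for instance,
 * x32 syscall numbers cannot be mistaken for x86-64 ones. */
static struct sock_filter filter_insns[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_connect, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* One supervisor round: poll, receive, inspect, respond. Returns the verdict sent. */
int supervise_once(int listener)
{
    struct pollfd pfd = { .fd = listener, .events = POLLIN };
    struct seccomp_notif req = { 0 };        /* kernel requires a zeroed buffer */
    struct seccomp_notif_resp resp = { 0 };
    struct sockaddr_in in = { 0 };
    if (poll(&pfd, 1, -1) < 0 || ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req) < 0)
        return -errno;
    /* connect(fd, addr, addrlen): args[1] is a pointer in the target's address space. */
    size_t len = req.data.args[2] < sizeof in ? (size_t)req.data.args[2] : sizeof in;
    struct iovec local = { &in, len }, remote = { (void *)(uintptr_t)req.data.args[1], len };
    int verdict = -EACCES;
    /* Cross memory attach, as the post recommends. The target may have died and its
     * pid been reused meanwhile, so re-validate the notification id before deciding. */
    if (process_vm_readv(req.pid, &local, 1, &remote, 1, 0) == (ssize_t)len &&
        len == sizeof in && in.sin_family == AF_INET &&
        ioctl(listener, SECCOMP_IOCTL_NOTIF_ID_VALID, &req.id) == 0)
        verdict = connect_policy(in.sin_addr.s_addr, in.sin_port);
    resp.id = req.id;
    resp.error = verdict;                                             /* deny: EACCES  */
    resp.flags = verdict == 0 ? SECCOMP_USER_NOTIF_FLAG_CONTINUE : 0; /* allow: run it */
    return ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp) < 0 ? -errno : verdict;
}

int main(void)
{
    int pipefd[2], lfd;
    if (pipe(pipefd) < 0) return 1;
    pid_t pid = fork();
    if (pid == 0) {                          /* the sandboxed target */
        struct sock_fprog prog = { .len = 4, .filter = filter_insns };
        prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
        lfd = syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_NEW_LISTENER, &prog);
        if (lfd < 0 || write(pipefd[1], &lfd, sizeof lfd) != (ssize_t)sizeof lfd) _exit(1);
        const char *dst[] = { "8.8.8.8", "1.1.1.1" };   /* allowlisted, then denied */
        for (int i = 0; i < 2; i++) {
            struct sockaddr_in to = { .sin_family = AF_INET, .sin_port = htons(53) };
            to.sin_addr.s_addr = inet_addr(dst[i]);
            int fd = socket(AF_INET, SOCK_DGRAM, 0);
            int rc = connect(fd, (struct sockaddr *)&to, sizeof to) < 0 ? errno : 0;
            printf("connect %s@53 -> %s\n", dst[i], rc ? strerror(rc) : "ok");
        }
        _exit(0);
    }
    /* Supervisor: the post's strace shows SydBox-2 calling pidfd_getfd once; using it
     * to pull the listener fd out of the target is this example's assumption. */
    if (read(pipefd[0], &lfd, sizeof lfd) != (ssize_t)sizeof lfd) return 1;
    int listener = syscall(__NR_pidfd_getfd, syscall(__NR_pidfd_open, pid, 0), lfd, 0);
    if (listener < 0) { perror("pidfd_getfd"); return 1; }
    supervise_once(listener);
    supervise_once(listener);
    return waitpid(pid, NULL, 0) < 0;
}
```

Build with gcc -Wall and run it: the first connect() is continued by the kernel (it may still fail with a routing error on a host without network, which is the kernel's verdict, not the supervisor's) and the second returns EACCES. One caveat a practitioner should keep in mind: answering with SECCOMP_USER_NOTIF_FLAG_CONTINUE after inspecting the target's memory is racy, because another thread in the target can rewrite the sockaddr between the supervisor's read and the kernel executing the call. The seccomp_unotify(2) man page documents this limitation, and a sandbox whose decision is security relevant performs the operation on the target's behalf rather than continuing the original call.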

Setup

We compile Paludis, the package manager of the Exherbo GNU/Linux distribution, under the old SydBox, under the new SydBox and without SydBox. Paludis was built from Git. See the detailed option information below. Things to note: recommended tests are disabled, and the installation happens in two steps, where tahta is a simple pbin (binary) repository.

r   sys-apps/paludis:0::arbor scm to ::tahta-bin replacing scm
    "Paludis, the one true package mangler"
    bash-completion -doc -gemcutter pbin pink -python ruby search-index vim-syntax -xml zsh-completion PROVIDERS: elfutils PYTHON_ABIS: -2.7 3.6 3.7 3.8 3.9 RUBY_ABIS: -2.5 -2.6 2.7 -3.0 build_options: symbols=split jobs=12 dwarf_compress -recommended_tests -trace work=tidyup
    Reasons: target (to be like sys-apps/paludis:0::(install_to_slash))

r   sys-apps/paludis:0::arbor scm to ::installed via binary created in tahta-bin replacing scm
    "Paludis, the one true package mangler"
    bash-completion -doc -gemcutter pbin pink -python ruby search-index vim-syntax -xml zsh-completion PROVIDERS: elfutils PYTHON_ABIS: -2.7 3.6 3.7 3.8 3.9 RUBY_ABIS: -2.5 -2.6 2.7 -3.0 build_options: symbols=split jobs=12 dwarf_compress -recommended_tests -trace work=tidyup
    Reasons: target

Total: 1 reinstalls, 1 binaries

Timing

$ time cave resolve paludis -zx1

Before: sydbox-1.2.1

real    4m23.706s
user    20m58.527s
sys     4m42.370s

After: sydbox-2.0.1

real    3m33.447s
user    19m40.533s
sys     2m40.566s

PALUDIS_DO_NOTHING_SANDBOXY=1

real    3m20.771s
user    18m24.741s
sys     2m26.128s

strace --summary-only

sydbox-2.0.1 paludis compile under strace

src_configure

=== Done src_configure
% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ------------------
 39.36    1.367534      683767         2         1 wait4
 22.48    0.780800           5    138336           ioctl
 14.37    0.499382           5     92231           rt_sigprocmask
  8.93    0.310261           6     46113         1 poll
  5.07    0.176051           6     25587           process_vm_readv
  2.16    0.075143           7      9887       535 open
  1.73    0.059992           5     10169           close
  1.50    0.052256           7      6573           read
  1.25    0.043391           5      7233           getdents64
  1.07    0.037095           7      5090           lseek
  0.93    0.032336           5      5903       813 pidfd_send_signal
  0.59    0.020328           5      3769           fcntl
  0.23    0.008104          10       766           readlink
  0.15    0.005302           6       815           pidfd_open
  0.06    0.001936           6       277           mmap
  0.05    0.001837           9       200           munmap
  0.05    0.001709           6       274           process_vm_writev
  0.02    0.000522           5        93         1 lstat
  0.00    0.000052           5         9           brk
  0.00    0.000000           0         3         1 rt_sigreturn
  0.00    0.000000           0         1           fork
  0.00    0.000000           0         1           execve
  0.00    0.000000           0         1           kill
  0.00    0.000000           0         1           uname
  0.00    0.000000           0         4           mprotect
  0.00    0.000000           0        14           rt_sigaction
  0.00    0.000000           0         2           fstat
  0.00    0.000000           0         1           arch_prctl
  0.00    0.000000           0         1           stat
  0.00    0.000000           0         1           set_tid_address
  0.00    0.000000           0         1           pipe2
  0.00    0.000000           0        10         6 seccomp
  0.00    0.000000           0         1           pidfd_getfd
------ ----------- ----------- --------- --------- ------------------
100.00    3.474031           9    353369      1358 total

src_compile

=== Done src_compile
% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ------------------
 80.63  145.185365    72592682         2         1 wait4
  3.22    5.795783           7    734218      5395 open
  2.58    4.644428           5    848820           ioctl
  2.25    4.048522           5    737836           close
  2.15    3.862470           5    689551         4 getdents64
  1.86    3.354042           8    395087           read
  1.66    2.983437           5    565887           rt_sigprocmask
  1.50    2.692074           7    373792         3 lseek
  1.10    1.985650           5    382404      8610 pidfd_send_signal
  1.00    1.805214           7    247541           process_vm_readv
  0.96    1.731252           6    282954         1 poll
  0.93    1.668314           4    347934           fcntl
  0.05    0.096012          12      7657           readlink
  0.05    0.087147          11      7616           munmap
  0.03    0.060660           6      9011           pidfd_open
  0.03    0.059201           7      8015           mmap
  0.00    0.001625           5       274           process_vm_writev
  0.00    0.000660           7        93         1 lstat
  0.00    0.000149           5        27           brk
  0.00    0.000007           7         1           madvise
  0.00    0.000003           1         3         1 rt_sigreturn
  0.00    0.000000           0         1           fork
  0.00    0.000000           0         1           execve
  0.00    0.000000           0         1           kill
  0.00    0.000000           0         1           uname
  0.00    0.000000           0         4           mprotect
  0.00    0.000000           0        14           rt_sigaction
  0.00    0.000000           0         2           fstat
  0.00    0.000000           0         1           arch_prctl
  0.00    0.000000           0         1           stat
  0.00    0.000000           0         1           set_tid_address
  0.00    0.000000           0         1           pipe2
  0.00    0.000000           0        10         6 seccomp
  0.00    0.000000           0         1           pidfd_getfd
------ ----------- ----------- --------- --------- ------------------
100.00  180.062015          31   5638762     14022 total

sydbox-1.2.1 paludis compile under strace

src_configure

=== Done src_configure
% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ------------------
 37.65    4.399665           5    807047           rt_sigprocmask
 28.99    3.387842          18    188124         1 wait4
 20.97    2.450048           6    387644           ptrace
 10.70    1.250251           6    203389     12743 lstat
  1.20    0.139687           6     21078           process_vm_readv
  0.16    0.018968           8      2231           read
  0.08    0.008920          11       745           open
  0.07    0.008303           9       873           munmap
  0.05    0.006230           6       893           mmap
  0.04    0.004998           6       745           close
  0.03    0.003545          12       280           writev
  0.03    0.003237           6       487         1 stat
  0.02    0.002678           9       286           readlink
  0.01    0.000968           7       137           process_vm_writev
  0.00    0.000006           1         4           brk
  0.00    0.000005           5         1           ioctl
  0.00    0.000000           0         4           mprotect
  0.00    0.000000           0        12           rt_sigaction
  0.00    0.000000           0         2           fstat
  0.00    0.000000           0         1           fork
  0.00    0.000000           0         1           execve
  0.00    0.000000           0         1           kill
  0.00    0.000000           0         1           uname
  0.00    0.000000           0         2           fcntl
  0.00    0.000000           0         1           getcwd
  0.00    0.000000           0         1           arch_prctl
  0.00    0.000000           0         1           set_tid_address
------ ----------- ----------- --------- --------- ------------------
100.00   11.685351           7   1613991     12745 total

src_compile

=== Done src_compile
% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ------------------
 45.63  170.513233          27   6263660         3 wait4
 34.08  127.356059           4  25513255           rt_sigprocmask
 20.00   74.731989           5  12510882           ptrace
  0.14    0.512506           5     87994      4109 lstat
  0.06    0.221801           8     27329           read
  0.03    0.119041          12      9599           open
  0.03    0.097510           7     13377       305 process_vm_readv
  0.02    0.058519           6      9599           close
  0.01    0.029136          11      2647           readlink
  0.00    0.012643           9      1382           munmap
  0.00    0.010049           6      1520           mmap
  0.00    0.004153           7       550           readlinkat
  0.00    0.002650           9       280           writev
  0.00    0.002314           4       490           fcntl
  0.00    0.000671           4       137           process_vm_writev
  0.00    0.000529           6        85         1 stat
  0.00    0.000302           7        40           utimensat
  0.00    0.000036           5         7           brk
  0.00    0.000005           5         1           ioctl
  0.00    0.000000           0         4           mprotect
  0.00    0.000000           0         1           fork
  0.00    0.000000           0         1           execve
  0.00    0.000000           0         1           kill
  0.00    0.000000           0         1           uname
  0.00    0.000000           0        12           rt_sigaction
  0.00    0.000000           0         2           fstat
  0.00    0.000000           0         1           getcwd
  0.00    0.000000           0         1           arch_prctl
  0.00    0.000000           0         1           set_tid_address
------ ----------- ----------- --------- --------- ------------------
100.00  373.673146           8  44442859      4418 total

Observations

When we compare the src_compile phase of a Paludis build under SydBox-2.0.1 and SydBox-1.2.1, both run under strace, the differences in system call usage are clear. Below is a filtered group of the system calls that are core to the tracing functionality. SydBox-2.0.1 uses a greater variety of system calls. In total SydBox-1.2.1 makes 44301311 system calls, 28% of which are ptrace, an expensive system call. Meanwhile, SydBox-2.0.1 makes 3117293 system calls in total, a considerable decrease from the old version: it omits the ptrace and wait4 calls and replaces them with pidfd_getfd, seccomp, ioctl and poll.

sydbox-1.2.1:src_compile

% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ------------------
 45.63  170.513233          27   6263660         3 wait4
 34.08  127.356059           4  25513255           rt_sigprocmask
 20.00   74.731989           5  12510882           ptrace
  0.03    0.097510           7     13377       305 process_vm_readv
  0.00    0.000671           4       137           process_vm_writev

sydbox.git:src_compile

% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ------------------
 80.63  145.185365    72592682         2         1 wait4
  2.58    4.644428           5    848820           ioctl
  2.15    3.862470           5    689551         4 getdents64
  1.66    2.983437           5    565887           rt_sigprocmask
  1.50    2.692074           7    373792         3 lseek
  1.10    1.985650           5    382404      8610 pidfd_send_signal
  1.00    1.805214           7    247541           process_vm_readv
  0.96    1.731252           6    282954         1 poll
  0.03    0.060660           6      9011           pidfd_open
  0.00    0.001625           5       274           process_vm_writev
  0.00    0.000000           0        10         6 seccomp
  0.00    0.000000           0         1           pidfd_getfd
