Cloudflare Sandbox is a software package designed for developers and system administrators to easily apply Linux seccomp system call filtering to applications. It simplifies the process of enhancing security by restricting the system calls a process can make, without needing to write any custom code.
Core Components & Usage
The package offers two main components for different types of executables:
- libsandbox.so: A dynamically linked library for use with dynamically linked executables. It is injected using the LD_PRELOAD dynamic linker option. This method allows a tighter filter, because the filter is installed only after the runtime framework has finished its initialization.
- sandboxify: A command-line utility designed for statically linked executables. It launches the target application and applies the seccomp filter using ptrace.
Security Policy Configuration
Security policies are defined through simple environment variables:
- SECCOMP_SYSCALL_ALLOW: A whitelist of allowed system calls. Any unlisted system call will terminate the process.
- SECCOMP_SYSCALL_DENY: A blacklist of forbidden system calls. Attempting a blacklisted call will terminate the process.
Key Features
- Codeless Configuration: Define security rules using simple, colon-separated lists in environment variables.
- Permissive Log Mode: Instead of terminating a process for a policy violation, the sandbox can be configured to log the attempt, which is useful for developing and debugging security policies.
- Targeted Filtering: Provides different tools for dynamically and statically linked binaries to achieve optimal security.