Project author: google

Project description:
Sandboxed API automatically generates sandboxes for C/C++ libraries
Primary language: C++
Project address: git://github.com/google/sandboxed-api.git
Created: 2019-03-07T09:30:45Z
Project community: https://github.com/google/sandboxed-api

License: Apache License 2.0

Keywords:
security sandbox sandboxing security-hardening

Sandboxed API

Copyright 2019-2025 Google LLC

Introduction

The open-source Sandboxed API (SAPI) project builds on top of Google’s
Sandbox2 and
aims to make sandboxing of C/C++ libraries less burdensome.

Sandboxed API provides three main benefits:

  • Instead of sandboxing entire programs or having to change source code to be
    able to sandbox a part of a program as with Sandbox2, individual C/C++
    libraries can be sandboxed with SAPI. As a result, the main program is
    isolated from code execution vulnerabilities in the C/C++ library.

  • Our working motto is: Sandbox once, use anywhere. Libraries sandboxed with
    Sandboxed API can be reused easily, which removes the burden from future
    projects. Before Sandboxed API, the sandboxes available at Google required
    additional implementation work for each new project that was to be
    sandboxed, even if it reused the same software library. Sandbox2 policies
    and other restrictions applied to the sandboxed process had to be
    reimplemented each time, and the data exchange mechanisms between the
    trusted and untrusted parts of the code had to be designed from scratch.

  • Each SAPI library utilizes a tightly defined security policy, in contrast
    to the typical sandboxed project, where security policies must cover the
    total syscall/resource footprint of all utilized libraries.

Sandboxed API (SAPI) has been designed, developed, and is maintained by members
of the Google Sandbox Team. It also uses our field-tested Sandbox2. Currently,
many internal projects are using SAPI to isolate their production workloads.

Sandbox2 is also open-sourced as part of the SAPI project and can be used
independently.

Documentation

Developer documentation is available at Sandboxed API
and Sandbox2.

We recommend reading the SAPI Getting Started guide or the Sandbox2 Getting
Started guide, respectively.

If you are interested in a general overview of sandboxing technologies, see
https://developers.google.com/code-sandboxing.

Dependencies

SAPI and Sandbox2 both support the Bazel and CMake build systems. The following
dependencies are required on Debian 10 Buster:

  sudo apt-get update
  sudo apt-get install -qy \
    bazel \
    build-essential \
    ccache \
    cmake \
    g++-12 \
    gcc-12 \
    git \
    gnupg \
    libcap-dev \
    libclang-18-dev \
    libffi-dev \
    libncurses-dev \
    linux-libc-dev \
    llvm-18-dev \
    libzstd-dev \
    ninja-build \
    pkg-config \
    python3 \
    python3-absl \
    python3-clang-16 \
    python3-pip \
    unzip \
    wget \
    zip \
    zlib1g-dev

LLVM

SAPI offers two header generators, based on
Python and
LLVM Libtooling.

We aim to support at least the latest three LLVM releases and to cross-check
against Debian stable.

Getting Involved

If you want to contribute, please read CONTRIBUTING.md and
send us pull requests. You can also report bugs or file feature requests.

If you’d like to talk to the developers or get notified about major product
updates, you may want to subscribe to our mailing list or sign up with this
link.