git clone google-sandboxed-api_-_2019-03-19_13-17-29.bundle -b master
Copyright 2019 Google LLC
The Sandboxed API project (SAPI) aims to make sandboxing of C/C++ librariesless burdensome: after initial setup of security policies and generation oflibrary interfaces, an almost-identical stub API is generated (using atemplated based programming variable hierarchy system),transparently forwarding calls using a custom RPC layer to the real libraryrunning inside a sandboxed environment.
Additionally, each SAPI library utilizes a tightly defined security policy, incontrast to typical sandboxed project, where security policies must cover totalsyscall/resource footprint of all utilized libraries.
SAPI is designed to help you sandbox only a part of binary. That is, a libraryor some other code with an unknown security posture.
See Sandboxing Code to make sure this is the type ofsandboxing you are looking for.
Navigate to our How it works page.
Sandboxes available for use in Google required additional implementation workwith each new instance of project which was intended to be sandboxed, even ifit reused the same software library. Sandbox security policies and otherrestrictions applied to the sandboxed process had to be reimplemented eachtime, and data exchange mechanisms between trusted and untrusted parts ofthe code had to be designed from the scratch.
While designing the Sandboxed API project, our goal was to make this processeasy and straightforward. Our working motto is: Sandbox once, use anywhere.
The project has been designed, developed and is maintained by members ofthe Google Sandbox Team. It also uses our field-testedSandbox 2.
Currently, many internal projects are already using SAPI to isolatetheir production workloads. You can read more about them in theExamples section.
We've also prepared some more example SAPI implementations for your reference.
Install the required dependencies, this assumes you are running Debian 10"Buster":
bashecho "deb http://storage.googleapis.com/bazel-apt stable jdk1.8" | \ sudo tee /etc/apt/sources.list.d/bazel.listwget -qO - https://bazel.build/bazel-release.pub.gpg | sudo apt-key add -sudo apt-get install -qy python-typing python-clang-7 libclang-7-devsudo apt-get install -qy build-essential linux-libc-dev bazel
Clone and run the build:
bashgit clone github.com/google/sandboxed-api && cd sandboxed-apibazel build ...
Try out one of the examples:
bashbazel run //sandboxed_api/examples/stringop:main_stringop
There are also a more detailed instructions that should help yougetting started with SAPI.
If you want to contribute, please read CONTRIBUTING.md andsend us pull requests. You can also report bugs or file feature requests.
If you'd like to talk to the developers or get notified about major productupdates, you may want to subscribe to ourmailing list.