2023-11-01 16:17:51 +08:00
# x2t sandbox
To prevent untrusted code from being executed through a memory-corruption bug while x2t parses a document, x2t is wrapped in a sandbox layer that restricts which syscalls it may make.
## Quick start
### Setup
```bash
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
```
### Build
```bash
cargo build
```
### Run
```bash
cargo run
```
### Generate syscalls with strace
```bash
strace -f --output x2t-syscalls.txt /path/to/x2t some.xml
```
### Generate syscalls with tracing mode
With the `tracing-mode` cargo feature enabled, the macro does not fail when the environment variable or the syscall list file is missing, so a list can be generated directly:
```bash
cargo run --features tracing-mode -- -l x2t-syscalls.txt /path/to/x2t some.xml
# sponge (from moreutils) buffers all of its input before writing, so the file can be
# rewritten in place without the shell truncating it while sort is still reading it.
sort x2t-syscalls.txt | uniq | sponge x2t-syscalls.txt
```
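The strace step above writes raw trace lines, and the sort/uniq step only deduplicates whatever is in the file. As an added example (not the project's own code), the following Rust program extracts the syscall names from an `strace -f -o` log, skipping exit markers, signal lines and `<... resumed>` continuations, and emits them sorted and deduplicated, one per line; the trace excerpt it embeds is constructed, and treating the list file as one bare syscall name per line is an assumption.

```rust
use std::collections::BTreeSet;
use std::io::Read;
/// Syscall name from one `strace -f -o` line, if it has one (assumes no -t/-r/-T timestamps).
fn syscall_name(line: &str) -> Option<&str> {
    let mut rest = line.trim_start();
    // strace -f -o prefixes every line with the PID; drop it (the "[pid N]" stderr form is not handled).
    let first = rest.split_whitespace().next()?;
    if first.bytes().all(|b| b.is_ascii_digit()) {
        rest = rest[first.len()..].trim_start();
    }
    // "+++ exited/killed +++" and "--- SIGxxx ---" carry no syscall; "<... name resumed>"
    // continues a call already recorded on its "<unfinished ...>" line, so skip all three.
    if rest.starts_with("+++") || rest.starts_with("---") || rest.starts_with("<...") {
        return None;
    }
    let name = rest.split('(').next()?;
    // Real syscall names are [a-z0-9_]; anything else is a stray line.
    let valid = !name.is_empty()
        && name.bytes().all(|b| b.is_ascii_lowercase() || b.is_ascii_digit() || b == b'_');
    valid.then_some(name)
}
/// Sorted, deduplicated names from a whole log: what the `sort | uniq` step produces.
fn allow_list(strace_log: &str) -> Vec<String> {
    let names: BTreeSet<&str> = strace_log.lines().filter_map(syscall_name).collect();
    names.into_iter().map(String::from).collect()
}
/// Constructed excerpt in `strace -f -o` format for an x2t-like run (not a real trace).
const SAMPLE_LOG: &str = "\
2291  execve(\"/path/to/x2t\", [\"/path/to/x2t\", \"some.xml\"], 0x7ffe0f1c2a40 /* 12 vars */) = 0
2291  openat(AT_FDCWD, \"some.xml\", O_RDONLY|O_CLOEXEC) = 3
2291  clone3({flags=CLONE_VM|CLONE_THREAD, ...}, 88) = 2292
2291  futex(0x7f1c3e0009d0, FUTEX_WAIT_PRIVATE, 2292, NULL <unfinished ...>
2292  write(1, \"<root/>\\n\", 8)         = 8
2292  exit(0)                           = ?
2291  <... futex resumed>)              = 0
2292  +++ exited with 0 +++
2291  --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=2292} ---
2291  exit_group(0)                     = ?
2291  +++ exited with 0 +++
";
fn main() {
    // Reads a raw strace log on stdin (falls back to SAMPLE_LOG) and prints one name per line.
    let mut log = String::new();
    std::io::stdin().read_to_string(&mut log).expect("read stdin");
    let log = if log.trim().is_empty() { SAMPLE_LOG } else { log.as_str() };
    for name in allow_list(log) {
        println!("{name}");
    }
}
```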
After updating the syscall list, rebuilding the binary produces a new sandbox.
## Project structure
- [Project](/)
- [x2t-syscalls.txt](/x2t-syscalls.txt): the syscalls x2t uses
- [build.rs](/build.rs): works around a few build platforms on which libseccomp cannot be found
- [x2t-sandbox-rulegen](/x2t-sandbox-rulegen/): generates the rule code directly from the syscall list via a macro, so the syscall names are not embedded in the binary as text and are harder to tamper with
- Cargo.toml/Cargo.lock/rust-toolchain.toml: already configured to build a statically linked binary by default
- optional: flake.nix/flake.lock: a fully unified development environment built with nix, configured to build a statically linked binary by default
- .envrc: if you are not using nix, comment it out, or simply have direnv block it so it is never loaded
- .gitignore
## TODOs
- Look into how to restrict the arguments of specific syscalls, especially:
  - execve
  - prctl