birdcage

Crates.iobirdcage
lib.rsbirdcage
version0.8.1
sourcesrc
created_at2022-10-19 21:25:43.666712
updated_at2024-04-19 20:51:11.957273
descriptionCross-platform embeddable sandbox
homepage
repositoryhttps://github.com/phylum-dev/birdcage
max_upload_size
id691889
size403,281
Christian Dürr (cd-work)

documentation

https://docs.rs/birdcage

README

Birdcage

GitHub GitHub issues Contributor Covenant Discord Crate Documentation

Birdcage logo

About

Birdcage is a cross-platform embeddable sandboxing library allowing restrictions to Filesystem and Network operations using native operating system APIs.

Birdcage was originally developed for use by the Phylum CLI as an extra layer of protection against potentially malicious dependencies (see the blog post for details). To better protect yourself from these security risks, sign up now!

Birdcage focuses only on Filesystem and Network operations. It is not a complete sandbox preventing all side-effects or permanent damage. Applications can still execute most system calls, which is especially dangerous when execution is performed as root. Birdcage should be combined with other security mechanisms, especially if you are executing known-malicious code.

Example

An example for using Birdcage's API can be found in ./examples/sandbox, which runs an application with CLI-configurable restrictions applied.

Trying to run without any exceptions will produce an error:

$ cargo run --example sandbox -- echo "Hello, Sandbox\!"
Error: Os { code: 13, kind: PermissionDenied, message: "Permission denied" }

Running the same command with explicit permissions allows execution:

$ cargo run --example sandbox -- -e /usr/bin/echo -e /usr/lib echo "Hello, Sandbox\!"
Hello, Sandbox!

Check out cargo run --example sandbox -- --help for more information on how to use the example.

Supported Platforms

  • Linux via namespaces
  • macOS via sandbox_init() (aka Seatbelt)
Commit count: 68

cargo fmt