Crates.io | extrasafe |
lib.rs | extrasafe |
version | 0.5.1 |
source | src |
created_at | 2022-03-02 08:42:27.702713 |
updated_at | 2024-04-16 22:08:36.053535 |
description | Make your code extrasafe by reducing what it can access. |
homepage | |
repository | https://github.com/boustrophedon/extrasafe |
max_upload_size | |
id | 542084 |
size | 288,275 |
fn main() {
println!("disabling syscalls...");
extrasafe::SafetyContext::new()
.enable(
extrasafe::builtins::SystemIO::nothing()
.allow_stdout()
.allow_stderr()
).unwrap()
.apply_to_all_threads().unwrap();
// Opening files now fails!
let res = File::create("should_fail.txt");
assert!(res.is_err());
println!("but printing to stdout still works!");
eprintln!("and so does stderr!");
}
You've used safe and unsafe Rust: now your code can be extrasafe.
extrasafe is an easy-to-use wrapper around various Linux security tools, including seccomp filters syscall-filtering functionality to prevent your program from calling syscalls you don't need, the Landlock Linux Security Module for more fine-grained control over IO operations, and user namespaces for broader isolation. These tools are used by systemd, Chrome, container runtimes, and application sandboxes like bubblewrap and firejail.
The goal of extrasafe is to make it easy to add extra security to your own programs without having to rely on external configuration by the person running the software.
seccomp is very mildly complicated, so we provide simple defaults that make it hard to misuse: Deny-by-default with pre-selected sets of syscalls to enable.
Additionally, we support slightly advanced use-cases:
We also support using Landlock to allow specific, targeted access to the filesystem:
fn main() {
let tmp_dir = tempfile::tempdir().unwrap().into_path();
extrasafe::SafetyContext::new()
.enable(
extrasafe::builtins::SystemIO::nothing()
.allow_create_in_dir(&tmp_dir)
.allow_write_file(&tmp_dir)
).unwrap()
.apply_to_current_thread().unwrap();
// Opening arbitrary files now fails!
assert!(File::open("/etc/passwd")
.is_err());
// But the directory we allowed works
assert!(File::create(tmp_dir.join("my_output.txt"))
.is_ok());
// And other syscalls are still disallowed
assert!(std::net::UdpSocket::bind("127.0.0.1:0")
.is_err());
}
For examples of using user namespaces via extrasafe's Isolate
, and more detailed information on the rest of extrasafe's features, check out the user guide here and take a look at the examples directory
Application developers who want to tightly control what their programs can and cannot do.
If you're developing a library, there are three things you can do:
extrasafe::RuleSet
that covers the functionality of your libraryinit
function that does any IO-related work ahead of time (e.g. reading config files, SSL certificates)You don't want to use extrasafe directly in your library because you don't know what other functionality your dependents will be using.
Currently extrasafe only supports x86_64
. If you'd like to help support other archs please open an issue.
You may be able to use extrasafe to help test certain edge-cases, like the network being unavailable or not being able to read files, but I think that use-case would be better served by a separate library. Email me if you're interested in this!
So you can be extra safe. Suppose your program has a dependency with an undiscovered RCE lurking somewhere: extrasafe allows you to partially hedge against that by disabling access to functionality and files you don't need.
unshare
.AF_NETLINK
, which can be filtered with seccompAF_NETLINK
sockets are disabled by default with extrasafe.Seccomp filters are a somewhat blunt tool.
open
calls, or indeed any syscall arguments that are pointers (but we now support Landlock!)Why not both? Keep reading.
systemd supports filtering child processes' syscalls with seccomp via the SystemCallFilter
attribute. See e.g. this blog post and the systemd documentation
Issues:
pledge
To those sysadmins or devops reading this and saying "but I don't want to trust that the developers wrote their seccomp filter correctly!" - great! Defense in depth is the goal, and you can and should continue to use AppArmor or your preferred choice of external security control system.
As mentioned above, you should continue to use Linux Security Modules like AppArmor and SELinux! Not every program will be using extrasafe.
In the same way, from the perspective of a developer, there's no guarantee that the person running your code is using them. When there's a bug in your open-source code running on thousands of machines outside of your control, it's much nicer to know that it's not easily exploitable and can be fixed at your leisure, rather than having to coordinate a massive patch-and-upgrade effort to secure the systems.
make test
make lint
make coverage