Sandboxing Emacs with SydB☮x

by syd 2 months ago

GNU/Linux ◆ screen-256color ◆ zsh 251 views

In this video I demonstrate sandboxing Emacs with SydB☮x.

Check out the following links to learn more about SydB☮x:

More by syd

/home/alip                                                                      -bash-5.2$ # Let's try to call an external function                             -bash-5.2$ ls                                                                   {"cap":"p","cmd":"-bash","ctx":"access","cur":1,"cwd":"/home/alip","id":"syd","l:1000}                                                                          -bash: fork: Permission denied                                                  -bash-5.2$ # Let's try to spawn a subshell                                      -bash-5.2$ ( echo hello world )                                                 {"cap":"p","cmd":"-bash","ctx":"access","cur":1,"cwd":"/home/alip","id":"syd","l:1000}                                                                          -bash: fork: Permission denied                                                  -bash-5.2$ # All works as expected!                                             -bash-5.2$                                                                      logout                                                                          alip@pink ~ $ #

SydB☮x: Pid Sandboxing 03:09

by syd 3 months ago

alip@SydB☮x ~ $                                                                 alip@SydB☮x ~ $ # Looks good! I should prepare for snow :)                      alip@SydB☮x ~ $ # Let's disallow the address back again.                        alip@SydB☮x ~ $ esyd disallow_net --connect '5.9.243.187!80' # Note the quoting {"cfg":"allowlist/net/connect-5.9.243.187!80","cmd":"-bash","ctx":"config","cwd"1000}                                                                           alip@SydB☮x ~ $ curl wttr.in/Berlin # This is not going to work                 {"cfg":"allowlist/net/connect+0.0.0.0!35495","cmd":"curl wttr.in/Berlin","ctx":"134120,"uid":1000}                                                                                                                                              {"addr":"5.9.243.187!80","cap":"c","cmd":"curl wttr.in/Berlin","ctx":"access","c"uid":1000}                                                                     curl: (7) Failed to connect to wttr.in port 80 after 847 ms: Couldn't connect toalip@SydB☮x ~ $                                                                 alip@SydB☮x ~ $ # Allowlisting IP addresses it not al

SydB☮x: Network Sandboxing 05:33

by syd 3 months ago

alip@pink ~ $ # Let's start with a process that can work under low memory.      alip@pink ~ $ # How about busybox? Yes!                                         alip@pink ~ $ file $(which busybox)                                             /usr/host/bin/busybox: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), stat8d49cfa86a259e044f25ee84750927bfc5, stripped                                    alip@pink ~ $ # All nice and static linked.                                     alip@pink ~ $ syd -puser -msandbox/mem:on -mmem/max:7M busybox sh # Let's drop t~ $ bash                                                                        {"cap":"m","cmd":"bash /usr/host/bin/neofetch --no_config","ctx":"access","cur":d","l":2,"max":7000000,"pid":13,"sys":"mmap","t":1701801218,"uid":1000}         alip@SydB☮x ~ $ # Nice, bash worked but neofetch failed on a memory error.      alip@SydB☮x ~ $                                                                 exit                                                                            ~ $ # Let's get the memory a bit tighter.                                       ~ $

SydB☮x: Memory Sandboxing 03:53

by syd 3 months ago

See all

You can download this recording in asciicast v2 format, as a .cast file.

Download

Replay in terminal

You can replay the downloaded recording in your terminal using the asciinema play command:

asciinema play 627055.cast

If you don't have asciinema CLI installed then see installation instructions.

Use with stand-alone player on your website

Download asciinema player from player's releases page (you only need .js and .css file), then use it like this:

<!DOCTYPE html>
<html>
<head>
  <link rel="stylesheet" type="text/css" href="asciinema-player.css" />
</head>
<body>
  <div id="player"></div>
  <script src="asciinema-player.min.js"></script>
  <script>
    AsciinemaPlayer.create(
      '/assets/627055.cast',
      document.getElementById('player'),
      { cols: 159, rows: 43 }
    );
  </script>
</body>
</html>

See asciinema player README for full usage instructions.

While this site doesn't offer GIF conversion at the moment, you can still do it yourself with the help of asciinema GIF generator utility - agg.

Once you have it installed run the following command to create GIF file:

agg https://asciinema.org/a/627055 627055.gif

Or, if you already downloaded the recording file:

agg 627055.cast 627055.gif

Check agg --help for all available options. You can change font family and size, select color theme, adjust speed and more.

See agg README for full usage instructions.