omegaup / omegajail

The omegaUp sandbox

omegajail

The omegaUp sandbox. Creates a userspace container with seccomp-bpf syscall filtering in which the untrusted code is run.

sequenceDiagram
    participant C as Caller
    participant P as omegajail::Jail
    participant I as Sandboxed init
    participant J as Jailed process
    C->>P: let j = omegajail::Command::new(args).spawn()?;
    activate P;

    P->>I: clone(NEWUSER|NEWPID|NEWIPC|NEWUTS|NEWCGROUP)
    activate I;
    P->I: setup user namespace
    I->I: Setup all other namespaces
    I->>J: clone()
    activate J;
    I->>P: Setup CGroups Request
    P-->>I: Setup CGroups Response
    P-->>C: omegajail::Jail
    C->>P: j.wait()?;
    I->>J: Jailed process can start
    J->>J: Run jailed process
    alt process exits
        J-->>I: notification of exit
    else calls forbidden syscall
        J-->>I: seccomp-bpf notification
    end
    deactivate J;

    I-->>P: WaitidStatus
    deactivate I;
    P-->>C: JailResult
    deactivate P;
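
To make the "calls forbidden syscall" branch of the diagram concrete, here is an added example (not omegajail's code or its actual policy) that builds a classic-BPF seccomp allowlist for x86_64 and interprets it over a syscall number and ABI. The four allowlisted syscalls and the choice of SECCOMP_RET_USER_NOTIF as the deny action are assumptions made for illustration; the page does not say which action omegajail returns.

```rust
// Added illustration, not omegajail code: classic-BPF seccomp allowlist + tiny evaluator.
#[derive(Clone, Copy)]
struct SockFilter { code: u16, jt: u8, jf: u8, k: u32 } // layout of struct sock_filter

const LD_W_ABS: u16 = 0x20; // BPF_LD | BPF_W | BPF_ABS
const JEQ_K: u16 = 0x15; // BPF_JMP | BPF_JEQ | BPF_K
const RET_K: u16 = 0x06; // BPF_RET | BPF_K
const AUDIT_ARCH_X86_64: u32 = 0xC000_003E;
const RET_ALLOW: u32 = 0x7fff_0000; // SECCOMP_RET_ALLOW
const RET_KILL_PROCESS: u32 = 0x8000_0000; // SECCOMP_RET_KILL_PROCESS
const RET_USER_NOTIF: u32 = 0x7fc0_0000; // SECCOMP_RET_USER_NOTIF (assumed deny action)

fn ins(code: u16, jt: u8, jf: u8, k: u32) -> SockFilter { SockFilter { code, jt, jf, k } }

/// Check the ABI first, then allow the listed syscall numbers, else notify.
/// A matching comparison jumps over the remaining comparisons and the default return.
fn build_allowlist(allowed: &[u32]) -> Vec<SockFilter> {
    assert!(allowed.len() <= 255, "jump offsets are 8-bit");
    let mut p = vec![
        ins(LD_W_ABS, 0, 0, 4), // A = seccomp_data.arch
        ins(JEQ_K, 1, 0, AUDIT_ARCH_X86_64), // expected ABI: skip the kill
        ins(RET_K, 0, 0, RET_KILL_PROCESS), // other ABI: numbers mean other syscalls
        ins(LD_W_ABS, 0, 0, 0), // A = seccomp_data.nr
    ];
    for (i, &nr) in allowed.iter().enumerate() {
        p.push(ins(JEQ_K, (allowed.len() - i) as u8, 0, nr));
    }
    p.push(ins(RET_K, 0, 0, RET_USER_NOTIF)); // default: not on the allowlist
    p.push(ins(RET_K, 0, 0, RET_ALLOW));
    p
}

/// Interpret the program over seccomp_data's first two words (nr at 0, arch at 4).
fn evaluate(prog: &[SockFilter], nr: u32, arch: u32) -> u32 {
    let (mut acc, mut pc) = (0u32, 0usize);
    loop {
        let f = prog[pc];
        pc += 1;
        match f.code {
            LD_W_ABS => acc = [nr, arch][(f.k / 4) as usize], // offset 0 or 4 only
            JEQ_K => pc += usize::from(if acc == f.k { f.jt } else { f.jf }),
            RET_K => return f.k,
            _ => panic!("opcode not used by this filter"),
        }
    }
}

fn main() {
    let prog = build_allowlist(&[0, 1, 60, 231]); // read, write, exit, exit_group
    println!("execve(59) -> {:#010x}", evaluate(&prog, 59, AUDIT_ARCH_X86_64));
}
```

The architecture check comes before the syscall-number comparisons because the same number names a different syscall under another ABI (1 is write on x86_64 but exit on i386), and x32 numbers such as 0x40000001 fall through to the default action because the comparisons are exact.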

Example

let args = omegajail::Args{
  // ...
};
let result = omegajail::jail::Command::new(args).spawn()?.wait()?;
println!("{:?}", result);

About

License: BSD 3-Clause "New" or "Revised" License


Languages

Rust 54.7%, Python 39.3%, Makefile 2.3%, C++ 1.6%, Shell 1.3%, C# 0.2%, Go 0.1%, JavaScript 0.1%, Java 0.1%, Pascal 0.0%, C 0.0%, Kotlin 0.0%, Haskell 0.0%, Lua 0.0%, Ruby 0.0%