This week’s highlighted open-source project aims to make it less burdensome to create sandboxes of C/C++ libraries.
Google open-sourced its Sandboxed API (SAPI) earlier this week and, alongside it, released its core sandboxing project, Sandbox2, as part of the same code base.
Once a security policy has been defined and the library's interface has been described, SAPI generates a stub API that is almost identical to the original library's. Calls to the stub are forwarded over a custom RPC layer to the real library, which runs in a sandboxed environment.
According to Google, each SAPI library runs under its own tightly defined security policy, in contrast to typical sandboxes, whose policies must cover the combined syscall and resource footprint of every library in use.
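The stub-plus-RPC layout and the per-library policy described above, as an added C example that is not Google's code (SAPI and Sandbox2 are real C++ projects; this is a deliberately small model of the idea). It assumes Linux with seccomp-bpf on x86-64 or AArch64, uses a constructed FNV-1a checksum as the "library", and the names `sandboxed_call`, `worker_loop` and `install_policy` are the example's own. The host keeps a stub with the library call's shape and forwards each call over a socketpair to a forked worker; the worker installs an allowlist scoped to exactly what this library needs, so a call that steps outside that contract gets the worker killed rather than the host.

```c
/* Added illustration of the SAPI layout; not Google's code. Host process =
 * stub API, forked worker = the library under a seccomp-bpf allowlist.
 * Assumes Linux on x86-64 or AArch64. */
#define _GNU_SOURCE
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#if defined(__x86_64__)
#define SANDBOX_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SANDBOX_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif

/* The "untrusted library": a constructed FNV-1a checksum standing in for a
 * real parser or decoder that would be sandboxed. */
uint32_t lib_checksum(const uint8_t *buf, size_t len) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < len; i++) { h ^= buf[i]; h *= 16777619u; }
    return h;
}

/* Wire format of the toy RPC layer: fixed-size request and reply. */
enum { OP_CHECKSUM = 1, OP_MISBEHAVE = 2 };
struct request { uint32_t op; uint32_t len; uint8_t data[64]; };
struct reply   { uint32_t value; };

/* Policy scoped to this one library: read/write on the RPC socket and
 * exit_group. Every other syscall (or a foreign arch) kills the worker. */
static int install_policy(void) {
    struct sock_filter filter[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_read, 3, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_write, 2, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_exit_group, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof filter / sizeof filter[0]), .filter = filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Worker side: enable the policy, then serve requests until the host closes
 * the channel. Only read/write/_exit are issued once the filter is active. */
static void worker_loop(int fd) {
    struct request req;
    struct reply rep;
    if (install_policy() != 0) _exit(2);
    for (;;) {
        if (read(fd, &req, sizeof req) != (ssize_t)sizeof req) _exit(0);
        if (req.op == OP_CHECKSUM) {
            size_t n = req.len < sizeof req.data ? req.len : sizeof req.data;
            rep.value = lib_checksum(req.data, n);
        } else {
            /* models a compromised library reaching outside its contract */
            rep.value = (uint32_t)syscall(SYS_getpid);
        }
        if (write(fd, &rep, sizeof rep) != (ssize_t)sizeof rep) _exit(0);
    }
}

/* Host-side stub: same shape as the library call, work done in the worker.
 * Returns 0 on success, -1 on transport failure, -2 if the policy killed
 * the worker (SIGSYS), which is the signal a host would log and alert on. */
int sandboxed_call(uint32_t op, const uint8_t *data, uint32_t len, uint32_t *out) {
    int sv[2], status = 0, rc = -1;
    struct request req;
    struct reply rep;
    if (len > sizeof req.data) return -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(sv[0]); close(sv[1]); return -1; }
    if (pid == 0) { close(sv[0]); worker_loop(sv[1]); _exit(0); }
    close(sv[1]);
    memset(&req, 0, sizeof req);
    req.op = op; req.len = len; memcpy(req.data, data, len);
    if (write(sv[0], &req, sizeof req) == (ssize_t)sizeof req &&
        read(sv[0], &rep, sizeof rep) == (ssize_t)sizeof rep) { *out = rep.value; rc = 0; }
    close(sv[0]);                       /* worker sees EOF and exits cleanly */
    waitpid(pid, &status, 0);
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGSYS) return -2;
    return rc;
}

int main(void) {
    const uint8_t *msg = (const uint8_t *)"hello";
    uint32_t v = 0;
    int rc = sandboxed_call(OP_CHECKSUM, msg, 5, &v);
    printf("checksum rc=%d value=0x%08x local=0x%08x\n", rc, v, lib_checksum(msg, 5));
    printf("misbehave rc=%d (-2: policy killed the worker)\n", sandboxed_call(OP_MISBEHAVE, msg, 5, &v));
    return 0;
}
```

The point to notice is where the allowlist lives: it is written for this library's RPC loop alone, not for the host program, which is what lets the same library be sandboxed once and reused anywhere. Sandbox2 and SAPI do the equivalent with a richer policy language and generated stubs, but the boundary is the same: the worker is the only thing that can be compromised, and a policy violation surfaces to the host as a dead worker rather than a dead process.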
“Many popular software containment tools might not sufficiently isolate the rest of the OS, and those which do, might require time-consuming redefinition of security boundaries for each and every project that should be sandboxed,” Google wrote in a post.
Google created the project with the following motto in mind: “Sandbox once, use anywhere.” It wanted to make the sandboxing process as easy and straightforward as possible.
Though SAPI currently supports only libraries written in C, Google may add more languages in the future. The company also plans to support more operating systems, add new sandboxing technologies, and add CMake support.