The resulting API of the SAPI object is similar to that of the original library. For example, when using zlib, the popular compression library, a code snippet like this compresses a chunk of data (error handling omitted for brevity):

#include <cstdint>
#include <string>

#include <zlib.h>

#include "glog/logging.h"  // CHECK()

void Compress(const std::string& chunk, std::string* out) {
  z_stream zst{};
  constexpr char kZlibVersion[] = "1.2.11";
  CHECK(deflateInit_(&zst, /*level=*/4, kZlibVersion, sizeof(zst)) == Z_OK);

  // zlib's next_in is non-const unless ZLIB_CONST is defined, so the input
  // buffer has to be handed over through a const_cast; deflate() only reads it.
  zst.avail_in = chunk.size();
  zst.next_in = const_cast<uint8_t*>(
      reinterpret_cast<const uint8_t*>(chunk.data()));
  zst.avail_out = out->size();
  zst.next_out = reinterpret_cast<uint8_t*>(&(*out)[0]);
  CHECK(deflate(&zst, Z_FINISH) != Z_STREAM_ERROR);
  // avail_out holds the space left over after deflate(), so the compressed
  // length is the original capacity minus that remainder.
  out->resize(out->size() - zst.avail_out);

  deflateEnd(&zst);
}

Using Sandboxed API, this becomes:

#include <cstdint>
#include <string>

#include <zlib.h>  // Z_OK, Z_FINISH, Z_STREAM_ERROR

#include "absl/base/macros.h"  // ABSL_ARRAYSIZE()
#include "glog/logging.h"      // CHECK()
#include "sandboxed_api/sandbox.h"
#include "sandboxed_api/vars.h"
// Plus the generated zlib SAPI header that declares sapi::zlib::ZlibApi and
// sapi::zlib::zlib_sapi_embed_create(); its name depends on your build rule.

void CompressSapi(const std::string& chunk, std::string* out) {
  sapi::Sandbox sandbox(sapi::zlib::zlib_sapi_embed_create());
  CHECK(sandbox.Init().ok());
  sapi::zlib::ZlibApi api(&sandbox);

  // Local views of the buffers; Allocate() reserves the matching memory inside
  // the sandboxee. The input is only ever copied in, hence the const_cast.
  sapi::v::Array<uint8_t> s_chunk(
      const_cast<uint8_t*>(reinterpret_cast<const uint8_t*>(chunk.data())),
      chunk.size());
  sapi::v::Array<uint8_t> s_out(reinterpret_cast<uint8_t*>(&(*out)[0]),
                                out->size());
  CHECK(sandbox.Allocate(&s_chunk).ok() && sandbox.Allocate(&s_out).ok());
  sapi::v::Struct<sapi::zlib::z_stream> s_zst;
  constexpr char kZlibVersion[] = "1.2.11";
  sapi::v::Array<char> s_version(const_cast<char*>(kZlibVersion),
                                 ABSL_ARRAYSIZE(kZlibVersion));
  // PtrBoth(): the struct is copied into the sandboxee before the call and
  // back out afterwards; PtrBefore(): the version string is only copied in.
  CHECK(api.deflateInit_(s_zst.PtrBoth(), /*level=*/4, s_version.PtrBefore(),
                         sizeof(sapi::zlib::z_stream))
            .ValueOrDie() == Z_OK);

  // The z_stream fields must point at the sandboxee's copies of the buffers,
  // not at our local memory, so the remote addresses are used here.
  CHECK(sandbox.TransferToSandboxee(&s_chunk).ok());
  s_zst.mutable_data()->avail_in = chunk.size();
  s_zst.mutable_data()->next_in = reinterpret_cast<uint8_t*>(s_chunk.GetRemote());
  s_zst.mutable_data()->avail_out = out->size();
  s_zst.mutable_data()->next_out = reinterpret_cast<uint8_t*>(s_out.GetRemote());
  CHECK(api.deflate(s_zst.PtrBoth(), Z_FINISH).ValueOrDie() != Z_STREAM_ERROR);
  CHECK(sandbox.TransferFromSandboxee(&s_out).ok());
  // As in the in-process version: avail_out is the leftover space.
  out->resize(out->size() - s_zst.data().avail_out);

  CHECK(api.deflateEnd(s_zst.PtrBoth()).ok());
}

sudo apt-get install python-typing python-clang-7 libclang-7-dev linux-libc-dev
git clone https://github.com/google/sandboxed-api && cd sandboxed-api
bazel test //sandboxed_api/examples/stringop:main_stringop

Support more operating systems - So far, only Linux is supported. We will look into bringing Sandboxed API to Unix-like systems such as the BSDs (FreeBSD, OpenBSD) and macOS. A Windows port is a bigger undertaking and will require some more groundwork to be done.

New sandboxing technologies - With hardware virtualization becoming almost ubiquitous, confining code into VMs for sandboxing opens up new possibilities.

Build system - Right now, we are using Bazel to build everything, including dependencies. We acknowledge that this is not how everyone will want to use it, so CMake support is high on our priority list.

Spread the word - Use Sandboxed API to secure open source projects. If you want to get involved, this work is also eligible for the Patch Reward Program.

Get involved

We are constantly looking at improving Sandboxed API and Sandbox2 as well as adding more features: supporting more programming runtimes, different operating systems or alternative containment technologies.