StemJail

StemJail is an open-source proof of concept that isolates groups of processes pertaining to the same activity in an environment exposing only the relevant subset of user data. Dynamic activity discovery allows seamless integration into the user workflow. Moreover, StemJail is designed to run without intrusive changes to the system and to be configured and used by any unprivileged user, thanks to Linux user namespaces. Last but not least, StemJail is developed in Rust to help prevent a wide range of recurring security vulnerabilities without compromising performance.

Overview

Presentations

AsiaCCS 2016 (en)

SSTIC 2015 (fr)

Code

fdpass

File descriptor passing through UNIX socket

fd

File descriptor utilities

mnt

Parse mount points

stemflow

Access-control policy engine used by StemJail

stemjail

Evolving jails for user activities

tty

Create and use a pseudoterminal