12 مستودعات
Mechanisms for executing administrative tasks in isolated, secure processes to minimize system attack surfaces.
Distinguishing note: Focuses on process-level security isolation for administrative tasks, distinct from general-purpose authentication or encryption libraries.
Explore 12 awesome GitHub repositories matching security & cryptography · Privileged Process Isolation. Refine with filters or upvote what's useful.
FlClash is a cross-platform proxy client designed to manage network traffic through configurable rules and system-level tunnel integration. It functions as a native system orchestrator, coordinating application lifecycle events and background services across desktop and mobile environments. The application utilizes a modular architecture that enables extensibility through local plugins and foreign function interfaces, allowing for direct interaction with native system libraries. It maintains security by isolating restricted administrative tasks within a privileged helper process, which valida
Executes restricted administrative tasks in a separate secure process to safely manage system network tunnels and core services.
Shizuku is a framework that enables standard mobile applications to interact with restricted system-level interfaces and services. By acting as a bridge between the user space and protected system functions, it allows applications to perform privileged operations that are typically inaccessible due to standard operating system sandbox limitations. The project functions by routing requests through a persistent background service, which facilitates communication with internal system services and remote interfaces. This architecture allows for the execution of system-level tasks and the manageme
Routes restricted system requests through a high-privilege background process to bypass sandbox limitations.
This project serves as a comprehensive technical reference for the architecture and design of data-intensive applications. It provides a structured analysis of the fundamental principles required to build reliable, scalable, and maintainable software systems, covering the core trade-offs inherent in modern data infrastructure. The repository explores the mechanics of distributed data management, including strategies for replication, partitioning, and achieving consensus across multiple nodes. It details the design of storage engines, indexing techniques, and transaction management models, whi
Implements process-level security isolation to minimize system attack surfaces and manage authority.
TrollStore is an application installer for iOS that enables the deployment of unsigned software on restricted mobile devices. By bypassing standard code signature verification and security sandbox requirements, it allows users to install and execute applications that originate from outside official distribution channels. The utility functions as an entitlement injection tool, modifying application metadata during installation to grant elevated system permissions. It achieves this by injecting developer certificates into software bundles and utilizing kernel-level modifications to permit the e
Executes application binaries with elevated system credentials to bypass standard security sandboxes.
Gluetun is a containerized network utility designed to route traffic from multiple Docker containers through a secure virtual private network tunnel. It functions as a network gateway that encapsulates outgoing internet traffic to provide privacy and security for isolated application services. The project distinguishes itself by utilizing Linux network namespaces to isolate container traffic, ensuring that all outgoing packets are forced through a dedicated tunnel interface. It supports both OpenVPN and WireGuard protocols, managing the connection lifecycle and routing logic as a sidecar cont
Executes network configuration tasks in isolated, privileged processes to manage kernel routing tables securely.
Gunicorn is a production-grade WSGI HTTP server designed for deploying Python web applications. It functions as a process manager that utilizes a pre-fork worker model, where a master process initializes the application and spawns multiple child processes to handle incoming requests in parallel. This architecture ensures high performance and stability by isolating application execution within persistent worker processes. The server distinguishes itself through its flexible concurrency models and robust process lifecycle management. It supports interchangeable worker types, including synchrono
Executes worker processes under specific user and group identities to enforce security and minimize attack surfaces.
Win32-OpenSSH is a secure shell suite that provides an OpenSSH port for Windows operating systems. It consists of an SSH server for remote management and authentication, a secure shell client for establishing encrypted connections, and an SFTP server for managing files. The project enables secure remote administration of Windows servers and workstations via a command line interface. It supports encrypted file transfers using SFTP and SCP protocols and allows for cross-platform remote management of Windows systems from Linux or macOS environments. The implementation integrates with Windows se
Uses a privilege-separated process model to isolate the monitor from unprivileged child processes for increased security.
gosu هو مبدل هوية مستخدم قائم على Go ومغلف عملية مصمم لتنفيذ الأوامر تحت هوية مستخدم ومجموعة محددة. يعمل كملف ثنائي خفيف الوزن لتبديل هويات المستخدم وإعادة توجيه الإشارات قبل تنفيذ عملية مستهدفة. تركز الأداة على تحسين نقطة دخول الحاوية وإدارة المستخدم داخل حاويات Docker. وتتيح تنفيذ العمليات كمستخدمين غير جذريين (non-root) مع ضمان وصول إشارات نظام التشغيل إلى العملية الفرعية وتأسيس الأمر المستهدف كعملية أساسية. تدير الأداة تبديل هوية عملية Linux وتنفيذ العمليات ذات الامتيازات. وتستخدم استدعاءات النظام لتبديل الهوية وتوفر توريث التدفق القياسي لربط العملية المستهدفة بتدفقات الإدخال والإخراج الموجودة.
Executes binaries with specific user/group credentials while ensuring proper environment variable inheritance.
sudo-rs هي أداة نظام منخفضة المستوى ومنفذ أوامر مميز مكتوب بلغة Rust. توفر تنفيذاً آمناً للذاكرة لـ sudo وsu لتشغيل البرامج بصلاحيات المستخدم الخارق أو مستخدم بديل وتبديل صلاحيات الجلسة إلى هويات مستخدمين محليين آخرين. يتكامل المشروع مع وحدات أمان النواة ليعمل كمشغل عمليات في بيئة معزولة (sandboxed)، مما يقيد موارد النظام وقدرات العمليات أثناء التنفيذ. تتضمن الأداة دعماً لترجمة النظام متعدد اللغات، باستخدام كتالوجات رسائل مجمعة لتوفير نصوص واجهة مستخدم مترجمة بناءً على لغة النظام.
Provides mechanisms to spawn new system processes with elevated root-level credentials by altering user and group IDs.
This project is a containerized Linux desktop streamer that renders a full operating system interface in a web browser using encoded video streams. It allows for remote access to various Linux distributions and serves as a platform for browser-based application hosting. The system supports GPU acceleration via KVM and direct hardware passthrough to enable low-latency graphics rendering and video encoding. It also features volume mapping for home directory persistence, ensuring that user data and portable applications survive environment updates. Additional capabilities include the creation o
Creates a secure kiosk environment by disabling terminal and sudo access.
Kore is an event-driven web and WebSocket server framework designed for building high-performance web services and APIs in C or Python. It functions as a secure, concurrent application framework that utilizes non-blocking I/O and isolated worker processes to handle high-concurrency traffic. The project is distinguished by a security-first architecture that features OS-level process sandboxing, privilege separation, and the isolation of private encryption keys into dedicated processes. It enables zero-downtime deployments through dynamic module hot-reloading and provides automated TLS certific
Isolates private encryption keys into dedicated processes to prevent compromise of the primary worker processes.
TizenTubeCobalt is a third-party YouTube client and ad-blocking video player developed for the Tizen operating system. It functions as a Tizen OS application that bridges native C++ functions with JavaScript execution to provide a customized media experience on smart TVs. The application distinguishes itself through advanced content filtering and playback optimizations. It removes video advertisements and uses community-sourced data to automatically skip sponsored segments. Additionally, it includes a video content filter to remove clickbait titles and misleading thumbnails. The project cove
Utilizes operating system primitives to restrict process privileges and isolate sensitive operations from the main application.