Sandboxing processes
Yesterday, my interest in sandboxing a program I didn't fully trust finally surpassed my laziness to look at namespaces again. After a few hours of coding, I had a small script that uses unshare to encapsulate the newly launched process in new namespaces of all kinds (not much work there) and hardens the filesystem so that, effectively (and hopefully), the only writable persistent directory is $PWD, the process sees a minimal /dev, and it gets fresh copies of the temporary filesystems. In case you are interested in the script, here it is:
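The following is an added example of the approach described above, written for this page and not the author's own script. It assumes a util-linux unshare that supports --map-root-user and a kernel that allows unprivileged user namespaces; the function names (unshare_flags, keep_writable, sandbox_inner, sandbox_run) and the list of device nodes are choices made here. Stage 1 re-executes the script through unshare; stage 2 runs inside the new namespaces as namespace-root, binds the work directory onto itself, mounts a fresh tmpfs on /tmp, assembles a minimal /dev out of bind mounts, and then remounts every other mount point read-only.

```shell
#!/bin/sh
# Added example, not the post's own script: an unshare(1)-based sandbox
# launcher. Assumes util-linux unshare with --map-root-user and a kernel
# permitting unprivileged user namespaces.
# Usage:  sh sandbox.sh run <command> [args...]
# The command then sees $PWD as the only writable persistent directory,
# a fresh tmpfs on /tmp, a minimal /dev and no network.

# Namespaces requested from unshare: user (so we may mount without real
# root), mount, pid (with fork and a fresh /proc), net, ipc and uts.
unshare_flags() {
    printf '%s' '--user --map-root-user --mount --pid --fork --mount-proc --net --ipc --uts'
}

# Decide whether a mount point stays writable inside the sandbox.
# True (0) for the work directory and anything below it, the fresh /tmp
# and /dev, and /proc; everything else is remounted read-only.
keep_writable() {
    kw_mp=$1; kw_work=$2
    case "$kw_mp" in
        "$kw_work"|"$kw_work"/*|/tmp|/tmp/*|/dev|/dev/*|/proc|/proc/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Device nodes bind-mounted from the host into the private /dev (a choice
# made for this example; extend as the sandboxed program needs).
DEV_NODES='null zero full random urandom tty'

# Stage 2: runs inside the new namespaces as namespace-root.
sandbox_inner() {
    work=$1; shift
    set -e
    # Keep every mount change private to this mount namespace.
    mount --make-rprivate /
    # Bind the work directory onto itself so it is a separate, still
    # writable mount after the read-only sweep below.
    mount --bind "$work" "$work"
    # Fresh, empty, non-persistent /tmp.
    mount -t tmpfs -o nosuid,nodev,mode=1777 tmpfs /tmp
    # Minimal /dev: build it on a tmpfs under /tmp (mknod is not allowed in
    # a user namespace, bind mounts are), then move the tree over /dev.
    mkdir /tmp/.dev
    mount -t tmpfs -o nosuid,noexec,mode=755 tmpfs /tmp/.dev
    for d in $DEV_NODES; do
        touch "/tmp/.dev/$d"
        mount --bind "/dev/$d" "/tmp/.dev/$d"
    done
    mkdir -m 1777 /tmp/.dev/shm
    mount --move /tmp/.dev /dev
    # Read-only sweep. The list is captured first so the loop does not read
    # /proc/self/mounts while it is being changed. A remount can fail when
    # the parent namespace locked the flags; report it rather than hide it.
    mounts=$(awk '{ print $2 }' /proc/self/mounts)
    for mp in $mounts; do
        keep_writable "$mp" "$work" && continue
        mount -o remount,bind,ro "$mp" 2>/dev/null ||
            echo "sandbox: could not make $mp read-only" >&2
    done
    cd "$work"
    exec env -i HOME="$work" PATH=/usr/bin:/bin TERM="${TERM:-dumb}" "$@"
}

# Stage 1: run on the host; re-executes this script inside new namespaces.
sandbox_run() {
    work=$1; shift
    [ $# -gt 0 ] || { echo "usage: sh $0 run <command> [args...]" >&2; return 2; }
    # The flag string is split on whitespace on purpose.
    exec unshare $(unshare_flags) -- sh "$0" --inner "$work" "$@"
}

case "${1:-}" in
    run)     shift; sandbox_run "$PWD" "$@" ;;
    --inner) shift; sandbox_inner "$@" ;;
esac
```

Two caveats worth knowing before relying on this: the sandboxed process is still "root" inside its user namespace and keeps the capabilities that implies there, and a mount the parent namespace already had read-only cannot have its flags changed from inside, which is why the sweep reports failures instead of silently continuing.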
I'm always open to feedback, either via e-mail or on GitHub!