Sandboxing processes
13 January 2016
Yesterday, my interest in sandboxing a program I didn’t fully trust finally surpassed my laziness to look at namespaces again. And after a few hours of coding, I created a small script that uses unshare to encapsulate the newly launched process in new namespaces of all kinds (not much work there) and hardens the filesystem so that effectively (hopefully) the only writable persistent directory is $PWD, the process sees a minimal /dev, and it gets fresh copies of temporary filesystems. In case you are interested in the script, here it is:
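The script itself is not reproduced on this page. What follows is an added example of the same approach, written for this page and not the author's code: stage 1 re-executes the script inside new namespaces via unshare, stage 2 builds a root in which the host directories are bind-mounted read-only, /tmp is a fresh tmpfs, /dev holds only a handful of bind-mounted nodes, and $PWD is the only writable persistent directory. It assumes util-linux unshare with --map-root-user, a conventional FHS layout, and coreutils chroot; the directory list, device list, and the SANDBOX_DRY_RUN switch are my own choices.

```shell
#!/bin/sh
# Added example (not the author's script): run a command inside fresh user, mount, PID,
# UTS, IPC and network namespaces, then give it a root where only $PWD stays writable.
# Assumes util-linux unshare with --map-root-user and a conventional FHS host layout.
set -eu

RO_DIRS="bin etc lib lib32 lib64 sbin usr"   # exposed read-only; missing ones are skipped
DEV_NODES="null zero random urandom tty"     # the only device nodes the process will see

# Perform a step, or only print it when SANDBOX_DRY_RUN=1 (lets the plan be inspected).
run() {
    if [ "${SANDBOX_DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Stage 2 helper: assemble the new root at $1 and expose $2 (the caller's $PWD) read-write.
build_root() {
    root=$1; work=$2
    run mount -t tmpfs -o mode=755 tmpfs "$root"
    for d in $RO_DIRS; do
        [ -d "/$d" ] || continue
        run mkdir -p "$root/$d"
        run mount --bind -o ro "/$d" "$root/$d"   # bind, then remount read-only
    done
    run mkdir -p "$root/tmp" "$root/dev" "$root/proc" "$root$work"
    run mount -t tmpfs -o mode=1777 tmpfs "$root/tmp"   # fresh, empty /tmp
    run mount -t tmpfs -o mode=755 tmpfs "$root/dev"    # minimal /dev, populated below
    for n in $DEV_NODES; do         # mknod is refused in a user namespace,
        run touch "$root/dev/$n"    # so bind-mount the host's nodes instead
        run mount --bind "/dev/$n" "$root/dev/$n"
    done
    run mount -t proc proc "$root/proc"     # /proc of the new PID namespace
    run mount --bind "$work" "$root$work"   # the only writable persistent directory
}

main() {
    if [ "${SANDBOX_STAGE:-1}" = 1 ]; then
        # Stage 1: re-exec inside new namespaces; --map-root-user makes us uid 0 there,
        # which is what permits the mounts in stage 2 without real privileges.
        export SANDBOX_STAGE=2
        exec unshare --user --map-root-user --mount --pid --fork --uts --ipc --net "$0" "$@"
    fi
    root=$(mktemp -d)   # mounts made here die with the namespace; the empty dir remains
    build_root "$root" "$PWD"
    exec chroot "$root" /bin/sh -c 'cd "$1" && shift && exec "$@"' sh "$PWD" "$@"
}

if [ $# -gt 0 ]; then main "$@"; fi   # e.g.: ./sandbox.sh ./untrusted-tool --flag
```

Because the bind mounts live in the new mount namespace, nothing on the host changes; --net gives the process a network namespace with no interfaces, so drop it if the program needs network access.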
I’m always open for feedback, either via e-mail or on GitHub!