[oss] Mbox: practical and effective sandboxing for non-root users

Lucian Mogosanu lucian.mogosanu at gmail.com
Tue Feb 11 10:14:27 EET 2014


Hi,

As a continuation to the seccomp API [1], I've stumbled upon Mbox [2], a
sandboxing application based on seccomp and/or ptrace.

Its main advantage seems to be creating sandboxes on the fly, some audit
features for applications running inside the sandbox (for files and
sockets) and the ability to commit changes back to the host file-system.
The application's interface is also a lot friendlier than seccomp's. My
favourite use case is creating sandboxed development environments for
various packaging systems (e.g. PIP, Cabal).

There are also a paper and some slides on the bottom of Mbox's page [2],
I highly recommend taking a look if you're interested in the subject.

[1]: http://ocw.cs.pub.ro/courses/cns/labs/lab-10#seccomp_1p
[2]: http://pdos.csail.mit.edu/mbox/

Lucian


More information about the oss mailing list