[oss] Mbox: practical and effective sandboxing for non-root users

Razvan Deaconescu razvan.deaconescu at cs.pub.ro
Tue Feb 11 10:24:07 EET 2014


Lucian Mogosanu <lucian.mogosanu at gmail.com> writes:
> Hi,
>
> As a continuation to the seccomp API [1], I've stumbled upon Mbox [2], a
> sandboxing application based on seccomp and/or ptrace.
>
> Its main advantage seems to be creating sandboxes on the fly, some audit
> features for applications running inside the sandbox (for files and
> sockets) and the ability to commit changes back to the host file-system.
> The application's interface is also a lot friendlier than seccomp's. My
> favourite use case is creating sandboxed development environments for
> various packaging systems (e.g. PIP, Cabal).
>
> There are also a paper and some slides on the bottom of Mbox's page [2],
> I highly recommend taking a look if you're interested in the subject.
>
> [1]: http://ocw.cs.pub.ro/courses/cns/labs/lab-10#seccomp_1p
> [2]: http://pdos.csail.mit.edu/mbox/

This looks nice. We may consider it for next year, though we talked
about ditching the defense part and focus on web and network security
topics.

Razvan


More information about the oss mailing list