Sandboxing untrusted code is useful when you have to rely on third-party software for which you don't have access to the source code, or you don't have the resources to perform a source code assessment. Sandboxing can also be useful as an additional security boundary for your own code.
Sandbox2 is an open-source C++ security sandbox for Linux written by security engineers at Google. With Sandbox2 you can restrict the runtime environment of a process to the minimum required for its legitimate operations, thus limiting the impact of potential code execution vulnerabilities.
Sandbox2 can be used to sandbox entire programs or portions of programs written in C/C++.
Sandbox2 Explained — Describes Sandbox2's underlying technology and architecture.
Getting Started — Provides guidance helping you implement your own Sandbox2 sandbox.
Examples — Provides examples demonstrating how to use Sandbox2 in different scenarios and how to write policies.
FAQ — Addresses frequent queries regarding Sandbox2.
Sandbox2 is part of Sandboxed API (SAPI). You can download the source code from: https://github.com/google/sandboxed-api/tree/main/sandboxed_api/sandbox2.