Sometimes, a piece of code carries a lot of security risk. Examples include:
- Commercial binary-only code to do document parsing. Document parsing often
goes wrong, and binary-only means no opportunity to fix it up.
- A web browser's core HTML parsing and rendering. This is such a large amount
of code that there will be security bugs.
- A JavaScript engine in Java. Accidents here would permit arbitrary calls to
Java methods.
Where a piece of code is very risky, and directly exposed to untrusted users
and untrusted input, it is sometimes desirable to sandbox this code. The hardest
thing about sandboxing is making the call whether the risk warrants the effort
to sandbox.
There are many approaches to sandboxing, including virtualization, jail
environments, network segregation and restricting the permissions code runs
with. This page covers technologies available to do the latter: restrict the
permission code runs with. See the following depending on which technology you
are using:
General Sandboxing
| Project/technology |
Description |
| Sandbox2
|
Linux sandboxing using
namespaces, resource limits and
seccomp-bpf syscall filters.
Provides the underlying
sandboxing technology for
Sandboxed API. |
| gVisor
|
Uses hardware virtualization
and a small syscall emulation
layer implemented in Go. |
| Project/technology |
Description |
| Firejail |
Lightweight sandboxing tool implemented as a SUID program with minimal dependencies. |
| Minijail |
The sandboxing and containment tool used in Chrome OS and Android. Provides an executable and a library that can be used to launch and sandbox other programs and code. |
| NSJail |
Process isolation for Linux using namespaces, resource limits and seccomp-bpf syscall filters. Can optionally make use of Kafel, a custom domain specific language, for specifying syscall policies. |
C/C++
| Project/technology |
Description |
| Sandboxed API
|
Reusable sandboxes for C/C++ libraries using
Sandbox2. |
| (Portable) Native Client
|
(Deprecated) Powerful technique to sandbox
C/C++ binaries by compiling to a restricted
subset of x86 (NaCl)/LLVM bytecode (PNaCl). |
Graphical/Desktop Applications
| Project/technology |
Description |
| Flatpak |
Built on top of Bubblewrap, provides sandboxing for Linux desktop applications. Puts an emphasis on packaging and distribution of native apps. |