Sandboxing Code

Sometimes, a piece of code carries a lot of security risk. Examples include:

  • Commercial binary-only code to do document parsing. Document parsing often goes wrong, and binary-only means no opportunity to fix it up.
  • A web browser's core HTML parsing and rendering. This is such a large amount of code that there will be security bugs.
  • A JavaScript engine in Java. Accidents here would permit arbitrary calls to Java methods.

Where a piece of code is very risky, and directly exposed to untrusted users and untrusted input, it is sometimes desirable to sandbox this code. The hardest thing about sandboxing is making the call whether the risk warrants the effort to sandbox.

There are many approaches to sandboxing, including virtualization, jail environments, network segregation and restricting the permissions code runs with. This page covers technologies available to do the latter: restrict the permission code runs with. See the following depending on which technology you are using:

General Sandboxing

Project/technology Description
Sandbox2 Linux sandboxing using namespaces, resource limits and seccomp-bpf syscall filters. Provides the underlying sandboxing technology for Sandboxed API.
gVisor Uses hardware virtualization and a small syscall emulation layer implemented in Go.

Sandbox command-line tools

Project/technology Description
Firejail Lightweight sandboxing tool implemented as a SUID program with minimal dependencies.
Minijail The sandboxing and containment tool used in Chrome OS and Android. Provides an executable and a library that can be used to launch and sandbox other programs and code.
NSJail Process isolation for Linux using namespaces, resource limits and seccomp-bpf syscall filters. Can optionally make use of Kafel, a custom domain specific language, for specifying syscall policies.

C/C++

Project/technology Description
Sandboxed API Reusable sandboxes for C/C++ libraries using Sandbox2.
(Portable) Native Client (Deprecated) Powerful technique to sandbox C/C++ binaries by compiling to a restricted subset of x86 (NaCl)/LLVM bytecode (PNaCl).

Graphical/Desktop Applications

Project/technology Description
Flatpak Built on top of Bubblewrap, provides sandboxing for Linux desktop applications. Puts an emphasis on packaging and distribution of native apps.