Notes; may be updated in future.
Sandbox In Linux
File system isolation
chroot jail
chroot(1): the /usr/bin/chroot command; chroot(2): the system call, exposed by glibc as a wrapper function
chroot(1): chroot - run command or interactive shell with special root directory
  chroot [OPTION] NEWROOT [COMMAND [ARG]...]
chroot(2): chroot - change root directory
  int chroot(const char *path);
chroot only changes the process's view of the filesystem root. It is not a security feature on its own: a chroot jail can be escaped, e.g. with the chw00t tool.
restricted bash
If bash is started with the name rbash, or the -r option is supplied at invocation, the shell becomes restricted. A restricted shell is used to set up an environment more controlled than the standard shell.
Many tricks exist to bypass rbash; it is usually used together with chroot.
Process monitor
ptrace
ptrace is a system call. The tracer process has full control over the tracee.
seccomp
seccomp (short for secure computing mode) is a computer security facility in the Linux kernel. seccomp allows a process to make a one-way transition into a "secure" state where it can only make user-configured system calls.
Container
- LXC: LXC combines the kernel's cgroups and support for isolated namespaces to provide an isolated environment for applications.
- Docker: Docker containers are very similar to LXC containers, and they have similar security features. When you start a container with docker run, behind the scenes Docker creates a set of namespaces and control groups for the container.
Resource isolation: based on cgroups
Control isolation: based on namespaces
Control Hijack (hook)
Library hook (e.g. a preloaded shared library, as EasySandbox does)
http://stackoverflow.com/a/27735456/2737403
https://github.com/daveho/EasySandbox