maybe update in future

Sandbox In Linux

File system isolation

chroot jail

chroot(1): /usr/bin/chroot ; chroot(2): a function of glibc

chroot(1) chroot - run command or interactive shell with special root directory chroot [OPTION] NEWROOT [COMMAND [ARG]…]

chroot(2) chroot - change root directory int chroot(const char *path);

chroot is in order to change fs root. however, it’s not a secure feature. It could be escape via this tool(chw00t).

restricted bash

If bash is started with the name rbash, or the -r option is supplied at invocation, the shell becomes restricted. A restricted shell is used to set up an environment more controlled than the standard shell.

much tricks to bypass rbash, it’s always with the chroot

Process monitor


ptrace is a syscall. tracer process have the whole control of the tracee.


seccomp (short for secure computing mode) is a computer security facility in the Linux kernel. seccomp allows a process to make a one-way transition into a “secure” state where it can only make user configured system calls


  • LXC:

    LXC combines the kernel’s cgroups and support for isolated namespaces to provide an isolated environment for applications

  • Docker

    Docker containers are very similar to LXC containers, and they have similar security features. When you start a container with docker run, behind the scenes Docker creates a set of namespaces and control groups for the container.

resources isolation

based on Cgroup

control isolation

based on namespace

Control Hijack (hook)

Lib hook

vm hook

syscall hook