maybe update in future
Sandbox In Linux
File system isolation
chroot(1): /usr/bin/chroot ; chroot(2): a function of glibc
chroot(1) chroot - run command or interactive shell with special root directory chroot [OPTION] NEWROOT [COMMAND [ARG]…]
chroot(2) chroot - change root directory int chroot(const char *path);
chroot is in order to change fs root. however, it’s not a secure feature. It could be escape via this tool(chw00t).
If bash is started with the name rbash, or the -r option is supplied at invocation, the shell becomes restricted. A restricted shell is used to set up an environment more controlled than the standard shell.
much tricks to bypass rbash, it’s always with the chroot
ptrace is a syscall. tracer process have the whole control of the tracee.
seccomp (short for secure computing mode) is a computer security facility in the Linux kernel. seccomp allows a process to make a one-way transition into a “secure” state where it can only make user configured system calls
LXC combines the kernel’s cgroups and support for isolated namespaces to provide an isolated environment for applications
Docker containers are very similar to LXC containers, and they have similar security features. When you start a container with docker run, behind the scenes Docker creates a set of namespaces and control groups for the container.
based on Cgroup
based on namespace