[clug] Process sandboxing

Daniel Black daniel.subs at internode.on.net
Tue Jul 19 00:24:14 MDT 2011


On Thu, 14 Jul 2011 01:43:34 PM jm wrote:
> Anyone have any thoughts on sandboxing a process on linux? I was
> originally thinking of using chroot, but this still leaves network
> access and a few other holes open. The objective is to allow untrusted
> third parties to upload scripts to a server for it to run with the only
> way to communicate out being via functions I provide.

> It seems all the
> most common scripting languages make it nearly impossible to easily
> remove/limit functionality from the language.

Agree.

> So the overhead of going
> that way would be a killer most likely involving modifying the
> interpreter for each language used. The alternative would be to get the
> OS to limit what the scripts can do.

Like SELinux permission associated with network applied to the processes.
Allowed communication could be through an allowed proxy or other processes
running in a different context.
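A minimal SELinux policy module along these lines, added here as an illustration and not code from the thread. The reference-policy interfaces and types it relies on (policy_module, domain_type, domain_entry_file, domain_auto_trans, corecmd_exec_bin, the perm-set macros, unconfined_t) are assumed to exist in the installed policy; the untrusted_script_* and script_proxy_* names are invented for the example.

```selinux
# Added example, not from the thread: a domain for uploaded scripts that
# has no network access at all and can talk only to a broker process
# (the "functions I provide") over a unix socket. Names are assumed.
policy_module(untrusted_script, 1.0.0)

require { type unconfined_t; }

# Declarations
type untrusted_script_t;        # domain the uploaded scripts run in
type untrusted_script_exec_t;   # label on the wrapper that launches them
type untrusted_script_data_t;   # scratch files the scripts may touch
type script_proxy_t;            # domain of the broker, runs in its own context
type script_proxy_sock_t;       # label on the broker's unix socket file

domain_type(untrusted_script_t)
domain_entry_file(untrusted_script_t, untrusted_script_exec_t)
domain_type(script_proxy_t)
files_type(untrusted_script_data_t)
files_type(script_proxy_sock_t)

# Launching the wrapper from the (assumed unconfined) runner lands the
# child in untrusted_script_t automatically.
domain_auto_trans(unconfined_t, untrusted_script_exec_t, untrusted_script_t)

# What the sandbox may do: run an interpreter from the usual binary
# directories and work inside its own scratch directory, nothing else.
corecmd_exec_bin(untrusted_script_t)
allow untrusted_script_t untrusted_script_data_t:dir  manage_dir_perms;
allow untrusted_script_t untrusted_script_data_t:file manage_file_perms;

# Network: SELinux denies whatever is not allowed, and no rule above
# grants any network socket. The neverallow turns that intent into a
# build-time check so a later "convenience" rule cannot reopen it.
neverallow untrusted_script_t self:{ tcp_socket udp_socket rawip_socket
                                     packet_socket netlink_socket } create;

# The one way out: a unix stream socket served by the broker domain.
allow untrusted_script_t self:unix_stream_socket create_stream_socket_perms;
allow untrusted_script_t script_proxy_sock_t:sock_file write;
allow untrusted_script_t script_proxy_t:unix_stream_socket connectto;
```

The broker's socket file needs a matching file context entry (a .fc line mapping its path to script_proxy_sock_t) and the broker itself needs its own allow rules; the point of the split is that any outbound reach lives in script_proxy_t, where it can be audited, rather than in the script's domain.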
