sandbox is a minimalist, auditable, and hackable C program that builds a chrooted Linux environment around a target binary or a minimal shell environment, isolating execution in dedicated namespaces with tight controls on filesystem, user privileges, and process capabilities.
- Builds minimal chroot environments for a binary or a shell session
- Isolates with Linux namespaces: mount, PID, UTS (hostname)
- Drops all Linux capabilities using libcap
- Optionally drops to the unprivileged nobody user (--user)
- Supports tracing with strace (--trace)
- Auto-copies required dynamic libraries with ldd
- Extensible: add extra files with --extras <file>
- Auto-populates /etc/passwd and /etc/group as needed
- Wipes environment variables for safety
- Less than 1000 lines, easy to audit and extend
usage:
sudo ./sandbox <rootfs> [<target-binary>] [--user] [--extras <file>] [--trace <args...>]
- Minimal shell sandbox:
  sudo ./sandbox /tmp/mychroot
  Drops you into /bin/sh with essential tools (ls, cat, ...).
- Run a specific binary:
  sudo ./sandbox /tmp/mychroot /usr/bin/ls
- Trace a binary (copies all files accessed during the run):
  sudo ./sandbox /tmp/mychroot /usr/bin/curl --trace "https://example.com"
- Sandbox as unprivileged user (nobody):
  sudo ./sandbox /tmp/mychroot --user
  Not compatible with --trace.
- Add extra files:
  sudo ./sandbox /tmp/mychroot --extras extras.txt
  extras.txt contains a list of absolute file paths, one per line.
how it works:
- Creates a new mount, PID, and UTS namespace
- Builds up a new root filesystem (<rootfs>) with essential binaries/libraries
- Optionally copies a target binary and its dependencies
- Optionally adds files specified in --extras
- Optionally traces the binary with strace to discover runtime file dependencies
- Optionally switches to UID/GID 65534 (nobody)
- Drops all Linux capabilities and wipes environment variables
- Executes /bin/sh (or the target) inside the chroot
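The sequence above, condensed into an added example that is not the project's own code: it assumes the rootfs has already been populated (binaries, ldd libraries, /etc/passwd), uses the raw capset(2) syscall instead of libcap so it builds without -lcap, and hard-codes the hostname "sandbox", the PATH value and the exit codes 126/127. enter_sandbox needs root; the two helpers run unprivileged.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <linux/capability.h>
#include <linux/sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
/* Clear the permitted, effective and inheritable sets with raw capset(2)
 * (the project uses libcap; this is the dependency-free equivalent). */
int drop_all_capabilities(void) {
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    memset(data, 0, sizeof data);
    return (int)syscall(SYS_capset, &hdr, data);
}
/* Returns 1 if CapEff in /proc/self/status is all zero, 0 if not, -1 on error. */
int effective_caps_empty(void) {
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    char line[256]; int empty = -1;
    while (fgets(line, sizeof line, f)) {
        unsigned long long v;
        if (sscanf(line, "CapEff: %llx", &v) == 1) { empty = (v == 0); break; }
    }
    fclose(f);
    return empty;
}
/* Replace the whole environment with a single safe PATH (assumed value). */
int wipe_environment(void) {
    if (clearenv() != 0) return -1;
    return setenv("PATH", "/bin:/usr/bin", 1);
}
/* New mount/PID/UTS namespaces, chroot into the prepared rootfs, optionally
 * switch to nobody (65534), drop caps, wipe env, exec. Returns the exit code. */
int enter_sandbox(const char *rootfs, char *const argv[], int as_nobody) {
    if (syscall(SYS_unshare, CLONE_NEWNS | CLONE_NEWPID | CLONE_NEWUTS) != 0) return -1;
    pid_t pid = fork();                 /* the child becomes PID 1 of the new namespace */
    if (pid < 0) return -1;
    if (pid > 0) { int st; return (waitpid(pid, &st, 0) < 0 || !WIFEXITED(st)) ? -1 : WEXITSTATUS(st); }
    if (sethostname("sandbox", 7) != 0 || chroot(rootfs) != 0 || chdir("/") != 0) _exit(126);
    if (as_nobody && (setgroups(0, NULL) != 0 || setgid(65534) != 0 || setuid(65534) != 0)) _exit(126);
    if (drop_all_capabilities() != 0 || wipe_environment() != 0) _exit(126);
    execv(argv[0], argv);              /* argv[0] is a path inside the chroot, e.g. /bin/sh */
    _exit(127);
}
```

Order matters: the uid/gid switch happens before the capability drop, because setgroups/setgid/setuid themselves need CAP_SETGID/CAP_SETUID.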
security notes:
- Namespaces isolate the filesystem, process IDs, and hostname from the host
- Capabilities are dropped, so even root inside the sandbox is powerless
- No environment variables (except a safe PATH)
- User nobody: further restricts privilege for untrusted code (unless tracing)
- No seccomp: intentionally left out for simplicity (easy to add)
- Not a container runtime, but a tight, auditable educational sandbox
- For maximum isolation, use on a dedicated VM or test system
- If running untrusted code, combine with system-level controls (AppArmor, SELinux, VM isolation)
Build and run a minimal shell sandbox:
sudo ./sandbox /tmp/sandbox-root
# You are now in a sandboxed /bin/sh
Run a binary with a minimal rootfs:
sudo ./sandbox /tmp/sandbox-root /usr/bin/wc
limitations:
- Only works on Linux with root (needs namespaces, chroot, mounts)
- No seccomp syscall filtering
- No cgroup or resource limiting
- No user namespace yet (for rootless operation)
Pull requests and feature requests are welcome!
File issues or send PRs on GitHub.
This tool is for research purposes.
Do not rely on it for strong security isolation of malicious code in production environments.