3

I would like to download/compile/run various C/C++ libraries from the net. These are mostly half-baked, obscure and/or abandoned projects, some of them from questionable sources. How can I ensure that they run in a safe "sandbox" type of environment? I mean that they don't touch filesystem/network resources. They should only return values for function calls I make to them.

Preferably a solution for both Win/Linux, but at least for Linux.

5

2 Answers

7

For Linux, this is an ideal workload for a container. You can do this simply using Docker (http://docker.io). This enables containers to be easily created and destroyed in a matter of seconds - far quicker than a VM.

For Windows, you are stuck using a VM as far as I know.

1
  • I am not sure, but isn't CAMEYO something similar on Windows? cameyo.com
    – Devid
    Commented May 19, 2014 at 11:41
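
An added example, not part of the answer above: a plain `docker run` still gives the container a network interface and a writable root filesystem, so the functions below add the flags that remove both and drop root and capabilities, then check the result from inside the container. The image name, the `/harness` path and the presence of `sh` in the image are assumptions.

```shell
#!/bin/sh
# Added example. Assumptions: the image was built beforehand (with network,
# to fetch and compile the library), contains `sh`, and the harness path
# and image name in the usage line are placeholders.

# Flags, one per line, that remove what a default container still has:
# network, writable root filesystem, root uid (65534 is conventionally
# "nobody"), capabilities.
sandbox_flags() {
    cat <<'EOF'
--rm
--network=none
--read-only
--user=65534:65534
--cap-drop=ALL
--security-opt=no-new-privileges
--pids-limit=64
--memory=256m
--tmpfs=/tmp:rw,noexec,nosuid,size=16m
EOF
}

# run_sandboxed IMAGE CMD...: run CMD in IMAGE with the flags above.
run_sandboxed() {
    image=$1
    shift
    # The flags contain no whitespace or glob characters, so the
    # unquoted expansion splits into exactly one word per flag.
    docker run $(sandbox_flags) "$image" "$@"
}

# check_sandbox IMAGE: succeed only if, inside the container, writing to
# the root filesystem fails and loopback is the only network interface.
check_sandbox() {
    run_sandboxed "$1" sh -c '
        if touch /probe 2>/dev/null; then
            echo "root filesystem is writable" >&2; exit 1
        fi
        extra=$(ls /sys/class/net | grep -vx lo || true)
        if [ -n "$extra" ]; then
            echo "network interface present: $extra" >&2; exit 1
        fi
    '
}

# Usage: check_sandbox untrusted-lib:latest &&
#        run_sandboxed untrusted-lib:latest /harness 2 3
```

The container shares the host kernel, so the kernel-vulnerability condition stated in the other answer applies to this setup as well.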
0

Running the software as an unprivileged user is usually enough, unless you're using a kernel which is vulnerable to root escalation.

sudo adduser SandBoxGuy
sudo passwd SandBoxGuy

Now log in as SandBoxGuy and run your software; the software will not be able to access the files of other users or do any damage outside of the SandBoxGuy user's directory.

All that assumes that your kernel is not vulnerable to root escalation.

A bigger answer can be found here. It was written with the Raspberry Pi + Xserver in mind but it more or less suits any Linux system.

1
  • That other user would still be able to read files, which might not be what the OP wants.
    – Kritzefitz
    Commented Sep 30, 2016 at 5:54
