https://github.com/shawwwn/sbox

A shell script implementation of docker
https://github.com/shawwwn/sbox

container docker linux namespace sandbox

Last synced: 5 months ago
JSON representation

A shell script implementation of docker

• Host: GitHub
• URL: https://github.com/shawwwn/sbox
• Owner: shawwwn
• License: mit
• Created: 2019-07-31T10:49:05.000Z (almost 7 years ago)
• Default Branch: master
• Last Pushed: 2019-10-29T12:06:50.000Z (over 6 years ago)
• Last Synced: 2024-12-29T20:32:46.984Z (over 1 year ago)
• Topics: container, docker, linux, namespace, sandbox
• Language: C
• Homepage:
• Size: 157 KB
• Stars: 4
• Watchers: 2
• Forks: 0
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

          
# sBox

Run programs in a sandbox environment without writting to rootfs.



```bash

# sbox bash

Create new container "default" with snapshot at /tmp/sbox/default/snapshot

assigned ip 192.168.50.2 for sandbox

Enter container "default":

# pwd

/root

# ls

# mkdir xxxx          # create directory in sandbox

# cd xxxx/

# touch TEST          # create file in sandbox

#

# exit

exit

dirty

└── root

    ├── .bash_history

    └── xxxx

        └── TEST

2 directories, 2 files

36K data generated.

> Commit changes to snapshot? [Y/n] y

commited to /tmp/sbox/default/snapshot

Snapshot size 36K (1 files, 1 directories).

> Merge snapshot with local filesystem? [N/y] n

Abort.

#

# pwd

/root

# ls                  # nothing gets written to our rootfs

```

## Description:

Programs run in **sBox** still have access to your rootfs except all modifications to file system will be cached. You may chose to merge these changes on exit.

In addition, **sBox** is capable of doing the following:

- [x] Namespaces

    - [x] Internet Access

    - [x] Mount Points

    - [x] PID (process view)

    - [x] IPC (shared memory between processes)

    - [x] UTS (hostname)

    - [x] CGroup

- [x] CGroup Integration (cgroup controllers on sandbox main process)

- [x] Seccomp(syscall) Blacklist

- [x] Capability Blacklist

- [x] AppArmor Integration (profile per sandbox)

The [default sercurity profile](docs/sbox.md#note) of **sBox** can be a bit aggressive, you may want to tone it down if your program fails to run.

## Installation:

```bash

# dependencies, make adjustments for package managers other than apt

apt-get install iproute2 net-tools iptables bash grep diffutils findutils sudo ipcalc pcregrep tree attr libseccomp2 libseccomp-dev apparmor-utils cgroup-tools libapparmor-dev

make install # copy executeables to /usr/bin

```

## Usage:

* [sbox](docs/sbox.md)

* [sbox-fstool](docs/sbox-fstool.md)

* [sbox-mgt](docs/sbox-mgt.md)

* [sbox-seccomp.so](docs/sbox-seccomp.so.md)

* [sbox-aa.so](docs/sbox-aa.so.md)