YoVDO

Sandboxing a Linux Application

Offered By: NDC Conferences via YouTube

Tags

NDC Conferences Courses, Sandboxing Courses, Seccomp Courses

Course Description

Overview

Explore the intricacies of sandboxing Linux applications in this comprehensive conference talk from NDC Security 2022. Delve into the methods of isolating applications from the rest of the Linux system, safely evaluating downloaded code, and understanding how Docker sets up new filesystems. Learn to create your own sandbox using available Linux APIs, gaining insights into how major projects like Chromium and Docker utilize these techniques for system protection and problem-solving. Cover topics including namespaces, user and PID namespaces, file system manipulation, and Seccomp for system protection. Gain practical knowledge through an example application, exploring concepts such as running as root, creating new mount points, and implementing temporary file systems.

Syllabus

Intro
Who am I
Disclaimer
What is a Sandbox
Why use a Sandbox
Application expectations
Setting up a sandbox
Example application
namespaces
user namespace
mappings
running as root
making a new file system
making a new mount point
making a temporary file system
proc file system
new proc namespace
pid namespace
Create new namespace
CLONE_NEWNET
Build the application
Protect the system
Seccomp
Seccomp Program
libseccomp
argument checks
compare strings


Taught by

NDC Conferences

Related Courses

Scenario Based LXD/LXC Security
A Cloud Guru
Scenario Based Docker Security
A Cloud Guru
Using Seccomp to Limit the Kernel Attack Surface
Linux Foundation via YouTube
Trace Me if You Can - Bypassing Linux Syscall Tracing
Black Hat via YouTube
Sandboxing Based on SECCOMP for Linux Kernel
Ekoparty Security Conference via YouTube