Sandboxing in Linux with Zero Lines of Code

Explore Linux sandboxing techniques without writing code in this 49-minute conference talk by Ignat Korchagin from Cloudflare. Delve into the problem of process isolation, understand process startup stages, and examine a concrete example. Learn about protecting against readbystand, distributing lib sandbox, combining approaches, including dynamic libraries, filtering and collecting system calls, and setting sandbox limits. Discover how to modify allowed or blocked system calls and understand the implications of sandboxing executables. Gain valuable insights into enhancing security and process isolation in Linux environments through this informative presentation from the Linux Foundation.

Introduction
The Problem
Overview
Process Startup Stages
Concrete Example
Questions
Answering Questions
How do you protect against readbystand
Is lib sandbox distributed by distros
Can we use both approaches
How to include dynamic libraries
How to filter system calls
How to collect system calls
How to sandboxify a limit
Can you change allowed or blocked system calls
What happens when you try to sandbox an executable
Out of question
Outro