
Sandbox

Description

Sandbox provides a simple way to enable basic seccomp system call filtering in any application on Linux (even a proprietary one) via environment variables. It is very similar to the SystemCallFilter= functionality in systemd, but with some advantages:

  • it doesn't have some of systemd's limitations:
    > the execve, exit, exit_group, getrlimit, rt_sigreturn, sigreturn system calls and the system calls for querying time and sleeping are implicitly whitelisted...
  • it can provide tighter filtering for dynamically linked binaries

Categories

  • Hardening

Black Hat sessions

Arsenal

Code

https://github.com/cloudflare/sandbox

Lead Developer(s)

Ignat Korchagin - Cloudflare https://github.com/cloudflare
