Show HN: Minimal container-like sandbox built from scratch in C
4 days ago
- #Sandboxing
- #Linux
- #Cgroups
- Runbox is a lightweight Linux sandboxing system built in C for educational purposes.
- Uses Linux namespaces for process isolation: User, PID, Mount, IPC, UTS, and Network.
- Isolates the network by default; the --enable-network flag turns that isolation off.
- Implements pivot_root for an isolated filesystem and minimal shell environment.
- Drops powerful privileges, keeping only a safe default set sufficient for basic operations.
- Uses seccomp BPF for syscall allowlist filtering (currently aarch64 specific).
- Uses cgroups v2 for resource limits (CPU, memory, and process count).
- Command-line flags for configuration: --cpu, --memory, --pids, --enable-network, --disable-cgroups.
- Creates a dedicated cgroup subtree under /sys/fs/cgroup/runbox/ for each sandbox instance.
- Planned features include advanced network setups and external application execution.
- MIT licensed, contributions welcome via issues or pull requests.