richfelker/usand

usand

A convenient, minimal unshare(1)-based sandbox.

The current version is at a proof-of-concept stage. It lacks options for tuning its behavior, and it is not claimed to be secure for running potentially malicious programs.

Premise

Run programs natively in your host filesystem, but without the ability to write outside the tree based at the current working directory.

Usage

usand.sh [cmd [args...]]

If cmd is omitted, the unshare(1) default of invoking a shell is used. In the future, support for options to tune the sandboxing behavior may be added; if so they will be placed before cmd.

How it works

In a new namespace, all existing mounts are bind-remounted read-only, then new bind mounts are made to get back a writable view of the working directory and some essential nodes from /dev. Then, another derived namespace is created, with capabilities dropped, so that the mounts can't be unprotected from within.

See the (very short) script for details.
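
One way to check the result of the read-only bind remounts from inside the sandbox, as an added example that is not part of usand or its script. The function names, the constructed sample mount table and the decision to allow any node under /dev/ are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of usand: report which mounts are still writable,
# using the /proc/<pid>/mountinfo format.

# list_writable_mounts MOUNTINFO_FILE ALLOWED_DIR
# Prints each mount point that is writable but is neither ALLOWED_DIR, a path
# below it, nor a node under /dev/ (assumed to be the re-added device nodes).
list_writable_mounts() {
    awk -v allow="$2" '
    {
        # Field 5 is the mount point, field 6 the per-mount options.
        # A read-only bind remount sets "ro" here; the superblock options
        # after the " - " separator can still say "rw", so they are ignored.
        mp = $5
        n = split($6, opts, ",")
        writable = 0
        for (i = 1; i <= n; i++)
            if (opts[i] == "rw") writable = 1
        if (!writable) next
        # Match the allowed tree on a path boundary, not a bare string prefix.
        if (mp == allow || index(mp, allow "/") == 1) next
        if (index(mp, "/dev/") == 1) next
        print mp
    }' "$1"
}

# Constructed sample: root and /home read-only, working tree and /dev/null
# writable, plus two stray writable mounts that the audit should report.
sample_mountinfo() {
    cat <<'EOF'
22 1 8:1 / / ro,relatime shared:1 - ext4 /dev/sda1 rw
23 22 8:2 / /home ro,relatime - ext4 /dev/sda2 rw
24 23 8:2 /alice/proj /home/alice/proj rw,relatime - ext4 /dev/sda2 rw
25 22 0:6 /null /dev/null rw,nosuid - devtmpfs devtmpfs rw
26 22 0:30 / /tmp rw,nosuid,nodev - tmpfs tmpfs rw
27 23 8:2 /alice/proj2 /home/alice/proj2 rw,relatime - ext4 /dev/sda2 rw
EOF
}
```

Inside a sandboxed shell, `list_writable_mounts /proc/self/mountinfo "$PWD"` printing nothing means no writable mount remains outside the working directory and /dev/ nodes.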
