sandbox is a tool originally used in Gentoo to monitor and restrict a process's access to the filesystem. For example, depending on the configuration, a process started with sandbox can't write to any files in directories above the directory where the sandbox was started. If such a process tries to write to files where it is not permitted, the sandbox stops and the process gets killed. It is also possible to restrict read access with sandbox, but with the default configuration sandbox gives read access to the complete filesystem (the process is still restricted by the user's permissions).

There is no comparable tool on Debian to do that, so I tried to port sandbox from Gentoo to Debian. To do so, you first have to download the sandbox source. I found it at http://dev.gentoo.org/~vapier/dist/, where the latest version (2010/02/11) is 2.2.

wget http://dev.gentoo.org/~vapier/dist/sandbox-2.2.tar.lzma

lzma is a compression format that is not included by default on Debian, so you may have to install it with

aptitude install lzma

Then we can unpack the source:

lzma -d sandbox-2.2.tar.lzma
tar -xf sandbox-2.2.tar

Then go into the directory and run ./configure:

cd sandbox-2.2
./configure

Look at the output. You may find the following lines:

checking for gawk... no
checking for mawk... mawk

sandbox can't be compiled with mawk, so you need gawk. If you see the lines above, you have to install gawk:

aptitude install gawk

Then type "./configure" again. Now you should find this line in the output:

checking for gawk... gawk

If you see this line, and no line with "mawk", it is correct.

Now we could type "make" to build everything and it would work, but maybe you want to make some cosmetic changes first.

Since sandbox comes from Gentoo, it wants to have its config in /usr/etc. But Debian software has its config in /etc/, so we want to tell sandbox to use its config in that place. There are 2 options:

Both would follow Debian conventions, so it's your decision.

I used the first way.

./configure --sysconfdir=/etc/

If you want, you can also "personalize" your sandbox by using a custom banner. By default, sandbox starts with this output:

============================= Gentoo path sandbox ==============================

But you can open ./src/sandbox.c and change this line to whatever you want. (Maybe "Debian path sandbox"? :) )

Now we are ready to build and install sandbox.

Just type

make && make install 

When the make process has completed, you can use sandbox. When you type "sandbox", it starts a default shell. You can also run "sandbox [command]" if you want to start something else with sandbox. Feel free to try something like "echo foo > ../bar". With the default configuration sandbox will give you an error message and kill the session.

There is no manpage for sandbox, but you will find some information in the comments in the config files.
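
To check that the freshly installed sandbox really enforces the write restriction described above, a small smoke test can be run after "make install". This is an added example, not part of sandbox or of the original instructions; the function name sandbox_smoke_test and its return codes are made up here. It assumes that writes inside the start directory are permitted and that the directory you pass in is not below a path the configuration already opens for writing.

```shell
#!/bin/sh
# Added example, not part of sandbox itself.
# sandbox_smoke_test BASE [SANDBOX_CMD]
#   BASE         existing directory to test under; assumed NOT to lie below
#                a path the sandbox configuration already opens for writing
#   SANDBOX_CMD  sandbox command to test (default: "sandbox" from PATH)
# Returns 0 if the write above the start directory was blocked,
#         1 if that write went through (restriction not enforced),
#         2 if the control write inside the start directory failed,
#         3 if the scratch directory could not be set up.
sandbox_smoke_test() {
    base=$1
    sb=${2:-sandbox}
    root=$(mktemp -d "$base/sbtest.XXXXXX") || return 3
    mkdir "$root/work" || { rm -rf "$root"; return 3; }
    (
        cd "$root/work" || exit 3
        # Control: write inside the start directory. Assumption: the
        # configuration permits this. If it fails, the sandbox did not
        # run the command at all or the config is stricter than assumed.
        "$sb" touch inside >/dev/null 2>&1 || :
        [ -e inside ] || exit 2
        # Probe: create a file one level above the start directory, the
        # same kind of access as the "echo foo > ../bar" test in the text.
        "$sb" touch ../bar >/dev/null 2>&1 || :
        [ ! -e ../bar ] || exit 1
        exit 0
    )
    rc=$?
    rm -rf "$root"
    return $rc
}
```

Call it as sandbox_smoke_test /some/directory; a return value of 0 means the write above the start directory was blocked while the write inside it succeeded.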

