Runbox is a lightweight sandboxing system built from scratch in C, designed for understanding and implementing standard sandboxing practices using Linux namespaces, seccomp and cgroups v2. It is open source, encouraging contributions and collaboration from the community. It is run from the command line and provides a minimal shell environment for executing commands inside an isolated environment.
User Namespace: Isolates user and group IDs for contained processes.
PID Namespace: Provides a separate isolated process tree.
Mount Namespace: Creates an isolated filesystem using tmpfs and mounts essential directories as read-only.
IPC Namespace: Offers isolation for System V IPC objects and POSIX message queues.
Network Namespace: Supports full network isolation with plans for advanced setups.
Seccomp: Implements a syscall allowlist filter using BPF.
Cgroups v2: Limits resource usage by the sandbox, supporting CPU, memory, and PID limitations.
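The following is an added example, not Runbox's own code, of the seccomp syscall allowlist the Seccomp line describes: a raw BPF program that first checks the syscall ABI, allows only the listed syscall numbers and kills the process for anything else, plus a tiny offline evaluator so the filter can be checked before it is loaded. The names build_allowlist, eval_filter, install_filter and SANDBOX_ARCH are this example's own, and it assumes an x86_64 or arm64 Linux host with the Linux uapi headers installed.

```c
/* Added example (not Runbox code): build, check and install a seccomp-BPF allowlist. */
#include <errno.h>
#include <stddef.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U   /* older uapi headers lack it */
#endif
#ifdef __aarch64__
#define SANDBOX_ARCH AUDIT_ARCH_AARCH64
#else
#define SANDBOX_ARCH AUDIT_ARCH_X86_64         /* assumption: x86_64 on any other host */
#endif
#define INSN(x) ((struct sock_filter)x)        /* BPF_STMT/BPF_JUMP as compound literals */
/* Emit: ABI check, one JEQ per allowed syscall, kill anything else. Returns insn count, 0 if `out` is too small. */
size_t build_allowlist(struct sock_filter *out, size_t cap, const int *nrs, size_t n) {
    size_t i = 0;
    if (n > 200 || n + 6 > cap) return 0;      /* jt is only 8 bits wide */
    out[i++] = INSN(BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)));
    out[i++] = INSN(BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0));
    out[i++] = INSN(BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS));   /* wrong ABI */
    out[i++] = INSN(BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)));
    for (size_t k = 0; k < n; k++)             /* on match, jump over the rest to ALLOW */
        out[i++] = INSN(BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (__u32)nrs[k], (__u8)(n - k), 0));
    out[i++] = INSN(BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS));   /* not allowlisted */
    out[i++] = INSN(BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW));
    return i;
}
/* Interpreter for the three opcodes emitted above, so a filter can be checked offline before loading. */
__u32 eval_filter(const struct sock_filter *p, size_t n, __u32 arch, __u32 nr) {
    __u32 acc = 0;
    for (size_t pc = 0; pc < n; pc++) {
        if (p[pc].code == (BPF_LD | BPF_W | BPF_ABS))
            acc = p[pc].k == offsetof(struct seccomp_data, arch) ? arch : nr;
        else if (p[pc].code == (BPF_JMP | BPF_JEQ | BPF_K))
            pc += acc == p[pc].k ? p[pc].jt : p[pc].jf;   /* offsets are relative to next insn */
        else if (p[pc].code == (BPF_RET | BPF_K))
            return p[pc].k;
    }
    return SECCOMP_RET_KILL_PROCESS;           /* ran off the end: deny */
}
/* Load the filter into the calling process. no_new_privs keeps a setuid exec from shedding it; irreversible. */
int install_filter(struct sock_filter *insns, size_t n) {
    struct sock_fprog prog = { .len = (unsigned short)n, .filter = insns };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -errno;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == 0 ? 0 : -errno;
}
```

Call install_filter only in the child, immediately before exec, since every syscall the sandboxed program makes after that point must be on the list (including exit_group).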
Built with