Files in the top-level directory from the latest check-in

examples
LICENSE.txt
README.md
sandbox.sh

FreeBSD Sandbox

A simple sandboxing script for FreeBSD using chroot, allowing you to run untrusted scripts or binaries on your system while limiting the attack surface. Based on my sandbox for Linux script. Note that the primary goal is to prevent access to your home directory, not to secure against all possible attacks.

Features

No configuration or setup needed, simply run sandbox.sh in any directory
A sandbox is created per directory that it is run inside, so for example each directory inside ~/Projects/ can have it's own sandbox.
A read-only copy of the base OS is mounted into the sandbox, ensuring it cannot be modified from the sandbox. All sandboxes thus also inherit any OS updates automatically.
A unionfs overlay allows for installation and modification of /usr/local per-sandbox, i.e. you can install software inside of the sandbox specific to that sandbox without affecting the host OS. This makes it possible to run conflicting versions of software in different sandboxes. Sandboxes also inherit software installed in the host OS.
You can specify packages to be installed into the sandbox by creating a file called pkg.packages and put one package per line.
Your home directory is not mounted into the sandbox, thus protecting access to your sensitive files (e.g. .ssh or .mozilla). Each sandbox gets it's own home directory (these are stored in ~/sandboxes/...)
For convenience, your ~/Downloads directory is mounted into the sandbox (which reduces security a bit, so comment out the mount line if you don't need this).

Installation

Copy the sandbox.sh script into your path, e.g. ~/bin or /usr/local/bin. The sudo package is required.

Usage

Simply cd into a directory you want and then run sandbox.sh. You can also pass a command to run as arguments, e.g. sandbox.sh firefox https://freebsd.org

To install packages into the sandbox, create a file called pkg.packages with one package per line.

Use cases

Explore the sandboxing: cd /tmp && sandbox.sh, then note that the /tmp folder is now ~/app inside the sandbox. If you ls -la ~, you see a new home folder, and ls -la ~/Downloads has your downloads. Now touch ~/test.txt && touch test2.txt. Now exit then ls ~/sandboxes/-tmp/home to find the test.txt file, and ls to find the test2.txt file.
Let's say you want a Firefox profile for Telegram that is separate to your main browsing profile. Create the folder ~/firefox/telegram, then cd ~/firefox/telegram && sandbox.sh firefox https://web.telegram.org.
Let's say you want to work on a Python 2 project, but don't want to install Python 2 on your host system. Create a project directory, e.g. mkdir -p ~/Projects/py2 then echo python2 > ~/Projects/py2/pkg.packages. Now you can enter the sandbox: cd ~/Projects/py2 && sandbox.sh. It may ask for your sudo password and will install Python 2 into the sandbox the first time. Now python2 will run Python 2. If you exit the sandbox, Python 2 is not available, but re-enter the sandbox and it is back.
If you need to use npm for example, but are worried about all the supply-chain attacks, then run sandbox.sh first to limit attack surface.

Limitations

Only file system level isolation is provided with chroot, but the trade-off is ease-of-use. For better isolation, an experimental jail feature is being worked on, however note that the X socket and clipboard, etc. are other attack surfaces, so a jail may still not provide adequate security.
If you rename any directory in the path to your sandbox, you will get a new sandbox. You will need to manually rename the appropriate directories inside ~/sandboxes to re-associate the sandbox.

Contact

Toby Kurien