Put a process in a sandbox where it can do least harm

Question

I'm looking for the concept to spawn a process such that:

• it has only access to certain libraries/APIs
• it cannot acess the file system or only specific parts
• it can do least harm should malicious code run in it

This concept is known as sandbox or jail.

It is required to do this for each major Operating system (Windows, MacOSX and Linux) and the question is conceptual (as in what to do, which APIs to use and and what to observe) rather then language specific.

answer requirements

I really want to accept an answer and give you 20 points for that. I cannot accept my own answer, and I don't have it yet anyway. So if you really want your answer to be accepted, please observe:

• The answer has to be specific and complete
• With specific I mean that it is more then a pointer to some resource on the internet. It has to summarize what the resource says about the topic at least.
• It may or may not contain example code, but if it does please write it in C
• I cannot accept an answer that is 2/3 complete even if the 2/3 that are there are perfect.

this question FAQ

• Is this homework? No.
• Why do you ask this like a homework question? If you ask a specific question and you want to get a specific answer, and you know how that answer should look like, even though you don't know the answer, that's the style of question you get.
• If you know how it should look like, why do you ask? 1) because I don't know all the answer 2) because on the internet there's no single place that contains all the details to this question in one place. Please also read the stackoverflow FAQ
• Why is the main part of your question how to answer this question? Because nobody reads the FAQ.

Answer 1

Mac OS X has a sandbox facility code-named Seatbelt. The public API for it is documented in the sandbox(7), sandbox_init(3), and related manual pages. The public API is somewhat limited, but the facility itself is very powerful. While the public API only lets you choose from some pre-defined sandboxes (e.g. “All sockets-based networking is prohibited”), you can also use the more powerful underlying implementation which allows you to specify exactly what operating system resources are available via a Scheme-like language. For example, here is an excerpt of the sandbox used for portmap:

(allow process-exec (regex #"^/usr/sbin/portmap$"))
(allow file-read-data file-read-metadata (regex
    #"^/etc"
    #"^/usr/lib/.*\.dylib$"
    #"^/var"
    #"^/private/var/db/dyld/"
    #"^/dev/urandom$"))
(allow file-write-data (regex
    #"^/dev/dtracehelper$"))

You can see many sandboxes used by the system in /usr/share/sandbox. It is easy to experiment with sandboxes by using the sandbox-exec(1) command.

For Windows, you may want to have a look at David LeBlanc’s “Practical Sandboxing” talk given at Black Hat USA 2007. Windows has no built-in sandboxing technology per se, so the techniques described leverage an incomplete mechanism introduced with Windows 2000 called SAFER. By using restricted tokens, one can create a process that has limited access to operating system resources.

For Linux, you might investigate the complicated SELinux mechanism: SELinux home, a HOWTO. It is used by Red Hat, for example, to harden some system services in some of their products.

Answer 2

For Windows there is a sandbox in Google Chrome. You may want to investigate it. It uses liberal BSD-like license.

For Linux there would be good old chroot or more sophisticated http://plash.beasts.org/wiki/.

OS X since Leopard has some SELinux-like protection available.