evalbox uses independent isolation mechanisms. Each provides protection even if another is bypassed.
┌─────────────────────────────────────────────────────────────┐
│ │ Landlock v5 │ Filesystem, Network│
│ │ │ Signal, IPC │
├───────────┼───────────────────────────┼─────────────────────┤
│ │ Seccomp BPF │ Syscalls │
├───────────┼───────────────────────────┼─────────────────────┤
│ │ rlimits │ Resources │
├───────────┼───────────────────────────┼─────────────────────┤
│ │ Privilege Hardening │ NO_NEW_PRIVS, │
│ │ │ securebits, caps │
└───────────┴───────────────────────────┴─────────────────────┘
Kernel-enforced access control (requires Linux 6.12+, Landlock ABI 5).
No namespaces or pivot_root needed — Landlock operates on real filesystem paths.
Filesystem rules:
read-only: /usr, /lib, /lib64, /bin, /etc, /proc, /nix/store*
read-write: workspace/work, workspace/tmp, workspace/home
write: /dev (for /dev/null, /dev/zero, /dev/urandom)
no access: everything else
Network control (ABI 4+):
- Blocks
LANDLOCK_ACCESS_NET_BIND_TCP - Blocks
LANDLOCK_ACCESS_NET_CONNECT_TCP - Optional: enable with
.network(true)
Signal isolation (ABI 5):
LANDLOCK_SCOPE_SIGNAL— blocks signals to processes outside the sandbox
IPC isolation (ABI 5):
LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET— blocks connections to abstract unix sockets outside the sandbox
Landlock ABI versions:
| ABI | Kernel | Features |
|---|---|---|
| 1 | 5.13 | Basic filesystem |
| 2 | 5.19 | Truncate control |
| 3 | 6.2 | File permissions |
| 4 | 6.7 | Network TCP control |
| 5 | 6.12 | Signal + abstract unix socket scoping |
Security properties:
- Enforced at kernel level (bypass-resistant)
- Cannot be disabled after application
- Works unprivileged with
NO_NEW_PRIVS
Syscall filtering with immediate termination on violation.
Filter approach: Whitelist (allow known-safe syscalls, kill on others)
Blocked syscall categories:
| Category | Syscalls | Reason |
|---|---|---|
| Namespaces | clone(CLONE_NEW*), unshare, setns |
Prevent new namespaces |
| Mounting | mount, umount, pivot_root |
Prevent FS manipulation |
| Debugging | ptrace, process_vm_* |
Prevent process injection |
| Kernel | reboot, kexec_load, init_module |
Prevent system damage |
| Privilege | setuid, setgid, setgroups |
Prevent escalation |
| Keyring | keyctl |
Not namespaced |
| eBPF | bpf |
Kernel attack surface |
| Fileless | memfd_create, execveat |
Bypass Landlock |
Argument filtering:
| Syscall | Blocked Arguments | Reason |
|---|---|---|
clone |
CLONE_NEWUSER, CLONE_NEWNET, CLONE_NEWNS, CLONE_NEWPID, CLONE_NEWIPC, CLONE_NEWUTS, CLONE_NEWCGROUP |
Block namespace creation |
clone3 |
Entirely blocked (returns ENOSYS) |
Cannot inspect flags in userspace struct |
socket |
AF_NETLINK, SOCK_RAW |
Block kernel interfaces |
ioctl |
TIOCSTI, TIOCSETD, TIOCLINUX |
Block terminal injection |
Violation behavior: SECCOMP_RET_KILL_PROCESS (SIGSYS, signal 31)
Prevent denial-of-service attacks via kernel-enforced rlimits.
| Resource | Limit | Purpose |
|---|---|---|
RLIMIT_DATA |
256 MiB | Memory usage |
RLIMIT_CPU |
timeout * 2 + 60s | CPU time limit |
RLIMIT_FSIZE |
16 MiB | Output file size |
RLIMIT_NOFILE |
256 | File descriptor limit |
RLIMIT_NPROC |
64 | Fork bomb prevention |
RLIMIT_CORE |
0 | Core dumps disabled |
RLIMIT_STACK |
8 MiB | Stack size |
Note: RLIMIT_AS (virtual address space) is intentionally not set. Modern runtimes like Go, Java, and V8 pre-allocate large virtual ranges but only commit small portions.
Permanent privilege reduction applied before seccomp:
| Mechanism | Effect |
|---|---|
PR_SET_NO_NEW_PRIVS |
Cannot gain privileges via exec (setuid, file caps) |
SECBIT_NOROOT (locked) |
Root has no special privilege |
SECBIT_NO_SETUID_FIXUP (locked) |
Capabilities not adjusted on UID change |
SECBIT_KEEP_CAPS (locked) |
Cannot keep caps through exec |
SECBIT_NO_CAP_AMBIENT_RAISE (locked) |
Cannot set ambient capabilities |
| Drop all 64 capabilities | No capability-based operations possible |
Basic I/O: read, write, close, lseek, pread64, pwrite64
File ops: openat, stat, fstat, access, readlink
Memory: mmap, mprotect, munmap, brk, mremap
Process: fork, vfork, execve, exit, exit_group, wait4
Signals: rt_sigaction, rt_sigprocmask, rt_sigreturn, kill, tgkill
Time: clock_gettime, nanosleep, gettimeofday
Sockets: socket*, connect, bind, listen, accept, send*, recv*
Events: epoll_*, poll, select
Note: kill and tgkill are allowed because Landlock ABI 5 provides signal scoping — signals can only reach processes within the sandbox.
Dangerous: ptrace, mount, reboot, kexec_load, init_module
Namespaces: clone3, unshare, setns (blocked or filtered)
Privilege: setuid, setgid, setresuid, setresgid
Kernel: bpf, perf_event_open, keyctl
Fileless: memfd_create, execveat (together enable fileless exec)
| Syscall | Handling |
|---|---|
clone |
Allowed, but CLONE_NEW* flags blocked |
clone3 |
Returns ENOSYS (glibc falls back to clone) |
socket |
Allowed, but AF_NETLINK and SOCK_RAW blocked |
ioctl |
Allowed, but TIOCSTI, TIOCSETD, TIOCLINUX blocked |
| Threat | Mitigation |
|---|---|
| Arbitrary code execution | Sandboxed environment |
| Filesystem escape | Landlock v5 path rules |
| Network access | Landlock network control (ABI 4+) + seccomp socket filtering |
| Process injection | ptrace blocked by seccomp |
| Privilege escalation | NO_NEW_PRIVS + seccomp + capability drop |
| Resource exhaustion | rlimits + timeouts |
| Fork bombs | RLIMIT_NPROC |
| Terminal injection | TIOCSTI/TIOCLINUX blocked by seccomp |
| Fileless malware | memfd_create + execveat blocked by seccomp |
| Cross-sandbox signals | Landlock signal scoping (ABI 5) |
| Abstract unix socket abuse | Landlock IPC scoping (ABI 5) |
| Threat | Reason |
|---|---|
| Kernel exploits | Requires kernel hardening (grsecurity, etc.) |
| Side-channel attacks | Spectre/Meltdown require CPU mitigations |
| Container breakout via 0-day | Defense in depth limits impact |
| Covert channels | Timing-based data exfiltration possible |
evalbox's seccomp policy blocks attack vectors for many kernel CVEs:
| CVE | Attack Vector | Blocked By |
|---|---|---|
| CVE-2024-1086 | AF_NETLINK + nf_tables | Socket filtering |
| CVE-2022-0185 | fsconfig + user namespace | CLONE_NEWUSER blocked |
| CVE-2022-0492 | cgroups + user namespace | CLONE_NEWUSER blocked |
| CVE-2017-5226 | TIOCSTI terminal injection | ioctl filtering |
| CVE-2019-13272 | ptrace PTRACE_TRACEME | ptrace blocked |
| CVE-2021-3490 | eBPF verifier bypass | bpf blocked |
| Path | Access | Purpose |
|---|---|---|
workspace/work |
Read-Write | User files |
workspace/tmp |
Read-Write | Temporary files |
workspace/home |
Read-Write | Home directory |
/usr |
Read-Only + Execute | Binaries, libraries |
/lib |
Read-Only + Execute | Shared libraries |
/lib64 |
Read-Only + Execute | 64-bit libraries |
/bin |
Read-Only + Execute | Binaries |
/etc |
Read-Only | System config |
/proc |
Read-Only | Process info (no execute) |
/dev |
Read + Write | null, zero, urandom |
/nix/store |
Read-Only + Execute | NixOS paths (if present) |
| Path | Contains | Risk if Accessible |
|---|---|---|
/home (host) |
User data | Data theft |
/root |
Root home | Credential theft |
/sys |
Kernel interfaces | Kernel manipulation |
/var |
System state | Log manipulation |
/run |
Runtime data | Socket access |
Run the security test suite to verify isolation:
# Run all security tests
cargo test -p evalbox-sandbox --test security_tests -- --ignored
# Run specific category
cargo test -p evalbox-sandbox --test security_tests seccomp -- --ignored
cargo test -p evalbox-sandbox --test security_tests filesystem -- --ignored
cargo test -p evalbox-sandbox --test security_tests network -- --ignored
cargo test -p evalbox-sandbox --test security_tests cve -- --ignoredOr via Nix:
nix run .#test-all| Category | Tests | Coverage |
|---|---|---|
| Seccomp | 9 | ptrace, mount, reboot, clone, socket, keyctl, bpf |
| Filesystem | 8 | /etc/shadow, /root, path traversal, symlinks |
| Network | 5 | External, localhost, loopback, DNS |
| Resources | 7 | Timeout, memory, PIDs, output limit |
| CVE | 10 | Real-world exploits blocked |
| Requirement | How to Verify |
|---|---|
| Kernel 6.12+ | uname -r |
| Landlock ABI 5 | cat /sys/kernel/security/lsm should include landlock |
| Seccomp enabled | grep SECCOMP /boot/config-$(uname -r) |
| Unprivileged BPF disabled | sysctl kernel.unprivileged_bpf_disabled=1 (recommended) |
Run evalbox check to verify all requirements automatically.