sandbox man page on Fedora

SANDBOX(8)			 User Commands			    SANDBOX(8)

NAME
       sandbox - Run cmd under an SELinux sandbox

SYNOPSIS
       sandbox [-C] [-c] [-s] [ -d DPI ] [-l level ] [[-M | -X]	 -H homedir -T
       tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i
       file ]...] [ -t type ] cmd

       sandbox [-C] [-c] [-s] [ -d DPI ] [-l level ] [[-M | -X]	 -H homedir -T
       tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i
       file ]...] [ -t type ] -S

DESCRIPTION
       Run  the cmd application within a tightly confined SELinux domain.  The
       default sandbox domain only allows applications the ability to read and
       write  stdin, stdout and any other file descriptors handed to it. It is
       not allowed to open any other files.   The  -M  option  will  mount  an
       alternate homedir and tmpdir to be used by the sandbox.

       If you have the policycoreutils-sandbox package installed, you can use
       the -X option and the -M option.  sandbox -X allows you to run X
       applications within a sandbox.  These applications will start up their
       own X Server and create a temporary home directory and /tmp.  The
       default SELinux policy does not allow any capabilities or network
       access.  It also prevents all access to the user's other processes and
       files.  Files specified on the command line that are in the home
       directory or /tmp will be copied into the sandbox directories.

       If directories are specified with -H or -T, the directory will have its
       context modified with chcon(1) unless a level is specified with -l.  If
       the MLS/MCS security level is specified, the user is responsible for
       setting the correct labels.

       -H homedir
	      Use  alternate  homedir  to  mount  over	your  home  directory.
	      Defaults to temporary. Requires -X or -M.

       -i file
	      Copy this file into the appropriate temporary sandbox directory.
	      Command can be repeated.

       -I inputfile
              Copy all files listed in inputfile into the appropriate
              temporary sandbox directories.

       -l     Specify  the  MLS/MCS  Security  Level  to run the sandbox with.
	      Defaults to random.

       -M     Create a Sandbox with temporary files for $HOME and /tmp.

       -s  --shred
              Shred temporary files created in $HOME and /tmp before
              deleting.

       -t type
	      Use alternate sandbox type, defaults to sandbox_t or sandbox_x_t
	      for -X.

              Examples:
              sandbox_t      -    No X, No Network Access, No Open,
                                  read/write on passed in file descriptors.
              sandbox_min_t  -    No Network Access
              sandbox_x_t    -    Printer Ports
              sandbox_web_t  -    Ports required for web browsing
              sandbox_net_t  -    All network ports

       -T tmpdir
              Use alternate temporary directory to mount on /tmp.  Defaults
              to tmpfs. Requires -X or -M.

       -S     Run a full desktop session. Requires level, and home and tmpdir.

       -w windowsize
	      Specifies the windowsize when creating an X based	 Sandbox.  The
	      default windowsize is 1000x700.

       -W windowmanager
              Select alternative window manager to run within sandbox -X.
              Defaults to /usr/bin/matchbox-window-manager.

       -X     Create an X based Sandbox for GUI apps, with temporary files for
              $HOME and /tmp and a secondary X server. Defaults to
              sandbox_x_t.

       -d     Set the DPI value for the sandbox X Server. Defaults to the
              current X Server DPI.

       -c     Use control groups to control this  copy	of  sandbox.   Specify
	      parameters  in /etc/sysconfig/sandbox.  Max memory usage and cpu
	      usage are to be specified in percent.   You  can	specify	 which
	      CPUs to use by numbering them 0,1,2... etc.

       -C     Use capabilities within the sandbox.  By default, applications
              executed within the sandbox will not be allowed to use
              capabilities (setuid apps).  With the -C flag, you can use
              programs requiring capabilities.
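
EXAMPLES
       The script below is an added example, not part of the original manual
       page. It reuses one home/tmp directory pair at a fixed MCS level:
       because -l is given, it labels the directories itself with chcon(1)
       before launching with -M, -H and -T. Assumptions: the file type
       sandbox_file_t, the helper names run, valid_level and
       persistent_sandbox, and the DRY_RUN variable are not from this page.

```shell
#!/bin/sh
# Added example (not from the man page): reuse one home/tmp pair across sandbox
# runs at a fixed MCS level. With -l, sandbox leaves labelling to the caller,
# so the directories are relabelled here before the launch.

FILE_TYPE=${FILE_TYPE:-sandbox_file_t}   # assumption: file type in Fedora's sandbox policy

# run CMD...: execute, or only print the command line when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# valid_level LEVEL: syntax check for s0 or s0:cN[,cM...]; category ranges
# (c0.c5) and other sensitivities are rejected to keep the check narrow.
valid_level() {
    printf '%s\n' "$1" | grep -Eq '^s0(:c[0-9]{1,4}(,c[0-9]{1,4})*)?$'
}

# persistent_sandbox LEVEL HOMEDIR TMPDIR CMD...
# Returns 2 on a bad level, 3 on a bad directory, else the status of sandbox.
persistent_sandbox() {
    [ "$#" -ge 4 ] || return 1
    level=$1 home=$2 tmp=$3
    shift 3
    valid_level "$level" || return 2
    for d in "$home" "$tmp"; do
        # Real directories only, and never /: a mistaken path here would be
        # relabelled recursively.
        [ -d "$d" ] && [ ! -L "$d" ] && [ "$d" != / ] || return 3
    done
    # Label both trees with the same level the sandboxed process will run at.
    run chcon -R -t "$FILE_TYPE" -l "$level" "$home" "$tmp" || return
    # -H and -T require -M (or -X); -l pins the level instead of a random one.
    run sandbox -M -l "$level" -H "$home" -T "$tmp" "$@"
}

# Usage: persistent_sandbox s0:c100,c200 ~/sbx/home ~/sbx/tmp /usr/bin/some-tool
```

       Set DRY_RUN=1 to print the chcon and sandbox command lines without
       executing them.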

SEE ALSO
       runcon(1), seunshare(8), selinux(8)

AUTHOR
       This manual page was  written  by  Dan  Walsh  <dwalsh@redhat.com>  and
       Thomas Liu <tliu@fedoraproject.org>

sandbox				   May 2010			    SANDBOX(8)