Published: Sat, Jan 31, 26

Implement system isolation techniques with chroot and sandbox environments to protect critical applications.


Chroot & Sandbox Hardening on Arch Linux

This guide demonstrates how to isolate applications in a secure sandbox environment using Bubblewrap (bwrap). The sandbox provides process, filesystem, and user namespace isolation, allowing you to safely test or run programs without affecting the host system.


1. Install required packages

sudo pacman -Syu bubblewrap firejail apparmor

2. Prepare the sandbox user and home directory

Create a dedicated user for sandboxing (if not existing)

sudo useradd -m sandbox

Create a secure home directory for the sandbox

sudo mkdir -p /home/sandbox
sudo chown sandbox:sandbox /home/sandbox
sudo chmod 700 /home/sandbox

This gives the sandbox a home directory that only the sandbox user can read, and an account whose UID/GID the sandbox can present to its processes.


3. Create the sandbox environment

bwrap \
  --bind /srv/chroot/app / \
  --ro-bind /etc/passwd /etc/passwd \
  --ro-bind /etc/group /etc/group \
  --bind /home/sandbox /home/sandbox \
  --dev /dev \
  --proc /proc \
  --unshare-all \
  --unshare-user \
  --uid 1000 --gid 1000 \
  --ro-bind /usr /usr \
  --ro-bind /lib /lib \
  --tmpfs /tmp \
  --tmpfs /run \
  --die-with-parent \
  --clearenv \
  --setenv HOME /home/sandbox \
  --setenv USER sandbox \
  --setenv LOGNAME sandbox \
  --setenv PATH /usr/bin \
  --setenv TERM xterm-256color \
  /bin/bash

Explanation:

--bind /srv/chroot/app /: Mounts your chroot application directory as root inside the sandbox.
--ro-bind /etc/passwd /etc/passwd and --ro-bind /etc/group /etc/group: Let the sandbox resolve its numeric UID/GID to a name, so the username shows properly.
--bind /home/sandbox /home/sandbox: Provides a writable home directory.
--dev /dev and --proc /proc: Give minimal device/proc access.
--unshare-all --unshare-user --uid 1000 --gid 1000: Isolate all namespaces and present the process as UID/GID 1000 inside the new user namespace; use the values from id -u sandbox / id -g sandbox here, and note that on the host the process still runs as whoever invoked bwrap.
--ro-bind /usr /usr and --ro-bind /lib /lib: Provide necessary binaries and libraries read-only.
--tmpfs /tmp --tmpfs /run: Use ephemeral writable tmp directories.
--clearenv and --setenv ...: Reset environment variables for security and usability.
/bin/bash: Start a bash shell inside the sandbox.
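A small launcher for the sandbox above, added here as an example and not part of the original guide. It looks up the sandbox account's real UID/GID with getent instead of hard-coding 1000, refuses to bind the host root or a missing home directory, and then execs bwrap with the same mounts as the command above; the chroot path /srv/chroot/app and the account name "sandbox" are assumed.

```shell
#!/bin/sh
# Added example (not the guide's own code): launcher for the bwrap sandbox.
# Assumes the chroot tree lives under /srv/chroot/app and an account "sandbox".
set -eu

# Print "UID GID" for an account, or fail if the account does not exist.
sandbox_ids() {
    entry=$(getent passwd "$1") || return 1
    printf '%s %s\n' "$(printf '%s' "$entry" | cut -d: -f3)" \
                     "$(printf '%s' "$entry" | cut -d: -f4)"
}

# Preflight: the chroot tree must be a directory other than the host root
# (binding / writable at / would isolate nothing), and the home directory
# must exist so --bind has something to mount.
preflight() {
    root=$1; home=$2
    case $root in /|"") echo "refusing to use the host root as chroot" >&2; return 1;; esac
    [ -d "$root" ] || { echo "chroot tree not found: $root" >&2; return 1; }
    [ -d "$home" ] || { echo "home directory not found: $home" >&2; return 1; }
    return 0
}

# Build and exec the sandbox. --unshare-all already creates a user namespace,
# and --uid/--gid only change the identity seen inside it: on the host the
# process keeps the UID of whoever runs this script, so run it as the sandbox
# user (e.g. sudo -u sandbox), otherwise /home/sandbox (mode 700) is unreadable.
# On Arch, /lib and /bin are symlinks into /usr, so binding /usr covers them
# as long as the chroot tree contains those symlinks.
run_sandbox() {
    root=$1; home=$2; shift 2
    ids=$(sandbox_ids sandbox) || { echo "no 'sandbox' account" >&2; return 1; }
    uid=${ids%% *}; gid=${ids##* }
    preflight "$root" "$home" || return 1
    exec bwrap \
        --bind "$root" / \
        --ro-bind /usr /usr \
        --ro-bind /etc/passwd /etc/passwd \
        --ro-bind /etc/group /etc/group \
        --bind "$home" "$home" \
        --dev /dev --proc /proc \
        --tmpfs /tmp --tmpfs /run \
        --unshare-all --uid "$uid" --gid "$gid" \
        --die-with-parent --clearenv \
        --setenv HOME "$home" --setenv USER sandbox --setenv LOGNAME sandbox \
        --setenv PATH /usr/bin --setenv TERM "${TERM:-xterm-256color}" \
        "$@"
}
```

Source the file and call `run_sandbox /srv/chroot/app /home/sandbox /bin/bash` as the sandbox user to get the interactive shell from the guide; any other command and arguments can replace /bin/bash.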