To me ‘a sandbox’ is a secured context, which is specific to whatever is in it. It is not a generic thing unless we are literally referring to a real-world box with sand in it, and I’ve kinda hit the breaking point with the term in tech. ‘A sandboxed application’ to me is an instrumented and controlled deployment of an application that can only make the sys/network/ipc calls the deployer expects and appreciates, which are then themselves filtered and monitored. A sandboxed deployment of an application? Sure. That’s a thing to me. But each application needs different privileges and does different things. Sandboxing an application may involve lots of different technologies. Eg the way I think about it, things like seccomp, apparmor, et al also aren’t themselves ‘sandboxes’, they’re enforcement mechanisms which rely on knowing and configuring them to monitor and enforce what the app should and shouldn’t do. A lot of things that assist with sandboxing may also be combined in different ways to get to a more secure environment, in which the app is sandboxed.
akerl_|1 month ago
https://en.wikipedia.org/wiki/Sandbox_(computer_security)
Notably, a sandbox exists to separate one thing from other things. Limiting/filtering/monitoring what the sandboxes thing can do are often components of that, but the underlying premise is about separation.
Containers, VMs, etc. are 100% examples of sandboxing based on the actual industry definition of the term.
moonlet|1 month ago
eyberg|1 month ago