I came across this lovely lightning talk about sandboxing using, among other things, Capsicum on FreeBSD:
It was posted on the Erlang forums as well:
In the lightning talk, Krasen talks about NIFs and C nodes for interoperability and combining that with sandboxing techniques. I’m using ports for processing Word documents – i.e. unzipping and XML parsing – and figure that should be possible to sandbox in a similar manner.
If anyone would be interested in sharing any experience or resources doing this I would be most grateful.
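The kind of port program the post is asking about, as an added example that is not code from this thread or from the talk: a C port that limits its stdin/stdout/stderr to read/write rights and calls cap_enter() before it reads the first byte of untrusted input, then speaks Erlang's {packet, 2} framing in a loop. Assumptions (not from the post): the Erlang side opens it with open_port/2 using [{packet, 2}, binary, exit_status]; the "processing" step is a stand-in ZIP-magic check (a .docx is a ZIP) rather than real unzipping or XML parsing; and the FreeBSD-specific calls are guarded so the framing code compiles and runs elsewhere.

```c
/* Added example: Capsicum-sandboxed Erlang port skeleton (not from the thread). */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>
#endif

/* Restrict the three inherited descriptors to the rights the port needs, then
 * enter capability mode: from here on the process cannot open(), connect(),
 * or exec anything new, so a bug in the parser cannot reach the filesystem.
 * Returns 0 on success, -1 on failure. Outside FreeBSD this is a no-op
 * (assumption for portability of the example, not a security property). */
static int sandbox_enter(void) {
#ifdef __FreeBSD__
    cap_rights_t in_rights, out_rights;
    cap_rights_init(&in_rights, CAP_READ);
    cap_rights_init(&out_rights, CAP_WRITE);
    if (cap_rights_limit(STDIN_FILENO, &in_rights) < 0 ||
        cap_rights_limit(STDOUT_FILENO, &out_rights) < 0 ||
        cap_rights_limit(STDERR_FILENO, &out_rights) < 0)
        return -1;
    return cap_enter();
#else
    return 0;
#endif
}

/* Frame one {packet, 2} message: 2-byte big-endian length, then payload.
 * Returns bytes written, or -1 if len exceeds 16 bits or out is too small. */
static ssize_t packet2_encode(const uint8_t *payload, size_t len,
                              uint8_t *out, size_t outcap) {
    if (len > 0xFFFF || outcap < len + 2) return -1;
    out[0] = (uint8_t)(len >> 8);
    out[1] = (uint8_t)(len & 0xFF);
    memcpy(out + 2, payload, len);
    return (ssize_t)(len + 2);
}

/* Parse one {packet, 2} message from buf. Returns payload length and sets
 * *payload, or -1 when the header or body is incomplete (the usual failure
 * mode when the other side dies mid-message). */
static ssize_t packet2_decode(const uint8_t *buf, size_t buflen,
                              const uint8_t **payload) {
    if (buflen < 2) return -1;
    size_t len = ((size_t)buf[0] << 8) | buf[1];
    if (buflen < len + 2) return -1;
    *payload = buf + 2;
    return (ssize_t)len;
}

/* Stand-in for the real work: does the payload start with a ZIP local file
 * header ("PK\x03\x04")? Returns 1 if so, 0 otherwise. */
static int is_zip_magic(const uint8_t *p, size_t len) {
    static const uint8_t magic[4] = { 'P', 'K', 0x03, 0x04 };
    return len >= 4 && memcmp(p, magic, 4) == 0;
}

/* Read exactly n bytes. Returns 1 on success, 0 on clean EOF, -1 on error. */
static int read_exact(int fd, uint8_t *buf, size_t n) {
    size_t got = 0;
    while (got < n) {
        ssize_t r = read(fd, buf + got, n - got);
        if (r == 0) return 0;
        if (r < 0) { if (errno == EINTR) continue; return -1; }
        got += (size_t)r;
    }
    return 1;
}

static int write_all(int fd, const uint8_t *buf, size_t n) {
    size_t done = 0;
    while (done < n) {
        ssize_t w = write(fd, buf + done, n - done);
        if (w < 0) { if (errno == EINTR) continue; return -1; }
        done += (size_t)w;
    }
    return 0;
}

int main(void) {
    /* Anything needing ambient authority (config, a directory fd for temp
     * files) must be opened before this point; this example needs nothing. */
    if (sandbox_enter() != 0) { perror("sandbox_enter"); return 1; }

    static uint8_t hdr[2], body[65535], out[65537];
    for (;;) {
        int r = read_exact(STDIN_FILENO, hdr, 2);
        if (r <= 0) return r == 0 ? 0 : 1;        /* EOF: Erlang closed the port */
        size_t len = ((size_t)hdr[0] << 8) | hdr[1];
        if (read_exact(STDIN_FILENO, body, len) <= 0) return 1;
        const char *verdict = is_zip_magic(body, len) ? "zip" : "not-zip";
        ssize_t n = packet2_encode((const uint8_t *)verdict, strlen(verdict),
                                   out, sizeof out);
        if (n < 0 || write_all(STDOUT_FILENO, out, (size_t)n) != 0) return 1;
    }
}
```

The ordering is the whole point: every descriptor the port will ever need is acquired and rights-limited first, cap_enter() comes next, and only then is untrusted document data read. If the real parser needs scratch space, open a directory descriptor before cap_enter() and use openat() on it afterwards rather than absolute paths, which capability mode refuses.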
I have done something similar in FreeBSD with Jails.
Where I wanted an environment completely locked down for evaluating code from “external” sources. I’m using ports and the only data allowed to flow back and forth is a stream of text.
The environment running the code is completely locked down, minimal user privileges in a readonly setup.
Heard of Capsicum previously, but never explored it. So I will definitely have a look at it =) so thank you for the link.