Guide for building secure sandbox environments with gVisor, 9P, and JWT-based controls.
| Layer | Component | Protects Against |
|---|---|---|
| Runtime | gVisor (user-space kernel) | Kernel exploits, container escapes |
| Filesystem | 9P Protocol (isolated mounts) | Unauthorized file access, symlink attacks |
| Network | Egress Proxy (JWT-controlled) | Data exfiltration, C2 callbacks |
| Resources | cgroups (limits) | DoS, resource exhaustion |
| Process | Linux Namespaces (isolation) | Privilege escalation, lateral movement |
| Identity | JWT Authentication (ES256) | Unauthorized access, replay attacks |
```bash
# Clone the repository
git clone https://github.com/NeaByteLab/Sandbox-Guide.git
cd Sandbox-Guide

# Install gVisor
chmod +x scripts/install-gvisor.sh
sudo ./scripts/install-gvisor.sh

# Run security tests
chmod +x scripts/security-tests.sh
./scripts/security-tests.sh
```

gVisor requires Linux. Use Multipass to create an Ubuntu VM:

```bash
# Create and setup VM
multipass launch --name sandbox-test --cpus 2 --memory 4G --disk 20G
multipass mount $(pwd) sandbox-test:/home/ubuntu/sandbox-guide
multipass shell sandbox-test

# Inside VM - run the quick start
cd /home/ubuntu/sandbox-guide
bash scripts/quick-start.sh
```

For the full guide, see docs/README.md.
Quick access to automation scripts in scripts/:
| Script | Purpose |
|---|---|
| quick-start.sh | Full setup automation |
| install-gvisor.sh | Install gVisor runtime |
| security-tests.sh | Run security validation suite |
| envoy.yaml | Egress proxy configuration |
| auth-service.py | JWT token generation service |
| container-manager.py | Container lifecycle management |
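The Identity and Network rows of the layer table, together with the auth-service.py / envoy.yaml pair, describe an egress proxy that lets a request leave the sandbox only when it carries a valid ES256 JWT. The program below is an added example, not code from the Sandbox-Guide project: it mints such a token with the Go standard library and shows the checks the verifying side has to make before it trusts anything in the token (alg pinned to ES256, signature checked before any claim is read, exp enforced, jti consumed once so a captured token cannot be replayed, destination host matched against an allow-list claim). The "egress" claim name, the Claims layout and the host names are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Claims of a sandbox egress token; "egress" is an assumed custom claim, not the project's.
type Claims struct {
	Sub    string   `json:"sub"`
	Exp    int64    `json:"exp"`
	Jti    string   `json:"jti"`
	Egress []string `json:"egress"`
}

var b64 = base64.RawURLEncoding

// Mint signs claims as an ES256 JWT; the JWS signature is raw r||s (32 bytes each), not DER (RFC 7518 3.4).
func Mint(key *ecdsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT"})
	pl, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(pl)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return input + "." + b64.EncodeToString(sig), nil
}

// Verifier is the proxy side: the issuer's public key plus every jti already
// consumed, so a captured token cannot be replayed before it expires.
type Verifier struct {
	Pub  *ecdsa.PublicKey
	Seen map[string]bool
}

// Verify pins alg to ES256 (no "none", no HS256 key confusion), checks the
// signature before trusting any claim, then enforces exp and single-use jti.
func (v *Verifier) Verify(token string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if h, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(h, &hdr) != nil || hdr.Alg != "ES256" {
		return nil, errors.New("alg must be ES256")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(v.Pub, digest[:], r, s) {
		return nil, errors.New("signature invalid")
	}
	var c Claims
	if pl, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(pl, &c) != nil {
		return nil, errors.New("bad payload")
	}
	if time.Now().Unix() >= c.Exp || c.Jti == "" || v.Seen[c.Jti] {
		return nil, errors.New("token expired or replayed")
	}
	v.Seen[c.Jti] = true
	return &c, nil
}

// AllowEgress is the proxy's decision for one outbound request: the token
// must verify and must list host exactly (no wildcards or suffix matching).
func (v *Verifier) AllowEgress(token, host string) bool {
	if c, err := v.Verify(token); err == nil {
		for _, h := range c.Egress {
			if h == host {
				return true
			}
		}
	}
	return false
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	v := &Verifier{Pub: &key.PublicKey, Seen: map[string]bool{}}
	tok, _ := Mint(key, Claims{Sub: "sandbox-42", Exp: time.Now().Unix() + 30, Jti: "req-0001", Egress: []string{"api.example.com"}})
	fmt.Println("first use:", v.AllowEgress(tok, "api.example.com")) // true
	fmt.Println("replay   :", v.AllowEgress(tok, "api.example.com")) // false
}
```

Each outbound request carries its own short-lived token, so the Seen set only has to remember a jti until its exp has passed; a real proxy would evict on that basis and would load the issuer's public key from configuration rather than generating a key pair in main. The order of checks matters: the payload is decoded only after the signature has been verified, so an attacker-controlled alg or claim never influences the decision.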
- Envoy Proxy Docs - HTTP proxy for JWT-based egress control
- gVisor Documentation - User-space kernel for container isolation
- Container Security Best Practices - Kubernetes security guidelines
- JWT Standards (RFC 8725) - JWT implementation best practices
Licensed under the Apache License, Version 2.0. See LICENSE for details.
