encapsulate provides a locked down view on a Linux environment, which is suitable for running untrusted code.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Patrick Georgi f776a3d20b Add LICENSE file 4 years ago
LICENSE Add LICENSE file 4 years ago
Makefile Add dependency 9 years ago
README.markdown Create mount point internally instead of requesting it as argument 9 years ago
encapsulate.c Guarantee zero termination of the inner command line 5 years ago



Linux utility to isolate a process and its children while providing a full environment easily. Makes use of Linux’s namespace capabilities and is thus totally unportable. It also might require more Linux kernel options than you have enabled.


encapsulate writable-subtree|tree2|tree3|... command args...



  • detaches itself (and its children) from the system’s mount point table, IPC table, process ID table and network stack instance,
  • mounts the current filesystem view to a temporary directory,
  • marks it read-only,
  • mounts the writable-subtrees (delimited by |) at its “native” location into the new directory hierarchy,
  • chroots to the newly mounted root directory,
  • chdirs to the current directory (but inside the chroot),
  • setuids back to the current user,
  • and finally calls command with args

A separate process waits for all this to finish and deletes the temporary directory afterwards.

The result is that command runs in a system similar to the real one with a couple of exceptions. First, only files below writable-subtree are writable, everything else (including /tmp, unless that’s the directory you choose) is read-only. Second, command can’t inspect many aspects of the system (such as currently running processes) or interact with processes easily. Third, network is blocked, so if command attempts to run a spam-bot, it will fail.


encapsulate /tmp|/home/foo bash

This starts a shell with “just the same” filesystem view as normal, but with everything but /tmp and /home/foo (and their subdirectories) readonly. The new view is mounted to a temporary directory, but that happens in a separate namespace, so this isn’t visible to the host system except for an empty directory in /tmp.