A x86_64 Linux application sandboxing tool demonstrating container isolation techniques via namespaces, cgroups, and seccomp.

Creates an isolated execution environment via:

• Namespace isolation: Separate UTS (hostname), PID, mount, network, and IPC namespaces
• Resource limits: CPU, memory, swap, and pid restrictions through cgroups v2
• Syscall filtering: Whitelist-based syscall filtering through seccomp-bpf
• Filesystem isolation: Separate read-only root filesystem through the pivot_root syscall and tmpfs/overlayfs
• Capability dropping: Removes all Linux capabilities from the sandboxed process

• Linux 4.5+ (for cgroups v2 support)
• x86_64 architecture
• Root or sudo access (for namespace and cgroup operations)

• GCC
• GNU make

Euclid requires a minimal Linux root filesystem to use as the container's root. Alpine has been used during development

# Create a directory for the rootfs
mkdir -p ~/alpine

# Download Alpine rootfs (grab the current link from the website)
cd ~/alpine
wget https://dl-cdn.alpinelinux.org/alpine/v3.23/releases/x86_64/alpine-minirootfs-3.23.3-x86_64.tar.gz

# Extract the rootfs
tar -xvf alpine-minirootfs-3.23.3-x86_64.tar.gz

# Remove the archive from the rootfs
rm -rf alpine-minirootfs-3.23.3-x86_64.tar.gz

Configuration of Euclid is compiled-in to reduce the attack surface that comes with having external configuration files. The constants to configure Euclid are located near the beginning of src/context.c.

Compile the project

make

Install the compiled binary

sudo make install

• make - Compile the binary
• make install – Install binary
• make clean – Remove build objects
• make fclean - Remove build objects and binary

Run the sandbox

sudo euclid

This launches the sandbox with the command specified in the configuration (/bin/sh by default).

GNU General Public License V2

Copyright (c) 2026 Jacob Niemeir