A sandbox is a piece of software that artificially restricts a target's access to specific resources according to an assigned policy. The sandbox installs hooks in the kernel's system call paths and other subsystems so that it can intercept the events an application triggers. From the application's point of view nothing changes; but when it tries, for instance, to open /dev/kmem, the sandbox consults the assigned sandbox scheme and decides whether to grant or deny the access.
In our case the sandbox is a kernel module built on the MAC (Mandatory Access Control) Framework developed by the TrustedBSD project. All the hooks it needs are already part of the FreeBSD kernel.
The sandboxing idea is not new: Apple, for instance, has developed a sandboxing facility for OS X and iOS to protect the system and its integrity. Apple's sandbox is also based on the MAC Framework, in a slightly modified form.
The MAC Framework is built into the kernel and offers a kernel programming interface for intercepting and overriding requests coming from userspace applications, and for attaching security labels to the protected entities. This approach requires no modification of the system call table or of any other kernel structure. When execution reaches a MAC entry point, the framework checks whether any loaded security extension has registered a control function for that entry point. If one has, the framework runs it and returns its decision, taken against the loaded policy, to the kernel.
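To make the dispatch concrete, the following is an added user-space model of what happens when execution reaches one MAC entry point (the open check on a vnode). It is illustration only: not this project's kernel module and not the FreeBSD kernel's own source. The hook names mirror the kernel's (mac_policy_ops, mac_vnode_check_open, mac_error_select), but the ucred and vnode labels are simplified stand-ins, the two policies (a sandbox policy that keeps confined processes away from kernel memory devices, and an integrity policy that refuses writes to labelled objects) are hypothetical, and the process names and paths are constructed for the demonstration.

```c
/*
 * Added user-space model of one MAC Framework check (mac_vnode_check_open).
 * Illustration only: not the project's kernel module and not the real
 * FreeBSD API. The hook names mirror the kernel's, the structures are
 * simplified stand-ins, and the sample processes/paths are constructed.
 */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAC_ACC_READ   0x1
#define MAC_ACC_WRITE  0x2

/* Security label the framework keeps on a process credential (simplified). */
struct ucred {
    const char *comm;       /* process name, only for the trace output */
    bool        sandboxed;  /* set by the sandbox policy when it confines a process */
};

/* Security label kept on a vnode (file or device node). */
struct vnode {
    const char *path;
    bool        integrity_protected;  /* set by the integrity policy */
};

/* Each loaded policy registers a table of hooks; NULL means "no opinion". */
struct mac_policy_ops {
    const char *name;
    int (*vnode_check_open)(const struct ucred *, const struct vnode *, int);
};

/* Policy 1, the sandbox: confined processes may not open kernel memory devices. */
static const char *const sandbox_denied[] = { "/dev/kmem", "/dev/mem", "/dev/io", NULL };

static int
sandbox_vnode_check_open(const struct ucred *cred, const struct vnode *vp, int accmode)
{
    (void)accmode;
    if (!cred->sandboxed)
        return 0;                       /* unlabelled processes are not constrained */
    for (size_t i = 0; sandbox_denied[i] != NULL; i++)
        if (strcmp(vp->path, sandbox_denied[i]) == 0)
            return EACCES;
    return 0;
}

/* Policy 2, integrity: nobody may open a protected object for writing. */
static int
integrity_vnode_check_open(const struct ucred *cred, const struct vnode *vp, int accmode)
{
    (void)cred;
    return (vp->integrity_protected && (accmode & MAC_ACC_WRITE)) ? EPERM : 0;
}

/* The loaded policies (the kernel keeps a list; an array is enough here). */
static const struct mac_policy_ops mac_policies[] = {
    { "sandbox",   sandbox_vnode_check_open },
    { "integrity", integrity_vnode_check_open },
};

/* Subset of the kernel's mac_error_select(): an error beats success, EACCES beats EPERM. */
static int
mac_error_select(int error1, int error2)
{
    if (error1 == EACCES || error2 == EACCES)
        return EACCES;
    if (error1 == EPERM || error2 == EPERM)
        return EPERM;
    return error1 != 0 ? error1 : error2;
}

/* Framework entry point: the open(2) path calls this before the ordinary permission check. */
int
mac_vnode_check_open(const struct ucred *cred, const struct vnode *vp, int accmode)
{
    int error = 0;
    for (size_t i = 0; i < sizeof mac_policies / sizeof mac_policies[0]; i++) {
        const struct mac_policy_ops *mpo = &mac_policies[i];
        if (mpo->vnode_check_open == NULL)
            continue;                   /* policy did not register this hook */
        error = mac_error_select(error, mpo->vnode_check_open(cred, vp, accmode));
    }
    return error;
}

/* Convenience wrapper: build the two labels, run the check, return 0 or an errno. */
int
decide_open(const char *comm, bool sandboxed, const char *path, bool protected_obj, int accmode)
{
    struct ucred cred = { comm, sandboxed };
    struct vnode vp   = { path, protected_obj };
    int error = mac_vnode_check_open(&cred, &vp, accmode);
    printf("%-4s %s %-18s -> %s\n", comm, (accmode & MAC_ACC_WRITE) ? "write" : "read ",
           path, error == 0 ? "allowed" : strerror(error));
    return error;
}

int
main(void)
{
    /* Constructed scenarios: a confined app and an unconfined shell. */
    decide_open("app", true,  "/dev/kmem",         false, MAC_ACC_READ);   /* EACCES */
    decide_open("sh",  false, "/dev/kmem",         false, MAC_ACC_READ);   /* allowed */
    decide_open("app", true,  "/etc/sandbox.conf", true,  MAC_ACC_WRITE);  /* EPERM */
    decide_open("app", true,  "/dev/io",           true,  MAC_ACC_WRITE);  /* EACCES wins over EPERM */
    return 0;
}
```

Two things the model is meant to show. First, the framework, not the policy, owns the dispatch: a policy only supplies functions for the hooks it cares about, and the kernel code that opens a file never knows which policies are loaded. Second, when several policies register the same hook every one of them is consulted and any denial wins; when they disagree on the error, the framework picks one deterministically rather than returning whichever ran last. In a real FreeBSD module the hook table is a struct mac_policy_ops registered with MAC_POLICY_SET(), and labels are stored in the label slots the framework allocates on ucred and vnode rather than in plain struct fields as here.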
Development has reached the point where some of the functionality can be demonstrated.
The demo shows: the integrity protection mechanisms, sandboxing a process, sandbox control, and applying constraints to executables.