# Using a MAC policy to 'sandbox' a process without a jail



## pkc (Jan 5, 2019)

I am writing a utility that will be, among other things, interacting with the jail subsystem and managing running jails, so it does not seem possible for me to place it in a jail of its own to isolate it.

I have been doing some introductory reading on MAC but I was hoping someone knowledgeable could indicate if what I am trying to achieve is feasible.

Basically I would like to take the permissions that a non-root user has on my system, and add the ability to issue the jail system calls. Or, similarly, take the root permissions, which include the ability to issue jail system calls, and restrict almost everything else, including network access, filesystem access, etc.

I am doing this because I do not necessarily trust the runtime and package system of the language that I will be developing this utility in.


----------

