spawn

May 7, 2026

While developing a software project, it may be useful to verify the stability of the program or library by denying the ability to execute child processes. This helps ensure the top program is stable in such cases by using an interposer. This technique is demonstrated for Linux, macOS, and Windows on compilers including GCC, Clang, MSVC, NVHPC, and oneAPI. This is not a cybersecurity sandbox, but rather a limited development tool to test stability of the top program when child process launches fails.

Use this interposer demo by:

git clone https://github.com/scivision/interposer-nochild

cd interposer-nochild

cmake --workflow --preset default

Run the interposer with most other programs by:

Windows: build/no-children.exe myprogram.exe arg1 args ...
macOS: DYLD_INSERT_LIBRARIES=build/libnochild.dylib myprogram arg1 args ...
Linux: LD_PRELOAD=build/libnochild.so myprogram arg1 args ...

Actual sandboxing tools can additionally deny access to resources including filesystem, network, and/or child processes such as:

Linux: Firejail
macOS: App Sandbox
Windows: Windows Sandbox