How to sandbox applications?
I want to run small untrusted programs, but restrict them from accessing any files outside of their folder, network access, and everything else that they don't really need. What is the simplest way to achieve this?
Solution 1:
If they are really untrusted, and you want to be sure, you'd set up a separate box. Either really, or virtually.
Further, you don't want that box to be in the same network as your important stuff, if you are paranoid enough. In all solutions you'd set up a separate user with no rights, so not to open too much tools to the would-be compromiser.
- So the safest option would be a separate box removed physically from your network.
- You could give in a bit by adding it to the physical network, but on a different subnet: no 'real' connection inside
- A virtual machine would be an option, but might have to give up some performance
If you are bound on running it on the same box, you have for instance, this option
-
chroot
. This is a default option for doing this for lots of people, and for non-specific threats it might even work. But it is NOT a security option, and can be broken out of rather easily. I'd suggest to use this as intended, i.e. not for security.
In the end you might need to set up a specific sandboxing model without the hassle of virtualization or separate boxes, or the still-at-risk situation of chroot
. I doubt this is what you meant, but look at this link for some more in-depth information.
Solution 2:
Firejail is fairly new and in constant development. Easy to use.
You can simply:
sudo apt-get install firejail
firejail app
Solution 3:
Full virtualization/emulation (VirtualBox)
One possible solution is virtualization software such as VirtualBox which you can find in the software centre.
- Install Virtual box
- Create a virtual machine with networking enabled
- Install Ubuntu or perhaps a lighter desktop such as Lubuntu
- Fully update the installed OS (inside Virtual box)
- Disable Networking on the virtual machine
- Take a snapshot
You can now install the software you don't trust to see what it does. It can't upset the outside world or you host OS as it does not have access.
It may trash your virtual machine however but if it does you can just restore from your snapshot.
There may be other methods to limit the destructive power of untrusted software but this is the most robust method I can think of.
Container-based virtualization (Docker/LXC)
Another option may be LXC more information here
LXC is the userspace control package for Linux Containers, a lightweight virtual system mechanism sometimes described as “chroot on steroids”.
LXC builds up from chroot to implement complete virtual systems, adding resource management and isolation mechanisms to Linux’s existing process management infrastructure.
It's available in the software centre. I have no experience with however.
Solution 4:
Docker will help you to set up containers that you can run off of your current kernel, yet keep contained away from the rest of your system. It seems pretty cutting edge but there's an Ubuntu focus an good documentation.