How to sandbox applications?

I want to run small untrusted programs, but restrict them from accessing any files outside of their folder, network access, and everything else that they don't really need. What is the simplest way to achieve this?


Solution 1:

If they are really untrusted, and you want to be sure, you'd set up a separate box. Either really, or virtually.

Further, you don't want that box to be in the same network as your important stuff, if you are paranoid enough. In all solutions you'd set up a separate user with no rights, so as not to open too many tools to the would-be compromiser.

  • So the safest option would be a separate box removed physically from your network.
  • You could give in a bit by adding it to the physical network, but on a different subnet: no 'real' connection inside
  • A virtual machine would be an option, but might have to give up some performance

If you are bound on running it on the same box, you have, for instance, this option:

  • chroot. This is a default option for doing this for lots of people, and for non-specific threats it might even work. But it is NOT a security option, and can be broken out of rather easily. I'd suggest using this as intended, i.e. not for security.

In the end you might need to set up a specific sandboxing model without the hassle of virtualization or separate boxes, or the still-at-risk situation of chroot. I doubt this is what you meant, but look at this link for some more in-depth information.

Solution 2:

Firejail is fairly new and in constant development. Easy to use.

You can simply:

sudo apt-get install firejail
firejail app
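
As an added example (not part of any answer above), a small POSIX shell wrapper that turns the plain `firejail app` into a run with the restrictions the question asks for: no network, the program's own directory mounted as its home, no extra capabilities or privileges, and a seccomp filter. The flag names are those of firejail 0.9.x; SANDBOX_DIR and the directory paths are placeholders.

```shell
#!/bin/sh
# Added example: wrap firejail with restrictive options.
# firejail 0.9.x option names assumed; nothing here is from the answers above.

# Print the firejail options for a program kept in directory $1.
firejail_args() {
    app_dir=$1
    printf '%s' "--net=none --private=$app_dir --private-tmp --private-dev --nosound --noroot --nonewprivs --caps.drop=all --seccomp --rlimit-nproc=64"
    # --net=none      : no network interfaces except loopback
    # --private=DIR   : DIR is mounted as the user's home; nothing else of $HOME is visible
    # --private-tmp, --private-dev: empty /tmp and a minimal /dev
    # --noroot, --nonewprivs, --caps.drop=all: no root user, no setuid gain, no capabilities
    # --seccomp       : default syscall filter; --rlimit-nproc: cap fork bombs
}

# Run "$2 ..." inside the sandbox built for directory $1.
# Inside the sandbox $1 appears as $HOME, so name the program as seen there,
# e.g. run_sandboxed ~/untrusted "$HOME/prog".
run_sandboxed() {
    app_dir=$1; shift
    [ -d "$app_dir" ] || { echo "no such directory: $app_dir" >&2; return 2; }
    case $app_dir in
        *[[:space:]]*) echo "directory path must not contain whitespace" >&2; return 2 ;;
    esac
    command -v firejail >/dev/null 2>&1 || { echo "firejail is not installed" >&2; return 127; }
    # Word-splitting of the option string is intended: no option contains spaces.
    exec firejail $(firejail_args "$app_dir") "$@"
}

# Usage: SANDBOX_DIR=~/untrusted ./sandbox.sh "$HOME/prog" arg1 arg2
if [ -n "${SANDBOX_DIR-}" ]; then
    run_sandboxed "$SANDBOX_DIR" "$@"
fi
```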

Solution 3:

Full virtualization/emulation (VirtualBox)

One possible solution is virtualization software such as VirtualBox which you can find in the software centre.

  • Install VirtualBox
  • Create a virtual machine with networking enabled
  • Install Ubuntu or perhaps a lighter desktop such as Lubuntu
  • Fully update the installed OS (inside VirtualBox)
  • Disable Networking on the virtual machine
  • Take a snapshot

You can now install the software you don't trust to see what it does. It can't upset the outside world or your host OS, as it does not have access.

It may trash your virtual machine, however, but if it does you can just restore from your snapshot.

There may be other methods to limit the destructive power of untrusted software but this is the most robust method I can think of.

Container-based virtualization (Docker/LXC)

Another option may be LXC; more information here.

LXC is the userspace control package for Linux Containers, a lightweight virtual system mechanism sometimes described as “chroot on steroids”.

LXC builds up from chroot to implement complete virtual systems, adding resource management and isolation mechanisms to Linux’s existing process management infrastructure.

It's available in the software centre. I have no experience with it, however.

Solution 4:

Docker will help you to set up containers that you can run off of your current kernel, yet keep contained away from the rest of your system. It seems pretty cutting edge, but there's an Ubuntu focus and good documentation.