Hi, I am a newbie to Linux, currently trying out Puppy Linux via Live CD. I want to know whether there is a program that is effectively like Sandboxie that will run on Puppy Linux to protect internet-facing applications, just as in Windows. Thank you, Terry
Well, it's not really necessary for a desktop box, but yes, there are numerous ways to do it with Linux. I can think of 3 ways off the top of my head: Linux (and all Unices) have a built-in utility called chroot. With it you can create a new account and use chroot to sandbox it from the rest of the system. Another way is to use a Mandatory Access Control system like SELinux, AppArmor, SMACK, Tomoyo, or Grsecurity. Fedora comes with SELinux enabled and Ubuntu comes with AppArmor. All distros can be made to use one of the above MACs. With these MACs you can create an application-specific sandbox. That is, you can allow the application to do what it needs to do and nothing else. This means exploits will not work against it because this mandatory policy won't allow it. SELinux also has a feature called "sandbox -x" that will open a new GUI window that cannot interact with the rest of the system. So, for instance, you could use this new window to run an instance of Firefox in, and nothing Firefox does can affect anything on the system. A third way is to simply use a virtual machine.
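
Before relying on one of the MAC systems listed in the post above, it helps to confirm which one the kernel actually has active and, for SELinux, whether it is enforcing. The shell script below is an added example, not part of the original thread; it assumes a kernel that exposes /sys/kernel/security/lsm, covers SELinux, AppArmor, SMACK and Tomoyo only (not Grsecurity), and its sysroot argument and SYSROOT variable are hypothetical, there so it can be run against a constructed directory tree.

```shell
#!/bin/sh
# Added example: report which MAC system the running kernel has active.
# The sysroot argument is a hypothetical parameter (default "/") so the
# functions can be pointed at a constructed directory tree.

# active_lsms SYSROOT: print the kernel's LSM list, one name per line.
active_lsms() {
    lsm_file="${1%/}/sys/kernel/security/lsm"
    [ -r "$lsm_file" ] || return 0   # securityfs not mounted, or file absent
    tr ',' '\n' < "$lsm_file" | sed '/^$/d'
}

# mac_status SYSROOT: print "<name> <state>" for the first MAC found, or "none".
mac_status() {
    root="${1%/}"
    for lsm in $(active_lsms "$root"); do
        case "$lsm" in
            selinux)
                mode=$(cat "$root/sys/fs/selinux/enforce" 2>/dev/null || true)
                case "$mode" in
                    1) echo "selinux enforcing" ;;
                    0) echo "selinux permissive" ;;  # violations logged, not blocked
                    *) echo "selinux disabled" ;;
                esac
                return 0 ;;
            apparmor)
                on=$(cat "$root/sys/module/apparmor/parameters/enabled" 2>/dev/null || true)
                if [ "$on" = "Y" ]; then echo "apparmor enabled"
                else echo "apparmor disabled"; fi
                return 0 ;;
            smack|tomoyo)
                echo "$lsm enabled"
                return 0 ;;
        esac
    done
    echo "none"
}

mac_status "${SYSROOT:-/}"
```

A result of "apparmor enabled" or "selinux enforcing" only says the kernel side is active; whether a given application is confined still depends on a profile or policy being loaded for it.
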
systrace should do the trick. Just remember, nothing is perfect, and do not rely on any security program to be impenetrable and do whatever the heck you want and expect no repercussions. Being smart will do a ton more for you than any other program. Cheers, Alphalutra1