Sandboxing Linux

Discussion in 'all things UNIX' started by TerryWood, Dec 27, 2009.

Thread Status:
Not open for further replies.
  1. TerryWood

    TerryWood Registered Member

    Jan 14, 2006

    I am a newbie to Linux currently trying out Puppy Linux via Live CD.

    I want to know whether there is a program that is effectively like Sandboxie that will run on Puppy Linux to protect internet facing applications, just as in Windows?

    Thank you

  2. Kerodo

    Kerodo Registered Member

    Oct 5, 2004
    There is no need for anything like that in Linux.
  3. chronomatic

    chronomatic Registered Member

    Apr 9, 2009
    Well, it's not really necessary for a desktop box, but yes there are numerous ways to do it with linux. I can think of 3 ways off the top of my head:

    Linux (and all Unices) have a built-in utility called chroot. With it you can create a new account and use chroot to sandbox it from the rest of the system.

    Another way is to use a Mandatory Access Control system like SELinux, AppArmor, SMACK, Tomoyo, or Grsecurity. Fedora comes with SELinux enabled and Ubuntu comes with AppArmor. All distros can be made to use one of the above MAC's. With these MAC's you can create an application specific sandbox. That is, you can allow the application to do what it needs to do and nothing else. This means exploits will not work against it because this mandatory policy wont allow it. SELinux also has a feature called "sandbox -x" that will open a new GUI window that cannot interact with the rest of the system. So, for instance, you could use this new window to run an instance of Firefox in, and nothing firefox does can affect anything on the system.

    A third way is to simply use a virtual machine.
  4. Alphalutra1

    Alphalutra1 Registered Member

    Dec 17, 2005
    systrace should do the trick. Just remember, nothing is perfect, and do not rely on any security program to be impenetrable and do whatever the heck you want and expect no repercussions. Being smart will do a ton more for you than any other program.


Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.