System and Application level virtualization for Linux?

Discussion in 'sandboxing & virtualization' started by RoamMaster, Sep 15, 2010.

Thread Status:
Not open for further replies.
  1. RoamMaster

    RoamMaster Registered Member

    Joined:
    Oct 1, 2006
    Posts:
    47
    I've had a block of my hard drive partitioned off as Ex3 fro a while. I finally started using Linux a bit for a few utilities that don't exist on Windows.
    But, I've been reluctant to use it for browsing because I've become used to having my browser in SandboxIE and my system protected by Returnil.

    I know that the user is non root by default, but I'm not fully confident as it stands.
    Is there something like this for Linux?
     
  2. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    Unfortunatelly i am afraid that there is currently no product that provides browser sandboxing and virtualization on Linux (but i may be wrong of course).
    There is a very few instant restore or rollback software solutions such as Returnil for a full system, not for a single application (browser, mail client etc.).
    But as you are in the right place, it would be interesting to take a look at ExtBrowser which provides an access to a Linux partiction from Windows:http://www.paragon-software.com/home/extbrowser/

    It is free with registration to get the serial key.
    Paragon offers excellent free and paid products like their recent virtualization application for Windows Paragon go Virtual
    http://www.paragon-software.com/home/go-virtual/

    Linux and Windows regards :)
     
  3. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    First, I'm going to assume following:

    System virtualization - something like reboot, revert changes?
    Application virtualization - something like sandboxie?

    Well, system, you have live CDs! Pretty much any Linux comes as a fully usable live CD, so you enjoy yourself and then reboot, going back to normal.

    Application wise, there are all kinds of programs that can do sandboxing, including the built-in chroot environment mechanism, plus several programs that build on it and offer extended functionality.

    Now, a question? Why do you need those? Why would you bother?
    What benefit do you see in trying such solutions, or rather, what kind of a problem are you trying to solve?

    Mrk
     
  4. adam993

    adam993 Registered Member

    Joined:
    Jul 22, 2009
    Posts:
    203
    Location:
    Poland
  5. RoamMaster

    RoamMaster Registered Member

    Joined:
    Oct 1, 2006
    Posts:
    47
    That'll make transferring files easier(and safer) :)
    Thank you.

    Yes to both.

    One of the main things I use Ubuntu for is video encoding. I need write access to the hard drive for that.

    Yeah, I pretty much knew this, from reading around. But it sounds like a huge pain, and I'm too lazy to learn all that :p
    The reason I use Returnil and SandboxIE is because they're easy to setup.

    If I had to deal with spending 50+ hours in a manual to learn them, I'd just deal with spyware/malware :D

    My primary concern is persistent keyloggers.
    Linux doesn't have an application based firewall capability, so should I get one, it will definitely be getting out without problems(unless it's stupid enough to use only exotic ports).
    I know you'll respond that a user isn't a root, and so they can't install outside their own home directory. But that assumes the program(written specifically for Linux), can't access sudo.
    In the last year, through regular browsing, I've had two programs manage to install themselves(temporarily thanks to Returnil) into my system volume.
    Now I realize in that period of time, I probably wouldn't have the issue at all in Linux, since it's much lower profile.
    Still, in the event it *does* happen, I don't believe there's any way to recover from it, short of a partition wipe. Nor is there any way to even detect it.

    Correct me if I'm misunderstanding any of this.
     
  6. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    hi,
    hi,

    SeLinux is not a sandbox, it's an hardening patch or framework that comes integrated with some distributions and that can be configured for thoses who like Gui with tools like Segatex...
    As i've said above, i personnaly don't know a Linux sandboxie equivalent as a program.
    Of course, in linux or in Windows it's possible to harden the system deeply and then create a kind of sandboxed and restrictive environment, but it requires to be an advanced users, one or two hours and to be a keyboard friend of course...a simple example is to set up file permission on browser.
    Regarding Returnil, there is free full virtualization software that can be used to run a VM easily, and there is DeepFreeze linux and a beta free soft that i've not experimented yet.
    But creating an equivalent of Sandboxie in Linux is not as simple as a Ramones song (one-two-tree-four!).It is well circumscribed by a Google dev. Julien Tinnes in his paper where are presented an overview of linuix sandbox like those designed for Chromium:
    http://blog.cr0.org/2009/10/security-in-depth-for-linux-software.html

    As pointed out by Mrk, it is possible to launch a restrive environment with chroot (in UBUNTU for instance:https://help.ubuntu.com/community/DebootstrapChroot ), and with patience and effort, maybe a kind of solution can be used with the tandem Unionfs and chroot:
    http://www.paguilar.org/blog/?p=24

    And why not running Linux application from Windows as it is permitted by plenty free programs like Ulteo virtual desktop:
    http://www.ulteo.com/home/en/home?a=view&autolang=en

    At last, keyloogers are not difficult to defeat in Linux, just using the virtual keyboard is enough in most cases ( SSL VPN is a plus too).
    More over, if someone wants to own you, he can do it with the necessary ressources (money or/and skills): i've seen a backddor installation in Linux with a package update...


    Rgds
     
Loading...
Thread Status:
Not open for further replies.