Linux / Fedora sandboxing processes and filesystem changes
Is there a Linux (close) equivalent, that runs on Fedora, to the Windows program sandboxie? It’s not perfect, but it basically creates a C:\Sandbox\\XYZ directory and any processes running in the XYZ sandbox are transparently (to the processes) locked to making changes in that folder. Sandboxie can allow processes running through it to see outside of there — basically it’s able to give a process the state of the computer, but overlaying the sandbox directory over it to give precedence.
I’d like to be able to start up a bash terminal, do some
sudo yum (or, now, its replacement
sudo dnf) installations, do whatever else, and have it all self-contained.
So, I would be able to delete one of these Linux sandboxes, and everything done inside of it (including yum or dnf installs) would just vaporize, never having affected outside the sandbox. And, hopefully, there would be a way to “bring things out” of the sandbox into the full environment.
I’m interested in light-weight solutions good for lots of sandboxes, so everything doesn’t need to be copied to a new installation for example.
I was excited about Linux containers, and maybe I tried it wrong. I tried
sudo lxc-execute -n test bash, then within the “contained” bash login, ran
touch fromLxc, which is sadly visible to other terminals not in the lxc container.
I looked at docker, but that looks like it doesn’t let things run “on top” of the o/s, but runs things in a docker installation. So, as you add things to your top-level o/s, they’d have to be re-added within the docker installation.
I don’t think
chroot works, because as the top-level o/s changes, I don’t think it will “propagate” changes into the chroot environment.
One Solution collect form web for “Linux / Fedora sandboxing processes and filesystem changes”
I think you are on the right track with Linux containers. The feature you want is a Union Mount, where processes see a layered filesystem, and write only to the top layer. Docker for example uses union mounts, but starts with a file system image as the lowest layer, not the native ‘/’ fs of the host. So I beleive what you want to do is mount ‘/’ into somewhere /var/mounts/xyzzy say, mount another filesystem on top using UnionFS, aufs or OverlayFS, then chroot the environment to /var/mounts/xyzzy so nothing escapes. This is all possible, though if you could find a way to use docker, say by building an image of with whatever files you need, you might be up and running a lot faster.