Linux / Fedora sandboxing processes and filesystem changes

Is there a Linux (close) equivalent, that runs on Fedora, to the Windows program sandboxie? It’s not perfect, but it basically creates a C:\Sandbox\\XYZ directory and any processes running in the XYZ sandbox are transparently (to the processes) locked to making changes in that folder. Sandboxie can allow processes running through it to see outside of there — basically it’s able to give a process the state of the computer, but overlaying the sandbox directory over it to give precedence.

I’d like to be able to start up a bash terminal, do some sudo yum (or, now, its replacement sudo dnf) installations, do whatever else, and have it all self-contained.

  • chrome fails with “Illegal instruction” in minimal Centos7+Xvfb
  • Building a generic Camel/Docker image and apply different Camel routes when container starts
  • Docker - Mount Directory From Container to Host
  • serverspec command returning blank strings
  • How do I start tensorflow docker jupyter notebook
  • Finding Containers Using Docker VirtualBox
  • So, I would be able to delete one of these Linux sandboxes, and everything done inside of it (including yum or dnf installs) would just vaporize, never having affected outside the sandbox. And, hopefully, there would be a way to “bring things out” of the sandbox into the full environment.

    I’m interested in light-weight solutions good for lots of sandboxes, so everything doesn’t need to be copied to a new installation for example.

    I was excited about Linux containers, and maybe I tried it wrong. I tried sudo lxc-execute -n test bash, then within the “contained” bash login, ran touch fromLxc, which is sadly visible to other terminals not in the lxc container.

    I looked at docker, but that looks like it doesn’t let things run “on top” of the o/s, but runs things in a docker installation. So, as you add things to your top-level o/s, they’d have to be re-added within the docker installation.

    I don’t think chroot works, because as the top-level o/s changes, I don’t think it will “propagate” changes into the chroot environment.

  • App within docker container cannot invoke service on same container
  • openshift v3 sed couldn't open temporary file
  • Use node-sass with docker-compose
  • docker local host url not opening
  • Dockerfile COPY: “lchown … not a directory”
  • get docker log stream in correct order
  • One Solution collect form web for “Linux / Fedora sandboxing processes and filesystem changes”

    I think you are on the right track with Linux containers. The feature you want is a Union Mount, where processes see a layered filesystem, and write only to the top layer. Docker for example uses union mounts, but starts with a file system image as the lowest layer, not the native ‘/’ fs of the host. So I beleive what you want to do is mount ‘/’ into somewhere /var/mounts/xyzzy say, mount another filesystem on top using UnionFS, aufs or OverlayFS, then chroot the environment to /var/mounts/xyzzy so nothing escapes. This is all possible, though if you could find a way to use docker, say by building an image of with whatever files you need, you might be up and running a lot faster.

    Docker will be the best open platform for developers and sysadmins to build, ship, and run distributed applications.