Linux / Fedora sandboxing processes and filesystem changes

Is there a Linux (close) equivalent, that runs on Fedora, to the Windows program sandboxie? It’s not perfect, but it basically creates a C:\Sandbox\XYZ directory and any processes running in the XYZ sandbox are transparently (to the processes) locked to making changes in that folder. Sandboxie can allow processes running through it to see outside of there — basically it’s able to give a process the state of the computer, but overlaying the sandbox directory over it to give precedence.

I’d like to be able to start up a bash terminal, do some sudo yum (or, now, its replacement sudo dnf) installations, do whatever else, and have it all self-contained.

So, I would be able to delete one of these Linux sandboxes, and everything done inside of it (including yum or dnf installs) would just vaporize, never having affected outside the sandbox. And, hopefully, there would be a way to “bring things out” of the sandbox into the full environment.

I’m interested in light-weight solutions good for lots of sandboxes, so everything doesn’t need to be copied to a new installation for example.

I was excited about Linux containers, and maybe I tried it wrong. I tried sudo lxc-execute -n test bash, then within the “contained” bash login, ran touch fromLxc, which is sadly visible to other terminals not in the lxc container.

I looked at docker, but that looks like it doesn’t let things run “on top” of the o/s, but runs things in a docker installation. So, as you add things to your top-level o/s, they’d have to be re-added within the docker installation.

I don’t think chroot works, because as the top-level o/s changes, I don’t think it will “propagate” changes into the chroot environment.

One Solution:

I think you are on the right track with Linux containers. The feature you want is a Union Mount, where processes see a layered filesystem, and write only to the top layer. Docker for example uses union mounts, but starts with a file system image as the lowest layer, not the native ‘/’ fs of the host. So I believe what you want to do is mount ‘/’ into somewhere /var/mounts/xyzzy say, mount another filesystem on top using UnionFS, aufs or OverlayFS, then chroot the environment to /var/mounts/xyzzy so nothing escapes. This is all possible, though if you could find a way to use docker, say by building an image with whatever files you need, you might be up and running a lot faster.
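As an added example (not code from the answer or the question), this shell script does what the answer sketches: the host's live ‘/’ as the read-only OverlayFS lower layer, a per-sandbox upper layer that captures every write, and a chroot into the merged view, plus helpers to throw a sandbox away and to find what it changed. It assumes root on a Fedora host with an OverlayFS-capable kernel and util-linux; SANDBOX_ROOT, the tmpfs size and the function names are my own choices.

```shell
# Added example, not code from the original post: a throwaway sandbox over the
# host's live '/' as the answer sketches (host '/' as the OverlayFS lower layer,
# a writable upper layer on top, then chroot). Assumes root, util-linux and an
# OverlayFS-capable kernel; SANDBOX_ROOT and the function names are my own.
set -eu
SANDBOX_ROOT="${SANDBOX_ROOT:-/var/mounts}"

# Map a sandbox name to its directory, rejecting names that could escape
# SANDBOX_ROOT (empty, '.', '..', anything containing '/').
sandbox_path() {
    case "$1" in ''|.|..|*/*) return 1 ;; esac
    printf '%s/%s' "$SANDBOX_ROOT" "$1"
}

# OverlayFS options: host '/' is the read-only lower layer, every write inside
# the sandbox lands in upper/, and work/ is overlayfs scratch space.
overlay_opts() {
    printf 'lowerdir=/,upperdir=%s/upper,workdir=%s/work' "$1" "$1"
}

sandbox_enter() {
    sb=$(sandbox_path "$1") || { echo "bad sandbox name: $1" >&2; return 1; }
    mkdir -p "$sb"
    # upper/ and work/ must share a filesystem and must not sit inside the
    # lower tree, so each sandbox gets its own tmpfs (dropped on destroy).
    mountpoint -q "$sb" || mount -t tmpfs -o size=2G tmpfs "$sb"
    mkdir -p "$sb/upper" "$sb/work" "$sb/merged"
    mount -t overlay overlay -o "$(overlay_opts "$sb")" "$sb/merged"
    # Only the root filesystem is layered: /proc, /sys, /dev and any separate
    # mounts such as /home show up empty unless mounted into the merged tree.
    mount -t proc proc "$sb/merged/proc"
    mount --rbind /sys "$sb/merged/sys"
    mount --rbind /dev "$sb/merged/dev"
    # Private mount namespace: mounts made inside (dnf, systemd) stay inside.
    # chroot is no security boundary for root; this contains mistakes, not malware.
    unshare -m chroot "$sb/merged" /bin/bash
}

# "Bring things out": upper/ holds exactly what the sandbox created or changed;
# copy what you want to keep. Char devices 0/0 are whiteouts for deleted files.
sandbox_changes() {
    sb=$(sandbox_path "$1") || return 1
    find "$sb/upper" -type f -o -type c
}

# "Vaporize": unmount everything and drop the tmpfs with all its contents.
sandbox_destroy() {
    sb=$(sandbox_path "$1") || return 1
    umount -R "$sb/merged" && umount "$sb" && rmdir "$sb"
}
```

Run it as root, e.g. sh -c '. ./sandbox.sh && sandbox_enter xyzzy', and later sh -c '. ./sandbox.sh && sandbox_destroy xyzzy' to throw the sandbox away. Each new sandbox sees the host's current state, but changing the host ‘/’ underneath an already mounted overlay is not something overlayfs guarantees to handle, so destroy and recreate sandboxes after big host changes.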
