Linux / Fedora sandboxing processes and filesystem changes

Is there a Linux (close) equivalent, that runs on Fedora, to the Windows program Sandboxie? It’s not perfect, but it basically creates a C:\Sandbox\XYZ directory and any processes running in the XYZ sandbox are transparently (to the processes) locked to making changes in that folder. Sandboxie can allow processes running through it to see outside of there — basically it’s able to give a process the state of the computer, but overlaying the sandbox directory over it to give precedence.

I’d like to be able to start up a bash terminal, do some sudo yum (or, now, its replacement sudo dnf) installations, do whatever else, and have it all self-contained.

So, I would be able to delete one of these Linux sandboxes, and everything done inside of it (including yum or dnf installs) would just vaporize, never having affected outside the sandbox. And, hopefully, there would be a way to “bring things out” of the sandbox into the full environment.

I’m interested in light-weight solutions good for lots of sandboxes, so everything doesn’t need to be copied to a new installation for example.

I was excited about Linux containers, and maybe I tried it wrong. I tried sudo lxc-execute -n test bash, then within the “contained” bash login, ran touch fromLxc, which is sadly visible to other terminals not in the lxc container.

I looked at docker, but that looks like it doesn’t let things run “on top” of the o/s, but runs things in a docker installation. So, as you add things to your top-level o/s, they’d have to be re-added within the docker installation.

I don’t think chroot works, because as the top-level o/s changes, I don’t think it will “propagate” changes into the chroot environment.

One solution collected from the web for “Linux / Fedora sandboxing processes and filesystem changes”

I think you are on the right track with Linux containers. The feature you want is a Union Mount, where processes see a layered filesystem, and write only to the top layer. Docker for example uses union mounts, but starts with a file system image as the lowest layer, not the native ‘/’ fs of the host. So I believe what you want to do is mount ‘/’ somewhere, /var/mounts/xyzzy say, mount another filesystem on top using UnionFS, aufs or OverlayFS, then chroot the environment to /var/mounts/xyzzy so nothing escapes. This is all possible, though if you could find a way to use docker, say by building an image with whatever files you need, you might be up and running a lot faster.
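The overlay-plus-chroot setup this answer describes, written out as an added example that is not part of the original answer. It assumes OverlayFS and root privileges; `SANDBOX_ROOT` and all function names are hypothetical, and if the kernel refuses an upperdir located under lowerdir, `SANDBOX_ROOT` belongs on a separate filesystem.

```bash
#!/usr/bin/env bash
# Added example: per-sandbox OverlayFS layer over the host's "/" (run as root).
# SANDBOX_ROOT and every function name here are assumptions for illustration.
SANDBOX_ROOT="${SANDBOX_ROOT:-/var/mounts}"

# Reject names that could point outside SANDBOX_ROOT (empty, ".", "..", slashes).
valid_name() {
    case "$1" in
        ''|.|..|*/*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the overlay mount options for sandbox NAME.
# upperdir and workdir must be on the same filesystem; workdir starts empty.
overlay_opts() {
    local base="$SANDBOX_ROOT/$1"
    printf 'lowerdir=/,upperdir=%s/upper,workdir=%s/work' "$base" "$base"
}

# Open a shell whose writes all land in $SANDBOX_ROOT/NAME/upper.
sandbox_enter() {
    local name="$1" base
    valid_name "$name" || { echo "bad sandbox name" >&2; return 1; }
    base="$SANDBOX_ROOT/$name"
    mkdir -p "$base/upper" "$base/work" "$base/merged" || return 1
    # New mount namespace: the mounts below vanish when the shell exits.
    unshare --mount bash -c '
        set -e
        mount -t overlay overlay -o "$1" "$2/merged"
        # lowerdir=/ covers only the root filesystem, not what is mounted
        # on top of it, so the kernel filesystems are added explicitly.
        mount --rbind /dev "$2/merged/dev"
        mount -t proc proc "$2/merged/proc"
        mount --rbind /sys "$2/merged/sys"
        exec chroot "$2/merged" /bin/bash
    ' _ "$(overlay_opts "$name")" "$base"
}

# List what the sandbox changed; copy entries out of upper/ to keep them.
sandbox_changes() { (cd "$SANDBOX_ROOT/$1/upper" && find . -mindepth 1 | sort); }

# Discard the sandbox and every change made inside it.
sandbox_destroy() { valid_name "$1" && rm -rf -- "${SANDBOX_ROOT:?}/$1"; }
```

Separate host mounts such as /home or /boot are not part of the root filesystem and appear empty inside the sandbox unless they are bound in as well. A root process can leave a chroot, so this contains filesystem changes from cooperative programs rather than hostile code.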
