Sandbox Process Isolation in Linux

From Free Knowledge Base- The DUCK Project: information for everyone

Terms: jail, chroot jail, sandbox.

Linux Containers: http://lxc.sourceforge.net/

Containers offer an environment as close as possible to the one you would get from a VM, but without the overhead of running a separate kernel and emulating all the hardware.

Note that LXC isn't enough for everything. For example, if the application has access to an X server, it can do pretty much anything to the other applications running on the same X server.

chroot Jail

  • A chroot operation changes the apparent root directory for a running process and its children.
  • The program (process) runs with a root directory other than /.
  • The program (process) cannot see or access files outside the designated directory tree.
  • The fake root directory is known as the chroot jail.
  • Limitation: a root user inside the chroot can still create device nodes and mount file systems on them, so a chroot alone does not confine a privileged process.

Set up your chroot jail...

chroot /home/nicolep/chjail

The fake root directory for the program(s) will be /home/nicolep/chjail, which the process sees as the filesystem root /. However, the chjail root starts out empty, with none of the operating system's external command binaries (such as those in /bin), so the shell has to be copied in:

mkdir /home/nicolep/chjail/bin
cp /bin/bash /home/nicolep/chjail/bin

The binary also depends on dynamically linked shared libraries; find them and copy them into the jail as well, at the same paths they have on the host. You can list them with

ldd /bin/bash

Now supply the jail with whatever other shell commands you require, copying each binary and its libraries in the same way.
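Copying each binary and every library ldd lists by hand is tedious and error-prone, so here is an added example (not from the original page) that automates the steps above in POSIX shell: it parses ldd output and recreates each file under the jail root. The jail path, the SAMPLE_LDD text and the helper names are constructed for illustration; running this and the later chroot requires root.

```shell
#!/bin/sh
# Added example, not from the DUCK wiki page.
# Populate a chroot jail with a binary plus the shared libraries ldd reports.
# Assumes ldd prints the usual glibc line shapes (see lib_paths_from_ldd).

# Constructed sample of `ldd /bin/bash` output, used for a dry run below.
SAMPLE_LDD='	linux-vdso.so.1 (0x00007ffd2a5f3000)
	libtinfo.so.6 => /lib/x86_64-linux-gnu/libtinfo.so.6 (0x00007f3a1c0c0000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3a1bed0000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f3a1c2a0000)'

# Read ldd output on stdin and print only absolute library paths.
#   name => /path (0x...)   -> the path after "=>"
#   /path (0x...)           -> the dynamic loader, path is the first field
#   linux-vdso.so.1 (0x...) -> kernel-provided, no file, skipped
#   name => not found       -> skipped (nothing to copy; fix the host first)
lib_paths_from_ldd() {
    awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }
        $1 ~ /^\//               { print $1 }
    '
}

# Copy one host file into the jail, recreating its directory under the jail.
# Only regular files are copied; device nodes are deliberately never created.
copy_into_jail() {
    jail=$1; src=$2
    [ -f "$src" ] || return 1
    mkdir -p "$jail$(dirname "$src")"
    cp "$src" "$jail$src"
}

# Copy a binary and everything ldd lists for it, e.g.:
#   populate_jail /home/nicolep/chjail /bin/bash
populate_jail() {
    jail=$1; bin=$2
    copy_into_jail "$jail" "$bin" || return 1
    ldd "$bin" | lib_paths_from_ldd | while IFS= read -r lib; do
        copy_into_jail "$jail" "$lib" || exit 1
    done
}

# Dry run on the constructed sample: prints the three paths that would be copied.
demo_paths() {
    printf '%s\n' "$SAMPLE_LDD" | lib_paths_from_ldd
}
```

After populating the jail, start the program with `chroot` as a non-root user where possible, since root inside the jail keeps the device-node and mount capabilities noted above.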