Sandbox Process Isolation in Linux
Terms: jail, chroot jail, sandbox
Linux Containers: http://lxc.sourceforge.net/
Containers offer an environment as close as possible to the one you'd get from a VM, but without the overhead that comes with running a separate kernel and simulating all the hardware.
Note that LXC isn't enough for everything. For example, if the application has access to an X server, it can do pretty much everything to other applications running on the same X server.
chroot Jail
- a chroot operation changes the apparent root directory for a running process and its children.
- the program (process) will run with a root directory other than /.
- the program (process) cannot see or access files outside the designated directory tree.
- the fake root directory is known as the chroot jail.
- limitation: a root user inside the chroot can still create device nodes and mount the file systems on them.
Set up your chroot jail...
chroot /home/nicolep/chjail
The fake root directory for the program(s) will be /home/nicolep/chjail, which will appear as the file system root (/) to the process. However, the chjail root is empty: it contains none of the operating system's external command binaries (such as those in /bin).
mkdir /home/nicolep/chjail/bin
cp /bin/bash /home/nicolep/chjail/bin
Find the shared libraries that bash is dynamically linked against and manually copy them into the jail as well. You can list them with:
ldd /bin/bash
Now supply the chroot jail with all the other shell commands you require.
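The copy steps above, generalized into a small shell helper that copies a binary together with every library ldd reports and then checks that nothing is missing from the jail. This is an added example, not part of the original notes; the function names are hypothetical and the usage lines reuse the /home/nicolep/chjail path from above.

```shell
#!/bin/sh
# Added example, not from the original notes. jail_deps, populate_jail and
# verify_jail are hypothetical helper names.

# Print the absolute path of every shared object a binary is linked against.
# ldd prints "name => /path (addr)" for libraries and "/path (addr)" for the
# dynamic loader. Use ldd on trusted binaries only: it may run code from the file.
jail_deps() {
    ldd "$1" 2>/dev/null | awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }
        $1 ~ /^\//               { print $1 }'
}

# Copy binary $2 and its libraries into jail directory $1 under the same
# paths, so the loader finds them once the jail is the process root.
populate_jail() {
    jail=$1
    bin=$2
    [ -d "$jail" ] || { echo "no such jail directory: $jail" >&2; return 1; }
    case $bin in /*) ;; *) echo "need an absolute path: $bin" >&2; return 1 ;; esac
    [ -x "$bin" ] || { echo "not executable: $bin" >&2; return 1; }
    for f in "$bin" $(jail_deps "$bin"); do
        mkdir -p "$jail$(dirname "$f")" || return 1
        cp -L "$f" "$jail$f" || return 1   # -L copies the file a symlink points to
    done
}

# Return 1 and name each file that ldd lists but the jail lacks.
verify_jail() {
    missing=0
    for f in "$2" $(jail_deps "$2"); do
        [ -e "$1$f" ] || { echo "missing in jail: $f" >&2; missing=1; }
    done
    return "$missing"
}

# Usage with the paths from these notes (the chroot call itself needs root):
#   populate_jail /home/nicolep/chjail /bin/bash
#   verify_jail   /home/nicolep/chjail /bin/bash
#   chroot /home/nicolep/chjail /bin/bash
```

Running verify_jail again after adding each further command shows which libraries are still missing before the process is started inside the jail.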