Run programs in a sandbox environment without writing to rootfs.
```console
# sbox bash
Create new container "default" with snapshot at /tmp/sbox/default/snapshot
assigned ip 192.168.50.2 for sandbox
Enter container "default":
# pwd
/root
# ls
# mkdir xxxx # create directory in sandbox
# cd xxxx/
# touch TEST # create file in sandbox
#
# exit
exit
dirty
└── root
    ├── .bash_history
    └── xxxx
        └── TEST
2 directories, 2 files
36K data generated.
> Commit changes to snapshot? [Y/n] y
commited to /tmp/sbox/default/snapshot
Snapshot size 36K (1 files, 1 directories).
> Merge snapshot with local filesystem? [N/y] n
Abort.
#
# pwd
/root
# ls # nothing gets written to our rootfs
```
Programs run in sBox still have access to your rootfs, but all modifications to the filesystem are cached in the snapshot instead of being written through. You may choose to merge these changes into the local filesystem on exit.
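The review-then-merge step shown in the session above is the part worth understanding: nothing reaches the real filesystem until you have seen what the sandboxed program changed and said yes. The script below is an added illustration of that step, not code from sBox. It models the snapshot with two plain directories (`lower` stands for the rootfs, `upper` for the cached writes), classifies every snapshot entry as added, modified or deleted, and only touches `lower` when `dry_run=False`. Deletions are modelled as a set of relative paths rather than the character-device whiteouts overlayfs uses, since creating those requires root; renames and metadata-only changes are not modelled. All file contents and paths are constructed for the demo.

```python
"""Added example (not part of sBox): review a copy-on-write snapshot before
merging it into the real filesystem.

``lower`` models the rootfs, ``upper`` the per-container snapshot that
collected the sandboxed program's writes. ``whiteouts`` is a constructed
stand-in for overlayfs deletion markers (the real ones are 0:0 character
devices, which need root to create).
"""
import filecmp
import os
import shutil
import tempfile
from pathlib import Path


def compute_dirty(lower: Path, upper: Path, whiteouts=frozenset()):
    """Return {relative_path: 'added' | 'modified' | 'deleted'}.

    Directories are listed only when they are new, files whenever they are
    new or differ byte-for-byte from the copy in ``lower``.
    """
    changes = {}
    for root, dirs, files in os.walk(upper):
        rel_root = Path(root).relative_to(upper)
        for d in dirs:
            rel = rel_root / d
            if not (lower / rel).exists():
                changes[str(rel)] = "added"
        for f in files:
            rel = rel_root / f
            if not (lower / rel).exists():
                changes[str(rel)] = "added"
            elif not filecmp.cmp(lower / rel, upper / rel, shallow=False):
                changes[str(rel)] = "modified"
    for rel in whiteouts:
        changes[str(Path(rel))] = "deleted"
    return changes


def snapshot_size(upper: Path) -> int:
    """Bytes of file data held in the snapshot (the '36K data generated' figure)."""
    return sum((Path(root) / f).stat().st_size
               for root, _, files in os.walk(upper) for f in files)


def merge(lower: Path, upper: Path, whiteouts=frozenset(), dry_run=True):
    """Apply the snapshot to ``lower``; with dry_run=True only the plan is
    returned, which is what answering 'n' to the merge prompt amounts to."""
    plan = compute_dirty(lower, upper, whiteouts)
    if dry_run:
        return plan
    shutil.copytree(upper, lower, dirs_exist_ok=True)  # added + modified entries
    for rel in whiteouts:                               # deleted entries
        target = lower / rel
        if target.is_dir() and not target.is_symlink():
            shutil.rmtree(target)
        elif target.exists() or target.is_symlink():
            target.unlink()
    return plan


def demo():
    """Build a constructed rootfs/snapshot pair, review it, then merge it."""
    base = Path(tempfile.mkdtemp(prefix="sbox-demo-"))
    lower, upper = base / "rootfs", base / "snapshot"
    # Constructed rootfs: a home directory and two config files.
    (lower / "root").mkdir(parents=True)
    (lower / "root" / ".profile").write_text("umask 022\n")
    (lower / "etc").mkdir()
    (lower / "etc" / "hostname").write_text("host\n")
    (lower / "etc" / "motd").write_text("welcome\n")
    # Constructed snapshot: what the sandboxed session wrote.
    (upper / "root" / "xxxx").mkdir(parents=True)
    (upper / "root" / "xxxx" / "TEST").write_text("")
    (upper / "etc").mkdir()
    (upper / "etc" / "hostname").write_text("sandbox\n")
    whiteouts = {"etc/motd"}  # the program removed /etc/motd inside the sandbox

    plan = merge(lower, upper, whiteouts, dry_run=True)  # review: rootfs untouched
    assert (lower / "etc" / "motd").exists()
    merge(lower, upper, whiteouts, dry_run=False)        # operator said yes
    result = {
        "plan": plan,
        "size": snapshot_size(upper),
        "hostname": (lower / "etc" / "hostname").read_text(),
        "motd_exists": (lower / "etc" / "motd").exists(),
        "test_exists": (lower / "root" / "xxxx" / "TEST").exists(),
    }
    shutil.rmtree(base)
    return result


if __name__ == "__main__":
    for path, kind in sorted(demo()["plan"].items()):
        print(f"{kind:9} {path}")
```

The plan is the thing to read before answering the merge prompt: a sandboxed build that only touched its own working directory looks very different from one whose plan lists changes under `etc/` or a deleted file it had no business removing.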
In addition, sBox is capable of doing the following:
- Namespaces
  - Internet Access (network)
  - Mount Points
  - PID (process view)
  - IPC (shared memory between processes)
  - UTS (hostname)
  - CGroup
- CGroup Integration (cgroup controllers on sandbox main process)
- Seccomp (syscall) Blacklist
- Capability Blacklist
- AppArmor Integration (profile per sandbox)
The default security profile of sBox can be a bit aggressive; you may want to tone it down if your program fails to run.
```sh
# dependencies, make adjustments for package managers other than apt
apt-get install iproute2 net-tools iptables bash grep diffutils findutils sudo ipcalc pcregrep tree attr libseccomp2 libseccomp-dev apparmor-utils cgroup-tools libapparmor-dev
make install # copy executables to /usr/bin
```