What is the easiest way to sandbox an application in a *NIX environment?

Question

I have a significant number of untrusted binary applications that need to be executed on a *nix box.

I'm hoping that there might be some simple command/script (e.g. sandbox ./app1953) that could easily be used to isolate a single application from being able to harm or access the rest of the system (I only need access to stdin/stdout).

I'd rather not use full-blown virtual machines, as the overhead resulting from running thousands of copies of an OS is considerably larger than I'd like to consider.

score 3 · Answer 1 · edited Aug 02 '21 at 10:49

3

There is no secure, easy-to-use command line sandbox utility. Popular utilities such as Firejail can often be a cure worse than the disease, and many sandbox bypasses and privilege escalation vulnerabilities have been found (and continue to be found) in it. Sandboxing an application usually requires using mandatory access controls, such as the popular AppArmor or SELinux framework. This will generally involve customized security policies, tailored to the specific application.

I wrote a lot about Linux sandboxing in another answer.

edited Aug 02 '21 at 10:49

Glorfindel

2,235
6
18
30

answered May 03 '18 at 01:00

forest

64,616
20
206
257

Has the situation improved with bubblewrap? I'm quite happy with it. – Michaël Cadilhac Apr 09 '20 at 17:07

score 0 · Answer 2 · answered Oct 21 '20 at 19:10

0

firejail command line utility depending on apparmor of SeLinux

apt install firejail
firejail --whitelist=~/Chroot bash

answered Oct 21 '20 at 19:10

Tinmarino

117
1

2

Did you even read @forest answer before posting your answer? Cause if you did why did you not expend it with addressing his comments about Firejail specifically... – LvB Oct 21 '20 at 22:16
To make it fast – Tinmarino Oct 22 '20 at 03:45

What is the easiest way to sandbox an application in a *NIX environment?

2 Answers2