Update on desktop application sandboxing

So on Saturday I blogged about a piece of code I wrote to easily create containers on a recent Linux desktop. I have now spent a few more hours improving the code a bit with two main new features:

  • Support for turning on/off network access
  • Support for mounting /home as aufs too

sandbox help

The on/off switch for network access is done by putting (or not) the spawned shell in another network namespace. This means that if network is disabled for the container, the software running in the container will only see a loopback device. This loopback device itself is separate from the one available outside the container, so a contained software won’t be able to access anything that listens on the loopback interface outside of the container.

I also switched to creating a “mount” directory that’s a tmpfs and which in turn contains the various mount points for the container. This workarounds the fact that you can’t mount an aufs filesystem in a sub-directory of its base filesystem (or it’d create a loop).

I updated the README in the branch accordingly and added basic getopt support for the two options.

Code can be found in a bzr branch: bzr get lp:~stgraber/+junk/sandbox
Or from: https://code.launchpad.net/~stgraber/+junk/sandbox

About Stéphane Graber

Project leader of Linux Containers, Linux hacker, Ubuntu core developer, conference organizer and speaker.
This entry was posted in Planet Revolution-Linux, Planet Ubuntu, Sandbox and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.