
I have a significant number of untrusted binary applications that need to be executed on a *nix box.

I'm hoping that there might be some simple command/script (e.g. sandbox ./app1953) that could easily be used to isolate a single application from being able to harm or access the rest of the system (I only need access to stdin/stdout).

I'd rather not use full-blown virtual machines, as the overhead resulting from running thousands of copies of an OS is considerably larger than I'd like to consider.

Stack Tracer

2 Answers


There is no secure, easy-to-use command line sandbox utility. Popular utilities such as Firejail can often be a cure worse than the disease, and many sandbox bypasses and privilege escalation vulnerabilities have been found (and continue to be found) in it. Sandboxing an application usually requires using mandatory access controls, such as the popular AppArmor or SELinux framework. This will generally involve customized security policies, tailored to the specific application.

I wrote a lot about Linux sandboxing in another answer.

Glorfindel
forest
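An example of the tailored mandatory-access-control policy this answer recommends, added here and not part of the answer: an AppArmor profile that confines any binary dropped into an assumed directory /opt/untrusted to its own libraries and the stdin/stdout it inherits. The profile name, file path and directory are assumptions.

```apparmor
# Assumed location: /etc/apparmor.d/opt.untrusted
# Confines every binary placed in /opt/untrusted (assumed directory) to
# reading its own libraries and talking over the stdin/stdout it inherits.
#include <tunables/global>

# Attach to any executable under /opt/untrusted. Start in complain mode
# until the audit log shows no unexpected DENIED entries, then remove
# the flag so the policy actually enforces.
profile untrusted_app /opt/untrusted/* flags=(complain) {
  # ld.so, libc, locale data and /proc/self basics
  #include <abstractions/base>

  # The binary itself may be read and mapped executable
  /opt/untrusted/* mr,

  # No network sockets of any family
  deny network,

  # No Linux capabilities, even if the binary is setuid or run by root
  deny capability,

  # Cannot inspect or trace other processes
  deny ptrace,

  # stdin/stdout are inherited file descriptors and need no file rule.
  # Anything not listed is already denied (AppArmor is default-deny);
  # these explicit denials override the abstraction and keep the log quiet.
  deny /home/** rwklx,
  deny /root/** rwklx,
  deny /tmp/** rwklx,
  deny /var/** rwklx,
  deny /etc/** wl,
  deny /proc/** w,
  deny /sys/** rwklx,

  # No exec rules (ix/px/ux) are granted, so it cannot spawn other programs
}
```

Load it with `sudo apparmor_parser -r /etc/apparmor.d/opt.untrusted`; from then on `/opt/untrusted/app1953 < input > output` is confined automatically, and every violation shows up as an `apparmor="DENIED"` (or, in complain mode, `apparmor="ALLOWED"`) line in the kernel log.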

The firejail command-line utility, depending on AppArmor or SELinux:

```sh
# Install firejail (package installation needs root)
sudo apt install firejail

# Start a shell in which only ~/Chroot is visible inside $HOME;
# the rest of the home directory is hidden from the sandboxed process
firejail --whitelist=~/Chroot bash
```
Tinmarino