The cautious Linux user does not like surprises. To limit the surprises an application can spring, you simply isolate it.
Without going as far as Bash (ahem…), not wanting Skype, Chrome, Steam, Minecraft, … and even Firefox to see the rest of the system is more than legitimate.
The most traditional solution is the classic chroot: easy to set up, but with a controversial reputation (especially among people who use BSD jails). The criticism is well founded: chroot only changes the process's view of the filesystem, does nothing for the network, the process table or system calls, and a process running as root inside it can get back out, so it was never a security boundary on its own.
AppArmor offers its own solution too, but without being especially inspiring.
Buzzword-wise, these technologies are rather behind the times anyway, so why not simply use Docker?
Docker is quite simply a tool designed to run an application in a bounded context (RAM, CPU, disk, network), in a simple and cheap way; under the hood it relies on the same kernel namespaces and cgroups as the tools below. Nobody forces you to tack the word Cloud onto it, a word you already have enough trouble explaining.
Isolating an application means giving it access only to the services it needs, and granting that access explicitly: everything not listed is denied.
Mbox is a lightweight sandboxing mechanism that any user can use without special privileges in commodity operating systems.
TL;DR
$ mbox -- wget google.com
...
Network Summary:
[11279] -> 173.194.43.51:80
[11279] Create socket(PF_INET,...)
[11279] -> a00::2607:f8b0:4006:803:0
...
Sandbox Root:
/tmp/sandbox-11275
N:/tmp/index.html
[c]ommit, [i]gnore, [d]iff, [l]ist, [s]hell, [q]uit ?>
Firejail is a SUID security sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table.
Firejail can sandbox any type of process: servers, graphical applications, and even user login sessions. Written in C with virtually no dependencies, it should work on any Linux computer with a 3.x kernel version. Debian, Ubuntu, Mint, OpenSUSE, and Fedora packages are provided. An Arch Linux package is maintained in AUR.
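What that "private view of the globally shared kernel resources" looks like at the system-call level, as an added example (this is not Firejail's code, only an illustration of the kernel facilities it builds on): the program below clones a child into fresh user, PID, network, mount and UTS namespaces and has the child report what it sees. The names sandbox_probe, sandbox_view and the SBX_* result codes are the example's own. Unprivileged namespace creation can be refused (EPERM) by a sysctl such as Debian's kernel.unprivileged_userns_clone or by a container seccomp profile; the probe reports that as "unsupported" instead of failing, and it is the dependency Firejail avoids by being SUID root.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <ifaddrs.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* What the sandboxed child reports back to the parent through a pipe. */
struct sandbox_view {
    pid_t pid_seen;       /* getpid() inside the new PID namespace: 1 when isolated   */
    int   foreign_ifaces; /* interfaces other than "lo" in the new net namespace: 0   */
    char  hostname[64];   /* hostname inside the new UTS namespace                    */
};

enum { SBX_OK = 0, SBX_UNSUPPORTED = 1, SBX_ERROR = 2 };

/* Count distinct network interfaces whose name is not "lo"; -1 on failure. */
int count_foreign_ifaces(void)
{
    struct ifaddrs *list, *ifa;
    if (getifaddrs(&list) != 0)
        return -1;
    int n = 0;
    for (ifa = list; ifa; ifa = ifa->ifa_next) {
        if (strcmp(ifa->ifa_name, "lo") == 0)
            continue;
        /* getifaddrs returns one entry per (interface, address family): count each name once */
        int dup = 0;
        for (struct ifaddrs *p = list; p != ifa; p = p->ifa_next)
            if (strcmp(p->ifa_name, ifa->ifa_name) == 0) { dup = 1; break; }
        if (!dup)
            n++;
    }
    freeifaddrs(list);
    return n;
}

/* Runs inside the new namespaces; arg is the write end of the pipe. */
static int child_main(void *arg)
{
    int fd = *(int *)arg;
    struct sandbox_view v;
    memset(&v, 0, sizeof v);
    v.pid_seen = getpid();                    /* 1: first process of a fresh PID namespace */
    v.foreign_ifaces = count_foreign_ifaces(); /* the host's eth0/wlan0 are gone           */
    /* The child holds all capabilities in its own user namespace, so it may rename
     * its private UTS namespace without affecting the real host name. */
    if (sethostname("sandbox", 7) != 0)
        snprintf(v.hostname, sizeof v.hostname, "sethostname: %s", strerror(errno));
    else if (gethostname(v.hostname, sizeof v.hostname) != 0)
        v.hostname[0] = '\0';
    v.hostname[sizeof v.hostname - 1] = '\0';
    return write(fd, &v, sizeof v) == (ssize_t)sizeof v ? 0 : 1;
}

/* Clone a child into new user+pid+net+mount+uts namespaces and collect its view. */
int sandbox_probe(struct sandbox_view *out)
{
    int pfd[2];
    if (pipe(pfd) != 0)
        return SBX_ERROR;
    size_t stack_size = 1 << 20;
    char *stack = malloc(stack_size);
    if (!stack) { close(pfd[0]); close(pfd[1]); return SBX_ERROR; }

    /* CLONE_NEWUSER first makes the other namespaces creatable without root. */
    int flags = CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNET | CLONE_NEWNS | CLONE_NEWUTS | SIGCHLD;
    pid_t pid = clone(child_main, stack + stack_size, flags, &pfd[1]);
    int err = errno;
    close(pfd[1]);

    int rc;
    if (pid < 0) {
        /* EPERM: sysctl or seccomp refused; EINVAL/ENOSYS: kernel built without support;
         * EUSERS/ENOSPC: namespace limits reached. None of these is a bug in the caller. */
        rc = (err == EPERM || err == EINVAL || err == ENOSYS || err == EUSERS || err == ENOSPC)
                 ? SBX_UNSUPPORTED : SBX_ERROR;
    } else {
        ssize_t got = read(pfd[0], out, sizeof *out);
        int status;
        waitpid(pid, &status, 0);
        rc = (got == (ssize_t)sizeof *out && WIFEXITED(status) && WEXITSTATUS(status) == 0)
                 ? SBX_OK : SBX_ERROR;
    }
    close(pfd[0]);
    free(stack);
    return rc;
}

int main(void)
{
    struct sandbox_view v;
    memset(&v, 0, sizeof v);
    int rc = sandbox_probe(&v);
    if (rc == SBX_OK)
        printf("inside: pid=%d foreign_ifaces=%d hostname=%s\n",
               (int)v.pid_seen, v.foreign_ifaces, v.hostname);
    else
        printf("namespaces %s here (outside: foreign_ifaces=%d)\n",
               rc == SBX_UNSUPPORTED ? "unavailable" : "failed", count_foreign_ifaces());
    return rc == SBX_ERROR;
}
```

On a kernel that allows unprivileged user namespaces the child sees itself as PID 1, no interface but lo, and the hostname "sandbox", while the parent's view is unchanged; the same program run under a restrictive seccomp profile prints that namespaces are unavailable, which is exactly the situation a SUID helper such as Firejail sidesteps.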
It's with great pleasure that the LXC team is announcing the release of LXC 1.0!
This release is a significant milestone for us as it marks the first release we consider to be production ready. It features a wide variety of improvements to container security, a consistent set of tools, updated documentation and an API with multiple bindings.
Linux containers (LXC) is a lightweight virtualization technology built into the Linux kernel. In my previous article, Debian Virtualization: LXC Application Containers, I detailed the steps to configure and run a simple application container using LXC. LXC application containers are very lean and consume strictly the resources the application requires. This is in sharp contrast with other virtualization technologies, which run a full Linux distribution in a VM.