8

I have been using PlayOnLinux to run Windows programs on Linux. PlayOnLinux creates a virtual drive for each program installed and every VD represents a different Windows XP computer.

Any changes made by the program stay within its own VD only. So if I run a program with a virus I can simply delete the program's VD and all is well.

Is there a similar program that allows Linux programs to be run in a virtual drive? I.e., I want PlayOnLinux/Wine minus the Windows emulation.

Kshitiz Sharma

3 Answers

5

I want to share Firejail, a Sandboxie-like software for Linux, GUI included.

Take a look here: https://firejail.wordpress.com/ and download from https://sourceforge.net/projects/firejail/ or https://pkgs.org/debian-sid/debian-main-amd64/firejail_0.9.38-1_amd64.deb.html (change to your system)

Easy to use; just run `firejail` on top of your command/software, in that case `firejail wine program.exe`.

In case you want to inspect those programs before running them, you can chain them all together using `firejail wine winedbg --gdb program.exe` to run the Wine debugger jailed.

Maybe you're thinking of how much good it can be. Take a look at how to fully run a firejailed WordPress installation, as an example of complex sandboxing: https://www.digitalocean.com/community/tutorials/how-to-use-firejail-to-set-up-a-wordpress-installation-in-a-jailed-environment

Never trust a piece of binary blob (exe).

Jeff Schaller
m3nda
  • [How can firejail be used with games?](https://unix.stackexchange.com/questions/714165/is-it-possible-to-sandbox-wine-in-a-way-that-mitigates-all-security-risks-from-r) Can it be added to Lutris? How secure is it for games or should you take additional measures? – mYnDstrEAm Oct 12 '22 at 15:21
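
An added example, not part of the answer above or of Firejail itself: a small wrapper that gives each program its own throwaway home directory via Firejail's `--private=DIR`, so that deleting the directory discards everything the program wrote, much like deleting a PlayOnLinux virtual drive. `SANDBOX_ROOT`, `SANDBOX_DRY_RUN` and the function names are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: one disposable home directory per sandboxed program.
# SANDBOX_ROOT, SANDBOX_DRY_RUN and the function names are hypothetical.
SANDBOX_ROOT="${SANDBOX_ROOT:-$HOME/.sandboxes}"

# Map a sandbox name to its directory. Names containing "/" or equal to
# "", "." or ".." are rejected so a name can never point outside the root.
sandbox_dir() {
    case "$1" in
        ""|.|..|*/*) echo "invalid sandbox name: '$1'" >&2; return 1 ;;
    esac
    printf '%s/%s\n' "${SANDBOX_ROOT:?}" "$1"
}

# sandbox_run NAME COMMAND [ARGS...]
# Runs COMMAND under firejail with NAME's directory mounted as its home.
#   --private=DIR    the program sees DIR as $HOME, not the real home
#   --net=none       no network (drop this flag if the program needs it)
#   --seccomp        firejail's default syscall filter
#   --caps.drop=all  no Linux capabilities
#   --noroot         no root user inside the sandbox (needs user namespaces)
#   --private-dev    minimal /dev
# With SANDBOX_DRY_RUN set, the command line is printed instead of run.
sandbox_run() {
    name=$1; shift
    dir=$(sandbox_dir "$name") || return 1
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    set -- firejail --private="$dir" --net=none --seccomp \
        --caps.drop=all --noroot --private-dev -- "$@"
    if [ -n "${SANDBOX_DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# sandbox_reset NAME
# Deletes NAME's directory and with it everything the program wrote there.
sandbox_reset() {
    dir=$(sandbox_dir "$1") || return 1
    rm -rf -- "$dir"
}
```

Source the file, then `sandbox_run demo ./untrusted-app` starts the program and `sandbox_reset demo` discards its state. Files outside the home directory are still governed by Firejail's default profile rather than by this wrapper.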
1

The linux-vserver kernel patch and associated userspace (see http://linux-vserver.org/) allow you to run programs in their own isolated containers without requiring full virtualization of the guest OS.

linux-vserver containers have their own mount namespace, their own network namespace, their own security context etc.

Note though that linux-vserver was designed mostly to run servers; while you can run desktop applications in a linux-vserver container, you'll need to know what you're doing.

Another approach would be to use AppArmor to restrict what your program is allowed to do.

András Korn
1

I can't give you a full answer since I don't know, but what I do know is that the command `chroot` is designed for a similar, if not the exact same, purpose.

Karthik T
  • 1
    `chroot` is ok for basic security, but you should know that there are ways to break out of a `chroot` environment. – Elias Probst Dec 17 '13 at 09:45
  • @EliasProbst oh? I wasn't aware, I am not too familiar with chroot actually – Karthik T Dec 17 '13 at 10:43
  • That @EliasProbst, plus setting up a chroot jail for non-trivial software *can* be a headache. It depends on exactly what the software does and how it does it. Server software generally does better in chroot jails than user-oriented software (running BIND in a chroot jail isn't so bad, but I wouldn't try running LibreOffice in a chroot jail, for example...) – user Dec 17 '13 at 12:50
  • 1
    Using `systemd-nspawn` or `docker` this can be achieved really, really easily. Not `chroot` based, but based on LXC instead which is even slightly more secure than a plain chroot and provides better isolation from the host. – Elias Probst Dec 17 '13 at 14:03