This feature provides a new application development library (libvirt-sandbox) to facilitate the embedding of virtualization into applications. In addition there will be a command line tool 'virt-sandbox' which can be used by administrators to directly run applications inside a sandbox built with one or more of the libvirt virtualization drivers. It will allow sandboxing applications inside an LXC container, or a QEMU/KVM virtual machine. The interface and capabilities are intended to be broadly similar to the existing SELinux 'sandbox' command, simply using a different sandboxing technique.
- Name: Daniel Berrange
- Email: berrange-at-redhat-dot-com
- Targeted release: Fedora 17
- Last updated: (13-04-2012)
- Percentage of completion: 100%
Existing Fedora releases ship with the "sandbox" command line tool. This allows applications to be run, strictly confined/isolated by SELinux policy. It can optionally make use of some kernel filesystem namespace features to provide a custom view of the filesystem.
The libvirt daemon includes an LXC driver which exposes a native Linux container virtualization capability. This includes integration with nearly all Linux cgroups controllers and nearly all Linux namespace features. This can be leveraged to provide a means to sandbox individual applications inside a container. To escape the sandbox, applications would have to break out of the Linux container and the SELinux policy.
The libvirt daemon also includes QEMU driver which provides KVM accelerated full machine virtualization. This recently gained the ability to support passthrough of filesystems from the host OS. With this new capability, it becomes pratical to sandbox individual applications inside a full virtual machine, without the overhead of maintaining an additional OS installation image. To escape the sandbox, applications would have to break out of the guest Linux kernel, the host virtualization hypervisor and the host sVirt SELinux policy.
Benefit to Fedora
With the introduction of a 'virt-sandbox' command to support these two technologies, Fedora users will have a broader range of options for sandboxing applications which tradeoff system utilization overhead against layers of security, as best suits their security needs.
The virtualization sandbox will involve work in two areas
- libvirt - Add sVirt support to the LXC driver - Add support for filesystem relabelling control for filesystem passthrough - virt-sandbox - A completely new package
How To Test
Upstream has a doc describing basic cases to be tested
For testing an LXC based sandbox, no special hardware will be required. Testing KVM sandboxes will require x86 Intel or AMD CPUs with hardware virt.
The formal Fedora test cases are
- Command exit status
- Interactive shell
- Non-interactive batch commands
- Custom mount points
- Custom networking
Users interested in confining applications inside sandboxes will have new options for sandboxing applications inside LXC containers, or KVM virtual machines. In future Fedora releases, this may be extended to other hypervisors supported by libvirt (VMWare, Xen, etc)
Completion of this feature requirements work on two projects
- The libvirt project. This has monthly releases upstream and is on track to support the neccessary functionality - The virt-sandbox project. This is a new project maintained by the author of this Feature.
In the event of the virt-sandbox command not progressing to a suitable level of development, this Feature can be postponed to Fedora 18, without any existing Fedora functionality being impacted. Alternatively the declared scope of virt-sandbox can be reduced to cover fewer use cases, with broader uses cases introduced iteratively in later Fedora.
The virt-sandbox command line tool comes with a manpage:
# man virt-sandbox
This provides complete command line help and examples of usage
- The 'libvirt-sandbox' RPM introduces a new command 'virt-sandbox' for running command line applications / system services in a confined environment.
- The 'virt-sandbox' command is similar in concept to the SELinux 'sandbox' command, however, it uses LXC or KVM for confinement
- The confined environment may have a custom view of the filesystem and custom networking configuration.