Sandboxing

From FedoraProject


Sandboxing allows effective isolation of one or more processes with very little overhead, as there is no need to emulate a complete virtual machine with its own operating system.

X programs can also be run in a sandbox, which uses the Xephyr server.

Examples

Run Firefox in a sandbox with a virtual X server:

mkdir -p ~/.sandbox/home ~/.sandbox/tmp
/usr/bin/sandbox -C -d 96 -M -X -H ~/.sandbox/home -T ~/.sandbox/tmp -w 1280x1024 -t sandbox_web_t /usr/bin/firefox &

This instance of Firefox has access only to files in ~/.sandbox/home, ~/.sandbox/tmp and a few other directories such as /dev. Cut and paste into and out of the sandboxed Firefox is not possible.
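To confirm that a browser started this way is really confined, you can look at the SELinux label of its processes. The following is an added example, not part of the original wiki page: the helper names, the sample lines and the type sandbox_web_client_t in them are constructed, and the check assumes sandbox domains are named sandbox_t or sandbox_*_t, like the sandbox_web_t used above.

```shell
# Constructed sample in the format of `ps -eo label,pid,comm` (not real output).
sample_ps() {
    printf '%s\n' \
        'LABEL PID COMMAND' \
        'unconfined_u:unconfined_r:sandbox_web_client_t:s0:c172,c590 4312 firefox' \
        'unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2950 firefox' \
        'system_u:system_r:sshd_t:s0-s0:c0.c1023 811 sshd'
}

# check_sandboxed NAME: read "LABEL PID COMMAND" lines on stdin and report, for
# every process called NAME, whether its SELinux type is a sandbox domain.
# Returns 0 only if NAME is running and every instance is sandboxed.
check_sandboxed() {
    awk -v target="$1" '
    $3 == target {
        # Context layout: user:role:type:sensitivity[:categories]
        n = split($1, ctx, ":")
        type = ctx[3]
        cats = (n >= 5) ? ctx[5] : "none"
        # Assumption: sandbox domains are named sandbox_t or sandbox_*_t.
        if (type ~ /^sandbox(_.*)?_t$/) {
            printf "SANDBOXED %s %s %s\n", $2, type, cats
            inside++
        } else {
            printf "NOT-SANDBOXED %s %s\n", $2, type
            outside++
        }
    }
    END { exit !(inside > 0 && outside == 0) }'
}

# Demo on the constructed sample; on a live system use:
#   ps -eo label,pid,comm | check_sandboxed firefox
sample_ps | check_sandboxed firefox ||
    echo "firefox: at least one instance runs outside a sandbox"
```

A non-zero exit status means either that no process with that name is running or that at least one instance, such as a Firefox started from the normal desktop session, is outside the sandbox.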

Xephyr keyboard input peculiarities

Xephyr may grab keyboard and/or mouse input upon certain key combinations:

  • ctrl+shift+insert appears to grab mouse input; ctrl_r+shift_r appears to release this grab

If you forget these combinations and have problems moving out of the sandbox window, the following may help:

  • try a Google search inside the sandboxed window
  • try to quit the sandboxed browser (or other program); Xephyr should terminate normally
  • ctrl+alt+F2 will open another console where you can log in and kill Xephyr

Keys requiring a right modifier (often AltGr) will not work because of a malfunction in the XKEYBOARD extension; there is no known workaround.

Packages

Currently, sandbox is available with the policycoreutils-python package.

se-sandbox-runner provides a Qt GUI.