Is it possible to execute a binary (without dependencies) in some more lightweight sandbox than a virtual machine, despite the fact that I don’t trust the binary?

It is desirable that it would be possible to limit the resources available to the process (disk, memory, CPU, etc.).

Digging in the direction of the LXC, but, as I understand it, it does not give any guarantees of security.

  • Docker more fashionable now. - don Rumata
  • Yes, but Docker is a wrapper over LXC - Egor
  • And the OS is a wrapper over i / o and tcp / ip, which are wrappers for clock cycles in the CPU, which is a wrapper on the implementation of the laws of physics. To play Zuma Deluxe you don't count on an abacus? - don Rumata
  • It does not give any guarantees of security - yes, paper with the official stamp in this case should not be expected. - aleksandr barakin
  • and what is meant by security? - etki

1 answer 1

I do not understand something, are you talking about Linux, or about Windows?! Get a user named test, copy a suspicious ELF into his home directory and set limits for this user on disk and CPU. Everything...

  1. deny access to the memory of other processes. And what - is there a way to access the memory of an OTHER process ?! Well, except for the mutual agreement on shm ...

  2. disable disk access. More than the established quota, he will not perish. It will not get into other people's home folders. The file / etc / shadow will not read :-) What are you afraid of?

  3. deny access to the network. Before running ELF, tell sudo ifconfig eth0 down . Everything ... No network!

  4. deny access to devices If you do not give the test user root rights, they will not be available.

  • and what other processes on a host without a network will do? - etki
  • And wait 10 seconds they can not? Or should your suspicious ELF work for hours? I realized that you just want to check that he will not drop the system ... - Sergey
  • I'm not the author, but I could start a virtual machine for a one-time check, I think. - etki
  • one
    The binary will exploit a hole in the kernel and get root :) - andreymal
  • start the virtual machine for a one-time check - it seems to me that the problem is completely contrived. Linux is not a Windows installation and it is not even easy to “put” it. This ELF will not do anything "so"! Something I have not heard about successful hacking of linux-systems without the participation of the "human factor" ... - Sergey