On his blog, Daniel P. Berrangé writes about a new application sandbox tool
that uses libvirt, LXC (Linux Containers)
, and KVM. It is based on some of the ideas behind the SELinux sandbox but uses KVM or LXC to isolate the application from the rest of the OS. "People also generally assume that running a KVM guest, means having a guest operating system install. This is absolutely something that is not acceptable for application sandboxing, and indeed not actually necessary. In a nutshell, libvirt-sandbox creates a new initrd image containing a custom init binary. This init binary simply loads the virtio-9p kernel module and then mounts the host OS' root filesystem as the guest's root filesystem, readonly of course. It then hands off to a second boot strap process which runs the desired application binary and forwards I/O back to the host OS, until the sandboxed application exits. Finally the init process powers off the virtual machine. To get an idea of the overhead, the /bin/false binary can be executed inside a KVM sandbox with an overall execution time of 4 seconds.
to post comments)