λ - programming

Let's have a thread about containerization and sandboxing.

I love the idea of compartmentalizing things to increase security. A program that runs in a chroot generally wouldn't be able to see anything outside of its designated area - it's exactly like the matrix.

I'd been using a chroot to run my a web browser with flash player inside for a long time. Recently I've set up an LXC system (linux container) which is supposed to give stronger seperation than a chroot (it isolates more than just the filesystem).

I also use virtualbox for Windows XP (and Dosbox for DOS) - you can do all kinds of things like carefully select which USB devices get through to it, what internet it has. Unlinke a chroot or LXC, you are really running a sepearate OS kernel.

As with anything in security it has two sides: Feel free to discuss chroot breakout attacks, how a lxc container that has X forwarder could key log the host system and so on.