Sandboxing allows effective isolation of one or more processes with very little overhead, as there is no need to emulate a complete virtual machine with its own operating system.
X programs can also be run in a sandbox that uses the Xephyr server.
Examples
Run Firefox in a sandbox with a virtual X server:
mkdir -p ~/.sandbox/home ~/.sandbox/tmp
/usr/bin/sandbox -C -d 96 -M -X -H ~/.sandbox/home -T ~/.sandbox/tmp -w 1280x1024 -t sandbox_web_t /usr/bin/firefox &
This instance of Firefox has access only to files in ~/.sandbox/home, ~/.sandbox/tmp and a few other directories such as /dev. Cut and paste into and out of the sandboxed Firefox is not possible.
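A reusable form of the command above, as an added example that is not part of the original page: it gives each program its own home and tmp directory instead of one shared ~/.sandbox, creates them with mode 0700, and refuses to use a symlink in their place. The function names, the SANDBOX_* variables and the per-program directory layout are assumptions of this example; the sandbox options are the ones shown above.

```sh
# Added example; sandbox_dirs, sandbox_x, SANDBOX_BASE, SANDBOX_TYPE and
# SANDBOX_GEOMETRY are names invented here, not part of the sandbox tool.

# Create private home/tmp directories for one application, mode 0700.
# Symlinks are refused so a pre-planted link cannot point the sandbox's
# writable area at real data.
sandbox_dirs() {
    name=$1
    base=${SANDBOX_BASE:-$HOME/.sandbox}
    case $name in
        ''|*/*|.*) echo "bad sandbox name: '$name'" >&2; return 1 ;;
    esac
    for d in "$base" "$base/$name" "$base/$name/home" "$base/$name/tmp"; do
        if [ -L "$d" ]; then
            echo "refusing symlink: $d" >&2
            return 1
        fi
        mkdir -p "$d" && chmod 700 "$d" || return 1
    done
}

# Launch an X program with the same options as the Firefox command above.
# The sandbox type defaults to the page's sandbox_web_t.
sandbox_x() {
    [ $# -ge 1 ] || { echo "usage: sandbox_x /path/to/program [args]" >&2; return 2; }
    prog=$1
    shift
    name=$(basename "$prog")
    base=${SANDBOX_BASE:-$HOME/.sandbox}
    # Fail early with a clear message if a prerequisite is missing.
    command -v Xephyr >/dev/null 2>&1 || { echo "Xephyr not found" >&2; return 1; }
    [ -x /usr/bin/sandbox ] || { echo "/usr/bin/sandbox not found" >&2; return 1; }
    sandbox_dirs "$name" || return 1
    /usr/bin/sandbox -C -d 96 -M -X \
        -H "$base/$name/home" -T "$base/$name/tmp" \
        -w "${SANDBOX_GEOMETRY:-1280x1024}" \
        -t "${SANDBOX_TYPE:-sandbox_web_t}" "$prog" "$@"
}

# Usage: sandbox_x /usr/bin/firefox &
```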
Xephyr keyboard input peculiarities
Xephyr may grab keyboard and/or mouse input upon certain key combinations:
- ctrl+shift+insert appears to grab mouse input, ctrl_r+shift_r appears to release this grab
If you forget these combinations and have problems moving out of the sandbox window, the following may help:
- try a Google search inside the sandboxed window
- try to quit the sandboxed browser (or other program); Xephyr should terminate normally
- ctrl+alt+F2 will open another console where you can log in and kill Xephyr
Keys requiring a right modifier (often AltGr) will not work because of a malfunction of the XKEYBOARD extension; there is no known workaround.
Packages
Currently sandbox is available with the policycoreutils-python package.
se-sandbox-runner provides a Qt GUI.