Quoting pablo platt (pablo.pl...@gmail.com):
> Hi,
> 
> Is there an example for a config file needed to create a sandbox?
> I'm using Ubuntu 12.04 (can use any other version if required).
> I need to execute untrusted code inside a sandbox with lxc-execute.
> 
> libvirt-sandbox seems to be what I need but it's not available in Ubuntu
> and doesn't support limiting RAM and CPU.
> https://www.berrange.com/posts/2012/01/17/building-application-sandboxes-with-libvirt-lxc-kvm/
> 
> Is there an equivalent in lxc tools?
> Is there a plan for something like a lxc-sandbox command?
> 
> Basically I want to disable everything and allow only the minimum to
> compile and execute simple scripts.
> 
> I've started with the following config file but I don't know what else needs
> to be prevented or changed to protect the host.
> Does anyone have a config file he can share?
> 
> Thanks
> 
> lxc.network.type = empty
> lxc.cgroup.cpu.shares = 1234
> lxc.cgroup.memory.limit_in_bytes = 10M
> lxc.cgroup.memory.memsw.limit_in_bytes = 20M
> lxc.cgroup.devices.deny = a
> lxc.cap.drop = audit_control audit_write chown dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable mac_admin mac_override mknod net_admin net_bind_service net_broadcast net_raw setgid setfcap setpcap setuid sys_boot sys_chroot sys_module sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config
> #lxc.cap.drop = sys_admin syslog

You could also use a custom aa_profile and (if you move from precise to
quantal) add a tight seccomp profile.

There is no lxc-sandbox tool right now (at least in the main source, or
elsewhere that I know of).  arkose might do what you want, not sure.
But if you're willing to write it, an lxc-sandbox command would be a
nice addition to lxc-execute IMO.

-serge
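
An added example, not part of either message and not LXC project code: a Python check that reads a config in the thread's key syntax and lists which of the layers discussed above are missing (capabilities dropped only in a commented-out line, AppArmor profile, seccomp policy, empty network, devices cgroup deny-all). It assumes the legacy key names `lxc.aa_profile` and `lxc.seccomp` (the latter is not named in the thread); the function names and the sample are constructed for illustration.

```python
import re

# Constructed sample: the config from the question, with the e-mail-wrapped
# lxc.cap.drop value joined back into a single value.
DROPPED = ("audit_control audit_write chown dac_override dac_read_search fowner "
           "fsetid ipc_lock ipc_owner kill lease linux_immutable mac_admin "
           "mac_override mknod net_admin net_bind_service net_broadcast net_raw "
           "setgid setfcap setpcap setuid sys_boot sys_chroot sys_module sys_nice "
           "sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config")
SAMPLE = f"""\
lxc.network.type = empty
lxc.cgroup.cpu.shares = 1234
lxc.cgroup.memory.limit_in_bytes = 10M
lxc.cgroup.memory.memsw.limit_in_bytes = 20M
lxc.cgroup.devices.deny = a
lxc.cap.drop = {DROPPED}
#lxc.cap.drop = sys_admin syslog
"""

# An optional leading '#' marks a commented-out setting we still want to see.
LINE = re.compile(r"^\s*(#?)\s*(lxc\.[\w.]+)\s*=\s*(.*?)\s*$")

def parse(text):
    """Return (active, commented): key -> list of values; LXC keys may repeat."""
    active, commented = {}, {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            target = commented if m.group(1) else active
            target.setdefault(m.group(2), []).extend(m.group(3).split())
    return active, commented

def audit(text):
    """List the hardening layers discussed in the thread that the config lacks."""
    active, commented = parse(text)
    dropped = set(active.get("lxc.cap.drop", []))
    findings = [f"capability '{cap}' is only dropped in a commented-out line"
                for cap in commented.get("lxc.cap.drop", []) if cap not in dropped]
    # Assumption: legacy key names for the AppArmor and seccomp settings.
    for key, what in (("lxc.aa_profile", "AppArmor profile"),
                      ("lxc.seccomp", "seccomp policy")):
        if key not in active:
            findings.append(f"no {what} set ({key})")
    if active.get("lxc.network.type") != ["empty"]:
        findings.append("network type is not 'empty'")
    if "a" not in active.get("lxc.cgroup.devices.deny", []):
        findings.append("devices cgroup does not deny all devices")
    return findings
```

Calling `audit(SAMPLE)` on the posted config reports the two capabilities in the commented-out line and the absent AppArmor and seccomp settings.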

_______________________________________________
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users
