
Wine - How To Run Programs in A Sandbox - Unix & Linux Stack Exchange

The document discusses running programs in a sandbox on Linux. It recommends using Firejail, a Linux program that allows running other programs in isolated containers to contain any damage. Firejail creates a secure environment that restricts what programs can access, similar to how PlayOnLinux isolates Windows programs. Another option mentioned is using Linux containers through systemd-nspawn or Docker for stronger isolation than a chroot jail.
20/08/2020 wine - How to run programs in a Sandbox? - Unix & Linux Stack Exchange

 

How to run programs in a Sandbox?


Asked 7 years, 7 months ago Active 3 years, 7 months ago Viewed 8k times

7

I have been using PlayOnLinux to run Windows programs on Linux. PlayOnLinux creates a
virtual drive for each program installed and every VD represents a different Windows XP
computer.

Any changes made by the program stay within its own VD only. So if I run a program with a
virus I can simply delete the program's VD and all is well.

Is there a similar program that allows Linux programs to be run in a virtual drive? i.e. I want
PlayOnLinux / Wine minus the windows emulation.

wine sandbox emulation

asked Jan 10 '13 at 7:01


Kshitiz Sharma
7,093 13 47 66

3 wine is not a sandbox; it just so happens that Windows applications don't try to break out onto the
system. – Ignacio Vazquez-Abrams Jan 10 '13 at 7:27

3 Answers

2

I want to share Firejail, Sandboxie-like software for Linux, GUI included.

Take a look here: https://firejail.wordpress.com/ and download from
https://sourceforge.net/projects/firejail/ or
https://pkgs.org/debian-sid/debian-main-amd64/firejail_0.9.38-1_amd64.deb.html (change to your system)

Easy to use; just run firejail on top of your command/software, in that case firejail wine
program.exe

In case you want to inspect those programs before running them, you can chain them all
together using firejail wine winedbg --gdb program.exe to run wine debugger jailed.

Maybe you're thinking of how much good it can be. Take a look at how to fully run a firejailed
WordPress installation, as an example of complex sandboxing.
https://www.digitalocean.com/community/tutorials/how-to-use-firejail-to-set-up-a-wordpress-installation-in-a-jailed-environment

Never trust a piece of binary blob (exe).

edited Jan 3 '17 at 12:08 answered May 6 '16 at 3:28


Jeff Schaller ♦ m3nda
55.7k 12 84 190 138 7
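
The per-program "virtual drive" workflow from the question, built on the firejail command from this answer, as an added example that is not part of the original post. It uses firejail's --private=DIR option to give each program its own persistent home directory; SANDBOX_ROOT, the FIREJAIL override and the function names are assumptions of this example.

```sh
#!/bin/sh
# Added example: disposable per-program sandboxes on top of firejail.
# SANDBOX_ROOT, FIREJAIL and all function names are assumptions of this example.
SANDBOX_ROOT="${SANDBOX_ROOT:-$HOME/.sandboxes}"

# Reject names that could point outside SANDBOX_ROOT
# (empty, starting with a dot, or containing a slash).
valid_name() {
    case "$1" in
        ""|.*|*/*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the directory that plays the role of the program's "virtual drive".
sandbox_dir() {
    valid_name "$1" || return 1
    printf '%s/%s\n' "$SANDBOX_ROOT" "$1"
}

# Create the sandbox home if needed and run a command inside it.
# --private=DIR makes DIR the program's home, so writes to $HOME land there.
sandbox_run() {
    name=$1; shift
    dir=$(sandbox_dir "$name") || { echo "bad sandbox name" >&2; return 2; }
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    # FIREJAIL can be overridden (e.g. FIREJAIL=echo) to preview the command.
    ${FIREJAIL:-firejail} --private="$dir" "$@"
}

# Throw the sandbox away, like deleting a PlayOnLinux virtual drive.
sandbox_destroy() {
    dir=$(sandbox_dir "$1") || { echo "bad sandbox name" >&2; return 2; }
    rm -rf -- "$dir"
}
```

Source the file, then run `sandbox_run game wine program.exe` and later `sandbox_destroy game` to reset it. Only the home directory is redirected; what else the program can reach depends on the firejail profile in effect.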

@Jeff Schaller. I have looked for the meaning of wanna and I can't understand why you edited "I wanna"
to "want to". Thanks for the other corrections, I am not English and any kind of learning/correction is
welcomed. (Wanna definition, want to: I wanna get out of here. See more.) – m3nda Jan 4 '17 at 9:22

because it's slang for the full phrase, and I think it looks more professional and would be easier to
understand for other non-native English speakers. – Jeff Schaller ♦ Jan 4 '17 at 11:16

I am not native and I can understand it. But anyway you're right on your statement. Thank you. – m3nda
Jan 4 '17 at 17:18

I can't give you a full answer since I don't know, but what I do know is that the command chroot
is designed for similar if not the exact same purpose.
1
answered Jan 10 '13 at 7:27
Karthik T
864 6 12

1 chroot is ok for basic security, but you should know that there are ways to break out of a chroot
environment. – Elias Probst Dec 17 '13 at 9:45

@EliasProbst oh? I wasn't aware, I am not too familiar with chroot actually – Karthik T Dec 17 '13 at
10:43

That @EliasProbst, plus setting up a chroot jail for non-trivial software can be a headache. It depends
on exactly what the software does and how it does it. Server software generally does better in chroot
jails than user-oriented software (running BIND in a chroot jail isn't so bad, but I wouldn't try running
LibreOffice in a chroot jail, for example...) – a CVn Dec 17 '13 at 12:50

Using systemd-nspawn or docker this can be achieved really really easy. Not chroot based, but
based on LXC instead which is even slightly more secure than a plain chroot and provides better
isolation from the host. – Elias Probst Dec 17 '13 at 14:03

1

The linux-vserver kernel patch and associated userspace (see http://linux-vserver.org/ ) allow
you to run programs in their own isolated containers without requiring full virtualization of the
guest OS.

linux-vserver containers have their own mount namespace, their own network namespace,
their own security context etc.

Note though that linux-vserver was designed mostly to run servers; while you can run desktop
applications in a linux-vserver container, you'll need to know what you're doing.

Another approach would be to use AppArmor to restrict what your program is allowed to do.

answered Feb 22 '16 at 12:00


András Korn
830 6 16
