Linux – LXC containers as a sandbox environment

Tags: container, lxc, sandbox, security, selinux

I am currently starting a project evaluating untrusted programs (student assignments) in a secure sandbox environment. The main idea is to create a web app for GlassFish and a Java wrapper around lxc-utils to manage LXC containers. It'll have a queue of waiting programs, and the Java wrapper will maintain a fixed number (pool) of LXC containers, assigning each program one (unused) container.

Each container should be secured with SELinux to protect the host system.

My question is: is it a good idea to create such a mechanism for a sandbox environment, or is there any better-fitting solution to this problem? It should be light and secure against student creativity.

Best Answer

You didn't write why you chose LXC, as it's not the most secure virtualization solution. I'm a heavy user of KVM/Xen and also LXC, and I can say one thing: when it comes to security, I never go with Linux containers (no matter if LXC / OpenVZ / VServer). It's just easier (and more reliable) with KVM/Xen.

If it's about performance or hardware requirements, then OK - you can try with LXC, but there are some rules you should follow:

  • libvirt ensures strict confinement of containers when using SELinux (thanks to the LXC driver) - not sure, though, if it's only the RHEL/CentOS/Fedora case (I don't use Ubuntu/Debian that much): https://www.redhat.com/archives/libvir-list/2012-January/msg01006.html - so going with SELinux is a good idea (in my opinion it's a "must have" in such circumstances)
  • Set strict cgroups rules so your guests don't make your host freeze or affect other containers
  • I'd rather go with LVM-based containers - it's always one more layer of "security"
  • Think about network solution and architecture. Do those containers have to communicate with each other?

Start by reading this - it's quite old, but still, there's a lot of knowledge there. And also: meet user namespaces.

And after all of that, think again - do you really have that much time to play with LXC security? KVM is just so much simpler...
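As an added example (not part of the answer above, and not the asker's Java wrapper), the four rules in the answer can be turned into a concrete LXC config fragment that each pooled container gets: an unprivileged user-namespace mapping, a per-container SELinux MCS category, hard cgroup limits so a fork bomb or runaway loop cannot freeze the host, no network, dropped capabilities, and an LVM logical volume as the backing store. Assumptions: LXC 3.x key names (older releases used lxc.id_map, lxc.network.* and lxc.se_context), a cgroup v2 host (on v1 the equivalents are lxc.cgroup.memory.limit_in_bytes, lxc.cgroup.pids.max and lxc.cgroup.cpu.cfs_quota_us), an SELinux policy that defines lxc_t, a volume group named vg0, and the hypothetical container name grader01 and submission path /opt/submission/run.sh.

```shell
#!/bin/sh
# Added example: generate and sanity-check an LXC hardening fragment for one
# member of a grading pool, then (optionally) provision it on an LVM volume.
# Assumes LXC >= 3.0 key names, a cgroup v2 host, an SELinux policy with
# lxc_t, and a volume group "vg0"; container names are hypothetical.

# write_sandbox_config NAME INDEX OUTFILE
#   INDEX (1..1023) becomes the container's MCS category, so every pool
#   member runs under a different SELinux label and cannot read another
#   member's files even if both are lxc_t.
write_sandbox_config() {
    name="$1"; idx="$2"; out="$3"
    cat > "$out" <<EOF
# ---- sandbox hardening for $name (generated) ----
lxc.uts.name = $name
# unprivileged container: root inside is uid/gid 100000 on the host
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536
# SELinux: confine container processes with a per-container category
lxc.selinux.context = system_u:system_r:lxc_t:s0:c$idx
# cgroups: cap memory, process count and CPU so one submission cannot
# freeze the host or starve the other containers in the pool
lxc.cgroup2.memory.max = 256M
lxc.cgroup2.memory.swap.max = 0
lxc.cgroup2.pids.max = 128
lxc.cgroup2.cpu.max = 50000 100000
# no network at all: the grader copies the program in and results out
lxc.net.0.type = empty
# capabilities a student program never needs
lxc.cap.drop = sys_admin sys_module sys_rawio sys_ptrace sys_time mac_admin mac_override net_admin
# read-only /sys, restricted /proc, minimal tmpfs /dev instead of host nodes
lxc.mount.auto = proc:mixed sys:ro cgroup:mixed
lxc.autodev = 1
EOF
}

# sandbox_config_check FILE
#   Refuse to use a fragment that lost one of the hardening keys (e.g. a
#   hand edit or a template merge that dropped the network line).
sandbox_config_check() {
    file="$1"; rc=0
    for key in lxc.idmap lxc.selinux.context lxc.net.0.type lxc.cap.drop \
               lxc.cgroup2.memory.max lxc.cgroup2.pids.max lxc.cgroup2.cpu.max; do
        grep -q "^$key = " "$file" || { echo "missing: $key" >&2; rc=1; }
    done
    return $rc
}

# Provisioning and one grading run. Only executed with PROVISION=1 on a host
# that has the lxc tools; the config generation above runs anywhere.
if [ "${PROVISION:-0}" = 1 ] && command -v lxc-create >/dev/null 2>&1; then
    name=grader01
    write_sandbox_config "$name" 1 "/tmp/$name.conf"
    sandbox_config_check "/tmp/$name.conf"
    # -f passes the fragment at creation time so the template shifts file
    # ownership into the idmap range; -B lvm gives the container its own
    # logical volume, which is cheap to wipe and recreate between runs.
    lxc-create -n "$name" -f "/tmp/$name.conf" -B lvm --vgname vg0 --fssize 2G \
        -t download -- -d debian -r bookworm -a amd64
    lxc-start -n "$name"
    # wall-clock limit inside the container on top of the cgroup limits
    lxc-attach -n "$name" -- sh -c 'timeout 10 /opt/submission/run.sh'
    lxc-stop -n "$name"
fi
```

The check function is what the pool manager should run before every lxc-start: a container that silently came up with a network interface or without a pids limit is exactly the failure mode the answer warns about, and it is cheaper to refuse the container than to discover it after a submission has escaped.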
