LXC Part 2: Sandboxing

As with containerization (Docker originally ran on top of LXC), "sandboxing" builds on the same Linux kernel primitives, namespaces and cgroups, that LXC (Linux Containers) exposes from user space. The difference is in how they are applied and which problem they solve.

Containerization abstracts the operating system so that whole architectures can be set up and torn down with ease and the applications inside deploy reproducibly. Sandboxing uses the same abstraction for a single application, so that it cannot compromise the host operating system or the other applications and daemons the host runs. It is interesting to look at the process tree inside a sandbox: there is no systemd or init at all. The sandboxed application sits at the top of the tree instead (with lxc-execute, LXC's tiny lxc-init shim holds PID 1 and the application's first process is PID 2).
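What such an application sandbox looks like in practice, as an added example that is not from the original post or from EST: the script writes an LXC application-container config that runs one program unprivileged, with its own /proc, no network, dropped capabilities, and a single host directory bound in for downloads, checks the config for the isolation settings it relies on, and launches a command in it with lxc-execute so you can see what holds PID 1 inside. The rootfs path, the scratch directory and the 100000-165535 subuid/subgid range are assumptions; the rootfs must already exist (for instance built with lxc-create or debootstrap) and /etc/subuid and /etc/subgid must grant that range to the calling user.

```shell
#!/bin/sh
# Added example (not the original post's code): an LXC application sandbox
# for a single program. Assumptions: a rootfs already exists at the path
# given as $2, and /etc/subuid,/etc/subgid grant 100000-165535 to this user.

# Write the container config. $1 = config path, $2 = rootfs dir, $3 = host
# directory that becomes the only writable place shared with the host.
write_sandbox_config() {
    conf="$1"; rootfs="$2"; scratch="$3"
    cat > "$conf" <<EOF
# Application sandbox: no init system, the program's tree starts at the top.
lxc.uts.name = app-sandbox
lxc.rootfs.path = dir:$rootfs
# Unprivileged: root inside maps to an unprivileged uid/gid range on the host.
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536
# Fresh /proc and a read-only /sys so the program cannot tune the host kernel.
lxc.mount.auto = proc:mixed sys:ro
# The only directory shared with the host; downloads and created files land here.
lxc.mount.entry = $scratch home/sandbox none bind,create=dir 0 0
# No network interface at all (use type veth on a bridge if the app needs one).
lxc.net.0.type = empty
# Drop capabilities that would let the program reach outside the sandbox.
lxc.cap.drop = sys_admin sys_module sys_rawio sys_time mac_admin mac_override net_admin
lxc.tty.max = 1
EOF
}

# Return 0 only if the config still carries every isolation setting we rely on,
# so an edited config cannot silently weaken the sandbox.
config_has_isolation() {
    conf="$1"
    grep -q '^lxc.net.0.type = empty' "$conf" || return 1
    grep -q '^lxc.idmap = u 0 ' "$conf" || return 1
    grep -q '^lxc.idmap = g 0 ' "$conf" || return 1
    grep -q '^lxc.cap.drop = .*sys_admin' "$conf" || return 1
    grep -q '^lxc.mount.auto = proc' "$conf" || return 1
    return 0
}

# Run a command inside the sandbox. The wrapper shell first reports its own
# PID and the name of PID 1 as seen from inside, then execs the real command.
run_sandboxed() {
    conf="$1"; shift
    command -v lxc-execute >/dev/null 2>&1 || { echo "lxc-execute not installed" >&2; return 2; }
    config_has_isolation "$conf" || { echo "refusing: $conf lacks isolation settings" >&2; return 3; }
    lxc-execute -n app-sandbox -f "$conf" -- \
        sh -c 'echo "inside: my pid $$, pid 1 is $(cat /proc/1/comm)"; exec "$@"' sh "$@"
}

# Demo: ./sandbox.sh --demo /path/to/rootfs /bin/ls /
if [ "${1:-}" = "--demo" ]; then
    rootfs="$2"; shift 2
    scratch="$HOME/sandbox-scratch"; mkdir -p "$scratch"
    write_sandbox_config "$HOME/app-sandbox.conf" "$rootfs" "$scratch"
    run_sandboxed "$HOME/app-sandbox.conf" "$@"
fi
```

Inside the sandbox there is no systemd to be found: /proc/1/comm shows LXC's lxc-init shim and the launched shell reports PID 2, exactly the tree the text describes. A browser would additionally need a veth interface on a bridge and a seccomp profile (lxc.seccomp.profile), which this example leaves out.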

Let's face it, browsers are the scariest applications, and they deserve the reputation: they are the number one medium for attack vectors, and they are driven entirely by humans, the weakest link in security. A browser behaves more like an operating system than an application, with far more power than an application should have, and its whole design needs re-engineering. Until that happens, the best thing to do is sandbox this rascal.

At EST, we use sandboxing on Linux desktops for browsers and other applications to ensure they run, download, and create files only inside their own sandbox, without affecting anything else.

Please continue to follow our blog series on LXC.