Can containers be used to 'sandbox' suspect programs like you would do with a vm?


#1

You might say ‘just use a vm’ but I want the advantage of using the whole system’s resources while also having program isolation to test the suspect program.

In an unprivileged container is it secure (nothing is 100% but how secure compared to a vm) to run a program you think may contain a virus for example?

If you made the container without network access and unprivileged is it going to stop anything nasty getting out most likely?

I know there have been reported vulnerabilities with lxc containers but lxc containers I doubt would be the focus when injecting viruses into files since it is a very small use case. I mean when people add a malware to a file they want to target the biggest user base don’t they. So isn’t it the case that they wouldn’t spend their time focusing on breaking out of containers unless they only had that intent in mind from the get go?

I.e. wouldn’t the main threat be whether the virus intended for a linux OS in general were able to infect the host system via the container, and my question is would this be likely on an unprivileged container?

If not secure ‘out of the box’ can it be made to be pretty good with tweaks?


(Zipi Zap Zap) #2

I dont know much about container-specific security, but its truth that unknown bugs/vulnerabilities can exist in unexpected places, in all software… just look at linux kernel for example - many people have their eyes on it, and well, sometimes there is a new vulnerability found (even in the wild before being acknowledged)… Openssl also had a couple of vulnerabilities found in recent years, and its a very-high-profile project with security-conscience all around…

All this meaning, you cant know for sure what will be the next “security-problem” that will be found, so you should not assume it to be something “containable”… even hypervisors like KVM or VmWare have vuls discovered… So be extra-carefull, sound like trying to build a trap-cage for a wild-animal, without knowing its strength, if it will hold :slight_smile:

Also, what seems secure today might be discovered to be “insecure” tomorrow :slight_smile:

PS: if anyone could share some pointers or leads to containers security, that would be great. I believe at least an idea should exist about “how secure” could lxd be considered at this moment, so people can make better informed decisions about which situations are good and which are not the best fit.

Br


#3

Yes, of course, to a certain extent. I consider all programs suspect if I haven’t used them yet, because, they may mess up my system, even if they are not malware. I often try new software in a new throwaway container. I consider unprivileged LXD containers safe from root exploits, since the root user in such a container is not really the root user in the host.

A container does not sandbox:

  1. Botnets that send spam or attack other systems, unless you take special measures to limit or monitor outgoing network access.
  2. Programs that exploit timing vulnerabilities, like Spectre. When such programs run in a container they are in a good position to attack the host or other containers because they run in the same CPU. They also run in the same private network, which means they can do network attacks to other containers, bypassing any protections from such attacks that the host may have for outside threats. You can probably isolate network access from a suspect container to other containers, but this requires extra effort.