Let’s say I run containers as unprivileged users, use a hardened kernel, and have performed additional hardening steps on the host like installing and configuring AppArmor and nftables. Let’s also add that there are no file systems mounted from the host inside these containers and that the system is upgraded regularly.
How difficult would it then be for a misbehaving application on the desktop, or for some script kiddie trying to exploit a vulnerability in some web service, to escape an LXC container?
In LXC you can run a variety of different Linux distros, so in theory you can keep only the needed stuff on the host and install the applications you trust less in LXC. Can LXC technology with proper host hardening be used to create a custom, quite secure, minimal installation of my favorite distro, if all I want is more granular control over what applications can do on my system and advanced, targeted attacks don’t belong to my threat model? Is unprivileged LXC a good choice to sandbox proprietary applications I don’t trust?
I thought about installing Qubes OS, but running lots of VMs is resource-consuming and Qubes OS isn’t designed (correct me if I’m wrong) for heavy customization. If a properly configured host + LXC can give quite good security, unprivileged LXC containers could be a good compromise in the convenience vs. security trade-off.
Can properly configured LXC on a hardened OS, adequate to my threat model, be more or less equal in terms of security to something like a lightweight version of Qubes, but with more DIY?
Unprivileged containers are safe by design as they rely on the same security isolation as the kernel normally uses to isolate users and prevent user-to-root escalation.
That said, there are occasional local privilege escalation security issues in the Linux kernel and many of those can then be used to escalate from an unprivileged user or root in the container to real system-wide root.
You’re going to want to really keep up with kernel updates to have any such flaw be fixed immediately and you’ll definitely want to reduce the attack surface as much as possible by keeping either the kernel build or at least the loaded module list as short as possible.
Unprivileged containers get access to things like iptables/nft, a variety of socket types, some advanced VFS and filesystem features, … and the more is available on the system, the higher the chance that a bug somewhere in there can lead to privilege escalation and a container escape.
How safe are Docker containers run without the --privileged flag, managed by the Docker daemon enabled with sudo systemctl enable docker, compared to unprivileged LXC containers?
Quite a lot worse. Docker containers by default are what Incus and LXC treat as privileged containers with Docker’s --privileged mode being basically a privileged container with any semblance of safety net removed.
It’s possible to have Docker containers run with similar security to LXC and Incus’ unprivileged containers, but for that you need to specifically request the use of the user namespace and make sure that things are configured correctly.
LXC and Incus having done so out of the box for well over a decade gives them a bit of an edge on doing this correctly.
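The two answers above both come down to the same kernel fact: whether root in the container is mapped to an unprivileged range of host uids or is host root. The kernel exposes that mapping in /proc/self/uid_map, so it can be checked from inside any container regardless of which tool started it. The script below is an added example written for this page, not code from the thread or from LXC, Incus or Docker. It parses a uid_map, translates container uids to host uids, and writes the Docker daemon setting that opts into a user namespace; the typical Incus range (1000000, one billion uids) used in the comments is an assumption about the host's idmap, and the daemon.json path is left for you to choose.

```sh
#!/bin/sh
# Added example (not code from the thread or from LXC/Incus/Docker): inspect
# /proc/self/uid_map, the kernel's record of how uids inside the current user
# namespace map to uids on the host. Each line is
#     <first uid inside> <first uid outside> <count>
# The initial namespace, and therefore any privileged container, shows the
# identity map "0 0 4294967295"; an unprivileged container shows something
# like "0 1000000 1000000000" (the exact range depends on the host's idmap).

# Print "privileged" (identity map), "unprivileged" (any other mapping) or
# "unknown" (empty input). Exit status is 1, 0 and 2 respectively.
classify_uid_map() {
    map="$1"
    privileged=1
    nlines=0
    while read -r inside outside count; do
        [ -z "$inside" ] && continue
        nlines=$((nlines + 1))
        if [ "$inside" != "$outside" ] || [ "$count" != 4294967295 ]; then
            privileged=0
        fi
    done <<EOF
$map
EOF
    if [ "$nlines" -eq 0 ]; then echo unknown; return 2; fi
    if [ "$privileged" -eq 1 ]; then echo privileged; return 1; fi
    echo unprivileged
}

# Translate a uid as seen inside the container to the host uid it really is.
# Prints nothing and returns 1 when the uid falls outside every mapped range
# (such uids show up inside the container as the overflow uid, 65534).
host_uid_for() {
    map="$1"
    uid="$2"
    while read -r inside outside count; do
        [ -z "$inside" ] && continue
        if [ "$uid" -ge "$inside" ] && [ "$uid" -lt $((inside + count)) ]; then
            echo $((uid - inside + outside))
            return 0
        fi
    done <<EOF
$map
EOF
    return 1
}

# Docker: the default daemon starts containers in the initial user namespace,
# so root inside is host root, which is what LXC/Incus call a privileged
# container. A user namespace is opted into daemon-wide. This writes the
# setting to the path given (normally /etc/docker/daemon.json; merge by hand
# if that file already has other keys, then restart dockerd). "default" makes
# Docker create a "dockremap" user and allocate subordinate uids for it.
# Caveats: images and volumes created before the switch are not visible to
# the remapped daemon, and "docker run --userns=host" bypasses the remap.
write_docker_userns_config() {
    cat > "$1" <<'EOF'
{
  "userns-remap": "default"
}
EOF
}

# When run directly, classify the calling process. Expected results:
# Incus container -> unprivileged; "docker run" before the remap -> privileged;
# "docker run" after the remap -> unprivileged; the host itself -> privileged.
if [ -r /proc/self/uid_map ]; then
    classify_uid_map "$(cat /proc/self/uid_map)" || :
fi
```

Run it once on the host and once via `docker run --rm -v "$PWD:/x" alpine sh /x/uidmap.sh` before and after enabling the remap to see the difference the second answer describes; the Incus case is `incus file push` followed by `incus exec`.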
Can I run a single application instead of an entire system in plain LXC or Incus, like I do in Docker by specifying ENTRYPOINT in a Dockerfile and starting the Docker container? If yes, how can I do it? Is using LXC or Incus in that way discouraged by the LXC community?
Second question: are LXC containers a good tool if I want to isolate proprietary applications I don’t trust from the rest of my system if my threat model is as I described above?
Incus has native OCI support: you can add an OCI registry like Docker Hub as a remote and run containers from it, and they will run as unprivileged LXC containers.
LXC itself can also handle OCI containers directly through the lxc-oci template, which uses skopeo and umoci to fetch and unpack the OCI image.
Yeah, LXC containers work well for that, also because you get to pick the distribution and version that those applications are expecting, increasing the chance that they’ll behave while isolating them from your main system.
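The two routes described in the answer above, put into a single script, as an added example that is not part of the thread or of the Incus/LXC projects. It assumes skopeo and umoci are installed on the host (both tools shell out to them), uses the remote name "docker" for Docker Hub, and derives a container name from the image reference when none is given; the image and container names in the comments are illustrative.

```sh
#!/bin/sh
# Added example (not the thread's or the projects' code): launch one OCI
# application image as an unprivileged container, with Incus when it is
# installed and with plain LXC's oci template otherwise. Both paths need
# skopeo and umoci on the host. The remote name "docker" and the sample
# image/container names are illustrative choices.

# The two tools spell image references differently: Incus takes
# "<remote>:<image>[:<tag>]", the lxc-create oci template takes a
# "docker://<image>[:<tag>]" URL. Accept either spelling as input.
#   image_ref_for_tool incus docker://alpine   -> docker:alpine
#   image_ref_for_tool lxc   alpine:3.19       -> docker://alpine:3.19
image_ref_for_tool() {
    img="${2#docker://}"
    case "$1" in
        incus) printf 'docker:%s\n' "$img" ;;
        lxc)   printf 'docker://%s\n' "$img" ;;
        *)     return 1 ;;
    esac
}

# Derive a container name from the image: Incus names must be 1-63 ASCII
# letters, digits and dashes, not starting with a digit or dash and not
# ending with a dash, so sanitise the last path component accordingly.
#   default_container_name docker://library/nginx:1.25 -> nginx-1-25
default_container_name() {
    ref="${1#docker://}"
    last="${ref##*/}"
    name=$(printf '%s\n' "$last" \
        | tr -c 'A-Za-z0-9\n' '-' \
        | sed 's/^[-0-9]*//' \
        | cut -c1-63 \
        | sed 's/-*$//')
    [ -n "$name" ] || return 1
    printf '%s\n' "$name"
}

# Incus: register the registry as an OCI remote once, then launch from it.
# The result is an ordinary Incus container (security.privileged unset), so
# the image's entrypoint runs as the container's init under the host idmap.
launch_with_incus() {
    image=$(image_ref_for_tool incus "$1")
    name="$2"
    incus remote list --format csv | grep -q '^docker,' ||
        incus remote add docker https://docker.io --protocol=oci
    incus launch "$image" "$name"
    # Expect a shifted map here, not the identity map "0 0 4294967295".
    incus exec "$name" -- cat /proc/self/uid_map
}

# Plain LXC: the oci template fetches with skopeo and unpacks with umoci.
# For an unprivileged container run this as an unprivileged user whose
# ~/.config/lxc/default.conf has lxc.idmap entries matching /etc/subuid
# and /etc/subgid.
launch_with_lxc() {
    image=$(image_ref_for_tool lxc "$1")
    name="$2"
    lxc-create -t oci -n "$name" -- --url "$image"
    lxc-start -n "$name"
    lxc-attach -n "$name" -- cat /proc/self/uid_map
}

# Pick whichever tool is installed.
# Usage: launch_oci_app docker://alpine            (name derived: alpine)
#        launch_oci_app library/nginx:1.25 web     (explicit name)
launch_oci_app() {
    name="${2:-$(default_container_name "$1")}" || return 1
    if command -v incus >/dev/null 2>&1; then
        launch_with_incus "$1" "$name"
    elif command -v lxc-create >/dev/null 2>&1; then
        launch_with_lxc "$1" "$name"
    else
        echo "neither incus nor lxc-create found in PATH" >&2
        return 1
    fi
}
```

Source the file and call `launch_oci_app` with an image; the final `cat /proc/self/uid_map` is the check that ties this back to the earlier answers, since a shifted map is what makes the resulting application container unprivileged.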