Security practices when running suspicious programs in containers


#1

Hi,

I would like to have thoughts and views for the use case below:

Use containers to run untrusted and highly suspicious software/malware, similar to a sandbox. For example, run a browser in a container, access the suspicious sites in that browser, and then blow up the container on user exit. So, kind of a new browser in a container for each session.

What additional security practices would you recommend?

Google has a project (https://github.com/google/gvisor).

Similarly, I have seen a few posts here and there regarding a hardened kernel when running containers.

I am wondering about the security of LXC/LXD in the above use case, and whether there are any best practices, hardened kernels or other options advised and available.

Thanks


#2

If you plan to run GUI apps in the container, then you need to use a separate X server, like Xephyr, because if you share the X server of your host, then you get issues inherent to the architecture of X11. Malware can take advantage of that, if it is designed to do so.
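
An added example, not part of the posts above: a small audit that reads classic LXC configuration text and reports mount entries that hand the host's own X server to the container instead of a separate nested one such as Xephyr. The sample config, the container name, the paths and the assumption that the host desktop runs on display `:0` while the nested server runs on `:1` are all constructed for illustration.

```python
import re

# Constructed sample of classic LXC config lines (lxc.mount.entry is a real
# key; the container name and paths are made up for this example).
SAMPLE_CONFIG = """\
lxc.uts.name = browser-sandbox
lxc.mount.entry = /tmp/.X11-unix tmp/.X11-unix none bind,optional,create=dir
lxc.mount.entry = /tmp/.X11-unix/X1 tmp/.X11-unix/X0 none bind,optional,create=file
lxc.mount.entry = /home/user/.Xauthority home/ubuntu/.Xauthority none bind,ro
# lxc.mount.entry = /tmp/.X11-unix/X0 tmp/.X11-unix/X0 none bind
"""

X11_DIR = "/tmp/.X11-unix"  # conventional location of X server Unix sockets


def audit_x11_mounts(config_text, host_display=0):
    """Return (line_no, reason) for each mount that exposes the host X server.

    host_display is the display number of the real desktop session (an
    assumption supplied by the caller). Any other display, for example a
    Xephyr instance on :1, is treated as the intended nested server.
    """
    findings = []
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"lxc\.mount\.entry\s*=\s*(\S+)", line)
        if not m:
            continue
        src = m.group(1).rstrip("/")                 # host-side source path
        if src == X11_DIR:
            # The whole directory includes the host display's socket.
            findings.append((no, "whole X11 socket directory shared"))
        elif src == f"{X11_DIR}/X{host_display}":
            findings.append((no, f"host display :{host_display} socket shared"))
        elif src.endswith("/.Xauthority"):
            # The cookie file authenticates clients to the host X server.
            findings.append((no, "host Xauthority cookie shared"))
    return findings


if __name__ == "__main__":
    for no, reason in audit_x11_mounts(SAMPLE_CONFIG):
        print(f"line {no}: {reason}")
```

The entry on line 3 of the sample passes because it maps only the nested server's socket (`X1`) into the container.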