Getting Containers working in Whonix

  1. Problem: [libvirt-users] libvirt with lxc: internal error The 'cpuacct', 'devices' & 'memory' cgroups controllers must be mounted
     a) Figuring out how to boot with cgroups active in Whonix
        • chkconfig is not installed by default
        • cgroups don’t appear to be working; figure out how
          --list | grep cg
     b) Find a way to seamlessly integrate it with the system for users.

  2. libvirt-sandbox does not appear to be packaged for Debian yet.

apt-get install cgroup-bin, then reboot.

Maybe include this in Whonix releases too?
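A check for the cgroup problem in item 1, as an added example that is not code from this thread: it parses /proc/mounts-style lines for the three controllers the libvirt-lxc error names, so you can confirm the cgroup-bin fix took effect after the reboot. The function names and the sample mount lines are my own (the samples are constructed for the demo; point the function at the real /proc/mounts on a live system).

```shell
#!/bin/sh
# Added example, not from the thread: check whether the cgroup v1 controllers that
# the libvirt-lxc error names (cpuacct, devices, memory) are mounted, by parsing
# /proc/mounts-style lines. Point it at the real /proc/mounts or at a sample file.

REQUIRED="cpuacct devices memory"

# missing_cgroup_controllers FILE
# Prints the required controllers that no "cgroup" mount in FILE exposes, space
# separated. Exit status 0 when all are mounted, 1 when any is missing.
missing_cgroup_controllers() {
    missing=""
    for ctrl in $REQUIRED; do
        # A cgroup v1 mount line looks like:
        #   cgroup /sys/fs/cgroup/memory cgroup rw,nosuid,nodev,noexec,relatime,memory 0 0
        # Controller names sit in the 4th (options) field, comma separated, so match
        # whole option tokens rather than substrings ("cpu" must not satisfy "cpuacct").
        if ! awk -v c="$ctrl" '
            $3 == "cgroup" { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == c) found = 1 }
            END { exit found ? 0 : 1 }' "$1"; then
            missing="${missing:+$missing }$ctrl"
        fi
    done
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing"
        return 1
    fi
    return 0
}

# write_sample FILE MODE: constructed /proc/mounts content for demonstration only.
# MODE "bare" mimics a system before cgroup-bin is installed (only cpu and cpuset
# mounted); MODE "ok" has all three required controllers mounted.
write_sample() {
    {
        echo "proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0"
        echo "tmpfs /sys/fs/cgroup tmpfs rw,nosuid,nodev,noexec,mode=755 0 0"
        echo "cgroup /sys/fs/cgroup/cpuset cgroup rw,nosuid,nodev,noexec,relatime,cpuset 0 0"
        if [ "$2" = "ok" ]; then
            echo "cgroup /sys/fs/cgroup/cpu,cpuacct cgroup rw,nosuid,nodev,noexec,relatime,cpu,cpuacct 0 0"
            echo "cgroup /sys/fs/cgroup/devices cgroup rw,nosuid,nodev,noexec,relatime,devices 0 0"
            echo "cgroup /sys/fs/cgroup/memory cgroup rw,nosuid,nodev,noexec,relatime,memory 0 0"
        else
            echo "cgroup /sys/fs/cgroup/cpu cgroup rw,nosuid,nodev,noexec,relatime,cpu 0 0"
        fi
    } > "$1"
}
```

On a live system run `missing_cgroup_controllers /proc/mounts`; a non-zero exit status with the missing names printed means libvirt-lxc will still refuse to start containers. The check covers the cgroup v1 layout this thread is about, not the cgroup2 unified hierarchy.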

We can include it as soon as instructions are somewhat complete and useful for something. At the moment we wouldn’t have much benefit?

Agreed. I sent the Subgraph guys a message asking them how their sandboxing is implemented.

Docker is a container provisioning tool that can create baselined container configurations that are portable and reproducible on other systems. As of the very recent version 1.0, released a few months ago, it extends support to many more isolation systems.

It can be scripted to launch any software via libvirt: any software that has an XML profile in libvirt-lxc, libvirt-kvm, etc. More operational details here:

To be transparent to the user we could embed the docker initiation commands in programs’ icons on the desktop, so it automatically opens containerized when started.

Version 1.0 is only available in sid. There is a great description of what it does here:

Unfortunately, non-amd64 kernels are not supported at the moment.

Interesting discussion and links to docker security:
http://blog.xen.org/index.php/2014/06/23/the-docker-exploit-and-the-security-of-containers/

Seems like for running applications with root rights docker does not provide very strong isolation. But for non-root applications, it could be a useful additional security layer. That would be good enough for high risk networking applications.