The secured Sandbox maybe? The windows sandbox is pretty awesome for day to day use imo. And no a template VM or container isnt really the same thing. The sandbox has the task of making sure that there is nothing that can break out. Afaik the sanbox has done a pretty good job so far in that aspect.
Does linux bring a comparable option to the table? Would love to find out, changig as many aspects of my life to linux is the best thing to do.
People really dislike it when you point this out, But the security model on Linux is lacking. Yes, we have things like apparmor and SELinux, but compare it to sandboxd on macOS. The windows sandbox isn’t perfect, but it’s really user-friendly, and it works in most cases. Linux doesn’t have a direct equivalent. We’ve made great strides with making immutable distros through things like flatpack, and snap, but something that they failed to do is implement a least privilege model that is as robust as sandboxd on macOS.
Flatpak and Snap are Linux packaging formats that have sandboxing implemented and it’s pretty solid. There’s also Firejail for running sketchy applications in a stronger sandbox
Reall great article. Thanks for sharing. But I dont know where you get the “literally a template” idea from. The article is explaining pretty well how its made and there isn’t one thing that leads to the assumption that this was just a template that gets booted up.
It says in the article that windows sandbox is using a “base image”. It boots up the image, you do stuff then close it, and the next time you boot it up it’s the base image again. Is that not what a template VM would do?
The primary difference between a usual VM template and this is that it’s small. “When installed the dynamic base package it occupies about 100MB disk space”. That’s because it’s essentially mounting a bunch of the system files immutably. You could theoretically do the same on Linux, but it probably wouldn’t be worth the effort.
Most of the advancements they have is under the hood stuff, like linking files instead of directly including them or managing memory. Battery state pass through and graphics OOTB is cool though, depending on your setup you might have to put in a bit of work to make that happen on Linux.
Yep thats what I meant. But also imo templated VM or Containers are not aimed to be not break-out safe. This is the case for this though, which why I think it would not be fair to it to set it side by side to a normal vm template or container. Besides that it also brings some nice added bonuses, some of which you listed.
Podman container completely closed off. ChromeOS shows that everything is possible on Linux (their Linux integration is a VM, running a container with the Distro, and the apps are displayed over wayland on the local host)
The secured Sandbox maybe? The windows sandbox is pretty awesome for day to day use imo. And no a template VM or container isnt really the same thing. The sandbox has the task of making sure that there is nothing that can break out. Afaik the sanbox has done a pretty good job so far in that aspect. Does linux bring a comparable option to the table? Would love to find out, changig as many aspects of my life to linux is the best thing to do.
People really dislike it when you point this out, But the security model on Linux is lacking. Yes, we have things like apparmor and SELinux, but compare it to sandboxd on macOS. The windows sandbox isn’t perfect, but it’s really user-friendly, and it works in most cases. Linux doesn’t have a direct equivalent. We’ve made great strides with making immutable distros through things like flatpack, and snap, but something that they failed to do is implement a least privilege model that is as robust as sandboxd on macOS.
Flatpak and Snap are Linux packaging formats that have sandboxing implemented and it’s pretty solid. There’s also Firejail for running sketchy applications in a stronger sandbox
From what I see, windows sandbox is literally a template VM.
https://techcommunity.microsoft.com/t5/windows-os-platform-blog/windows-sandbox/ba-p/301849
Reall great article. Thanks for sharing. But I dont know where you get the “literally a template” idea from. The article is explaining pretty well how its made and there isn’t one thing that leads to the assumption that this was just a template that gets booted up.
It says in the article that windows sandbox is using a “base image”. It boots up the image, you do stuff then close it, and the next time you boot it up it’s the base image again. Is that not what a template VM would do?
The primary difference between a usual VM template and this is that it’s small. “When installed the dynamic base package it occupies about 100MB disk space”. That’s because it’s essentially mounting a bunch of the system files immutably. You could theoretically do the same on Linux, but it probably wouldn’t be worth the effort.
Most of the advancements they have is under the hood stuff, like linking files instead of directly including them or managing memory. Battery state pass through and graphics OOTB is cool though, depending on your setup you might have to put in a bit of work to make that happen on Linux.
Yep thats what I meant. But also imo templated VM or Containers are not aimed to be not break-out safe. This is the case for this though, which why I think it would not be fair to it to set it side by side to a normal vm template or container. Besides that it also brings some nice added bonuses, some of which you listed.
https://duckduckgo.com/?t=ffab&q=sandboxing+on+linux&ia=web
I can understand disqualifying VMs, but why wouldn’t a container be that?
I feel like android did that first, but I’m not sure.
Podman container completely closed off. ChromeOS shows that everything is possible on Linux (their Linux integration is a VM, running a container with the Distro, and the apps are displayed over wayland on the local host)
There simply is no good GUI integration