
Sandboxing at home

I built my desktop computer enough years ago now that I cannot recall exactly when I built it. I want to say it was maybe around 2010. That seems so long ago. It seems too long ago. Yet, I think that is about right. I have upgraded it a few times over the years, including a new motherboard, new RAM, and a nice Nvidia 1080. I have added a couple of hard drives, and I have gone through many keyboards and mice just on this machine. I also swapped the single 1080p monitor for dual 1440p monitors. That might have been the best upgrade. However, it still runs on the same i5-2500k. That processor has been magnifique. I have definitely gotten the full value out of that piece of hardware.

Since 2001, I have been using Linux/GNU[1] to some varying degree. As of about ten years ago, it is the only kernel that I have run on a laptop, until I recently bought a MacBook Pro. I had been using Windows on my desktop as a dual boot option (really, tri-boot, but dual in practice). About five or six years ago, I could probably say that I was not really using Windows at all. I was doing all of my productive work on Linux exclusively, and I was only booting into Windows 7 to play a few games that I couldn't play on Linux. I still keep a copy of Windows 7 on my machine to dual boot into occasionally. I did last night, for example. It has been so long since I've been over there. The desktop environment was all but alien to me. Forget Windows 8 or 10. I used Windows 8 once, then never again. I have never even touched a Windows 10 machine. I used to be the one my family would call when this or that went wrong with their computers. Now, for any of them with anything even remotely new, I have no idea anymore.

I did get my father-in-law to use a Ubuntu box with a VM Windows XP running on it. He did that for a whole year (!!), but finally got so annoyed with Windows in the VM that he switched over to Windows full time again. Too bad. I think it was all because LibreOffice Writer didn't format the font in some .docx he'd received from a customer, and he couldn't get it to work right, so that cranked him, and he went back. Something as simple as an MS proprietary font that wasn't auto-replaced by a system font on Ubuntu/LO was all it took.

I've been using Gentoo Linux for about ten-ish years. I have used Slackware and Mandrake (my first ever was Mandrake), Debian, Ubuntu, Void, Arch, one that maybe used Enlightenment as its desktop environment but I can't remember which one that is, Mint, Peppermint, Puppy, Tails, and Kali. I want to like a few of them, but I kept coming back to Gentoo on my desktop. On various laptops I've had, I went with Debian usually or sometimes Ubuntu, but mostly Debian. I've done Gentoo on laptops before, but upgrading packages is not as convenient on a laptop, especially if I don't want it to just sit and compile all night every couple of weeks.

What does this all have to do with sandboxing? Not much. Sandboxing is just the latest thing I've been doing on my desktop. Well, latest; I've been doing it for a few years now.

Here's what I do: I've got the main installation, e.g., Gentoo rootfs on /dev/sda. This has only the base system plus maybe a few programs, like wget, elinks, ranger, qtfm/spacefm, and utilities like xsetwacom (Wacom tablet driver) for my drawing tablet. Et cetera. And then I have chroot systems for things like Firefox, Chromium, Steam, Gimp, and LibreOffice. Usually, each goes in its own chroot. Firefox goes in /mnt/fire. Chromium in /mnt/chromium. Steam, however, goes in /eve currently, as a relic of when I was playing a bit of EVE Online on this machine.

Creating chroots in Gentoo is really easy. It's just a few steps like you are doing a new install of Gentoo from within Gentoo. You make the target folder. Unpack a stage 3 into the folder. Edit a couple of files. Then mount the filesystems.

To take care of upgrading, I mount -Rv the portage directory from the main system to the chroot, and some packages/upgrades also require a mount -Rv of the current /usr/src/linux to the chroot /mnt/CHROOT/usr/src/linux so that the packages are compiled correctly.

Then simply chroot to the new /mnt/CHROOT, update the base system, create a user, and install Firefox or playonlinux or wine or whatever you wish.

There are a couple of nice reasons to do this. One, it provides you some protection for your base system against malicious actors. No, it's not perfect. What is? VMs take a lot of resources. Docker and Flatpaks and Snaps are pretty good, but then I'm not running native, compiled-from-source packages on my compiled-from-source machine. Another thing I like about doing it this way is that I can use my file manager from my base system to interact with and directly manipulate all the files on my chroot systems. Probably the second best reason is that this is a super easy way to keep dependencies separate. The only time I ever have a problem is when Gentoo developers have masked a package required by whatever software is installed on the given chroot. Possibly the best reason is how light on resources this method is.

Currently, I have software in three different chroot environments running and the memory footprint and CPU usage is nice and light. Running three VMs would put me way over the 1.42GB of memory that I'm currently using.

To get rid of a chroot, all it takes is making sure that the file systems are unmounted, and then rm -rf /mnt/CHROOT. It's as easy as that. If you don't ensure your file systems are unmounted, then you can wreck your base installation, so be careful. I always reboot into a shell environment to make sure nothing is mounted to /mnt/CHROOT before manually removing the chroot. Otherwise, I wrote a python program to do it for me. Creating a new chroot is also done via a python program I wrote, from the first mkdir to the emerge @world update and adding a user.
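The "make sure nothing is mounted before rm -rf" step above is the one that wrecks a base system when skipped, so here is an added example (not the author's python tooling) of a guarded teardown in plain sh: it reads the kernel mount table and refuses to delete the chroot while any of the bind mounts from the setup steps (portage, /usr/src/linux, proc, sys) are still up. The paths under /mnt and the sample mount table at the bottom are constructed for a dry run and are not from the original post.

```shell
#!/bin/sh
# Added example, not the author's own tooling: before rm -rf'ing a chroot,
# read the kernel mount table and refuse if anything is still mounted beneath it.
# Assumption: the table has the /proc/self/mounts layout
# (device, mount point, fstype, options, dump, pass), one mount per line.

# Print mount points at or below $1, reading the table from $2
# (defaults to /proc/self/mounts). Reverse-sorted so nested mounts
# (e.g. /mnt/fire/usr/src/linux) come before their parents: umount order.
mounts_under() {
    dir=${1%/}                  # drop a trailing slash so /mnt/fire/ == /mnt/fire
    table=${2:-/proc/self/mounts}
    # Field 2 is the mount point; match the dir itself or anything under "dir/".
    # Matching "dir/" (not a bare prefix) keeps /mnt/firefly from matching /mnt/fire.
    awk -v d="$dir" '$2 == d || index($2, d "/") == 1 { print $2 }' "$table" \
        | LC_ALL=C sort -r
}

# Succeed (0) only when nothing is mounted at or below the chroot.
chroot_is_unmounted() {
    [ -z "$(mounts_under "$1" "$2")" ]
}

# The guarded teardown: rm -rf only after the check passes. Defined, not run, here.
remove_chroot() {
    if ! chroot_is_unmounted "$1"; then
        echo "refusing to remove $1; still mounted:" >&2
        mounts_under "$1" >&2
        return 1
    fi
    rm -rf -- "$1"
}

# Constructed sample mount table for a dry run (no root needed): a Firefox
# chroot with its bind mounts still up, plus an unrelated sibling /mnt/firefly.
SAMPLE_MOUNTS=$(mktemp)
printf '%s\n' \
    '/dev/sda2 / ext4 rw,relatime 0 0' \
    'proc /mnt/fire/proc proc rw,nosuid,nodev,noexec 0 0' \
    'sysfs /mnt/fire/sys sysfs rw,nosuid,nodev,noexec 0 0' \
    '/dev/sda2 /mnt/fire/usr/portage ext4 rw,relatime 0 0' \
    '/dev/sda2 /mnt/fire/usr/src/linux ext4 rw,relatime 0 0' \
    'tmpfs /mnt/firefly tmpfs rw 0 0' \
    > "$SAMPLE_MOUNTS"

echo "still mounted under /mnt/fire:"
mounts_under /mnt/fire "$SAMPLE_MOUNTS"
chroot_is_unmounted /mnt/chromium "$SAMPLE_MOUNTS" && echo "/mnt/chromium is safe to remove"
```

Run against the live table by leaving the second argument off; `remove_chroot /mnt/CHROOT` then only proceeds once `mounts_under` prints nothing.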

Alternatively, it is easy to copy a /mnt/CHROOT to /mnt/CHROOT-2 and edit a couple of files, and voilà, I nearly-instantly have an exact copy of the chroot including all installed programs and other files.

I am not claiming this is the best system, but I really like it, so meh whatev.

[1] This is the only time I am going to use the Linux/GNU terminology, probably on this whole site. I agree in principle with Stallman's criticism, but I just don't think it matters that much. Sry.

~Patrick

16:51 Tuesday, 03 April 2018