In this paper we introduced a method that uses UIDs, GIDs, and user namespaces to create a sandbox for Linux desktops. The proposed sandbox is designed to meet requirements that we consider important for widespread adoption. We implemented a prototype and performed a usability survey. The results indicate that an easy-to-use, transparent sandbox is likely to be adopted, provided users understand the benefits of using the software. Furthermore, we provided an analysis of how the sandbox addresses each of the requirements mentioned above and analyzed its security impact on the overall system.
Our research indicates several areas that future research should address. First, a long-term evaluation should be conducted to obtain results about the application's stability. As mentioned above, the current prototype does not support access control for the D-Bus session bus; a solution that restricts this access is, in our opinion, necessary. Another challenge for future work is that Xorg does not separate the graphical user interfaces of the applications. Therefore, either a multi-instance display server such as Xpra or a Wayland-based solution should be added. Third, network access is currently unrestricted. Isolating network access through network namespaces should be considered. The challenge here is to strike a balance between full and no access, since many applications use localhost communication extensively.
