Category Archives: Sandbox

Desktop application sandboxing for Linux

Test drive the whole Ubuntu archive with WebLive

In my last blog post about WebLive I announced the availability on WebLive of the top-50 apps from the new Ratings & Review service.

Today I’m happy to announce that this feature is no longer necessary as you can now test drive anything that’s available in the Ubuntu archive.

Sylpheed installing on WebLive

At the moment that’s over 1300 desktop application that you can test this way.
That’s basically any GUI app that requires less than 150MB of space to install and that’s not in one of my blacklists (video editing, 3D, VOIP, VMs, …).

As a reminder, all that you need is an up to date Ubuntu 11.04 system and the qtnx package installed (default in Edubuntu).
Full desktop sessions are still available at:

This feature uses another of my pet projects Arkose to dynamically create containers (see LXC) whenever someone logs in. Each user is allocated up to 500MB for the test drive feature. On login, the system will check if it already has the requested app in the default system and if not, will download and install it when you connect.

Enjoy !

NOTE: The current blacklist isn’t perfect, so if you notice any package that has a Test drive button in the Software Center and doesn’t work, please file a bug here:

Posted in Arkose, Canonical voices, Edubuntu, LXC, Planet Ubuntu, Sandbox, WebLive | 9 Comments

Sandbox changes name to become Arkose

Sandbox started as a quick hack I wrote at the Ubuntu Developer Summit in Orlando, FL back in October.

Since then it evolved quite a bit, getting a decent user interface and even a nautilus plugin.

Only thing that really was missing before making it an “official” project is a “real” name.
After thinking about it for a while (trust me, I’m really bad at finding names), I finally ended up browsing sand-related pages on Wikipedia and chose to go ahead with “Arkose”.

Arkose (pronounced /ˈɑrkoʊz/) is a detrital sedimentary rock, specifically a type of sandstone containing at least 25% feldspar.


I really liked “sandbox” as a name though, but it was a bit of a pain to Google for, apt-cache was returning multiple results too and finding relevant dent/tweet was a really difficult. So instead, I’ll mostly be using “Arkose – desktop sandboxing”. The name itself being a lot less common and “desktop sandboxing” is already giving very good Google results.

I finally created a Launchpad project and moved the branch to it. I’m expecting packages to hit the archive over the next few days.

PPA is available at:

Posted in Arkose, LXC, Planet Revolution-Linux, Planet Ubuntu, Sandbox | Tagged | 3 Comments

Having fun with containers

Not really having anything specific to do yesterday, I chose to have a bit of fun with sandbox.

I ended up installing a completely clean Ubuntu 10.10 in a VM with just an ssh server running.
I then installed sanbox from my PPA and appended the following line to my /etc/ssh/sshd_config:

ForceCommand sudo /usr/bin/sandbox -c "$SSH_ORIGINAL_COMMAND"

And this one to /etc/sudoers:

ALL ALL=NOPASSWD: /usr/bin/sandbox

Then restarted sshd.

The result is that any incoming ssh connection will be sent to its own sandbox with no direct access to the disk, no network available and won’t be able to see other user’s processes.
Connecting twice over SSH will give you two shells which won’t be able to see each other.

Posted in LXC, Planet Revolution-Linux, Planet Ubuntu, Sandbox | Tagged | 3 Comments

sandbox 0.2 released and packaged !

Yesterday, while enjoying the snow falling outside (finally!) I went through my TODO list for sandbox and implemented most of what was on it.

Ext4 support for the copy-on-write partition

You can now have the copy-on-write stored on disk instead of RAM memory (tmpfs).
The tmpfs support is still available as an option for these who have plenty of RAM or don’t have a separate /home (due to the aufs limitation).

Nautilus extension

sandbox now has a nautilus extension which lets you start any executable binary/script directly in a sandbox.
sandbox nautilus integration

Updated GUI

The GUI is no longer showing any option by default and just “does the right thing” (in most cases).
sandbox new gui

All the options being hidden behind “Show sandbox options”.
sandbox new gui advanced

Released and packaged it

Finally, I released sandbox 0.2 (0.1 wasn’t in a packagable state) and packaged it for Ubuntu Natty Narwhal.
It’s made of 3 different packages:

  • sandbox: The command line utility and the C part.
  • sandbox-gui: The python GUI and .desktop file (Applications -> System Tools -> sandbox)
  • sandbox-nautilus: The nautilus extension, you need to restart nautilus to have it to load

The packages (for natty) can be found in my experimental PPA:
and code is still available at:

sandbox running software

For now, everything is called “sandbox” which is more of a concept than an actual project name. As it’s becoming more and more of an actual project and I’m quite bad at finding good names, I’m open for suggestions of a better name for that thing.

Update: Release 0.2.1 which auto-detect separate /home partition and fall-back to tmpfs when necessary. Packages are available for Natty (Ubuntu 11.04) and Maverick (Ubuntu 10.10).

Posted in LXC, Planet Revolution-Linux, Planet Ubuntu, Sandbox | Tagged , | Leave a comment

Sandbox gets a GUI

Last Friday at work enjoying the fact that most of the US weren’t working, I spent a few hours working on my current pet project, sandbox.

Most of the code has now been moved from the C code to a shell script, keeping only what’s really needed in C.
I also added the possibility of directly starting a command in a container (once the command ends, the container is destroyed).

On top of that, I played a bit with Glade and pygtk to implement a basic GUI on top of Sandbox as shown below:
Sandbox GUI screenshot

This is still very basic but should be a lot more user friendly than having to start the tool from the command line.

Next on the TODO list is support for saving/restoring containers and some kind of nautilus integration (Right-Click => “Run in a container” would be sweet).

As always, the code can be found in a bzr branch:
bzr get lp:~stgraber/+junk/sandbox
Or from:

Posted in Planet Revolution-Linux, Planet Ubuntu, Sandbox | Tagged , | Leave a comment