I have an application that I would like to start in a "virtualized environment". I don't want this application to be able to write/read any files on my local file system. A bonus would be to be able to monitor everything this application does.
The application is graphical if that matters.
Can I do this with existing Linux tools? Can I emulate this behaviour with chroot?
I don't want to run a full VirtualBox just for 1 application; this seems like overkill.
Thank you, Maxim.
SELinux will allow you to start the application in a restricted domain, and the audit subsystem will let you watch what it does.
Check lxc, Linux Containers. It's a 'better chroot than chroot', like Solaris containers or BSD jails, also comparable to OpenVZ or VServer. The base concept is to isolate some views of the system from a process.
For example, if you isolate the PID tree, the process starts a new tree: sees itself as PID #1, and subprocesses see only that subtree. Other processes see 'normal' PIDs as part of the whole tree.
Similarly, you isolate files by a more powerful chroot, choose how much memory and CPU those processes can get, and which network interface(s) they see (which can be 'virtual' interfaces, optionally routed or bridged to the real ones).
If you wish, the base process in the container can be init, creating a new virtual system; or it can be a specific application, letting you limit it while still working without any measurable overhead.
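The PID and mount isolation described in this answer is provided by kernel namespaces, which LXC builds on. The script below is an added example, not code from either answer: it drives those same namespaces directly with unshare(1) from util-linux, so a single command can be started as PID 1 of its own process tree with its home directory replaced by an empty tmpfs. It assumes a kernel that allows unprivileged user namespaces (so no root is needed); where that is not the case each function reports "unavailable" instead of failing.

```shell
#!/bin/sh
# Added example, not from the answer above: the same kernel namespaces LXC
# builds on, driven directly with unshare(1) from util-linux. Assumes a
# kernel that allows unprivileged user namespaces (no root required);
# every function falls back to printing "unavailable" where it does not.

# What PID does a process see for itself inside a fresh PID namespace?
# Expected "1": the first process in the new namespace becomes its init.
pid_seen_inside_namespace() {
    if out=$(unshare --user --map-root-user --pid --fork --mount-proc \
                 sh -c 'echo $$' 2>/dev/null); then
        printf '%s\n' "$out"
    else
        echo unavailable
    fi
}

# How many processes are visible in /proc from inside the namespace?
# Only the subtree started there (the shell and its two pipeline children),
# never the rest of the host's process table. --mount-proc gives the
# namespace its own /proc so the listing reflects the new PID tree.
visible_process_count() {
    if out=$(unshare --user --map-root-user --pid --fork --mount-proc \
                 sh -c 'ls /proc | grep -c "^[0-9]"' 2>/dev/null); then
        printf '%s\n' "$out"
    else
        echo unavailable
    fi
}

# Run a command with its own PID namespace and with $HOME replaced by an
# empty tmpfs: the real home directory is neither readable nor writable
# from inside, and anything written there disappears on exit. The rest of
# the filesystem stays visible; confining the whole root is what the
# SELinux or LXC approaches in the answers add on top of this.
run_with_private_home() {
    unshare --user --map-root-user --pid --fork --mount-proc \
        sh -c 'mount -t tmpfs -o size=64m none "$HOME" && cd "$HOME" && exec "$@"' \
        sh "$@"
}

# Usage from a terminal, e.g. for a graphical application:
#   run_with_private_home some-gui-app
```

Because the tmpfs hides everything under $HOME, an X authority file kept there becomes invisible to the application; copy it elsewhere and point XAUTHORITY at the copy before launching. Monitoring, the questioner's bonus requirement, is not covered by namespaces alone; the audit subsystem mentioned in the first answer (or strace on the PID 1 of the new tree) supplies that.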