[Feature] Sandboxed mode

[89luca89]

Right now the distrobox's containers are created in privileged mode and share a lot of sensitive host's folder.

This is done because the aim is tight integration with the host, not sandboxing.

---

It would be nice to have an optional (see: disabled if not specified) --unprivileged or a --sandbox flag in distrobox-create to have a more isolated container to work with.

[89luca89]

Sandboxed distrobox should not integrate with the host as tightly as the normal one

$HOME should not be bind mounted
Host's rootfs should be mounted in readonly (or ideally not mounted at all)
Sockets should not be passed to the container

Sandboxed distrobox should not use --privileged and should not use --ipc host, --pid host

Thinking of functionality:

• --sandbox seems an understandable flag to use
• --allow-path could be used to allow some path to be mounted as read-write

[89luca89]

Depends on #70

[BlauerHunger]

I think only implementing "fully sandboxed+unprivileged" and "fully integrated+privileged" modes are not the way to go, but rather adding options to configure it finer-grained like making only a specified set of devices available, only select sockets, mapping a custom selection of directories or other things possible for Flatpaks using Flatseal.

Based on that you could then add presets for integrated vs. sandboxed.

[89luca89]

Well there is a big difference between distrobox and Flatpak, distrobox is not an application distribution method.
On one hand I agree having some more fine grained support is good
On the other, it's an extreme work to add support to filter specific devices (like, usb pen1 passes, usb pen2 does not pass etc etc)

I was thinking more on the lines of

Sanbox mode:

1 - custom home
2 - you specify which path can the container access
3 - you decide if devices in /dev/ are accessible or not
4 - you decide if you share:
- network namespace
- process namespace
- ipc namespace
- mount namespace
- (others)

And on that one can do a couple of profiles (low to high sandboxing)