I had this idea for a VM to completely sandbox individual programs. It goes like this :
Do a fresh install of Windows or whatever OS. Take a full snapshot of the disk and store it in a big file. This is now
*const* and will be shared by all sandboxes.
Every program that you want to run in isolation gets its own sandbox. Initially a sandbox just points at the const OS
snapshot which is shared. File reads fall through to that. When you run the installer on the sandbox, it will do a bunch
of file writes - those go in a journal which is unique to this sandbox that stores all the file renames, writes, deletes,
etc. That can be saved or simply thrown away after the program is done.
You can optionally browse to sandbox journals. They look just like a regular disk with files. What you're seeing is the
const OS snapshot with the changes that the individual program made on top of it. You can then copy files in and out of
the sandbox drive to get them to your real disk.
So, for example, when you download some program from the internet that you don't trust, you can just pop up a new sandbox
and run it there. This is *instant* and the program is 100% isolated from being able to do file IO to your real system.
But if it makes some files you want, you can easily grab them out.
You could also mount "portals" across the sandboxes if you want to. For example, say you don't trust shitty iTunes and
you want to run it in a sandbox so it can't mess with your registry or anything. But you want your music files to be on
your main drive and have those be accessible to iTunes. You can mount a portal like a net drive for the sandbox to be
able to "see out" to just that directory. That way you don't have to like duplicate your music files into the iTunes sandbox
or whatever.
Aside from isolating rogue programs, this fixes a lot of problems with Windows. It lets you do 100% clean uninstalls -
boom you just delete the whole sandbox and the program has no fingers left over. Every program gets its own registry and
set of DLLs and such so there can never be conflicts. You don't have that damn problem of Windows always mysteriously
going to shit after 5 years.
If you put your OS on c: and all your data on d:, you could easily just let all the sandboxes of trusted programs have portals
to d: so that you can just run Photoshop in a sandbox and browse to d: and work on images, and it feels like you just run normal
programs on a normal computer.
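The snapshot-plus-journal scheme described above, modeled in memory as an added example (not code from the original post or from Oodle). The `Sandbox` class, its method names, the sample paths and the `..` check on portal paths are assumptions made for illustration.

```python
# Added illustration; all names are hypothetical. A "disk" is a dict: path -> bytes.
DELETED = object()  # journal tombstone: file removed inside this sandbox

class Sandbox:
    def __init__(self, snapshot, host_disk):
        self._snapshot = snapshot  # shared const OS image, never written
        self._host = host_disk     # the real disk, reachable only via portals
        self._journal = {}         # private writes and deletes of this sandbox
        self._portals = {}         # sandbox mount prefix -> host directory prefix

    def open_portal(self, mount, host_dir):  # host-side call, not given to the guest
        self._portals[mount.rstrip("/") + "/"] = host_dir.rstrip("/") + "/"

    def _target(self, path):  # -> (backing dict, key within it)
        for mount, host_dir in self._portals.items():
            if path.startswith(mount):
                if ".." in path.split("/"):  # must not climb out of host_dir
                    raise PermissionError(path)
                return self._host, host_dir + path[len(mount):]
        return self._journal, path

    def read(self, path):
        store, key = self._target(path)
        fallback = self._snapshot if store is self._journal else {}
        data = store.get(key, fallback.get(key, DELETED))  # journal, then const image
        if data is DELETED:
            raise FileNotFoundError(path)
        return data

    def write(self, path, data):
        store, key = self._target(path)
        store[key] = data

    def delete(self, path):
        self.read(path)  # raises FileNotFoundError if the file is not visible
        store, key = self._target(path)
        if store is self._host:
            del store[key]
        else:
            store[key] = DELETED

    def browse(self):  # the const snapshot with this sandbox's journal on top
        merged = {**self._snapshot, **self._journal}
        return {p: d for p, d in merged.items() if d is not DELETED}

if __name__ == "__main__":  # constructed sample data
    box = Sandbox({"c:/os/a.dll": b"v1"}, {"d:/music/x.mp3": b"song"})
    box.write("c:/os/a.dll", b"patched")
    print(box.browse(), box._snapshot)  # the sandbox view changes, the snapshot does not
```

Discarding a sandbox amounts to dropping its journal; the snapshot and the host disk are only ever touched through an explicitly opened portal.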
"12-01-08 - VM with Virtual Disk"
12 Comments -
Dude, this is exactly what my last company was trying to do.
December 2, 2008 at 1:07 PM
Dude, tell them to finish it, I want that product.
December 2, 2008 at 1:21 PM
I don't hack on windows, so I don't know the model. But wouldn't this break the ability to copy and paste embedded objects from one program into a different one if the programs are in different sandboxes?
December 2, 2008 at 1:41 PM
Brian, yeah, it would. However, there are two solutions to that :
1. Put programs you often use together in the same sandbox. For example I'd probably just put all the Apple shit together in one sandbox since Quicktime and iTunes and such are all evil and they like each other.
2. Specifically allow certain portals. For example, you could make the clipboard a portal if you want to. By default sandboxes should have all portals closed, and from *inside* a sandbox you cannot open portals, but from *outside* you can open any portal. For example, you could switch a flag that says "share the clipboard with the host", that would make clipboard objects global.
December 2, 2008 at 1:57 PM
DCOM is also a pain (though not often used), but really there are a ton of random little things you'd have to get right.
Maybe you should search for Thinstall, Softricity or MojoPac. The company I used to work for depended a lot on VMware Player, which probably doesn't appeal to you.
I'm guessing you were wishing for Oodle for your computer.
December 2, 2008 at 8:23 PM
Yeah it's not something I want to do, there would definitely be a ton of little pain.
I just did a simple patch / virtual file system thing for Oodle and realized how simple that part is and what you could do with it. Of course the hard part is catching every single interface to the OS and emulating them all right.
Softricity SoftGrid looks like they have most of the capability to do what I want, but have it aimed a different way (for IT management), and it seems like MS bought them recently.
December 2, 2008 at 9:05 PM
Sounds like an ideal use for ZFS. ZFS is all about the copy-on-write.
December 2, 2008 at 9:56 PM
ZFS? LOL. FS.
December 2, 2008 at 10:02 PM
Have you tried VirtualBox? It seems to have most of the features that you want, and it's pretty easy to set up.
December 2, 2008 at 10:13 PM
http://www.vmware.com/products/thinapp/
spendy, though.
December 3, 2008 at 3:20 PM
Yeah, that used to be Thinstall.
December 3, 2008 at 4:52 PM
Google Native Client :
http://googleonlinesecurity.blogspot.com/2008/12/native-client-technology-for-running.html
December 9, 2008 at 11:31 AM