When working on untrusted code or data it's impossible to predict what happens when one does a:
bundle install --path=vendor
Does this phone out your private SSH and GPG keys? Does a
try to exploit the PDF viewer? While you can run such things in separate virtual machines, this quickly gets cumbersome. libvirt-sandbox to the rescue! It allows sandboxing applications using libvirt's virtualization drivers. It took us a couple of years (the ITP is from 2012), but we finally have it in Debian's NEW queue. When libvirt-sandbox creates a sandbox it uses your root filesystem, mounted read-only by default, so you have access to all installed programs (this can be changed with the --root option). It can use either libvirt's QEMU or LXC drivers. We're using the latter in the examples below:
So in order to make sure the above bundler call has no access to your $HOME you can use:
sudo virt-sandbox \
    -m ram:/tmp=10M \
    -m ram:$HOME=10M \
    -m ram:/var/run/screen=1M \
    -m host-bind:/path/to/your/ruby-stuff=/path/to/your/ruby-stuff \
    -c lxc:/// \
    -S $USER \
    -n rubydev-sandbox \
    -N dhcp,source=default \
    /bin/bash
This makes your $HOME inaccessible by mounting a tmpfs over it, and uses separate network, IPC, mount, PID and UTS namespaces, so you can invoke bundler with fewer worries. /path/to/your/ruby-stuff is bind-mounted read-write into the sandbox, so you can change files there. Bundler can fetch new gems through libvirt's default network connection.
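A check worth running from the shell started inside the bundler sandbox above, before invoking bundler. This is an added example, not code from the original post or from libvirt-sandbox: it reads the mount table and confirms that $HOME and /tmp are covered by a tmpfs and that the project directory is a writable bind mount; the mount table it is tested against is constructed, and the /tmp expectation does not apply to the evince sandbox below, which deliberately shares /tmp.

```shell
#!/bin/sh
# Added example, not part of the original post or of libvirt-sandbox.
# Run it from the shell started inside the sandbox, before invoking bundler:
# it reads the mount table and checks that the directories you meant to hide
# are covered by a tmpfs and that the project directory is a writable bind
# mount. A mounts file can be passed instead of /proc/self/mounts for testing.

# mount_entry PATH [MOUNTS_FILE]: print "<fstype> <options>" for the last
# entry whose mountpoint is exactly PATH (later mounts shadow earlier ones).
mount_entry() {
    found=""
    while read -r _src mp fstype opts _rest; do
        [ "$mp" = "$1" ] && found="$fstype $opts"
    done < "${2:-/proc/self/mounts}"
    [ -n "$found" ] && printf '%s\n' "$found"
}

# is_hidden PATH [MOUNTS_FILE]: true if PATH is covered by a tmpfs, so the
# host's files underneath are not visible inside the sandbox.
is_hidden() {
    set -- "$(mount_entry "$1" "$2")"
    [ "${1%% *}" = "tmpfs" ]
}

# is_rw_bind PATH [MOUNTS_FILE]: true if PATH is a non-tmpfs mount carrying
# the rw option, which is how a host-bind of the project directory shows up.
is_rw_bind() {
    set -- "$(mount_entry "$1" "$2")"
    case "$1" in "" | "tmpfs "*) return 1 ;; esac
    case ",${1#* }," in *,rw,*) return 0 ;; esac
    return 1
}

# check_sandbox HOME_DIR PROJECT_DIR [MOUNTS_FILE]: print one line per check
# and return non-zero if anything would leak host data or block writes.
check_sandbox() {
    rc=0
    for p in "$1" /tmp; do
        if is_hidden "$p" "$3"; then echo "ok:   $p is hidden by a tmpfs"
        else echo "FAIL: $p is NOT hidden; host files are visible"; rc=1; fi
    done
    if is_rw_bind "$2" "$3"; then echo "ok:   $2 is a writable bind mount"
    else echo "FAIL: $2 is not a writable bind mount"; rc=1; fi
    return $rc
}

# Inside the sandbox: check_sandbox "$HOME" /path/to/your/ruby-stuff
```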
And for the PDF case:
sudo virt-sandbox \
    -m ram:$HOME=10M \
    -m ram:/dev/shm=10M \
    -m host-bind:$HOME/Downloads=$HOME/Downloads \
    -c lxc:/// \
    -S $USER \
    -n evince-sandbox \
    --env="DISPLAY=:0" \
    --env="XAUTHORITY=$XAUTHORITY" \
    /usr/bin/evince Downloads/justdownloaded.pdf
Note that the above example shares /tmp with the sandbox in order to give it access to the X11 socket. Better isolation can probably be achieved using xpra or xvnc, but I haven't looked into this yet.
Besides the command-line program virt-sandbox there's also the library libvirt-sandbox, which makes it simpler to build new sandboxing applications. We're not yet shipping virt-sandbox-service (a tool to provision sandboxed system services) in the Debian packages since it's RPM-distro specific. Help with porting it to Debian is greatly appreciated.