{"id":13576380,"url":"https://github.com/darrenldl/sandboxing","last_synced_at":"2025-05-16T04:15:45.312Z","repository":{"id":97068462,"uuid":"268236053","full_name":"darrenldl/sandboxing","owner":"darrenldl","description":"Scripts, files and tools related to sandboxing","archived":false,"fork":false,"pushed_at":"2021-12-03T06:28:55.000Z","size":678,"stargazers_count":31,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-04-05T05:33:26.302Z","etag":null,"topics":["apparmor","apparmor-profiles","bubblewrap","bubblewrap-scripts","sandboxing"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/darrenldl.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"COPYING","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2020-05-31T08:08:11.000Z","updated_at":"2025-02-23T07:38:07.000Z","dependencies_parsed_at":"2023-03-25T16:07:37.346Z","dependency_job_id":null,"html_url":"https://github.com/darrenldl/sandboxing","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/darrenldl%2Fsandboxing","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/darrenldl%2Fsandboxing/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/darrenldl%2Fsandboxing/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/darrenldl%2Fsandboxing/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/darrenldl","download_url":"https://codeload.github.com
/darrenldl/sandboxing/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254464873,"owners_count":22075572,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["apparmor","apparmor-profiles","bubblewrap","bubblewrap-scripts","sandboxing"],"created_at":"2024-08-01T15:01:09.745Z","updated_at":"2025-05-16T04:15:45.286Z","avatar_url":"https://github.com/darrenldl.png","language":"C","funding_links":[],"categories":["C"],"sub_categories":[],"readme":"# Sandboxing\n\nScripts, files and tools related to sandboxing\n\n## Description\n\nThis sandboxing suite primarily targets desktop use, but may include assets for server use\n\nThe scripts and files in this repo are designed to be readily usable on most systems\n\n- You only need to install the OCaml toolchain if you want to develop the generator further\n\nBasics\n\n- Private home for programs\n- Shell interpreter access is removed in the sandbox\n- The number of binaries accessible is minimized (via bubblewrap and AppArmor)\n- Fairly strict seccomp filters are supplied to bubblewrap\n- Fairly strict AppArmor profiles are generated\n\nNote that some profiles assume Wayland is in use\n\n## Install\n\nSimply `git clone https://github.com/darrenldl/sandboxing.git` in your home directory\n\nYour system needs to have `bubblewrap`, `gcc` and `apparmor` installed to run the scripts\n\n## Installation\n\n__Important__: Please make sure the following directories are not already in use in your `$HOME`\n\n- `sandboxing/`\n- `sandboxes/`\n- `sandbox-logs/`\n\nAll bash scripts in the `scripts/` directory should work out of the 
box on most Linux distros\n\nThe scripts assume they stay in their original positions in the local copy of the repository. You can, however, invoke them via the full path\n\n```\n./sandboxing/scripts/firefox.sh \u0026\n```\n\nor use `add_links.sh DEST` to create symlinks to the scripts\n\n```\n./sandboxing/add_links.sh ~/.bin # say ~/.bin is in our PATH variable\nsandbox-firefox-private \u0026        # all symlinks are prefixed with \"sandbox-\" to allow easy removal\n                                 # and avoid shadowing\n```\n\n## General usage\n\nInvoke the script directly (or via symlink);\nstdout is stored as `~/sandboxing-sandbox-logs/profile/*.stdout`,\nstderr is stored as `~/sandboxing-sandbox-logs/profile/*.stderr`\n\nSee the following section for profile-specific usage\n\n## Profiles\n\nOnly the listed profiles are considered stable\n\nThe following serves as a rough description only; check the scripts directly to see if they fit your needs\n\n#### Internet\n\n- `firefox`\n  - Persistent home as `~/sandboxing-sandboxes/firefox` on host\n- `firefox-tmp`\n  - No persistent home\n  - Temporary persistent `Downloads` folder in sandbox home, created as a temporary directory under `/tmp` on host\n    - This is the only directory that host and sandbox share\n  - Is __NOT__ hardened against tracking/fingerprinting\n- `firefox-private`\n  - Same as `firefox-tmp`, but uses the hardened `user.js` transparently (should work on most Linux distros)\n  - __Important__: Please check that the `user.js` is indeed loaded correctly, see https://github.com/pyllyukko/user.js/#verifying for how to verify\n- `thunderbird`\n  - Persistent home as `~/sandboxing-sandboxes/thunderbird` on host\n- `discord`\n  - Persistent home as `~/sandboxing-sandboxes/discord` on host\n  - AppArmor profile not usable yet\n\n#### PDF reading\n\n- `okular-ro`\n  - No persistent home\n  - Accepts exactly one argument, the file to be read, e.g. 
`sandbox-okular-ro file.pdf`\n  - Mounts only the specified PDF file read-only in the sandbox home\n  - No network access\n\n- `okular-rw`\n  - No persistent home\n  - Accepts exactly one argument, the file to be read, e.g. `sandbox-okular-rw file.pdf`\n  - Mounts only the specified PDF file read-write in the sandbox home\n  - No network access\n\n#### Image viewing\n\n- `eom-ro`\n  - No persistent home\n  - Accepts exactly one argument, the file to be read, e.g. `sandbox-eom-ro file.png`\n  - Mounts only the specified file read-only in the sandbox home\n  - No network access\n\n## Development\n\n#### TODO\n\n- Make each sandbox use a separate user (not sure yet)\n\n- Transition to a syscall whitelist instead of a blacklist\n\n- Network namespace setup with routing and DNS\n\n#### WIP\n\n- Discord AppArmor profile\n\n#### Index\n\n- `aa-profiles/` contains the generated AppArmor profiles\n- `firefox-hardening/` contains files specific to Firefox\n- `gen/` contains the OCaml code responsible for generating the bubblewrap scripts and the seccomp BPF generator C code\n- `runners/` contains the generated runner C code\n- `scripts/` contains the generated bubblewrap scripts\n- `seccomp-bpfs/` contains the generated seccomp BPF generator C code\n\nSee `gen/src/profiles.ml` for existing profiles\n\nRun `make run` in `bw-script-gen/` to regenerate the scripts after updating the profiles\n\n## Acknowledgements\n\nSome components (e.g. 
bubblewrap scripts, seccomp filter blacklist) are based on the following repo\n\n- https://github.com/valoq/bwscripts\n\nAppArmor profile generation, seccomp filter whitelist, and other design choices are based on the following repo\n\n- https://github.com/Whonix/sandbox-app-launcher\n\nFiles in `firefox-hardening/` are from the following repo\n\n- https://github.com/pyllyukko/user.js/\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdarrenldl%2Fsandboxing","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdarrenldl%2Fsandboxing","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdarrenldl%2Fsandboxing/lists"}