Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/darrenldl/sandboxing
Scripts, files and tools related to sandboxing
https://github.com/darrenldl/sandboxing
apparmor apparmor-profiles bubblewrap bubblewrap-scripts sandboxing
Last synced: about 1 month ago
JSON representation
Scripts, files and tools related to sandboxing
- Host: GitHub
- URL: https://github.com/darrenldl/sandboxing
- Owner: darrenldl
- License: gpl-3.0
- Created: 2020-05-31T08:08:11.000Z (over 4 years ago)
- Default Branch: master
- Last Pushed: 2021-12-03T06:28:55.000Z (almost 3 years ago)
- Last Synced: 2024-06-08T20:33:10.044Z (3 months ago)
- Topics: apparmor, apparmor-profiles, bubblewrap, bubblewrap-scripts, sandboxing
- Language: C
- Homepage:
- Size: 662 KB
- Stars: 28
- Watchers: 3
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: COPYING
Awesome Lists containing this project
README
# Sandboxing
Scripts, files and tools related to sandboxing
## Description
This sandboxing suite primarily targets desktop use, but may include assets for server use
The scripts and files in this repo are designed to be readily usable on most systems
- You only have to install OCaml toolchain if you want to develop upon the generator
Basics
- Private home for programs
- Shell interpreter access is removed in the sandbox
- Access to number of binaries is minimized (via bubblewrap and AppArmor)
- Fairly strict seccomp filters are supplied to bubblewrap
- Fairly strict AppArmor profiles are generatedNote that some profiles assume usage of Wayland
## Install
Simply `git clone https://github.com/darrenldl/sandboxing.git` in home
Your system needs to have `bubblewrap`, `gcc` and `apparmor` to run the scripts
## Installation
__Important__: Please make sure the following directories are not already in use in your `$HOME`
- `sandboxing/`
- `sandboxes/`
- `sandbox-logs/`All bash scripts in `scripts/` directory should work out of the box on most Linux distros
The scripts assume they stay in their original positions in the local copy of the repository, however
One can invoke them via the full path
```
./sandboxing/scripts/firefox.sh &
```or use `add_links.sh DEST` to create symlinks to the scripts
```
./sandboxing/add_links.sh ~/.bin # say ~/.bin is in our PATH variable
sandbox-firefox-private & # all symlinks are prefixed with "sandbox-" to allow easy removal
# and avoid shadowing
```## General usage
Invoke the script directly (or via symlink),
stdout are stored as `~/sandboxing-sandbox-logs/profile/*.stdout`,
stderr are stored as `~/sandboxing-sandbox-logs/profile/*.stderr`See the following section for profile specific usage
## Profiles
Only the listed profiles are considered stable
Following serves as rough descriptions only, check the scripts directly to see if they fit your needs
#### Internet
- `firefox`
- Persistent home as `~/sandboxing-sandboxes/firefox` on host
- `firefox-tmp`
- No persistent home
- Temporary persistent `Downloads` folder in sandbox home, created as temporary directory under `/tmp` on host
- This is the only directory that host and sandbox share
- Is __NOT__ hardened against tracking/fingerprinting
- `firefox-private`
- Same as `firefox-tmp`, but uses the hardened `user.js` transparently (should work on most Linux distros)
- __Important__: Please check the `user.js` is indeed loaded correctly, see https://github.com/pyllyukko/user.js/#verifying for how to verify
- `thunderbird`
- Persistent home as `~/sandboxing-sandboxes/thunderbird` on host
- `discord`
- Persistent home as `~/sandboxing-sandboxes/discord` on host
- AppArmor profile not usable yet#### PDF reading
- `okular-ro`
- No persistent home
- Accepts exactly one argument for file to be read, e.g. `sandbox-okular-ro file.pdf`
- RO mounts only the specified PDF file in sandbox home
- No network access- `okular-rw`
- No persistent home
- Accepts exactly one argument for file to be read, e.g. `sandbox-okular-rw file.pdf`
- RW mounts only the specified PDF file in sandbox home
- No network access#### Image viewing
- `eom-ro`
- No persistent home
- Accepts exactly one argument for file to be read, e.g. `sandbox-eom-ro file.png`
- RO mounts only the specified file in sandbox home
- No network access## Development
#### TODO
- Make each sandbox use a separate user (not sure yet)
- Transition to syscall whitelist instead of blacklist
- Network namespace set up with routing and DNS
#### WIP
- Discord AppArmor profile
#### Index
- `aa-profiles/` contains the generated AppArmor profiles
- `firefox-hardening/` contains files specific to Firefox
- `gen/` contains the OCaml code responsible for generating the bubblewrap scripts and generating seccomp BPF generator C code
- `runners/` contains the generated runner C code
- `scripts/` contains the generated bubblewrap scripts
- `seccomp-bpfs/` contains the generated seccomp BPF generator C codeSee `gen/src/profiles.ml` for existing profiles
Run `make run` in `bw-script-gen/` to generate scripts after making updates to the profiles
## Acknowledgements
Some components (e.g. bubblewrap scripts, seccomp filter blacklist) are based on the following repo
- https://github.com/valoq/bwscripts
AppArmor profile generation, seccomp filter whitelist, and other design choices are based on the following repo
- https://github.com/Whonix/sandbox-app-launcher
Files in `firefox-hardening/` are from the following repo
- https://github.com/pyllyukko/user.js/