https://github.com/kkernick/antimony
Sandbox Applications
bubblewrap linux sandbox seccomp security
- Host: GitHub
- URL: https://github.com/kkernick/antimony
- Owner: kkernick
- License: unlicense
- Created: 2025-07-24T02:54:40.000Z (12 months ago)
- Default Branch: main
- Last Pushed: 2026-07-01T04:14:38.000Z (3 days ago)
- Last Synced: 2026-07-01T06:21:54.350Z (3 days ago)
- Topics: bubblewrap, linux, sandbox, seccomp, security
- Language: Rust
- Homepage:
- Size: 6.09 MB
- Stars: 3
- Watchers: 0
- Forks: 1
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Antimony
```
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣰⣦
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣴⠟⠹⣧⡀
⠀⠀⠀⠀⠀⠀⠀⠀⣷⣦⣄⣠⣿⠃⢠⣄⠈⢻⣆⣠⣴⡞⡆
⠀⠀⠀⠀⠀⢀⣀⣀⣿⠀⠈⢻⣇⢀⣾⢟⡄⣸⡿⠋⠀⡇⣇⣀⣀
⠀⣤⣤⣤⣀⣱⢻⠚⠻⣧⣀⠀⢹⡿⠃⠈⢻⣟⠀⢀⣤⠧⠓⣹⣟⣀⣤⣤⣤⡀
⠀⠈⠻⣧⠉⠛⣽⠀⠀⠀⠙⣷⡿⠁⠀⠀⠀⢻⣶⠛⠁⠀⠀⡟⠟⠉⣵⡟⠁
⠀⠀⠀⠹⣧⡀⠏⡇⠀⠀⠀⣿⠁⠀⠀⠀⠀⠀⣿⡄⠀⠀⢠⢷⠀⣼⡟
⠀⠀⠀⠀⠙⣟⢼⡹⡄⠀⠀⣿⡄⠀⠀⠀⠀⢀⣿⡇⠀⢀⣞⣦⢾⠟
⠀⠠⢶⣿⣛⠛⢒⣭⢻⣶⣤⣹⣿⣤⣀⣀⣠⣾⣟⣠⣔⡛⢫⣐⠛⢛⣻⣶⠆
⠀⠀⠀⠉⣻⡽⠛⠉⠁⠀⠉⢙⣿⠖⠒⠛⠻⣿⡋⠉⠁⠈⠉⠙⢿⣿⠉
⠀⠀⠀⠸⠿⠷⠒⣦⣤⣴⣶⢿⣿⡀⠀⠀⠀⣽⡿⢷⣦⠤⢤⡖⠶⠿⠧
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠛⢿⣦⣴⡾⠟⠁
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠙⠟
```
***
Antimony is a [fast](./md/Speed.md), [powerful](./md/Profiles.md), [customizable](./md/Configurations.md), and [secure](./md/SECCOMP.md) sandboxing application. Its dynamic dependency resolution and extendable design make it trivial to sandbox applications and integrate them seamlessly into the shell and desktop environment.
## Installation
Antimony is available for:
* Debian-Based Distributions (Ubuntu)
* Arch-Based Distributions
The Releases page provides packages for both distribution types, which can be installed with your package manager of choice.
Antimony relies on the following runtime dependencies:
* `glibc`
* `bubblewrap`
* `xdg-dbus-proxy`
* `sqlite3`
* `libseccomp`
* `libdbus`
### Compiling
> [!tip]
> If you’re using Arch, Antimony is available in the [AUR](https://aur.archlinux.org/packages/antimony-sandbox)
To compile Antimony, you will need:
* Rust and Cargo, supporting the 2024 Edition.
* `gcc`
* `libseccomp` (`libseccomp-dev` for Debian)
* `sqlite` (`libsqlite3-dev` for Debian)
* `pkgconf` (`pkg-config` for Debian)
* `libdbus` (`libdbus-1-dev` for Debian)
To build, simply execute `cargo build --release` to generate the required binaries in `target/release`. If you want shell completions, execute `cargo build --release --workspace`, then run `target/release/antimony_completions`. The completion files will be available in the `completions` folder.
### Packaging
If you want to install Antimony without the help of a package manager, just run the `cargo-deploy` script. Otherwise, you can use `fpm` to build a package for your distribution. Simply execute `fpm -t package_type` to output the package.
You’ll need the following dependencies to run the package script:
* `fpm` (Recommended through `gem install fpm`)
* `libarchive` (`libarchive-tools` for Debian)
If you want to install Antimony manually, there are some considerations to take into account:
1. Antimony expects to run SetUID under its own dedicated system account. You can create one using `useradd -r antimony`. This account should only have access to `/usr/share/antimony`, alongside ownership of the `antimony` binary. You can set the correct permissions on the binary via:
```bash
sudo chown antimony:antimony /usr/bin/antimony
sudo chmod ug+s /usr/bin/antimony
```
>[!note]
>Antimony does not *require* SetUID to function; all that is required is that the `AT_HOME` environment variable points to somewhere it has write access. Note, however, that providing a globally accessible home for Antimony can allow trivial sandbox compromise by writing to the sandbox's SOF folder. It also allows erroneous modifications to be made to Profiles and Features without Antimony being able to mediate them.
>[!note]
>If you intend to use the Lockdown functionality, you will additionally need to create a new `antimony-lockdown` user and create a dedicated directory for it in `$AT_HOME`.
2. Antimony creates hard links from the system library folders (`/usr/lib` and `/usr/lib64`). Some distributions and hardened kernels enforce the `fs.protected_hardlinks` sysctl, which denies this.
>[!warning]
>If Antimony cannot create hard links, it will default to copies. This has a drastic toll on performance.
3. You should create a folder for Antimony to store configurations and caches. It defaults to `/usr/share/antimony`.
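The three considerations above can be checked after a manual install. The script below is an added example, not part of Antimony or its README: the function names, the `--audit` flag, and the reading of "globally accessible" as world-writable are assumptions of this example, while the default paths are the ones the README names.

```bash
# Added example: audit a manual Antimony install. Paths default to the README's;
# treating "globally accessible" as world-writable is this example's assumption.

# True when an octal mode (from `stat -c %a`) has both setuid and setgid set.
has_ugs() { [ $(( 0$1 & 06000 )) -eq $(( 06000 )) ]; }

# True when an octal mode grants write access to "other".
world_writable() { [ $(( 0$1 & 0002 )) -ne 0 ]; }

# Report the fs.protected_hardlinks setting (the file argument is for testing).
hardlink_policy() {
    case "$(cat "${1:-/proc/sys/fs/protected_hardlinks}" 2>/dev/null || true)" in
        1) echo restricted ;;
        0) echo unrestricted ;;
        *) echo unknown ;;
    esac
}

# Attempt the operation itself: hard-link SRC into DIR, then remove the probe.
# Fails on a kernel denial and also when SRC and DIR are on different filesystems.
can_hardlink() {
    local probe="$2/.hardlink-probe.$$"
    ln -- "$1" "$probe" 2>/dev/null || return 1
    rm -f -- "$probe"
}

# audit [BINARY] [HOME] [LIBRARY_FILE]: returns non-zero if any check warns.
audit() {
    local bin="${1:-/usr/bin/antimony}" home="${2:-/usr/share/antimony}" rc=0 owner mode
    owner="$(stat -c %U "$bin" 2>/dev/null || true)"
    mode="$(stat -c %a "$bin" 2>/dev/null || true)"
    if [ "$owner" = antimony ] && has_ugs "${mode:-0}"; then
        echo "ok:   $bin is owned by antimony with setuid+setgid"
    else
        echo "warn: $bin owner='$owner' mode='$mode' (expected antimony, ug+s)"; rc=1
    fi
    mode="$(stat -c %a "$home" 2>/dev/null || true)"
    if [ -z "$mode" ] || world_writable "$mode"; then
        echo "warn: $home is missing or world-writable (mode '$mode')"; rc=1
    else
        echo "ok:   $home is not world-writable"
    fi
    echo "info: fs.protected_hardlinks is $(hardlink_policy)"
    [ -z "${3:-}" ] || can_hardlink "$3" "$home" || { echo "warn: cannot hard-link $3 into $home"; rc=1; }
    return "$rc"
}

# Run only when asked, so the functions can also be sourced: ./audit.sh --audit
if [ "${1:-}" = "--audit" ]; then shift; audit "$@"; fi
```

To exercise the hard-link path itself, run the audit as the `antimony` account and pass a file from the system library folder as the third argument.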