When it comes to computers, phones, the internet and so on, security is sometimes confused with privacy (although the two overlap) and more often than not simply overlooked.
Today there is an app for everything, and those applications run with far more privilege than they need. That means a careless or compromised application is a threat to your system and, through it, to your information.
Sandboxing lets us limit what each application can see, access and do on the system.
WHAT IS SANDBOXING
In computer security, a sandbox is a security mechanism for separating running programs, usually in an effort to mitigate system failures and/or software vulnerabilities from spreading. It is often used to execute untested or untrusted programs or code, possibly from unverified or untrusted third parties, suppliers, users or websites, without risking harm to the host machine or operating system.
A sandbox typically provides a tightly controlled set of resources for guest programs to run in, such as storage and memory scratch space. Network access, the ability to inspect the host system or read from input devices are usually disallowed or heavily restricted.
NOTE: don't be paranoid. Not all applications need to be sandboxed; use your common sense. A simple, reputable text editor (especially an open source one, or one from your distro's official repo) probably doesn't need it, but a web browser does. Even though modern web browsers perform sandboxing of their own, they are still a big source of vulnerabilities.
Also, macOS users shouldn't take Apple's word on sandboxing at face value. Apple does do a good job of sandboxing, BUT the App Sandbox is only mandatory for the applications that come preinstalled on your Mac and the ones distributed through the Mac App Store. Third-party apps installed from anywhere else can adopt it voluntarily, and many don't.
But today we’re talking about Linux kernel security and specifically about AppArmor and Firejail.
APPARMOR
Mandatory access control (MAC) on Linux is built on the kernel's Linux Security Modules (LSM) framework. The two major implementations that distros actually ship are AppArmor and SELinux.
SELinux was originally developed by the NSA, with Red Hat later becoming a major contributor; Fedora was one of its early adopters. SELinux deserves an article of its own, but it is another thing you should take into consideration when choosing your Linux distro.
AppArmor is an effective and easy-to-use Linux application security system. AppArmor proactively protects the operating system and applications from external or internal threats, even zero-day attacks, by enforcing good behavior and preventing both known and unknown application flaws from being exploited.
AppArmor supplements the traditional Unix discretionary access control (DAC) model by providing mandatory access control (MAC).
Some Linux distros ship with AppArmor already enabled (Ubuntu, for example). To check whether your distro has it integrated, run sudo aa-status. If it does, the first line of output is apparmor module is loaded. (Without sudo you still get that line, followed by a complaint about privileges, because reading the profile set needs root.)
If aa-status returns command not found, you need to install AppArmor, which is easy to do as it's available in your distro's official repos. So, for example:
- On Debian/Ubuntu (and derivatives) you can install it with sudo apt install apparmor apparmor-utils -y
- On Arch (and derivatives) you can install it with sudo pacman -S apparmor
Then make sure the service that loads the profiles at boot is enabled: sudo systemctl enable --now apparmor (the Debian/Ubuntu packages do this for you; on Arch you have to do it yourself).
Installing extra AppArmor profiles:
- On Debian/Ubuntu (and derivatives) you can install them with sudo apt install apparmor-profiles apparmor-profiles-extra -y
- On Arch (and derivatives) the upstream profile set is already part of the apparmor package, so there is nothing extra to install; look in /etc/apparmor.d/ after installing it.
AppArmor profiles define what each application is allowed to do. They live in /etc/apparmor.d/, one file per program, and that is where you edit them.
Run sudo aa-status to check how many profiles are loaded, how many are in enforce mode, whether any are in complain mode (violations logged but not blocked) and which running processes are confined.
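Here is what a profile looks like in practice. This is an added example, not from the article or the AppArmor project: a minimal profile for a hypothetical text editor installed as /usr/bin/notes (the binary path, its config directory and the Documents-only rule are assumptions for illustration), together with the complain-then-enforce cycle you run a new profile through before trusting it:

```shell
#!/bin/sh
# Added example (not from the article or the AppArmor project): a minimal
# AppArmor profile for a hypothetical text editor installed as /usr/bin/notes,
# plus the complain-then-enforce cycle used to tune it. The binary path,
# its config directory and the "Documents only" rule are assumptions.

# Write the profile into the directory given as $1 (normally /etc/apparmor.d)
# and print the path of the file created. AppArmor names profile files after
# the binary path with '/' replaced by '.'.
write_notes_profile() {
    out="$1/usr.bin.notes"
    cat > "$out" <<'EOF'
#include <tunables/global>

/usr/bin/notes {
  #include <abstractions/base>
  #include <abstractions/fonts>
  #include <abstractions/user-tmp>

  # The editor may read and write the user's own files under Documents and
  # its own configuration; 'owner' restricts this to files the user owns.
  owner @{HOME}/Documents/** rw,
  owner @{HOME}/.config/notes/** rw,

  # Read-only access to its shared data.
  /usr/share/notes/** r,

  # Everything not listed is refused anyway; network and key material are
  # refused explicitly with 'audit' so every attempt shows up in the log.
  deny network,
  audit deny @{HOME}/.ssh/** mrwkl,
  audit deny @{HOME}/.gnupg/** mrwkl,
}
EOF
    echo "$out"
}

# Number of explicit deny rules in a profile (a quick sanity check).
count_deny_rules() {
    grep -c 'deny ' "$1"
}

# Load, tune, enforce. Needs root and the apparmor tools; otherwise the
# profile is only written to a temporary directory for inspection.
if [ "$(id -u)" -eq 0 ] && command -v apparmor_parser >/dev/null 2>&1; then
    profile=$(write_notes_profile /etc/apparmor.d)
    apparmor_parser -r "$profile"   # (re)load the profile into the kernel
    aa-complain "$profile"          # log violations instead of blocking them
    # Use /usr/bin/notes normally for a while, then review what it tried:
    #   sudo journalctl -k | grep 'apparmor="ALLOWED"'    (or: sudo aa-logprof)
    aa-enforce "$profile"           # violations are now blocked
    aa-status | grep notes
else
    sample_dir=$(mktemp -d)
    write_notes_profile "$sample_dir"
    echo "not root or AppArmor tools missing; sample profile written to $sample_dir"
fi
```

Complain mode is the important part: a profile written from the armchair always misses something (a font cache, a locale file), and the ALLOWED lines in the kernel log tell you exactly which rules to add before you switch to enforce.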
To make sure AppArmor runs on every boot, you may need to add kernel parameters (Ubuntu's kernel already defaults to AppArmor; Arch's does not). Edit /etc/default/grub and put apparmor=1 lsm=lockdown,yama,apparmor into GRUB_CMDLINE_LINUX_DEFAULT, for example GRUB_CMDLINE_LINUX_DEFAULT="apparmor=1 lsm=lockdown,yama,apparmor", then regenerate the GRUB config (sudo update-grub on Debian/Ubuntu, sudo grub-mkconfig -o /boot/grub/grub.cfg on Arch) and reboot.
You can also install grub-customizer (should be available in your distro's official repos) and add the kernel parameters with it.
NOTE: if you already have other kernel parameters set (for example quiet splash), keep them and add the AppArmor parameters to the same quoted string; the order of the parameters does not matter. Two caveats: lsm= is only understood by kernels 5.1 and newer (older kernels use security=apparmor instead), and lsm= replaces the kernel's built-in list, so check cat /sys/kernel/security/lsm first and keep any other modules it shows (landlock, integrity, bpf and so on) in your list, otherwise they will be switched off.
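As an added example, not from the article: a small POSIX shell function that merges the two AppArmor parameters into GRUB_CMDLINE_LINUX_DEFAULT while keeping whatever is already there, replacing an existing lsm= value rather than adding a second one (the kernel only honours one), followed by the commands that regenerate the GRUB configuration and the checks to run after rebooting. The /etc/default/grub content used at the end is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the article): merge the AppArmor kernel parameters
# into GRUB_CMDLINE_LINUX_DEFAULT without losing what is already there.
# An existing "lsm=" value is replaced rather than duplicated, since the kernel
# only honours one. Run as root against the real /etc/default/grub.

# Usage: add_apparmor_params /etc/default/grub
# Rewrites the file in place and prints the resulting parameter string.
add_apparmor_params() {
    grub_file="$1"
    current=$(sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/\1/p' "$grub_file")
    new="$current"
    for param in 'apparmor=1' 'lsm=lockdown,yama,apparmor'; do
        key=${param%%=*}
        kept=""
        for tok in $new; do
            # drop any existing token for this key, keep the rest in order
            case "$tok" in
                "$key"=*) ;;
                *) kept="${kept:+$kept }$tok" ;;
            esac
        done
        new="${kept:+$kept }$param"
    done
    tmp=$(mktemp)
    if grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=' "$grub_file"; then
        sed "s|^GRUB_CMDLINE_LINUX_DEFAULT=.*|GRUB_CMDLINE_LINUX_DEFAULT=\"$new\"|" \
            "$grub_file" > "$tmp"
    else
        cat "$grub_file" > "$tmp"
        printf 'GRUB_CMDLINE_LINUX_DEFAULT="%s"\n' "$new" >> "$tmp"
    fi
    cat "$tmp" > "$grub_file"
    rm -f "$tmp"
    echo "$new"
}

# Which LSMs the running kernel actually activated, in order. Anything listed
# here that you leave out of lsm= will be switched off after the reboot, so
# extend the list rather than replace it (e.g. landlock, integrity, bpf).
current_lsms() {
    cat /sys/kernel/security/lsm 2>/dev/null || echo "securityfs not available"
}

# Demonstration on a constructed copy of /etc/default/grub:
demo=$(mktemp -d)/grub
printf 'GRUB_DEFAULT=0\nGRUB_CMDLINE_LINUX_DEFAULT="quiet splash"\n' > "$demo"
add_apparmor_params "$demo"
# -> quiet splash apparmor=1 lsm=lockdown,yama,apparmor

# On the real file, regenerate the boot configuration afterwards (as root):
#   Debian/Ubuntu:  update-grub
#   Arch:           grub-mkconfig -o /boot/grub/grub.cfg
# and verify after rebooting:
#   cat /sys/kernel/security/lsm    # apparmor must appear in the list
#   aa-enabled                      # prints "Yes"
#   sudo aa-status
```

The function is idempotent, so running it twice leaves the line unchanged, which matters if you script it into a provisioning step.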
To learn more about AppArmor check out the official Wiki and also the ArchWiki page.
FIREJAIL
Firejail is a SUID program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table.
Written in C with virtually no dependencies, the software runs on any Linux computer with a 3.x kernel version or newer. The sandbox is lightweight, the overhead is low. There are no complicated configuration files to edit, no socket connections open, no daemons running in the background. All security features are implemented directly in Linux kernel and available on any Linux computer.
Firejail can sandbox any type of processes: servers, graphical applications, and even user login sessions. The software includes security profiles for a large number of Linux programs: Mozilla Firefox, Chromium, VLC, Transmission etc.
Installing Firejail
Firejail is available in your distro's official repos. So, for example:
- On Debian/Ubuntu (and derivatives) you can install it with sudo apt install firejail firejail-profiles firetools -y
- On Arch (and derivatives) you can install it with sudo pacman -S firejail firetools
NOTE: Firetools is a GUI frontend for Firejail. Installing Firetools is optional.
Once installed, sandboxing an application with Firejail is as easy as running firejail application_name
Obviously this is not all there is to Firejail; the command above is the most basic way to use it. If you run firejail --help you will see the general form, firejail [options] [program and arguments], all the available [options], and a few examples of how to use Firejail.
Just like AppArmor, Firejail uses application profiles that define what each application is allowed to do. The profiles that ship with Firejail live in /etc/firejail/. If you want to change one, don't edit it there: copy it to ~/.config/firejail/ (or put your additions in the matching application_name.local file in that directory, which the packaged profile includes), so a package update doesn't overwrite your changes.
At the time of writing, Firejail ships over 900 application profiles. I say "over 900" because on my Pop!_OS instance it has 912 profiles (as you can see in the screenshot below) and on my Manjaro instance it comes with 1063. The difference is most likely just the Firejail version each distro packages: every release adds profiles, and a rolling distro such as Manjaro packages newer releases than Pop!_OS.
Now let's dive a bit deeper into Firejail. First, let's get one option out of the way, as I don't see it fit for most users. Firejail comes with a desktop integration utility, firecfg, that sandboxes applications automatically when you launch them from the regular desktop menus and icons.
Running sudo firecfg creates, for every installed program that has a profile, a symbolic link of the same name in /usr/local/bin pointing at firejail; since /usr/local/bin normally comes before /usr/bin in PATH, the sandboxed version is what runs from then on. sudo firecfg --clean removes the links again.
I don't think this is the best option for most users, but if you do want Firejail to auto-sandbox applications, read firecfg --help first.
Right, so with auto sandboxing out of the way let's move on, and enable the AppArmor profile that ships with Firejail (it confines the sandbox itself, on top of Firejail's own restrictions). To do that, just run sudo aa-enforce firejail-default
Now, to sandbox an application with AppArmor enabled you can run firejail --apparmor application_name
Now let's talk about seccomp (Secure Computing Mode) filters. Most userspace processes need to interact with the kernel, and they do so through system calls. Linux has over 300 syscalls, and the obscure ones are a favourite route for exploiting kernel bugs and escalating privileges.
A text editor or an image viewer will never legitimately call mount, ptrace or kexec_load, so there is no reason to let it: passing --seccomp to Firejail installs a default blacklist of such dangerous syscalls. Example: firejail --seccomp application_name. You can add the AppArmor option as well, and your command becomes firejail --apparmor --seccomp application_name
Note that --seccomp is about syscalls, not about the network: a sandboxed editor can still open sockets unless you also pass --net=none (see below).
NOTE: --seccomp is already enabled in most of the profiles that ship with Firejail, including the default profile used when no program-specific one exists, so in practice it's on by default.
Hiding your home directory from an application. To hide your home directory from, let's say, Firefox, pass the --private argument to Firejail. Example: firejail --private firefox
As you can see in the screenshot below, on the left Firefox (no Firejail) can see the contents of my home folder. On the right Firefox, run through Firejail with the --private argument, can't see it because Firejail mounted a temporary home directory for the sandbox.
When hiding your home directory this way, everything Firefox writes is stored in memory (a tmpfs) and discarded once you close the process. If you need files from this sandbox you have two options:
1. Use a specific folder as the sandbox's home directory. Create a folder in your home directory called firefox (or whatever you want) and set it as the sandbox home with firejail --private=/home/user_name/firefox firefox. Anything Firefox saves lands there and survives between runs.
2. Use --ls, --get and --put. To illustrate, I will name my sandbox download by passing the argument --name=download, download a file called ff.png inside it and then copy it out to my Downloads folder:
- firejail --name=download --private firefox
- firejail --ls=download ~/Downloads (lists everything in the sandbox's private Downloads folder)
- firejail --get=download ~/Downloads/ff.png (copies the file out of the sandbox into your current working directory on the host, so cd ~/Downloads first)
- firejail --put=download ff.png ~/Downloads/ff.png (the opposite direction: copies a file from the host into the sandbox at the given path, for example something you want the sandboxed Firefox to upload)
Do this while the sandbox is still running: with --private the temporary home directory, and the file with it, is gone the moment you close Firefox.
NOTE: if you don't want to name your sandbox, run firejail --list to list all running sandboxes and use the PID shown for Firefox instead of the name.
Other useful Firejail arguments:
--nonewprivs – sets the kernel's no_new_privs flag, so processes inside the sandbox can't gain privileges through setuid/setgid binaries or file capabilities
--private-dev – mounts a new, minimal /dev (null, zero, random, urandom, tty and a handful of others) in place of the host's, which contains far more sensitive device nodes
--private-tmp – mounts a new, empty /tmp; the real one holds temporary files of every running application, which can be sensitive
--net=none – gives the sandbox its own network namespace with only a loopback interface, i.e. no network access at all
--x11 – runs the application on a separate X server (Xephyr, Xpra or Xvfb), so a keylogger or screen grabber started inside the sandbox can't see the keystrokes and windows of clients outside it. NOTE: one of those X servers, e.g. Xephyr, needs to be installed on your system
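Every one of these options has a matching directive in a profile, and a profile is where a long option string belongs. As an added example that is not from the article or the Firejail project, here is a custom Firejail profile for a hypothetical text editor installed as /usr/bin/notes (the program name and the Documents-only rule are assumptions for illustration); it ties together the profile directory, --private, seccomp and the options listed above:

```shell
#!/bin/sh
# Added example (not from the article or the Firejail project): a custom
# Firejail profile for a hypothetical text editor installed as /usr/bin/notes.
# Each directive is the profile form of a command-line option (net none is
# --net=none, private-dev is --private-dev, and so on), so a profile is the
# long command line written down once. The program name and the
# "Documents only" rule are assumptions for illustration.

# Write notes.profile into the directory given as $1 and print its path.
# Firejail picks up ~/.config/firejail/notes.profile automatically when you
# run `firejail notes`; /etc/firejail/ is consulted after that.
write_notes_firejail_profile() {
    out="$1/notes.profile"
    cat > "$out" <<'EOF'
# Firejail profile for /usr/bin/notes (hypothetical editor; added example)

# Stock blacklists: hide ~/.ssh, ~/.gnupg, shell history and other
# programs' config directories.
include disable-common.inc
include disable-programs.inc

# Replace $HOME with an empty tmpfs in which only these directories appear.
whitelist ${HOME}/Documents
whitelist ${HOME}/.config/notes

# No capabilities, no network, no privilege escalation, no root.
caps.drop all
net none
nonewprivs
noroot

# Fresh, minimal /dev and an empty /tmp instead of the host's.
private-dev
private-tmp

# Firejail's default blacklist of dangerous syscalls (mount, ptrace, ...).
seccomp
EOF
    echo "$out"
}

# Number of active directives (non-comment, non-blank lines) in a profile.
count_directives() {
    grep -c -v -e '^#' -e '^[[:space:]]*$' "$1"
}

profile_dir=$(mktemp -d)
profile=$(write_notes_firejail_profile "$profile_dir")

# If Firejail is installed, look at the world the editor would see: a nearly
# empty home directory and a network namespace with only the loopback device.
if command -v firejail >/dev/null 2>&1; then
    firejail --quiet --profile="$profile" sh -c 'ls -A "$HOME"; cat /proc/net/dev'
else
    echo "firejail not installed; sample profile written to $profile"
fi
```

Drop the file into ~/.config/firejail/ and firejail notes uses it by name. The .local mechanism works the same way for stock profiles: /etc/firejail/firefox.profile includes firefox.local, so a ~/.config/firejail/firefox.local containing just private-dev or a whitelist line adds restrictions without touching the packaged file.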
As you can see, Firejail is pretty powerful and complex, and this article is barely scratching the surface of what you can do with it. To learn more you can always run firejail --help, read man firejail and the official Firejail documentation.
TIP: you don't always have to type these long command strings. Just create aliases.