
I like lowering my access privilege mid-program (e.g. restrict my program to the current directory and files, disable networking). I imagine this is a pretty common wish.

I would like to be able to do this as a normal user, without the involvement of configuration files, nor root access to enable said configuration, nor tagging files. I'd like to specify my security profile at runtime. In the best of worlds, I wouldn't need any special kernel config or parameters either.

Currently, I use apparmor, but it involves:

1) Enabling apparmor.

This is a problem since kernel support is required. It may need to be recompiled, as is the case with arch-linux-arm. In a work setting running Red Hat Linux, they don't typically have apparmor because it's a selinux world.

2) Writing a simple profile (let's call it my_profile.armor):

profile restricted_books {
  deny network,
  /home/flux/_/dev/localhost.books/ r,
  /home/flux/_/dev/localhost.books/** r,
  /home/flux/_/dev/localhost.books/progress/ rw,
  /home/flux/_/dev/localhost.books/progress/** rw,
  /home/flux/_/dev/localhost.books/tmp/ rw,
  /home/flux/_/dev/localhost.books/tmp/** rw,
  /usr/bin/ebook-convert Ux,
}

3) Registering the profile (requires root)

sudo apparmor_parser my_profile.armor

Alternatively, you'd move my_profile.armor in /etc/apparmor.d/ and reboot.

4) Opting in to the profile programmatically

#include <stdio.h>
#include <sys/apparmor.h>   /* link with -lapparmor */
/* returns -1 with errno set if the profile isn't loaded in the kernel */
if (aa_change_profile("restricted_books") == -1)
  perror("aa_change_profile");
booyah();

Instead of all that, I'd love to just do:

sandbox_my_app_please_and_Im_normal_user("""
  deny network,
  /home/flux/_/dev/localhost.books/ r,
  /home/flux/_/dev/localhost.books/** r,
  /home/flux/_/dev/localhost.books/progress/ rw,
  /home/flux/_/dev/localhost.books/progress/** rw,
  /home/flux/_/dev/localhost.books/tmp/ rw,
  /home/flux/_/dev/localhost.books/tmp/** rw,
  /usr/bin/ebook-convert Ux,
""")
booyah()

Is there something like that out there? selinux has setcon() which looks similar to what I do with apparmor, but it involves a lot of config too (which I'm sure needs root too). And the built-in seccomp() function looks really complicated so I'm not sure it can even do the simple file/directory, no network scenario.

fluxrider

2 Answers


Not really what you want, but a closer variant is:

normal@user:$ aa-exec -p restricted_books booyah

In this scenario you still need:

  1. Enabling AppArmor
  2. Writing a profile
  3. Registering profile

But after that you can confine any application with any profile as a normal user by aa-exec (confine a program with the specified AppArmor profile). More detail in man aa-exec.

canondmajor

You might consider Firejail https://firejail.wordpress.com/

Firejail is a SUID program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table.

It has a large number of additional profiles for common applications out of the box, and the configuration syntax is straightforward. The command line also allows you to issue ad-hoc control to a new environment. In this example I grant full access to OP's root directory ("for clarity"), but I could actually enforce the ro/rw distinction from the CLI with a combination of read-write and read-only options...

firejail --net=none --whitelist=/home/flux/_/dev/localhost.books/ /usr/bin/ebook-convert

Here is another article, P. Vera 2020, that delves into CLI usage to sandbox a process. More detail in the man page for firejail (which you may need to build from scratch) https://firejail.wordpress.com/features-3/man-firejail/:

AppArmor support is disabled by default at compile time.

brynk