18

What's the best way to sandbox an X application like Firefox or Thunderbird in Ubuntu (going in the direction of what Qubes OS does, but only for single applications)?

I know there are many different sandboxing technologies. For example

  • Just using VirtualBox: This seems to be very secure but a resource overkill. You would need a minimal OS in VirtualBox just to run Firefox.

  • Using the SELinux sandbox technology. This seems to be the best option, but as far as I know SELinux is available in Ubuntu but not very well configured by default (in contrast, for example, to Red Hat Linux). Furthermore, the sandbox part of SELinux seems to be missing: https://unix.stackexchange.com/questions/67127/how-do-i-install-selinuxs-sandbox-utility-on-linux-mint-debian-edition?lq=1 so one would have to compile it.

  • The AppArmor equivalent seems not to be production ready and is currently not shipped with Ubuntu as far as I know. However, I cannot estimate what the state of development is and whether it would be worth waiting for the next Ubuntu release, where it will probably be part of it.

  • The gnome desktop seems to support X-sandboxing. It is not clear to me if one can use this in a wm-independent way.

  • The lightweight tool mbox seems to operate only on the filesystem level, which would not be sufficient for X applications.

  • The same is true for self made chroot solutions as for example the sandfox-script.

  • A more lightweight and secure option than chroot seems to be Plash. But I am not sure how well the X protection is implemented.

  • The same holds for Immunity and FBAC-LSM.

  • There is also a program called arkose which seems to be well supported for ubuntu, but at the same time there is very little documentation of how it works and I have no idea how secure it is compared to other approaches.

  • Docker seems to be made more for server applications than for desktop ones. I don't see whether it is secure for X applications. There is a newer project called kagome which seems to combine Docker with Xephyr for X isolation. But the author notes that Docker has some security flaws and it might be better to switch to another container solution such as systemd-nspawn, rkt or lxd.

  • Other solutions are: seccomp-nurse, Rainbow, vagrantup

  • Finally, especially for Firefox there is an AppArmor profile for Ubuntu, which is not enabled by default. This is not a sandbox but should give you some level of security when using Firefox (but I don't know how it compares to the sandbox solutions above).

So there seem to be many approaches, but I don't know how (and why) they compare in terms of security for sandboxing X applications like Firefox or Thunderbird, in terms of usability, especially on Ubuntu Linux, and which are production ready and well supported. It would be great if someone could give some details about this, how to categorize them, and which of them would be worth it for me to have a closer look at for my purpose.

student
  • There doesn't appear to be an established tag for 'sandbox', so it doesn't help much to categorize this for existing users. (Tags aren't descriptions, per se, they are part of a workflow mechanism which is based on relevant descriptive characteristics.) – jgbelacqua Apr 25 '14 at 21:36
  • It's probably got a close vote because it is very broad (aka "not a good fit for the site"). Though see http://blog.stackoverflow.com/2014/04/putting-the-community-back-in-wiki/ for a strategy for this kind of thing. – jgbelacqua Apr 25 '14 at 21:39
  • @belacqua Thanks for the explanation. Yes, I agree that it **seems** to be broad, but if someone really knows the tools in detail it should be possible to categorize them in a useful way and point out which are more suited for my purpose, which are not, and why. Clearly this is not an answer in a few lines. But that a question is difficult in some way should not be a reason to vote for closing it... – student Apr 26 '14 at 06:09
  • AppArmor is very much production ready and is shipped with Ubuntu. The article you referred to was written in 2010. Take a look at https://wiki.ubuntu.com/AppArmor – void_in Apr 26 '14 at 14:42
  • @void_in On my Ubuntu 14.04 box there is no command `aa-sandbox` etc., i.e. the sandboxing part seems not to be shipped with Ubuntu yet. Or do I need to install a special package (I already installed `apparmor-utils`)? I know that AppArmor itself as a MAC is production ready, but what about the sandbox part of it? – student Apr 26 '14 at 15:07
  • AppArmor has a profile for Firefox in Ubuntu 14.04 that you need to enable. Take a look at the AppArmor profile page https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles. To enable a particular profile, follow the discussion at https://answers.launchpad.net/ubuntu/+source/firefox/+question/95804. In short, search your problem on Google. It is a solved issue. – void_in Apr 26 '14 at 16:52
  • @void_in That was not my question. I already run the AppArmor profile. As explained in the AppArmor wiki (http://wiki.apparmor.net/index.php/AppArmorSandboxing), sandboxing is orthogonal to the normal mandatory access control which AppArmor does. – student Apr 26 '14 at 18:02

3 Answers

7

You can use subuser to sandbox an application using Docker. Say you wanted to sandbox Firefox:

You would create a folder my-subuser-images and then create a second folder firefox in the first one:

my-subuser-images/firefox

In the firefox folder, you need to create yet another sub-folder: docker-image

Once you have done that you need to create two files:

  • permissions.json

And

  • docker-image/SubuserImagefile

Your file layout should look like the one found at the subuser-default-repository

In the permissions.json file, you tell subuser what Firefox is allowed to do:

{"description":"A popular web browser."
,"maintainer":"student"
,"executable":"/usr/bin/firefox"
,"gui":{"clipboard":true}
,"sound-card":true
,"allow-network-access":true
,"basic-common-permissions":true}

Here is an overview of the permissions that I just set:

  • "gui": Allows Firefox to display windows to X11 securely using the XPRA X11 bridge
  • "sound-card": Allows Firefox to communicate with your sound card
  • "allow-network-access": Allows Firefox to access the network
  • "basic-common-permissions": Allows Firefox to do some basic things like save settings to its own specially contained home directory, see the locale and timezone, etc.

It does NOT, however, allow Firefox to access any files outside of its own subuser. You could add a user-dirs permission to allow it to access the Downloads directory, for example, if you wished.

Once you have created a permissions.json file, you can go on to create a SubuserImagefile.

The docker-image/SubuserImagefile should look just like a Dockerfile:

FROM ubuntu
RUN apt-get update && apt-get upgrade -y && apt-get install -yq firefox

Now you are done setting up your subuser image.

You can create a firefox subuser by running:

$ subuser subuser add firefox firefox@/home/student/my-subuser-images

You can run the firefox subuser by running:

$ subuser run firefox

You can create more than one firefox subuser. This is useful if you want to have more than one Facebook account or Google account and not have to log out/in all the time. It is also useful if you want to reduce the risk of cross-site scripting when you do internet banking.

subuser subuser add internet-banking firefox@/home/student/my-subuser-images

You can run your internet-banking subuser with the command

subuser run internet-banking

You can access a subuser's home directory by visiting ~/.subuser/homes.

Here is a screenshot of Firefox running on my system with the demonstrated configuration:

[Screenshot: Firefox running inside the firefox subuser]

Note how despite the fact that I am running Debian, it is the Ubuntu version of Firefox that is installed!

You can share your subuser images with others, to reduce the burden of sandboxing applications for everybody. If you want to share your Firefox image, you can cd to my-subuser-images and turn that folder into a git repository:

$ cd ~/my-subuser-images
$ git init
$ git add .
$ git commit -m "Add Firefox image"

If you then push this git repo somewhere, others can install your Firefox image easily with the command:

$ subuser subuser add firefox firefox@http://example.com/student/my-subuser-images.git

They would run that subuser in the same way as if they had done the setup locally.

timthelion
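As an added example (not code from this answer or from the subuser project), the script below writes the image layout described above and then reads permissions.json back to summarise what the sandbox will grant, so the file can be reviewed before `subuser subuser add` is run. The effect attached to each permission key is a summary of this answer's explanation, not subuser's implementation, and the review findings are this example's own choices.

```python
"""Scaffold a subuser image directory and audit its permissions.json."""
import json
import os

# Keys that describe the image rather than widen the sandbox.
METADATA_KEYS = {"description", "maintainer", "executable"}
# What each permission from the answer opens up once it is granted
# (summary of the answer's text, not subuser's own definitions).
PERMISSION_EFFECT = {
    "basic-common-permissions": "private home dir, locale and timezone",
    "gui": "windows shown through the XPRA X11 bridge (not raw X11)",
    "sound-card": "audio device access",
    "allow-network-access": "outbound network",
    "user-dirs": "listed host directories (e.g. Downloads) shared in",
}

def write_image(repo_dir, name, permissions, base="ubuntu", package="firefox"):
    """Create <repo>/<name>/permissions.json and docker-image/SubuserImagefile."""
    image_dir = os.path.join(repo_dir, name)
    os.makedirs(os.path.join(image_dir, "docker-image"), exist_ok=True)
    with open(os.path.join(image_dir, "permissions.json"), "w") as f:
        json.dump(permissions, f, indent=1)
    with open(os.path.join(image_dir, "docker-image", "SubuserImagefile"), "w") as f:
        f.write(f"FROM {base}\nRUN apt-get update && apt-get upgrade -y "
                f"&& apt-get install -yq {package}\n")
    return image_dir

def audit_permissions(image_dir):
    """Return (granted, problems): effects the sandbox grants, plus review notes."""
    with open(os.path.join(image_dir, "permissions.json")) as f:
        perms = json.load(f)
    granted, problems = {}, []
    if not perms.get("executable", "").startswith("/"):
        problems.append("executable should be an absolute path inside the image")
    for key, value in perms.items():
        if key in METADATA_KEYS or not value:  # false/empty grants nothing
            continue
        if key in PERMISSION_EFFECT:
            granted[key] = PERMISSION_EFFECT[key]
        else:
            problems.append(f"unrecognised permission key: {key}")
    if "user-dirs" in granted:
        problems.append("user-dirs exposes host files: confirm the dirs are needed")
    return granted, problems

if __name__ == "__main__":
    # Constructed sample: the Firefox permissions from the answer above.
    firefox = {"description": "A popular web browser.", "maintainer": "student",
               "executable": "/usr/bin/firefox", "gui": {"clipboard": True},
               "sound-card": True, "allow-network-access": True,
               "basic-common-permissions": True}
    print(audit_permissions(write_image("/tmp/my-subuser-images", "firefox", firefox)))
```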
4

The Ubuntu documentation has a sandbox command for X applications that uses SELinux:

http://manpages.ubuntu.com/manpages/precise/man8/sandbox.8.html

SELinux is a nice route in that there are many web pages, books, tools, etc. on using it. It integrates with the OS very nicely, which is one of the reasons it's complex. Tresys sells nice tools that make it easy to configure these.

Things like SELinux descend from Orange Book era Compartmented Mode Workstations that tried to add security to vanilla OSes. The last surviving (and maintained) product I know of is the Argus Pitbull line. It was Solaris-only, but is now RHEL. They're much more comprehensive than SELinux, although you'll pay for that. There's also General Dynamics' High Assurance Platform that combines VMware & Linux.

The VM approach is easier to use, but more resource intensive & puts more features in the trusted computing base. The best thing to do there is to use a very lightweight distro (CrunchBang comes to mind), add just what you need, and trim out what you don't. VMs can be restricted to individual folders via SELinux or SMACK mandatory controls if you want to allow folder sharing for moving files between host and guest.

There's also the QubesOS project that aims to make the VM option more secure. It's in pretty good shape right now and easy to use.

The overall problem with your question is that neither X nor Ubuntu is designed for secure separation of mutually distrusting apps. Decades of research went into doing that for UNIX and X, with plenty of prototypes/products. Having seen them & seen Ubuntu, I guarantee you they aren't doing that stuff. The SELinux stuff only does a little for that & virtual machine approaches still have plenty of attack surface (VMM, Dom0's, etc). Genode, QubesOS, Europe's Perseus Security Architecture, the OKL4/OKLinux suite, and TU Dresden's Nizza architecture are the only open methods I know of addressing this with Linux compatibility. Their features & completeness vary considerably.

If it's running mainstream Linux, there are 0-days waiting to be found, I guarantee you. I just keep my old solution of having separate PCs, with one not online, and a KVM switch. And use of read-only media (e.g. CD-Rs), one-way cables, or guards for moving data. And backups onto read-only media. And loading from read-only media where possible. The whole setup costs under $1,000 if one gets components cheap & accepts moderate performance; $2,000-$3,000 for high performance.

Nick P
  • Does the selinux sandboxing work without enabling selinux for the whole system? – student May 28 '14 at 12:47
  • It's been a while since I used SELinux but I do recall it supported selective use of enforcement: use it on system, use it on just these apps/services, don't use it, etc. It's flexible like that. I'd recommend Googling online guides and tutorials on it. (Watch the date, though, as some will be outdated.) – Nick P May 28 '14 at 17:02
  • Watch out, CD-Rs have a limited life span... Especially if they are left out in the sun. – timthelion Aug 17 '15 at 22:03
  • Good point. I rarely run into that problem as I keep creating new ones. However, it was true for many of my old ones. This is why I tell people to use clustered filesystems with offsite backups for data retention. RAID was my old suggestion until I lost three disks before I could replace the first to go down (rolls eyes). A clustered FS w/ cheap RAID nodes works so long as you have a service constantly going through the files to find problems. I compared hashes for simplicity. The modern CFSs might make this unnecessary. – Nick P Aug 19 '15 at 17:17
  • I'm pretty sure the SELinux X11 Sandbox breaks hardware acceleration. – forest Dec 28 '18 at 05:18
1

I would like to add this project to the excellent list of projects above. It can sandbox any type of process: servers, graphical applications, and even user login sessions.

https://l3net.wordpress.com/projects/firejail/

Firejail is a SUID security sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table.

bensonw
  • Sounds like a plug; tell us how the resource works to solve the issue... – Matthew Peters Jan 23 '15 at 15:33
  • Unless something changed recently, firejail cannot sandbox X applications (or at least, not sandbox their interactions over X11). Furthermore, firejail itself is a cure that can easily be worse than the disease. Being setuid makes it a far bigger target for privilege escalation, as we've seen so many times on oss-sec. So many trivial privesc bugs were found that the guy disclosing it just gave up. – forest Dec 21 '17 at 10:04