GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → darrenldl → sandboxing

darrenldl / sandboxing

Licence: GPL-3.0 License
Scripts, files and tools related to sandboxing

Programming Languages

c
50402 projects - #5 most used programming language
ocaml
1615 projects
javascript
184084 projects - #8 most used programming language
shell
77523 projects
Makefile
30231 projects

Labels

sandboxingapparmorbubblewrapapparmor-profilesbubblewrap-scripts

Projects that are alternatives of or similar to sandboxing

apparmor.d
Full set of AppArmor profiles (~ 1400 profiles)
Stars: ✭ 32 (+23.08%)
Mutual labels:  apparmor, apparmor-profiles
sandboxed-fs
Sandboxed Wrapper for Node.js File System API
Stars: ✭ 41 (+57.69%)
Mutual labels:  sandboxing
Gontainer
A simple and rudimentary container for Linux
Stars: ✭ 72 (+176.92%)
Mutual labels:  sandboxing
rusty-sandbox
A sandboxing library for Rust
Stars: ✭ 59 (+126.92%)
Mutual labels:  sandboxing
CKS-Exercises-Certified-Kubernetes-Security-Specialist
A set of curated exercises to help you prepare for the CKS exam
Stars: ✭ 124 (+376.92%)
Mutual labels:  apparmor
Example
Metarhia application example for Node.js
Stars: ✭ 147 (+465.38%)
Mutual labels:  sandboxing
nix-portable
Nix - Static, Permissionless, Installation-free, Pre-configured
Stars: ✭ 356 (+1269.23%)
Mutual labels:  bubblewrap
connect-or-cut
Simple network sandbox for Unix and Windows
Stars: ✭ 19 (-26.92%)
Mutual labels:  sandboxing
carnet
A Tool for Sandboxing Cargo and Buildscripts
Stars: ✭ 78 (+200%)
Mutual labels:  sandboxing
scuba
Kubernetes Container Runtime Interface daemon for running CloudABI jobs
Stars: ✭ 18 (-30.77%)
Mutual labels:  sandboxing
minijail
sandboxing and containment tool used in ChromeOS and Android
Stars: ✭ 155 (+496.15%)
Mutual labels:  sandboxing
rlbox sandboxing api
RLBox sandboxing framework
Stars: ✭ 239 (+819.23%)
Mutual labels:  sandboxing
ego
Alter Ego: run Linux desktop applications under a different local user
Stars: ✭ 90 (+246.15%)
Mutual labels:  sandboxing
apparmor
Development repository for the apparmor cookbook
Stars: ✭ 13 (-50%)
Mutual labels:  apparmor
Docker Slim
DockerSlim (docker-slim): Don't change anything in your Docker container image and minify it by up to 30x (and for compiled languages even more) making it secure too! (free and open source)
Stars: ✭ 11,712 (+44946.15%)
Mutual labels:  apparmor

Sandboxing

Scripts, files and tools related to sandboxing

Description

This sandboxing suite primarily targets desktop use, but may include assets for server use

The scripts and files in this repo are designed to be readily usable on most systems

  • You only have to install OCaml toolchain if you want to develop upon the generator

Basics

  • Private home for programs
  • Shell interpreter access is removed in the sandbox
  • Access to number of binaries is minimized (via bubblewrap and AppArmor)
  • Fairly strict seccomp filters are supplied to bubblewrap
  • Fairly strict AppArmor profiles are generated

Note that some profiles assume usage of Wayland

Install

Simply git clone https://github.com/darrenldl/sandboxing.git in home

Your system needs to have bubblewrap, gcc and apparmor to run the scripts

Installation

Important: Please make sure the following directories are not already in use in your $HOME

  • sandboxing/
  • sandboxes/
  • sandbox-logs/

All bash scripts in scripts/ directory should work out of the box on most Linux distros

The scripts assume they stay in their original positions in the local copy of the repository, however

One can invoke them via the full path

./sandboxing/scripts/firefox.sh &

or use add_links.sh DEST to create symlinks to the scripts

./sandboxing/add_links.sh ~/.bin # say ~/.bin is in our PATH variable
sandbox-firefox-private &        # all symlinks are prefixed with "sandbox-" to allow easy removal
                                 # and avoid shadowing

General usage

Invoke the script directly (or via symlink), stdout are stored as ~/sandboxing-sandbox-logs/profile/*.stdout, stderr are stored as ~/sandboxing-sandbox-logs/profile/*.stderr

See the following section for profile specific usage

Profiles

Only the listed profiles are considered stable

Following serves as rough descriptions only, check the scripts directly to see if they fit your needs

Internet

  • firefox
    • Persistent home as ~/sandboxing-sandboxes/firefox on host
  • firefox-tmp
    • No persistent home
    • Temporary persistent Downloads folder in sandbox home, created as temporary directory under /tmp on host
      • This is the only directory that host and sandbox share
    • Is NOT hardened against tracking/fingerprinting
  • firefox-private
    • Same as firefox-tmp, but uses the hardened user.js transparently (should work on most Linux distros)
    • Important: Please check the user.js is indeed loaded correctly, see https://github.com/pyllyukko/user.js/#verifying for how to verify
  • thunderbird
    • Persistent home as ~/sandboxing-sandboxes/thunderbird on host
  • discord
    • Persistent home as ~/sandboxing-sandboxes/discord on host
    • AppArmor profile not usable yet

PDF reading

  • okular-ro

    • No persistent home
    • Accepts exactly one argument for file to be read, e.g. sandbox-okular-ro file.pdf
    • RO mounts only the specified PDF file in sandbox home
    • No network access

  • okular-rw

    • No persistent home
    • Accepts exactly one argument for file to be read, e.g. sandbox-okular-rw file.pdf
    • RW mounts only the specified PDF file in sandbox home
    • No network access

Image viewing

  • eom-ro
    • No persistent home
    • Accepts exactly one argument for file to be read, e.g. sandbox-eom-ro file.png
    • RO mounts only the specified file in sandbox home
    • No network access

Development

TODO

  • Make each sandbox use a separate user (not sure yet)

  • Transition to syscall whitelist instead of blacklist

  • Network namespace set up with routing and DNS

WIP

  • Discord AppArmor profile

Index

  • aa-profiles/ contains the generated AppArmor profiles
  • firefox-hardening/ contains files specific to Firefox
  • gen/ contains the OCaml code responsible for generating the bubblewrap scripts and generating seccomp BPF generator C code
  • runners/ contains the generated runner C code
  • scripts/ contains the generated bubblewrap scripts
  • seccomp-bpfs/ contains the generated seccomp BPF generator C code

See gen/src/profiles.ml for existing profiles

Run make run in bw-script-gen/ to generate scripts after making updates to the profiles

Acknowledgements

Some components (e.g. bubblewrap scripts, seccomp filter blacklist) are based on the following repo

AppArmor profile generation, seccomp filter whitelist, and other design choices are based on the following repo

Files in firefox-hardening/ are from the following repo

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].