Simple application sandboxing using AppArmor and Firejail
Share on:Security is one of the most important and overlooked aspects of modern computing. We tend to let the default security configurations do the work, or on Windows, we simply install some anti-virus and be done with it. However, applications are increasingly privileged and we find ourselves running programs that could represent a security vulnerability to our systems and, more importantly, to our information.
Sandboxing allows us to limit what each application can see and what it can access, as well as what it can do in your system. Clearly not all applications need sandboxing, for example, your text editor probably isn’t a security vulnerability. Regardless, applications like browsers are the source of many security vulnerabilities, even though they already do some sandboxing themselves.
In this post, we will use a very simple sandboxing method using Firejail and AppArmor on Linux.
AppArmor
AppArmor comes enabled in several Linux distributions. To check whether it’s running, type in:
$ aa-enabled
If you get a message telling you that it’s enabled, then AppArmor is up and running and you can skip to the next section.
If you get a message that says aa-enabled: command not found
then you need to
install AppArmor. To do so, simply install the package apparmor
from your
distribution’s repositories. For example, on Debian you would run:
$ sudo apt install apparmor apparmor-utils
To make sure it runs on boot, add the following kernel parameters:
apparmor=1 lsm=lockdown,yama,apparmor
If you’re using GRUB2, this is as simple as editing the following line in
/etc/default/grub
:
GRUB_CMDLINE_LINUX_DEFAULT="apparmor=1 lsm=lockdown,yama,apparmor"
If the setting GRUB_CMDLINE_LINUX_DEFAULT
is already assigned to something,
add the new kernel parameters at the beginning of the quoted string. Reboot and
run aa-enabled
to verify that AppArmor is up and running.
Firejail
Installing Firejail is as simple as installing the following packages under Debian:
$ sudo apt install firejail firejail-profiles
Running applications under Firejail
To run something with Firejail sandboxing, it’s as simple as adding firejail
before the name of the application you want to run (in a terminal, that is). For
example:
$ firejail firefox
$ firejail chromium
$ firejail emacs
Hundreds of applications have Firejail profiles predefined already for them. For example, when running Firefox, you will see a line like this:
Reading profile /etc/firejail/firefox.profile
This indicates a profile tailored specifically for the application you’re running is available. We will use Firefox for the remaining examples.
Seccomp (Secure Computing Mode) blocks applications from making system calls outside of a few select ones and limits what the application can access. To enable this, as well as disabling new privileges during execution, run:
$ firejail --seccomp firefox
Note: A few applications, Chromium for example, will not run with the
--seccomp
option enabled since they need to acquire new privileges in order to
run their internal sandboxing processes.
Firejail + AppArmor
To enable the default AppArmor profile for Firejail, run:
$ sudo aa-enforce firejail-default
Now, to run an application with AppArmor enabled, simply run:
$ firejail --apparmor --seccomp firefox
Using a private home directory
You might not want a process to be able to access the rest of your files in your home directory. In order to do this, you might run a virtual home directory for the process you’re running. Create a new directory, for example:
$ mkdir ~/firefox
You can also use an existing directory and you can reuse this directory if you want. To set this as the home directory for the application, run:
$ firejail --apparmor --seccomp --private=/home/user/firefox firefox
The contents in that directory will be persistent even after you close the application. You can move files to and from the directory at any time. If you prefer a one-time temporary directory, deleted upon closing the application, run:
$ firejail --apparmor --seccomp --private firefox
This will store everything in memory and will discard it once the process is finished. If for some reason you wish to transfer files to or from this sandbox, you will need to locate the PID for the sandbox first by running:
$ firejail --list
Alternatively, you can assign a name to the sandbox on launch:
$ firejail -name=mysandbox firefox
We will assume the sandbox is named mysandbox
, but if it’s not, you will
simply need to replace the name with the PID. To list the contents in some
directory, run:
$ firejail --ls=mysandbox ~/
This will list everything in the private home directory of the sandbox. In order
to get a file named file.txt
from the sandbox and put it in the current
directory, run:
$ firejail --get=mysandbox ~/file.txt
To send a file named file.txt
and put it in the Downloads folder, you simply
run:
$ firejail --put=mysandbox file.txt ~/Downloads/file.txt
Use a sandboxed X server
For certain applications, you might want to run them on a separate X server. This will prevent the application from logging keystrokes outside of itself, as well as recording the screen or screenshooting it. We will use Xephyr in this example, though there are a few other options available. Make sure Xephyr is installed:
$ sudo apt install xserver-xephyr
To run the application under a separate X server, run:
$ firejail --apparmor --seccomp --x11=xephyr firefox
This will run in a normal window, though the window will not be resizeable. If
you wish to change the resolution from the default (800x600), add the
--xephyr-screen=WIDTHxHEIGHT
option. If you wish to set a different default
resolution, edit the xephyr-screen
parameter in /etc/firejail/firejail.conf
.
You can play around and mix the options as you desire. None of the ones showed
here depend on one another (except for --xephyr-screen
), so adjust them to
your needs. This is a very simple and quick way to use Firejail for
sandboxing. For further information and customization, check the Firejail usage
page, as well as
the manpages (run man firejail
).