IgnorantGuru's Blog

Linux software, news, and tips

Sandfox: A Poor Man’s Sandbox

Sandfox is available for testing and use. This new program, written entirely in bash and using only core Linux commands like mount and chroot, creates filesystem sandboxes and runs apps in them. Very easy to use, it is also quite configurable. It includes a profile for running Firefox sandboxed, a valuable ability because it gives Java, Flash, and plugins only limited access to your system. I’ve been using it for a few days with great results.

I believe sandboxing is ‘the next big thing’, and I didn’t find any tools for it that were easy to set up and use. Hence, Sandfox.

February 2, 2010 - Posted by | Scripts

6 Comments

  1. Great work, was wondering if you might take up the challenge to do same for Skype.

    Comment by Ed | February 10, 2010

    • I might take a look at Skype. Also keep in mind that Sandfox can sandbox any app. For example, create a new file /etc/sandfox/skype.profile then add some binds to it. Initially, you could just give it your whole home folder and some other folders to get it running, then trim it back. You might start with these binds in skype.profile:
      bind=/dev
      bind=/proc
      bind=/home/$user

      Then start skype with:
      sudo sandfox --verbose --make skype

      If that runs, then I would suggest binding less of /home and less of /dev, giving it only the folders and files it requires. This takes a little trial and error. Also check out Getting Programs To Run Well In A Sandbox.

      It looks like Skype requires a minimum of these binds in /home:
      bindro=/home/$user/.ICEauthority
      bindro=/home/$user/.Xauthority
      bindro=/home/$user/.config
      bindro=/home/$user/.kde/share/config/kioslaverc
      bind=/home/$user/.Skype

      Comment by igurublog | February 10, 2010
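To make the bind= and bindro= profile lines above concrete, here is an added example (not Sandfox’s own code) that reads such a profile and prints, rather than runs, the mount commands a chroot sandbox would need; the sandbox root of /sandbox/<name>, the $user expansion rule and the optional chroot launch line are assumptions for the example.

```shell
#!/bin/sh
# Added example (not Sandfox's own code): a dry-run planner for profile lines of the
# form used above. Assumptions: the sandbox root is /sandbox/<name>, and the literal
# token $user in a path stands for the sandboxed user's login name.
#   bind=/path    -> bind-mount /path read-write into the sandbox
#   bindro=/path  -> bind-mount /path, then remount it read-only
# Commands are printed, not executed, so the plan can be reviewed before anything
# is done as root.

plan_mounts() {
    # $1 = profile file, $2 = user name, $3 = sandbox name, $4 = command to launch (optional)
    profile=$1; user=$2; root=/sandbox/$3
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac   # skip blanks and comments
        key=${line%%=*}
        path=${line#*=}
        # expand the literal token $user without eval (profiles are data, not shell)
        path=$(printf '%s\n' "$path" | sed "s|[\$]user|$user|g")
        case $path in
            /*) ;;
            *)  echo "skip: $key=$path is not an absolute path" >&2; continue ;;
        esac
        case $key in bind|bindro) ;; *) echo "skip: unknown key '$key'" >&2; continue ;; esac
        # a bind mount needs a target of the same kind: directory onto directory,
        # file onto file (e.g. .Xauthority)
        if [ -d "$path" ]; then
            echo "mkdir -p '$root$path'"
        else
            echo "mkdir -p '$root$(dirname "$path")' && touch '$root$path'"
        fi
        echo "mount --bind '$path' '$root$path'"
        if [ "$key" = bindro ]; then
            # a bind mount inherits the source's flags; read-only takes effect only on remount
            echo "mount -o remount,bind,ro '$root$path'"
        fi
    done < "$profile"
    # the chroot itself is what confines the app to the bound paths
    if [ -n "$4" ]; then
        echo "chroot '$root' su - '$user' -c '$4'"
    fi
}
```

Anything not listed in the profile is simply absent inside the chroot, which is why trimming the bind list back is the safe direction to work in.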

  2. Yep, your guidance is spot on – I’ve not yet stolen time to have a crack at this, but in between then and now here’s my AppArmor skype.real profile (btw we have the /usr/bin/skype and /usr/bin/skype.real fun to consider also), which is not the best of the best but is also another starting point for the bind list you might be interested to take a peek at:

    #include

    /usr/bin/skype.real {
    #include
    #include
    #include
    #include
    #include

    deny /etc/passwd r,
    deny /home/ed/documents/* r,
    deny /home/ed/scripts/* r,
    deny /home/ed/contacts/* r,
    deny /home/ed/settings/* r,
    deny owner /home/*/.mozilla/ r,
    deny owner /home/*/.kde/share/* r,

    /dev/ r,
    /dev/* rw,
    /dev/shm/pulse* mr,
    /dev/snd/pcm* mr,
    /etc/fonts/** r,
    /etc/group mr,
    owner /home/* r,
    owner /home/*/.Skype/ rw,
    owner /home/*/.Skype/** rwk,
    owner /home/*/.Xauthority r,
    owner /home/*/.config/Trolltech.conf r,
    owner /home/*/.fontconfig/* mr,
    owner /home/*/.fonts* r,
    owner /home/*/.kde/share/config/* r,
    owner /home/*/.kde/share/config/kdeglobals rk,
    owner /home/*/.mozilla/**/ r,
    /proc/*/net/route r,
    /proc/sys/kernel/os* r,
    /sys/devices/pci0000:00/0000:00:1a.7/usb1/1-2/1-2:1.0/modalias r,
    /sys/devices/pci0000:00/0000:00:1a.7/usb1/1-2/1-2:1.0/video4linux/video0/dev r,
    /sys/devices/system/cpu r,
    /sys/devices/system/cpu/ r,
    /sys/devices/virtual/dmi/id/board_name r,
    /sys/devices/virtual/dmi/id/board_vendor r,
    /sys/devices/virtual/dmi/id/product_version r,
    /usr/lib{,32,64}/** mr,
    /usr/lib/firefox*/firefox.sh ix,
    /usr/local/share/fonts/** r,
    /usr/share/fonts/** mr,
    /usr/share/icons/** r,
    /usr/share/locale-langpack/** mr,
    /usr/share/skype/** mr,
    /usr/share/skype/sounds/* rk,
    /var/lib/defoma/** r,

    }

    Comment by Ed | February 11, 2010

  3. I also get a freeze if /dev/urandom is remounted.

    Comment by Anonymous | April 6, 2010

    • Thanks for letting me know. I haven’t seen /dev/urandom do this, but I will look at making the next update treat /dev/urandom like v0.9.6 treats /dev/random (IOW no remount).

      Comment by igurublog | April 6, 2010

    • As of version 1.0.0, Sandfox will treat /dev/urandom like /dev/random and will not use a remount, so this should correct your problem.

      Comment by igurublog | April 22, 2010