Sandboxing is a technique for confining an application to a specific set of resources, so that a vulnerability or malicious behaviour in that application cannot reach the rest of the operating system.

  1. AppArmor
    1. Uses profiles that define what a known application needs to perform its tasks and grants only those minimum resources.
  2. Firejail
    1. An incredibly easy-to-use way to spin up an application from the terminal with a few arguments as needed.

Additionally, I also mentioned how to use iptables to restrict applications by uid or gid so that they can only use a VPN connection (tun0 from OpenVPN), and the application called proxychains, which tunnels all of a program's traffic over a proxy server or even the Tor network.


APPARMOR

AppArmor is a kernel enhancement that sandboxes applications, giving each one only the minimum set of resources it needs to perform its tasks and nothing else.

sudo apt install apparmor-profiles apparmor-utils -y
sudo aa-status

To enforce all profiles or a single profile, use the following syntax:

sudo aa-enforce /etc/apparmor.d/*
sudo aa-enforce /etc/apparmor.d/usr.sbin.traceroute
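To show what one of those profiles actually contains, here is an added example that is not from the original post: a shell script that writes a minimal profile for a hypothetical binary /usr/local/bin/example-app (the binary, its /etc/example-app configuration and /var/lib/example-app state directory are assumptions), and a helper that checks the profile denies network access. The workflow of loading it in complain mode first, reading the audit log, and only then enforcing is the standard AppArmor one.

```sh
#!/bin/sh
# Added example (not from the post): a minimal AppArmor profile for a
# hypothetical program /usr/local/bin/example-app. The paths inside the
# profile are assumptions chosen for illustration.

PROFILE_NAME="usr.local.bin.example-app"

# Write the profile into directory $1 and print the resulting file path.
write_example_profile() {
    out="$1/$PROFILE_NAME"
    cat > "$out" <<'EOF'
# Hypothetical profile for /usr/local/bin/example-app (example only)
#include <tunables/global>

/usr/local/bin/example-app {
  #include <abstractions/base>

  # the program itself: readable and mappable as executable, nothing more
  /usr/local/bin/example-app mr,

  # its own configuration, read-only
  /etc/example-app/** r,

  # state directory: read/write, but only files owned by the invoking user
  owner /var/lib/example-app/** rw,

  # explicit denials: in enforce mode these are blocked and logged as
  # apparmor="DENIED"; in complain mode they are logged as apparmor="ALLOWED"
  deny network,
  deny /home/** rw,
}
EOF
    echo "$out"
}

# Return 0 when the profile in $1 denies networking and grants no bare "network," rule.
profile_is_offline() {
    grep -q '^ *deny network,' "$1" && ! grep -q '^ *network,' "$1"
}

# Install and load the profile in complain mode (requires root; not run by the
# test). Run the program, then review what enforce mode would have blocked:
#   sudo journalctl -k | grep apparmor=
# and switch to enforce mode with aa-enforce only when the log is clean.
install_profile() {
    sudo install -m 0644 "$1" "/etc/apparmor.d/$PROFILE_NAME" &&
    sudo apparmor_parser -r "/etc/apparmor.d/$PROFILE_NAME" &&
    sudo aa-complain "/etc/apparmor.d/$PROFILE_NAME"
}
```

Usage: `p=$(write_example_profile /tmp) && profile_is_offline "$p" && install_profile "$p"`. Complain mode is the safe first step because a profile that is too tight breaks the application silently once enforced.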

FIREJAIL

Firejail is a SUID program that reduces the risk of security breaches by restricting the running environment of untrusted or vulnerable applications with low overhead.

sudo apt install firejail firejail-profiles -y
firejail --help

Execute any application with Firejail to apply restrictions or limitations:

firejail --net=none firefox
firejail --net=tun0 firefox

Other examples:

firejail --private --dns=8.8.8.8 --hosts-file=/etc/hosts firefox
firejail --net=eth0 --defaultgw=192.168.1.1 firefox
firejail --cpu=2,3 firefox

Limiting bandwidth:

firejail --name=slow --private --net=eth0 firefox -no-remote
firejail --bandwidth=slow set eth0 200 100

Optionally, create a bridge network (using bridge-utils and uml-utilities) attached to the VPN interface and force the desired application over that bridge interface.
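One thing `--net=tun0` does not cover by itself is what happens when the VPN is down: Firejail refuses to start if the interface is missing, which tempts people to drop the flag. The following added example (not from the post or the Firejail project) is a small POSIX sh wrapper that probes sysfs for the interface and falls back to `--net=none`, so the application still runs but can never reach the network through another interface. The `SYSFS_NET` variable and the function names are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not from the post): start an application in Firejail bound to
# a VPN interface, and fail closed (no network at all) when that interface is
# missing or down. SYSFS_NET is the directory probed for interfaces; the
# default is the real sysfs path, a test can point it at a fake one.

SYSFS_NET="${SYSFS_NET:-/sys/class/net}"

# Print the --net argument for interface $1; return 0 when it is usable.
# Only an explicit "down" is rejected: tun devices report operstate "unknown"
# even while they carry traffic, so "unknown" must count as usable.
firejail_net_arg() {
    iface="$1"
    if [ -d "$SYSFS_NET/$iface" ] &&
       [ "$(cat "$SYSFS_NET/$iface/operstate" 2>/dev/null)" != "down" ]; then
        echo "--net=$iface"
        return 0
    fi
    echo "--net=none"   # fail closed: the program runs, but fully offline
    return 1
}

# Print the full command line for interface $1 and program $2..., so it can be
# reviewed before running. --private gives the program an empty temporary home.
build_firejail_cmd() {
    iface="$1"; shift
    net="$(firejail_net_arg "$iface" || true)"
    echo "firejail $net --private $*"
}

# Run the program; warn on stderr when falling back to the offline sandbox.
sandboxed_run() {
    iface="$1"; shift
    net="$(firejail_net_arg "$iface")" ||
        echo "warning: $iface absent or down, starting $1 without network" >&2
    firejail "$net" --private "$@"
}
```

Usage: `sandboxed_run tun0 firefox -no-remote`. The design choice is that a VPN dropping should degrade to "no network", never to "whatever interface the default route happens to use".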


BONUS

Restrict the desired application so that it can only send traffic through a chosen network interface, such as a VPN.

sudo iptables -A OUTPUT -m owner --uid-owner debian-transmission \! -o tun0 -j REJECT
sudo -u debian-transmission transmission-gtk &

Or add rules so that the application stays reachable from the local network on specific ports while still being limited to the VPN interface for reaching the Internet.

sudo iptables -A OUTPUT -d 192.168.0.0/16 -p tcp --sport 9091 -m owner --gid-owner debian-transmission -o wlan0 -j ACCEPT
sudo iptables -A OUTPUT -d 192.168.0.0/16 -p udp --sport 9091 -m owner --gid-owner debian-transmission -o wlan0 -j ACCEPT
sudo iptables -A OUTPUT -m owner --gid-owner debian-transmission -o tun0 -j ACCEPT
sudo iptables -A OUTPUT -m owner --gid-owner debian-transmission -o lo -j ACCEPT
sudo iptables -A OUTPUT -m owner --gid-owner debian-transmission -j REJECT
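Two practical points about that ruleset: the rules are order-sensitive (iptables stops at the first match, so an ACCEPT appended after the catch-all REJECT never fires), and they only cover IPv4, since ip6tables keeps its own separate table. The added example below (not from the post) generates the same rules as iptables-restore input, so the whole set is loaded in one atomic step instead of one `-A` at a time, adds the IPv6 counterpart, and includes a check that the REJECT really is last. The group, interface, subnet and port default to the post's values; the function names are assumptions.

```sh
#!/bin/sh
# Added example (not from the post): emit the per-group "VPN only" OUTPUT rules
# as iptables-restore input so they load atomically. If a sequence of separate
# -A commands stops half-way, the group has its ACCEPT rules but not the final
# REJECT, which is no restriction at all. Parameter values default to the
# post's: group debian-transmission, VPN tun0, LAN wlan0, 192.168.0.0/16, 9091.

# build_rules GROUP VPN_IF LAN_IF LAN_NET PORT -> IPv4 ruleset on stdout.
# First match wins, so every ACCEPT must precede the final catch-all REJECT.
build_rules() {
    group="$1" vpn_if="$2" lan_if="$3" lan_net="$4" port="$5"
    cat <<EOF
*filter
-A OUTPUT -d $lan_net -p tcp --sport $port -m owner --gid-owner $group -o $lan_if -j ACCEPT
-A OUTPUT -d $lan_net -p udp --sport $port -m owner --gid-owner $group -o $lan_if -j ACCEPT
-A OUTPUT -m owner --gid-owner $group -o $vpn_if -j ACCEPT
-A OUTPUT -m owner --gid-owner $group -o lo -j ACCEPT
-A OUTPUT -m owner --gid-owner $group -j REJECT
COMMIT
EOF
}

# build_rules6 GROUP VPN_IF -> IPv6 ruleset. ip6tables is a separate table, so
# without this an IPv6-capable program in the group bypasses the IPv4 rules.
build_rules6() {
    group="$1" vpn_if="$2"
    cat <<EOF
*filter
-A OUTPUT -m owner --gid-owner $group -o $vpn_if -j ACCEPT
-A OUTPUT -m owner --gid-owner $group -o lo -j ACCEPT
-A OUTPUT -m owner --gid-owner $group -j REJECT
COMMIT
EOF
}

# reject_is_last GROUP: read a ruleset on stdin; return 0 only when the group's
# rules contain exactly one REJECT and it is the last rule, i.e. nothing has
# been appended behind the catch-all where it could never match.
reject_is_last() {
    rules=$(grep '^-A OUTPUT' | grep -- "--gid-owner $1")
    [ "$(printf '%s\n' "$rules" | grep -c -- '-j REJECT')" -eq 1 ] &&
    printf '%s\n' "$rules" | tail -n 1 | grep -q -- '-j REJECT'
}

# apply_rules: load both sets, keeping existing rules (--noflush). Needs root;
# not run by the test.
apply_rules() {
    build_rules debian-transmission tun0 wlan0 192.168.0.0/16 9091 | sudo iptables-restore --noflush &&
    build_rules6 debian-transmission tun0 | sudo ip6tables-restore --noflush
}
```

Usage: `build_rules debian-transmission tun0 wlan0 192.168.0.0/16 9091 | reject_is_last debian-transmission && apply_rules`. Note that the REJECT also covers DNS from that group, so the application's resolver must be reachable through the VPN interface; otherwise it will start but fail to resolve names, which is the intended fail-closed behaviour rather than a leak.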

See also the next post with examples of usage and configuration for ProxyChains [Link] to learn how to restrict a specific application to strictly use the Tor Network.

OPEN SNITCH AND LITTLE SNITCH

Both monitor and intercept attempts to open a new network connection, letting you approve or deny each one before it happens.

  • Open Snitch

sudo apt install opensnitch -y
opensnitch-ui

  • Little Snitch (originally for macOS only)

Available for Downloads at [Link].