Sandboxing is a technique for confining an application to specific resources, protecting the operating system from vulnerabilities and threats.

  1. AppArmor
    1. Uses profiles that define what a known application needs to perform its tasks and provides only those minimum resources.
  2. Firejail
    1. An easy-to-use tool to launch an application from the terminal with a few arguments as needed.

Additionally, I covered how to use iptables to restrict applications by uid or gid to only use a VPN connection (tun0 from OpenVPN), and the tool proxychains to tunnel all traffic through a proxy server or the Tor Network.


APPARMOR

AppArmor is a kernel enhancement that sandboxes applications, giving them only the minimum resources needed to perform their tasks.

sudo apt install apparmor-profiles apparmor-utils -y
sudo aa-status

To enforce all profiles or a single profile:

sudo aa-enforce /etc/apparmor.d/*
sudo aa-enforce /etc/apparmor.d/usr.sbin.traceroute

FIREJAIL

Firejail is a SUID program that reduces the risk of security breaches by restricting the running environment of untrusted or vulnerable applications with low overhead.

sudo apt install firejail firejail-profiles -y
firejail --help

Run any application through Firejail to apply restrictions:

firejail --net=none firefox
firejail --net=tun0 firefox

Other examples:

firejail --private --dns=8.8.8.8 --hosts-file=/etc/hosts firefox
firejail --net=eth0 --defaultgw=192.168.1.1 firefox
firejail --cpu=2,3 firefox

Limiting bandwidth:

firejail --name=slow --private --net=eth0 firefox -no-remote
firejail --bandwidth=slow set eth0 200 100

Optionally, create a bridge network (using bridge-utils and uml-utilities) attached to the VPN interface and force the desired application through it.


BONUS

Restrict an application to only run through a specific network interface, such as a VPN.

sudo iptables -A OUTPUT -m owner --uid-owner debian-transmission \! -o tun0 -j REJECT
sudo -u debian-transmission transmission-gtk &

Or add rules to keep it accessible on the local network on specific ports while still restricting its internet traffic to the VPN interface.

sudo iptables -A OUTPUT -d 192.168.0.0/16 -p tcp --sport 9091 -m owner --gid-owner debian-transmission -o wlan0 -j ACCEPT
sudo iptables -A OUTPUT -d 192.168.0.0/16 -p udp --sport 9091 -m owner --gid-owner debian-transmission -o wlan0 -j ACCEPT
sudo iptables -A OUTPUT -m owner --gid-owner debian-transmission -o tun0 -j ACCEPT
sudo iptables -A OUTPUT -m owner --gid-owner debian-transmission -o lo -j ACCEPT
sudo iptables -A OUTPUT -m owner --gid-owner debian-transmission -j REJECT

See also the next post with ProxyChains usage and configuration examples [Link] to learn how to restrict a specific application to the Tor Network.

Open Snitch and Little Snitch

Monitor and intercept new network connection requests, with the ability to approve or deny them before they go through.

  • Open Snitch
sudo apt install opensnitch -y
opensnitch-ui
  • Little Snitch (originally macOS only)

Available for download at [Link].