Sandboxing is a technique for confining an application to specific resources, protecting the operating system from vulnerabilities and threats.
- AppArmor
- Uses profiles that define what a known application needs to perform its tasks and provides only those minimum resources.
- Firejail
- An easy-to-use tool to launch an application from the terminal with a few arguments as needed.
Additionally, I covered how to use iptables to restrict applications by uid or gid to only use a VPN connection (tun0 from OpenVPN), and the tool proxychains to tunnel all traffic through a proxy server or the Tor Network.
APPARMOR
AppArmor is a kernel enhancement that sandboxes applications, giving them only the minimum resources needed to perform their tasks.
sudo apt install apparmor-profiles apparmor-utils -y sudo aa-status
To enforce all profiles or a single profile:
sudo aa-enforce /etc/apparmor.d/* sudo aa-enforce /etc/apparmor.d/usr.sbin.traceroute
FIREJAIL
Firejail is a SUID program that reduces the risk of security breaches by restricting the running environment of untrusted or vulnerable applications with low overhead.
sudo apt install firejail firejail-profiles -y firejail --help
Run any application through Firejail to apply restrictions:
firejail --net=none firefox firejail --net=tun0 firefox
Other examples:
firejail --private --dns=8.8.8.8 --hosts-file=/etc/hosts firefox firejail --net=eth0 --defaultgw=192.168.1.1 firefox firejail --cpu=2,3 firefox
Limiting bandwidth:
firejail --name=slow --private --net=eth0 firefox -no-remote firejail --bandwidth=slow set eth0 200 100
Optionally, create a bridge network (using bridge-utils and uml-utilities) attached to the VPN interface and force the desired application through it.
BONUS
Restrict an application to only run through a specific network interface, such as a VPN.
sudo iptables -A OUTPUT -m owner --uid-owner debian-transmission \! -o tun0 -j REJECT sudo -u debian-transmission transmission-gtk &
Or add rules to keep it accessible on the local network on specific ports while still restricting its internet traffic to the VPN interface.
sudo iptables -A OUTPUT -d 192.168.0.0/16 -p tcp --sport 9091 -m owner --gid-owner debian-transmission -o wlan0 -j ACCEPT sudo iptables -A OUTPUT -d 192.168.0.0/16 -p udp --sport 9091 -m owner --gid-owner debian-transmission -o wlan0 -j ACCEPT sudo iptables -A OUTPUT -m owner --gid-owner debian-transmission -o tun0 -j ACCEPT sudo iptables -A OUTPUT -m owner --gid-owner debian-transmission -o lo -j ACCEPT sudo iptables -A OUTPUT -m owner --gid-owner debian-transmission -j REJECT
See also the next post with ProxyChains usage and configuration examples [Link] to learn how to restrict a specific application to the Tor Network.
Open Snitch and Little Snitch
Monitor and intercept new network connection requests, with the ability to approve or deny them before they go through.
- Open Snitch
sudo apt install opensnitch -y opensnitch-ui
- Little Snitch (originally macOS only)
Available for download at [Link].