That’s a harmless error. userdel --remove
attempts to delete the mail spool, as well as the home folder but since we don’t setup a mail spool, there’s nothing to delete.
Yes.
That would be great.
Done.
for code simplification https://forums.whonix.org/t/system-wide-sandboxing-fram…
Patrick: Should remove also do the following?
Yes.
Currently we don’t have proper whitespace handling.
bash -c "
bwrap \
--ro-bind /bin /bin \
...
--ro-bind ${main_app_dir}/machine-id /etc/machine-id \
...
10< <(getent passwd root ${app_user} nobody) \
11< <(getent group root ${app_user} nobody) \
12< ${seccomp_filter} \
${bwrap_args} \
${wrapper_script} ${@}"
User names or folder names with white spaces wouldn’t work, but we don’t have these and check that there are no such characters.
Arguments however ${@} would be broken. Such as
sandbox-app-launcher start vlc "my video"
would break. That would result in VLC trying to open a file my and a file video.
It could be made to work similar to: proper whitespace handling · Kicksecure/apparmor-profile-everything@d3eccd4 · GitHub
But since the bwrap command is very lengthy, that would be rather ugly.
I guess we couldn’t even use
command+=("--ro-bind /bin /bin")
command+=("--ro-bind /usr/bin /usr/bin")
...
Because that would be interpreted as:
'--ro-bind /bin /bin'
And not as intended as:
--ro-bind /bin /bin
However, the following would probably work
command+=("--ro-bind")
command+=("/bin")
command+=("/bin")
...
bash -c "${command[@]}"
but make code look much worse. (60 lines of bwrap command would become I guestimate 180 lines.)
The issue comes from the bash subshell opening with another double quote, bash -c ":
sudo \
...
bash -c "
bwrap \
...
--seccomp 12 \
10< <(getent passwd root ${app_user} nobody) \
11< <(getent group root ${app_user} nobody) \
12< ${seccomp_filter} \
${bwrap_args} \
${wrapper_script} ${@}"
Do you think it would be a good idea to move that into its own /usr/share/sandbox-app-launcher/bwrap-wrapper script? Then I believe whitespace handling could be easily fixed.
(No need for command+=("--ro-bind") or "${command[@]}".)
Not yet.
I think it’s better to just lay a few files in the root mount namespace shared by multiple applications and guard the files with apparmor so that only applications that need the shared files can access them.
Do you think it would be a good idea to move that into its own /usr/share/sandbox-app-launcher/bwrap-wrapper script? Then I believe whitespace handling could be easily fixed.
How would that fix it? We’d still need the subshell for the file descriptors.
We’d still need the subshell for the file descriptors.
Yes, but that is OK…?
How would that fix it?
We’d have proper whitespace handling… The pseudo code:
sandbox-app-launcher:
sudo \
--set-home \
--user="${app_user}" \
sandbox_app_launcher_debug="$sandbox_app_launcher_debug" \
app_path="$app_path" \
/usr/share/sandbox-app-launcher/bwrap-wrapper
bwrap-wrapper:
bwrap \
...
--ro-bind "${main_app_dir}/machine-id" /etc/machine-id \
--ro-bind "${wrapper_script}" "${wrapper_script}" \
10< <(getent passwd root "${app_user}" nobody) \
11< <(getent group root "${app_user}" nobody) \
12< "${seccomp_filter}" \
"${bwrap_args}" \
"${wrapper_script}" "${@}"
Using "${@}" (or "$@") would fix whitespace handling.
If that sounds good, I am eager to implement this.
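An added example (not sandbox-app-launcher's or bwrap's own code) contrasting the two launch shapes discussed above: the whole command as one bash -c string versus a separate wrapper that receives "$@". A tiny argument-counting stand-in replaces the real bwrap command; the names and test arguments are constructed.

```shell
#!/bin/sh
# Added example, not code from sandbox-app-launcher. The real bwrap
# invocation is replaced by a stand-in that just prints how many
# arguments reached it, so the effect of whitespace in "$@" is visible.

# Hypothetical stand-in for the wrapper script / application: a shell
# fragment defining count() that prints its argument count.
WRAPPER_BODY='count() { echo "$#"; }; count'

# Old shape: everything is one string given to a nested sh -c, and the
# caller's arguments are spliced into that string with $*. The inner
# shell then re-splits the string on whitespace, so "my video" arrives
# as two words. (With ${@} inside the double-quoted string, as in the
# original snippet, bash instead hands the later arguments to sh -c as
# positional parameters of the inner shell; either way the argument
# boundaries the user typed are not preserved.)
launch_via_string() {
    sh -c "$WRAPPER_BODY $*"
}

# New shape, as in the proposed bwrap-wrapper: the command string never
# contains user data. The arguments are passed to the inner shell as
# its own positional parameters and forwarded with "$@", so each stays
# one word regardless of embedded spaces.
launch_via_wrapper() {
    sh -c "$WRAPPER_BODY \"\$@\"" inner-wrapper "$@"
}

# Convenience accessors used for checking results.
words_seen_old() { launch_via_string "$@"; }
words_seen_new() { launch_via_wrapper "$@"; }

echo "old: $(words_seen_old vlc "my video")"   # 3: vlc, my, video
echo "new: $(words_seen_new vlc "my video")"   # 2: vlc, "my video"
```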
Ah, I understand now. That would be good to implement.
It’s implemented. We have now proper whitespace support. Please have a look.
Not too beautiful code. Some imperfections.
bwrap_args still does not have proper whitespace support but that’s not user facing since path to shared_dir is hardcoded.
sandbox-app-launcher to bwrap-wrapper since we cannot preserve environment (sudo -E).
sandbox-app-launcher start vlc "abc cde" "file 2"
This is actually good:
[0000738ee3f89d00] filesystem stream error: cannot open file /home/sandbox-app-launcher-appdata/vlc/abc cde (No such file or directory)
[0000738ee3f8f480] filesystem stream error: cannot open file /home/sandbox-app-launcher-appdata/vlc/file 2 (No such file or directory)
Your input can’t be opened:
VLC is unable to open the MRL ‘file:///home/sandbox-app-launcher-appdata/vlc/abc%20cde’. Check the log for details.
Your input can’t be opened:
VLC is unable to open the MRL ‘file:///home/sandbox-app-launcher-appdata/vlc/file%202’. Check the log for details.
It shows proper whitespace handling. Previously VLC (example, any application) would have attempted to open 4 files (abc, def, file, 2) instead of 2 files (“abc def”, “file 2”).
Please have a look.
Looks good to me.
It would be useful to have a list argument to list all the currently configured sandboxes. Could simply be:
getent passwd | grep "sal" | sed -e 's/:.*//g' | str_replace "sal-" ""
Also since replace dynamic wrapper script creation with static script · Kicksecure/sandbox-app-launcher@f939fe8 · GitHub, the AppArmor profile is now broken: sandbox-app-launcher/sandbox-app-launcher at master · Kicksecure/sandbox-app-launcher · GitHub
Profile sandbox-app-launcher applies to /var/cache/sandbox-app-launcher-autogenerated/wrappers/** and profile sandbox-app-launcher-wx applies to /var/cache/sandbox-app-launcher-autogenerated/wrappers-wx/**
Since those directories no longer exist, we will need to create 2 copies of the static wrapper script: wrapper-script and wrapper-script-wx, confined by their respective AppArmor profiles.
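An added example (not sandbox-app-launcher's own code) of the list helper suggested above, matching only the user-name field anchored at "sal-" so that an unrelated account whose name merely contains "sal" is not reported; the passwd lines below are constructed sample input, not from a real system.

```shell
#!/bin/sh
# Added example, not code from sandbox-app-launcher: a "list" helper that
# prints the configured sandbox app names from passwd-formatted input.
# Only field 1 (user name) is examined and it must start with "sal-".
list_sandbox_apps() {
    # Reads passwd lines on stdin; prints the app name (user minus "sal-").
    awk -F: '$1 ~ /^sal-/ { sub(/^sal-/, "", $1); print $1 }'
}

# Constructed sample of getent passwd output (hypothetical accounts).
# "salvador" contains "sal" but is not a sandbox user and must be skipped.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
salvador:x:1001:1001::/home/salvador:/bin/bash
sal-vlc:x:1002:1002::/home/sandbox-app-launcher-appdata/vlc:/usr/sbin/nologin
sal-torbrowser:x:1003:1003::/home/sandbox-app-launcher-appdata/torbrowser:/usr/sbin/nologin
user:x:1000:1000::/home/user:/bin/bash'

# Helper for checking: the listed names joined by single spaces.
listed_from_sample() {
    printf '%s\n' "$SAMPLE_PASSWD" | list_sandbox_apps | tr '\n' ' ' | sed 's/ *$//'
}

# Real use would be:  getent passwd | list_sandbox_apps
printf '%s\n' "$SAMPLE_PASSWD" | list_sandbox_apps
```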
Kicksecure:master
← madaidan:fix-apparmor
https://forums.whonix.org/t/system-wide-sandboxing-framework-sandbox-app-launche…
Kicksecure:master
← madaidan:list
Awesome! All merged. Left some inline comments.
sandbox-app-launcher is an application launcher that starts each app inside its own restrictive sandbox. It runs each app as its own user, in a bubblewrap sandbox and confined by AppArmor.
Still has TODOs not yet written, produces errors:
root@host:~# sandbox-app-launcher setup torbrowser
ERROR: Directory '/home/sandbox-app-launcher-appdata' does not exist. This package was not installed properly.
root@host:~# apt install sandbox-app-launcher-appdata
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
E: Unable to locate package sandbox-app-launcher-appdata
root@host:~#
root@host:~# sandbox-app-launcher setup torbrowser
ERROR: File '/usr/share/sandbox-app-launcher/wrapper-script-wx-wx' does not exist. This package was not installed properly.
root@host:~# DEBDEBUG=1 apt install --reinstall sandbox-app-launcher
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
0 upgraded, 0 newly installed, 1 reinstalled, 0 to remove and 0 not upgraded.
Need to get 37.3 kB of archives.
After this operation, 0 B of additional disk space will be used.
Get:1 tor+https://deb.whonix.org bullseye-testers/main amd64 sandbox-app-launcher all 0:5.3-1 [37.3 kB]
Fetched 37.3 kB in 1s (27.2 kB/s)
(Reading database ... 58705 files and directories currently installed.)
Preparing to unpack .../sandbox-app-launcher_0%3a5.3-1_all.deb ...
Unpacking sandbox-app-launcher (5.3-1) over (5.3-1) ...
++ '[' '' = true ']'
++ colors
++ '[' xterm-256color = '' ']'
++ [[ -t 2 ]]
+++ type -t errorhandlergeneral
++ '[' '' = function ']'
+++ trap -p ERR
++ '[' '' = '' ']'
++ trap error_handler_pre ERR
++ bash -n /usr/libexec/helper-scripts/pre.bsh
++ bash -n /var/lib/dpkg/info/sandbox-app-launcher.postrm
++ own_filename=sandbox-app-launcher.postrm
++ source_config_folder
++ '[' sandbox-app-launcher = '' ']'
++ pre_bsh_settings_folder=sandbox-app-launcher_maint.d
++ shopt -s nullglob
++ local i
++ true 'folder 1: /etc/sandbox-app-launcher_maint.d/*.conf'
++ true 'folder 2: /usr/local/etc/sandbox-app-launcher_maint.d/*.conf'
++ shopt -u nullglob
++ check_scripts_to_skip
++ local skip_script
+ set -e
+ true '
#####################################################################
## INFO: BEGIN: sandbox-app-launcher postrm upgrade' '5.3-1
#####################################################################
'
+ rm -rf /var/cache/sandbox-app-launcher-autogenerated
+ getent passwd
+ grep -q sal-
+ true 'INFO: debhelper beginning here.'
+ '[' upgrade = purge ']'
+ true 'INFO: Done with debhelper.'
+ true '
#####################################################################
## INFO: END : sandbox-app-launcher postrm upgrade' '5.3-1
#####################################################################
'
+ exit 0
Setting up sandbox-app-launcher (5.3-1) ...
++ '[' '' = true ']'
++ colors
++ '[' xterm-256color = '' ']'
++ [[ -t 2 ]]
+++ type -t errorhandlergeneral
++ '[' '' = function ']'
+++ trap -p ERR
++ '[' '' = '' ']'
++ trap error_handler_pre ERR
++ bash -n /usr/libexec/helper-scripts/pre.bsh
++ bash -n /var/lib/dpkg/info/sandbox-app-launcher.postinst
++ own_filename=sandbox-app-launcher.postinst
++ source_config_folder
++ '[' sandbox-app-launcher = '' ']'
++ pre_bsh_settings_folder=sandbox-app-launcher_maint.d
++ shopt -s nullglob
++ local i
++ true 'folder 1: /etc/sandbox-app-launcher_maint.d/*.conf'
++ true 'folder 2: /usr/local/etc/sandbox-app-launcher_maint.d/*.conf'
++ shopt -u nullglob
++ check_scripts_to_skip
++ local skip_script
+ set -e
+ true '
#####################################################################
## INFO: BEGIN: sandbox-app-launcher postinst configure' '5.3-1
#####################################################################
'
+ main_app_dir=/usr/share/sandbox-app-launcher
+ auto_dir=/var/cache/sandbox-app-launcher-autogenerated
+ appdata_dir=/home/sandbox-app-launcher-appdata
+ shared_dir=/home/sandbox-app-launcher-appdata/shared
+ wrapper_script=/usr/share/sandbox-app-launcher/wrapper-script
+ for dir in "${main_app_dir}" "${auto_dir}" "${appdata_dir}"
+ '[' -d /usr/share/sandbox-app-launcher ']'
+ for dir in "${main_app_dir}" "${auto_dir}" "${appdata_dir}"
+ '[' -d /var/cache/sandbox-app-launcher-autogenerated ']'
+ mkdir -m 755 /var/cache/sandbox-app-launcher-autogenerated
+ for dir in "${main_app_dir}" "${auto_dir}" "${appdata_dir}"
+ '[' -d /home/sandbox-app-launcher-appdata ']'
+ mkdir -m 755 /home/sandbox-app-launcher-appdata
+ '[' -d /home/sandbox-app-launcher-appdata/shared ']'
+ mkdir -m 1777 /home/sandbox-app-launcher-appdata/shared
+ cp /usr/share/sandbox-app-launcher/wrapper-script /usr/share/sandbox-app-launcher/wrapper-script-wx
+ compiler_flags='-lseccomp -ldl -D_GNU_SOURCE -Wdate-time -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector-all -Wformat -Werror=format-security -Wl,-z,relro -Wl,-z,now'
+ /usr/share/sandbox-app-launcher/autogen-seccomp /usr/share/sandbox-app-launcher/seccomp-whitelist
+ /usr/share/sandbox-app-launcher/autogen-seccomp /usr/share/sandbox-app-launcher/seccomp-whitelist-wx
+ LANG=C
+ str_replace seccomp-filter.bpf seccomp-filter-wx.bpf /var/cache/sandbox-app-launcher-autogenerated/seccomp-wx.c
+ gcc /var/cache/sandbox-app-launcher-autogenerated/seccomp.c -o /var/cache/sandbox-app-launcher-autogenerated/seccomp -lseccomp -ldl -D_GNU_SOURCE -Wdate-time -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector-all -Wformat -Werror=format-security -Wl,-z,relro -Wl,-z,now
+ gcc /var/cache/sandbox-app-launcher-autogenerated/seccomp-wx.c -o /var/cache/sandbox-app-launcher-autogenerated/seccomp-wx -lseccomp -ldl -D_GNU_SOURCE -Wdate-time -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector-all -Wformat -Werror=format-security -Wl,-z,relro -Wl,-z,now
+ chmod 700 /var/cache/sandbox-app-launcher-autogenerated/seccomp /var/cache/sandbox-app-launcher-autogenerated/seccomp-wx
+ /var/cache/sandbox-app-launcher-autogenerated/seccomp
+ /var/cache/sandbox-app-launcher-autogenerated/seccomp-wx
+ true 'INFO: debhelper beginning here.'
+ '[' configure = configure ']'
+ APP_PROFILE=/etc/apparmor.d/sandbox-app-launcher
+ '[' -f /etc/apparmor.d/sandbox-app-launcher ']'
+ LOCAL_APP_PROFILE=/etc/apparmor.d/local/sandbox-app-launcher
+ test -e /etc/apparmor.d/local/sandbox-app-launcher
+ aa-enabled --quiet
+ apparmor_parser -r -T -W /etc/apparmor.d/sandbox-app-launcher
+ true 'INFO: Done with debhelper.'
+ true '
#####################################################################
## INFO: END : sandbox-app-launcher postinst configure' '5.3-1
#####################################################################
'
+ exit 0
Processing triggers for man-db (2.9.4-2) ...
Does folder /home exist in that VM? To check:
ls -la /home
It’s the Whonix Qubes default, no changes:
user@host:~$ ls -la /home
total 12
drwxr-xr-x 3 root root 4096 Sep 15 2021 .
drwxr-xr-x 20 root root 4096 Jul 14 14:10 ..
drwx------ 20 user user 4096 Jul 9 09:40 user
user@host:~$
Patrick via Whonix Forum:
10< <(getent passwd root ${app_user} nobody) \
11< <(getent group root ${app_user} nobody) \
Due to Delete/Disable nobody user from whonix passwd I’ll remove nobody.
I will add:
--ro-bind-try /usr/libexec /usr/libexec
Otherwise /etc/X11/Xsession.d/20torbrowser
cannot see /usr/libexec/anon-ws-disable-stacked-tor/torbrowser.sh
which then breaks Tor Browser.
Better but still lots of things broken.
sandbox-app-launcher start env
/etc/X11/Xsession.d/20torbrowser: line 19: /usr/libexec/anon-ws-disable-stacked-tor/torbrowser.sh: Permission denied
/etc/X11/Xsession.d/20uwt: line 14: /usr/libexec/uwt/uwt.sh: Permission denied
/etc/X11/Xsession.d/20whonix: line 7: /usr/libexec/whonix-base-files/whonix.sh: Permission denied
/etc/X11/Xsession.d/20whonix-welcome-page: line 7: /usr/libexec/whonix-welcome-page/env_var.sh: Permission denied
/etc/X11/Xsession.d/50default_editor: line 7: /usr/libexec/default-editor/default_editor.sh: Permission denied
/etc/X11/Xsession.d/50tb_default_browser: line 7: /usr/libexec/tb-default-browser/tb_default_browser.sh: Permission denied
I don’t think I’ll be working on sandbox-app-launcher soon. Help welcome!