System-wide sandboxing framework - sandbox-app-launcher

Currently we don’t have proper whitespace handling.

    bash -c "
  bwrap \
  --ro-bind /bin /bin \
...
  --ro-bind ${main_app_dir}/machine-id /etc/machine-id \
...
  10< <(getent passwd root ${app_user} nobody) \
  11< <(getent group root ${app_user} nobody) \
  12< ${seccomp_filter} \
  ${bwrap_args} \
  ${wrapper_script} ${@}"

User names or folder names with white spaces wouldn’t work, but we don’t have these and check that there are no such characters.

Arguments however ${@} would be broken. Such as

sandbox-app-launcher start vlc "my video"

would break. That would result in VLC trying to open a file my and a file video.

It could be made to work similar to: proper whitespace handling · Kicksecure/apparmor-profile-everything@d3eccd4 · GitHub

But since the bwrap command is very lengthy, that would be rather ugly.

I guess we couldn’t even use

command+=("--ro-bind /bin /bin")
command+=("--ro-bind /usr/bin /usr/bin")
...

Because that would be interpreted as:

'--ro-bind /bin /bin'

And not as intended as:

--ro-bind /bin /bin

However, the following would probably work

command+=("--ro-bind")
command+=("/bin")
command+=("/bin")
...
bash -c "${command[@]}"

but would make the code look much worse. (60 lines of bwrap command would become, I guesstimate, 180 lines.)

The issue comes from the bash subshell opening with another double quote (bash -c "):

  sudo \
...
    bash -c "
  bwrap \
...
  --seccomp 12 \
  10< <(getent passwd root ${app_user} nobody) \
  11< <(getent group root ${app_user} nobody) \
  12< ${seccomp_filter} \
  ${bwrap_args} \
  ${wrapper_script} ${@}"

Do you think it would be a good idea to move that into its own /usr/share/sandbox-app-launcher/bwrap-wrapper script? Then I believe whitespace handling could be easily fixed.

(No need for command+=("--ro-bind") or "${command[@]}".)

I think it’s better to just lay a few files in the root mount namespace shared by multiple applications and guard the files with apparmor so that only applications that need the shared files can access them.

  • /run/user-id/sway-ipc-*
  • /run/user-id/wayland-*
  • shared dbus sessions.

How would that fix it? We’d still need the subshell for the file descriptors.

1 Like

Yes, but that is OK…?

We’d have proper whitespace handling… The pseudo code:

sandbox-app-launcher:

  sudo \
    --set-home \
    --user="${app_user}" \
    sandbox_app_launcher_debug="$sandbox_app_launcher_debug" \
    app_path="$app_path" \
    /usr/share/sandbox-app-launcher/bwrap-wrapper

bwrap-wrapper:

  bwrap \
...
  --ro-bind "${main_app_dir}/machine-id /etc/machine-id" \
  --ro-bind "${wrapper_script}" "${wrapper_script}" \
  10< <(getent passwd root "${app_user}" nobody) \
  11< <(getent group root "${app_user}" nobody) \
  12< "${seccomp_filter}" \
  "${bwrap_args}" \
  "${wrapper_script}" "${@}"

Using "${@}" (or "$@") would fix whitespace handling.

If that sounds good, I am eager to implement this.

2 Likes
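To make the difference concrete, here is an added example (not sandbox-app-launcher's own code) that stands in for the bash -c "bwrap ... ${wrapper_script} ${@}" subshell: the inner shell only reports the arguments the sandboxed app would have received, and the file names are constructed.

```shell
#!/bin/sh
# Added example, not sandbox-app-launcher code: a stand-in for the
# 'bash -c "bwrap ... ${wrapper_script} ${@}"' subshell. The inner shell only
# reports the arguments that the sandboxed app would have received.

# Broken variant: the launcher's arguments are pasted into the double-quoted
# command string, and the inner shell parses that string again, so an argument
# containing a space is split into several words. (The same re-parsing would
# also interpret any shell metacharacters inside an argument, which is the
# risk that makes this pattern worth removing, not only the cosmetic one.)
launch_via_string() {
  sh -c "set -- $*; echo \$#"
}

# Fixed variant, equivalent to moving bwrap into its own bwrap-wrapper script:
# the inner script text is a fixed string and the arguments are handed over as
# positional parameters, so "$@" reaches the app exactly as typed.
launch_via_wrapper() {
  sh -c 'echo $#' bwrap-wrapper "$@"
}

# Same fixed variant, but printing each argument in brackets to show that
# "my video" stays one word.
show_words_via_wrapper() {
  sh -c 'printf "[%s]" "$@"' bwrap-wrapper "$@"
}

# Constructed input: two file names that each contain a space.
echo "string variant:  $(launch_via_string "my video" "file 2") args"
echo "wrapper variant: $(launch_via_wrapper "my video" "file 2") args"
echo "wrapper words:   $(show_words_via_wrapper "my video" "file 2")"
```

The string variant reports 4 arguments, the wrapper variant 2, which is exactly the 4-files-versus-2-files behaviour seen with VLC.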

Ah, I understand now. That would be good to implement.

2 Likes

It’s implemented. We now have proper whitespace support. Please have a look.
Not too beautiful code. Some imperfections.

  • bwrap_args still does not have proper whitespace support, but that’s not user facing since the path to shared_dir is hardcoded.
  • Lots of variables have to be passed from sandbox-app-launcher to bwrap-wrapper since we cannot preserve the environment (sudo -E).

2 Likes

sandbox-app-launcher start vlc "abc cde" "file 2"

This is actually good:

[0000738ee3f89d00] filesystem stream error: cannot open file /home/sandbox-app-launcher-appdata/vlc/abc cde (No such file or directory)
[0000738ee3f8f480] filesystem stream error: cannot open file /home/sandbox-app-launcher-appdata/vlc/file 2 (No such file or directory)

Your input can’t be opened:
VLC is unable to open the MRL ‘file:///home/sandbox-app-launcher-appdata/vlc/abc%20cde’. Check the log for details.
Your input can’t be opened:
VLC is unable to open the MRL ‘file:///home/sandbox-app-launcher-appdata/vlc/file%202’. Check the log for details.

It shows proper whitespace handling. Previously VLC (example, any application) would have attempted to open 4 files (abc, def, file, 2) instead of 2 files (“abc def”, “file 2”).

1 Like

Looks good to me.

1 Like

It would be useful to have a list argument to list all the currently configured sandboxes. Could simply be:

getent passwd | grep "sal" | sed -e 's/:.*//g' | str_replace "sal-" ""

Also since replace dynamic wrapper script creation with static script · Kicksecure/sandbox-app-launcher@f939fe8 · GitHub, the AppArmor profile is now broken: sandbox-app-launcher/sandbox-app-launcher at master · Kicksecure/sandbox-app-launcher · GitHub

Profile sandbox-app-launcher applies to /var/cache/sandbox-app-launcher-autogenerated/wrappers/** and profile sandbox-app-launcher-wx applies to /var/cache/sandbox-app-launcher-autogenerated/wrappers-wx/**

Since those directories no longer exist, we will need to create 2 copies of the static wrapper script: wrapper-script and wrapper-script-wx, confined by their respective AppArmor profiles.

1 Like

Awesome! All merged. Left some inline comments.

1 Like

Still has TODOs not yet written; produces errors:

root@host:~# sandbox-app-launcher setup torbrowser
ERROR: Directory '/home/sandbox-app-launcher-appdata' does not exist. This package was not installed properly.
root@host:~# apt install sandbox-app-launcher-appdata
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
E: Unable to locate package sandbox-app-launcher-appdata
root@host:~#
root@host:~# sandbox-app-launcher setup torbrowser
ERROR: File '/usr/share/sandbox-app-launcher/wrapper-script-wx-wx' does not exist. This package was not installed properly.
root@host:~# DEBDEBUG=1 apt install --reinstall sandbox-app-launcher
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
0 upgraded, 0 newly installed, 1 reinstalled, 0 to remove and 0 not upgraded.
Need to get 37.3 kB of archives.
After this operation, 0 B of additional disk space will be used.
Get:1 tor+https://deb.whonix.org bullseye-testers/main amd64 sandbox-app-launcher all 0:5.3-1 [37.3 kB]
Fetched 37.3 kB in 1s (27.2 kB/s)         
(Reading database ... 58705 files and directories currently installed.)
Preparing to unpack .../sandbox-app-launcher_0%3a5.3-1_all.deb ...
Unpacking sandbox-app-launcher (5.3-1) over (5.3-1) ...
++ '[' '' = true ']'
++ colors
++ '[' xterm-256color = '' ']'
++ [[ -t 2 ]]
+++ type -t errorhandlergeneral
++ '[' '' = function ']'
+++ trap -p ERR
++ '[' '' = '' ']'
++ trap error_handler_pre ERR
++ bash -n /usr/libexec/helper-scripts/pre.bsh
++ bash -n /var/lib/dpkg/info/sandbox-app-launcher.postrm
++ own_filename=sandbox-app-launcher.postrm
++ source_config_folder
++ '[' sandbox-app-launcher = '' ']'
++ pre_bsh_settings_folder=sandbox-app-launcher_maint.d
++ shopt -s nullglob
++ local i
++ true 'folder 1: /etc/sandbox-app-launcher_maint.d/*.conf'
++ true 'folder 2: /usr/local/etc/sandbox-app-launcher_maint.d/*.conf'
++ shopt -u nullglob
++ check_scripts_to_skip
++ local skip_script
+ set -e
+ true '
#####################################################################
## INFO: BEGIN: sandbox-app-launcher postrm upgrade' '5.3-1
#####################################################################
'
+ rm -rf /var/cache/sandbox-app-launcher-autogenerated
+ getent passwd
+ grep -q sal-
+ true 'INFO: debhelper beginning here.'
+ '[' upgrade = purge ']'
+ true 'INFO: Done with debhelper.'
+ true '
#####################################################################
## INFO: END  : sandbox-app-launcher postrm upgrade' '5.3-1
#####################################################################
'
+ exit 0
Setting up sandbox-app-launcher (5.3-1) ...
++ '[' '' = true ']'
++ colors
++ '[' xterm-256color = '' ']'
++ [[ -t 2 ]]
+++ type -t errorhandlergeneral
++ '[' '' = function ']'
+++ trap -p ERR
++ '[' '' = '' ']'
++ trap error_handler_pre ERR
++ bash -n /usr/libexec/helper-scripts/pre.bsh
++ bash -n /var/lib/dpkg/info/sandbox-app-launcher.postinst
++ own_filename=sandbox-app-launcher.postinst
++ source_config_folder
++ '[' sandbox-app-launcher = '' ']'
++ pre_bsh_settings_folder=sandbox-app-launcher_maint.d
++ shopt -s nullglob
++ local i
++ true 'folder 1: /etc/sandbox-app-launcher_maint.d/*.conf'
++ true 'folder 2: /usr/local/etc/sandbox-app-launcher_maint.d/*.conf'
++ shopt -u nullglob
++ check_scripts_to_skip
++ local skip_script
+ set -e
+ true '
#####################################################################
## INFO: BEGIN: sandbox-app-launcher postinst configure' '5.3-1
#####################################################################
'
+ main_app_dir=/usr/share/sandbox-app-launcher
+ auto_dir=/var/cache/sandbox-app-launcher-autogenerated
+ appdata_dir=/home/sandbox-app-launcher-appdata
+ shared_dir=/home/sandbox-app-launcher-appdata/shared
+ wrapper_script=/usr/share/sandbox-app-launcher/wrapper-script
+ for dir in "${main_app_dir}" "${auto_dir}" "${appdata_dir}"
+ '[' -d /usr/share/sandbox-app-launcher ']'
+ for dir in "${main_app_dir}" "${auto_dir}" "${appdata_dir}"
+ '[' -d /var/cache/sandbox-app-launcher-autogenerated ']'
+ mkdir -m 755 /var/cache/sandbox-app-launcher-autogenerated
+ for dir in "${main_app_dir}" "${auto_dir}" "${appdata_dir}"
+ '[' -d /home/sandbox-app-launcher-appdata ']'
+ mkdir -m 755 /home/sandbox-app-launcher-appdata
+ '[' -d /home/sandbox-app-launcher-appdata/shared ']'
+ mkdir -m 1777 /home/sandbox-app-launcher-appdata/shared
+ cp /usr/share/sandbox-app-launcher/wrapper-script /usr/share/sandbox-app-launcher/wrapper-script-wx
+ compiler_flags='-lseccomp -ldl -D_GNU_SOURCE -Wdate-time -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector-all -Wformat -Werror=format-security -Wl,-z,relro -Wl,-z,now'
+ /usr/share/sandbox-app-launcher/autogen-seccomp /usr/share/sandbox-app-launcher/seccomp-whitelist
+ /usr/share/sandbox-app-launcher/autogen-seccomp /usr/share/sandbox-app-launcher/seccomp-whitelist-wx
+ LANG=C
+ str_replace seccomp-filter.bpf seccomp-filter-wx.bpf /var/cache/sandbox-app-launcher-autogenerated/seccomp-wx.c
+ gcc /var/cache/sandbox-app-launcher-autogenerated/seccomp.c -o /var/cache/sandbox-app-launcher-autogenerated/seccomp -lseccomp -ldl -D_GNU_SOURCE -Wdate-time -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector-all -Wformat -Werror=format-security -Wl,-z,relro -Wl,-z,now
+ gcc /var/cache/sandbox-app-launcher-autogenerated/seccomp-wx.c -o /var/cache/sandbox-app-launcher-autogenerated/seccomp-wx -lseccomp -ldl -D_GNU_SOURCE -Wdate-time -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector-all -Wformat -Werror=format-security -Wl,-z,relro -Wl,-z,now
+ chmod 700 /var/cache/sandbox-app-launcher-autogenerated/seccomp /var/cache/sandbox-app-launcher-autogenerated/seccomp-wx
+ /var/cache/sandbox-app-launcher-autogenerated/seccomp
+ /var/cache/sandbox-app-launcher-autogenerated/seccomp-wx
+ true 'INFO: debhelper beginning here.'
+ '[' configure = configure ']'
+ APP_PROFILE=/etc/apparmor.d/sandbox-app-launcher
+ '[' -f /etc/apparmor.d/sandbox-app-launcher ']'
+ LOCAL_APP_PROFILE=/etc/apparmor.d/local/sandbox-app-launcher
+ test -e /etc/apparmor.d/local/sandbox-app-launcher
+ aa-enabled --quiet
+ apparmor_parser -r -T -W /etc/apparmor.d/sandbox-app-launcher
+ true 'INFO: Done with debhelper.'
+ true '
#####################################################################
## INFO: END  : sandbox-app-launcher postinst configure' '5.3-1
#####################################################################
'
+ exit 0
Processing triggers for man-db (2.9.4-2) ...
1 Like

Does folder /home exist in that VM? To check:

ls -la /home

It’s the Whonix Qubes default, no changes:

user@host:~$ ls -la /home
total 12
drwxr-xr-x  3 root root 4096 Sep 15  2021 .
drwxr-xr-x 20 root root 4096 Jul 14 14:10 ..
drwx------ 20 user user 4096 Jul  9 09:40 user
user@host:~$

1 Like

Patrick via Whonix Forum:

  10< <(getent passwd root ${app_user} nobody) \
  11< <(getent group root ${app_user} nobody) \

Due to Delete/Disable nobody user from whonix passwd I’ll remove nobody.

I will add:
--ro-bind-try /usr/libexec /usr/libexec

Otherwise /etc/X11/Xsession.d/20torbrowser cannot see /usr/libexec/anon-ws-disable-stacked-tor/torbrowser.sh which then breaks Tor Browser.

1 Like

Better but still lots of things broken.

sandbox-app-launcher start env

/etc/X11/Xsession.d/20torbrowser: line 19: /usr/libexec/anon-ws-disable-stacked-tor/torbrowser.sh: Permission denied
/etc/X11/Xsession.d/20uwt: line 14: /usr/libexec/uwt/uwt.sh: Permission denied
/etc/X11/Xsession.d/20whonix: line 7: /usr/libexec/whonix-base-files/whonix.sh: Permission denied
/etc/X11/Xsession.d/20whonix-welcome-page: line 7: /usr/libexec/whonix-welcome-page/env_var.sh: Permission denied
/etc/X11/Xsession.d/50default_editor: line 7: /usr/libexec/default-editor/default_editor.sh: Permission denied
/etc/X11/Xsession.d/50tb_default_browser: line 7: /usr/libexec/tb-default-browser/tb_default_browser.sh: Permission denied

I don’t think I’ll be working on sandbox-app-launcher soon. Help welcome!

1 Like

Hello.
I can’t start applications via “sandbox-app-launcher start”. The terminal gives the following output: “bwrap: Can’t find source path /sys/devices: Permission denied”.
And it works with any application. Previously used the command “sudo sandbox-app-launcher setup”, which completed successfully.

Similar project:

2 Likes