System-wide sandboxing framework - sandbox-app-launcher

It’s not really comparable. That sandbox is designed/fine-tuned for a single application. sandbox-app-launcher is a generic, “catch-all” sandbox.

I don’t see how sandbox-app-launcher could affect fingerprinting. Websites don’t have direct access to files, syscalls, etc. They can’t detect whether the browser is sandboxed.

There are security issues of course. The main one being X11 but hopefully we can switch to Wayland.

I assume they made as much as possible read-only. This wouldn’t really make sense for sandbox-app-launcher since it isn’t Tor Browser specific unless we add exceptions but even then, I don’t see any advantage of this. Persistent malware could implant itself into the Tor Browser files but if it had that level of access, it could also implant itself into ~/.bashrc, etc.

The only place malware can persist is the home directory or shared storage (if enabled as read-write) and it can only ever be executed if W^X is disabled.

What about pulseaudio? There is yet another replacement called pipewire, Is it more security conscious?

Looks awesome now thanks for editing. https://www.whonix.org/w/index.php?title=Sandbox-app-launcher&oldid=60169&diff=cur

Access to PulseAudio from within the sandbox is completely blocked. This isn’t a good solution because:

1. It obviously breaks PulseAudio. It could break all audio but ALSA may still work. We’d need to test this.

2. It might be unnecessary since we use separate users anyway. I haven’t tested this yet either.

From what I can see, it likely is but I need to review it more.

This is an issue in a Qubes TempalteBasedVM.

sandbox-app-launcher firefox

ERROR: Must run as root.

sudo sandbox-app-launcher firefox

bwrap: Can’t find source path /home/sandbox-app-launcher-appdata/firefox: Permission denied

The issue is that after reboot the new user created by useradd is lost but the home folder might still exist.

Reasons for using adduser instead of useradd:

But got another issue now.

bwrap: Can’t find source path /home/sandbox-app-launcher-appdata/nano: Permission denied

sudo stat /home/sandbox-app-launcher-appdata/nano

File: /home/sandbox-app-launcher-appdata/nano
Access: (0700/drwx------) Uid: ( 1003/sandbox-nano) Gid: ( 1003/sandbox-nano)

stat /home/sandbox-app-launcher-appdata

File: /home/sandbox-app-launcher-appdata
Access: (0750/drwxr-x—) Uid: ( 0/ root) Gid: ( 0/ root)

This fixes it.

There is a lot stuff in /etc/X11/Xsession.d. I am looking for ways to parse all in a generic way.

find /etc/X11/Xsession.d

/etc/X11/Xsession.d/
/etc/X11/Xsession.d/50default_editor
/etc/X11/Xsession.d/50panic_on_oops
/etc/X11/Xsession.d/20uwt
/etc/X11/Xsession.d/50anon-apps-config
/etc/X11/Xsession.d/30x11-common_xresources
/etc/X11/Xsession.d/50security-misc
/etc/X11/Xsession.d/20whonix-welcome-page
/etc/X11/Xsession.d/20torbrowser
/etc/X11/Xsession.d/95dbus_update-activation-env
/etc/X11/Xsession.d/99x11-common_start
/etc/X11/Xsession.d/50tb_default_browser
/etc/X11/Xsession.d/90x11-common_ssh-agent
/etc/X11/Xsession.d/75dbus_dbus-launch
/etc/X11/Xsession.d/50x11-common_determine-startup
/etc/X11/Xsession.d/40open_link_confirmation_kde
/etc/X11/Xsession.d/20qt-gnome-desktop-session-id
/etc/X11/Xsession.d/35x11-common_xhost-local
/etc/X11/Xsession.d/40x11-common_xsessionrc
/etc/X11/Xsession.d/20qt-x11-no-mitshm
/etc/X11/Xsession.d/90gpg-agent
/etc/X11/Xsession.d/20x11-common_process-args
/etc/X11/Xsession.d/25xdg-qubes-settings
/etc/X11/Xsession.d/40open_link_confirmation
/etc/X11/Xsession.d/50torbrowser_default_browser
/etc/X11/Xsession.d/20whonix
/etc/X11/Xsession.d/90qubes-keymap

Here is an example wrapper script that I’ve been auto generating:
/var/cache/sandbox-app-launcher-autogenerated/wrappers-wx/torbrowser

#!/bin/sh

## Using sh because /etc/X11/Xsession is written in sh.

## Debugging.
set -x

export sandbox_app_launcher_wrapper_script=true
SYSSESSIONDIR=/etc/X11/Xsession.d
SESSIONFILES=$(run-parts --list $SYSSESSIONDIR)
if [ -n "$SESSIONFILES" ]; then
  set +e
  for SESSIONFILE in $SESSIONFILES; do
    if [ "$SESSIONFILE" = "/etc/X11/Xsession.d/99x11-common_start" ]; then
       continue
    fi
    . $SESSIONFILE
  done
  set -e
fi
"/home/sandbox-app-launcher-appdata/torbrowser/.tb/tor-browser/Browser/start-tor-browser" "${@}"

Here is the relevant xtrace.

+ export sandbox_app_launcher_wrapper_script=true
+ SYSSESSIONDIR=/etc/X11/Xsession.d
+ run-parts --list /etc/X11/Xsession.d
+ SESSIONFILES=/etc/X11/Xsession.d/20qt-gnome-desktop-session-id
/etc/X11/Xsession.d/20qt-x11-no-mitshm
/etc/X11/Xsession.d/20torbrowser
/etc/X11/Xsession.d/20uwt
/etc/X11/Xsession.d/20whonix
/etc/X11/Xsession.d/20whonix-welcome-page
/etc/X11/Xsession.d/20x11-common_process-args
/etc/X11/Xsession.d/25xdg-qubes-settings
/etc/X11/Xsession.d/30x11-common_xresources
/etc/X11/Xsession.d/35x11-common_xhost-local
/etc/X11/Xsession.d/40open_link_confirmation
/etc/X11/Xsession.d/40open_link_confirmation_kde
/etc/X11/Xsession.d/40x11-common_xsessionrc
/etc/X11/Xsession.d/50anon-apps-config
/etc/X11/Xsession.d/50default_editor
/etc/X11/Xsession.d/50panic_on_oops
/etc/X11/Xsession.d/50security-misc
/etc/X11/Xsession.d/50tb_default_browser
/etc/X11/Xsession.d/50torbrowser_default_browser
/etc/X11/Xsession.d/50x11-common_determine-startup
/etc/X11/Xsession.d/75dbus_dbus-launch
/etc/X11/Xsession.d/90gpg-agent
/etc/X11/Xsession.d/90qubes-keymap
/etc/X11/Xsession.d/90x11-common_ssh-agent
/etc/X11/Xsession.d/95dbus_update-activation-env
/etc/X11/Xsession.d/99x11-common_start
+ [ -n /etc/X11/Xsession.d/20qt-gnome-desktop-session-id
/etc/X11/Xsession.d/20qt-x11-no-mitshm
/etc/X11/Xsession.d/20torbrowser
/etc/X11/Xsession.d/20uwt
/etc/X11/Xsession.d/20whonix
/etc/X11/Xsession.d/20whonix-welcome-page
/etc/X11/Xsession.d/20x11-common_process-args
/etc/X11/Xsession.d/25xdg-qubes-settings
/etc/X11/Xsession.d/30x11-common_xresources
/etc/X11/Xsession.d/35x11-common_xhost-local
/etc/X11/Xsession.d/40open_link_confirmation
/etc/X11/Xsession.d/40open_link_confirmation_kde
/etc/X11/Xsession.d/40x11-common_xsessionrc
/etc/X11/Xsession.d/50anon-apps-config
/etc/X11/Xsession.d/50default_editor
/etc/X11/Xsession.d/50panic_on_oops
/etc/X11/Xsession.d/50security-misc
/etc/X11/Xsession.d/50tb_default_browser
/etc/X11/Xsession.d/50torbrowser_default_browser
/etc/X11/Xsession.d/50x11-common_determine-startup
/etc/X11/Xsession.d/75dbus_dbus-launch
/etc/X11/Xsession.d/90gpg-agent
/etc/X11/Xsession.d/90qubes-keymap
/etc/X11/Xsession.d/90x11-common_ssh-agent
/etc/X11/Xsession.d/95dbus_update-activation-env
/etc/X11/Xsession.d/99x11-common_start ]
+ set +e
+ [ /etc/X11/Xsession.d/20qt-gnome-desktop-session-id = /etc/X11/Xsession.d/99x11-common_start ]
+ . /etc/X11/Xsession.d/20qt-gnome-desktop-session-id
+ [ -z  ]
+ export GNOME_DESKTOP_SESSION_ID=
+ [ /etc/X11/Xsession.d/20qt-x11-no-mitshm = /etc/X11/Xsession.d/99x11-common_start ]
+ . /etc/X11/Xsession.d/20qt-x11-no-mitshm
+ export QT_X11_NO_MITSHM=1
+ [ /etc/X11/Xsession.d/20torbrowser = /etc/X11/Xsession.d/99x11-common_start ]
+ . /etc/X11/Xsession.d/20torbrowser
+ [ -x /usr/lib/anon-ws-disable-stacked-tor/torbrowser.sh ]
+ . /usr/lib/anon-ws-disable-stacked-tor/torbrowser.sh
+ export TOR_SKIP_LAUNCH=1
+ export TOR_SOCKS_IPC_PATH=/run/anon-ws-disable-stacked-tor/127.0.0.1_9150.sock
+ export TOR_CONTROL_IPC_PATH=/run/anon-ws-disable-stacked-tor/127.0.0.1_9151.sock
+ export TOR_SKIP_CONTROLPORTTEST=1
+ export TOR_NO_DISPLAY_NETWORK_SETTINGS=1
+ [ /etc/X11/Xsession.d/20uwt = /etc/X11/Xsession.d/99x11-common_start ]
+ . /etc/X11/Xsession.d/20uwt
+ [ -x /usr/lib/uwt/uwt.sh ]
+ . /usr/lib/uwt/uwt.sh
+ export TORSOCKS_LOG_LEVEL=1
+ [ /etc/X11/Xsession.d/20whonix = /etc/X11/Xsession.d/99x11-common_start ]
+ . /etc/X11/Xsession.d/20whonix
+ [ -x /usr/lib/whonix/whonix.sh ]
+ . /usr/lib/whonix/whonix.sh
+ export WHONIX=1
+ export TOR_HIDE_BROWSER_LOGO=1
+ [ /etc/X11/Xsession.d/20whonix-welcome-page = /etc/X11/Xsession.d/99x11-common_start ]
+ . /etc/X11/Xsession.d/20whonix-welcome-page
+ [ -x /usr/lib/whonix-welcome-page/env_var.sh ]
+ . /usr/lib/whonix-welcome-page/env_var.sh
+ [  =  ]
+ TOR_DEFAULT_HOMEPAGE=/usr/share/homepage/whonix-welcome-page/whonix.html
+ export TOR_DEFAULT_HOMEPAGE
+ [ /etc/X11/Xsession.d/20x11-common_process-args = /etc/X11/Xsession.d/99x11-common_start ]
+ . /etc/X11/Xsession.d/20x11-common_process-args
+ cat 
cat: '': No such file or directory
+ OPTIONS=
+ true
+ [ /etc/X11/Xsession.d/25xdg-qubes-settings = /etc/X11/Xsession.d/99x11-common_start ]
+ . /etc/X11/Xsession.d/25xdg-qubes-settings
+ [ -x /usr/bin/xsettingsd ]
+ [ /etc/X11/Xsession.d/30x11-common_xresources = /etc/X11/Xsession.d/99x11-common_start ]
+ . /etc/X11/Xsession.d/30x11-common_xresources
+ [ -d  ]
+ has_option allow-user-resources
+ [  !=  ]
+ return 1
+ [ /etc/X11/Xsession.d/35x11-common_xhost-local = /etc/X11/Xsession.d/99x11-common_start ]
+ . /etc/X11/Xsession.d/35x11-common_xhost-local
+ type xhost
+ id -un
+ xhost +si:localuser:sandbox-torbrowser
localuser:sandbox-torbrowser being added to access control list
+ [ /etc/X11/Xsession.d/40open_link_confirmation = /etc/X11/Xsession.d/99x11-common_start ]
+ . /etc/X11/Xsession.d/40open_link_confirmation
+ [ -x /usr/lib/open-link-confirmation/open-link-confirmation.sh ]
+ . /usr/lib/open-link-confirmation/open-link-confirmation.sh
+ export BROWSER=/usr/lib/open_link_confirmation
+ [ /etc/X11/Xsession.d/40open_link_confirmation_kde = /etc/X11/Xsession.d/99x11-common_start ]
+ . /etc/X11/Xsession.d/40open_link_confirmation_kde
+ [ -z  ]
+ XDG_CONFIG_DIRS=/etc/xdg
+ export XDG_CONFIG_DIRS=/usr/share/open-link-confirmation/:/etc/xdg
+ [ /etc/X11/Xsession.d/40x11-common_xsessionrc = /etc/X11/Xsession.d/99x11-common_start ]
+ . /etc/X11/Xsession.d/40x11-common_xsessionrc
+ [ -r  ]
+ [ /etc/X11/Xsession.d/50anon-apps-config = /etc/X11/Xsession.d/99x11-common_start ]
+ . /etc/X11/Xsession.d/50anon-apps-config
+ [ -z /usr/share/open-link-confirmation/:/etc/xdg ]
+ export XDG_CONFIG_DIRS=/usr/share/anon-apps-config/:/usr/share/open-link-confirmation/:/etc/xdg
+ [ -z  ]
+ XDG_DATA_DIRS=/usr/local/share/:/usr/share/
+ export XDG_DATA_DIRS=/usr/share/anon-apps-config/share/:/usr/local/share/:/usr/share/
+ [ /etc/X11/Xsession.d/50default_editor = /etc/X11/Xsession.d/99x11-common_start ]
+ . /etc/X11/Xsession.d/50default_editor
+ [ -x /usr/lib/default-editor/default_editor.sh ]
+ . /usr/lib/default-editor/default_editor.sh
+ [  =  ]
+ command -v mousepad
+ VISUAL=mousepad
+ export VISUAL
+ [ /etc/X11/Xsession.d/50panic_on_oops = /etc/X11/Xsession.d/99x11-common_start ]
+ . /etc/X11/Xsession.d/50panic_on_oops
+ [ -x /usr/lib/security-misc/panic-on-oops ]
+ sudo --non-interactive /usr/lib/security-misc/panic-on-oops
sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?
+ [ /etc/X11/Xsession.d/50security-misc = /etc/X11/Xsession.d/99x11-common_start ]
+ . /etc/X11/Xsession.d/50security-misc
+ [ -z /usr/share/anon-apps-config/:/usr/share/open-link-confirmation/:/etc/xdg ]
+ export XDG_CONFIG_DIRS=/usr/share/security-misc/:/usr/share/anon-apps-config/:/usr/share/open-link-confirmation/:/etc/xdg
+ [ /etc/X11/Xsession.d/50tb_default_browser = /etc/X11/Xsession.d/99x11-common_start ]
+ . /etc/X11/Xsession.d/50tb_default_browser
+ [ -x /usr/lib/tb-default-browser/tb_default_browser.sh ]
+ . /usr/lib/tb-default-browser/tb_default_browser.sh
+ export BROWSER=/usr/bin/x-www-browser
+ [ /etc/X11/Xsession.d/50torbrowser_default_browser = /etc/X11/Xsession.d/99x11-common_start ]
+ . /etc/X11/Xsession.d/50torbrowser_default_browser
+ [ -z /usr/share/security-misc/:/usr/share/anon-apps-config/:/usr/share/open-link-confirmation/:/etc/xdg ]
+ export XDG_CONFIG_DIRS=/usr/share/torbrowser-default-browser/:/usr/share/security-misc/:/usr/share/anon-apps-config/:/usr/share/open-link-confirmation/:/etc/xdg
+ [ /etc/X11/Xsession.d/50x11-common_determine-startup = /etc/X11/Xsession.d/99x11-common_start ]
+ . /etc/X11/Xsession.d/50x11-common_determine-startup
+ [ -z  ]
+ has_option allow-user-xsession
+ [  !=  ]
+ return 1
+ [ -z  ]
+ [ -x /usr/bin/x-session-manager ]
+ [ -x /usr/bin/x-window-manager ]
+ [ -x /usr/bin/x-terminal-emulator ]
+ STARTUP=x-terminal-emulator
+ [ -z x-terminal-emulator ]
+ [ /etc/X11/Xsession.d/75dbus_dbus-launch = /etc/X11/Xsession.d/99x11-common_start ]
+ . /etc/X11/Xsession.d/75dbus_dbus-launch
+ STARTDBUS=
+ DBUSLAUNCH=/usr/bin/dbus-launch
+ has_option use-session-dbus
+ [  !=  ]
+ return 1
+ [ -n  ]
+ [ /etc/X11/Xsession.d/90gpg-agent = /etc/X11/Xsession.d/99x11-common_start ]
+ . /etc/X11/Xsession.d/90gpg-agent
+ gpgconf --list-dirs agent-socket
+ agent_sock=/home/sandbox-app-launcher-appdata/torbrowser/.gnupg/S.gpg-agent
+ export GPG_AGENT_INFO=/home/sandbox-app-launcher-appdata/torbrowser/.gnupg/S.gpg-agent:0:1
+ gpgconf --list-options gpg-agent
+ awk -F: /^enable-ssh-support:/{ print $10 }
+ [ -n  ]
+ [ /etc/X11/Xsession.d/90qubes-keymap = /etc/X11/Xsession.d/99x11-common_start ]
+ . /etc/X11/Xsession.d/90qubes-keymap
+ /usr/bin/qubesdb-read /qubes-keyboard
Failed connect to local daemon
+ QUBES_KEYMAP=
+ /bin/echo -e
+ QUBES_KEYMAP=
+ cat /home/sandbox-app-launcher-appdata/torbrowser/.config/qubes-keyboard-layout.rc
+ QUBES_USER_KEYMAP=
+ [ -n  ]
+ [ -n  ]
+ [ /etc/X11/Xsession.d/90x11-common_ssh-agent = /etc/X11/Xsession.d/99x11-common_start ]
+ . /etc/X11/Xsession.d/90x11-common_ssh-agent
+ STARTSSH=
+ SSHAGENT=/usr/bin/ssh-agent
+ SSHAGENTARGS=
+ has_option use-ssh-agent
+ [  !=  ]
+ return 1
+ [ -n  ]
+ [ /etc/X11/Xsession.d/95dbus_update-activation-env = /etc/X11/Xsession.d/99x11-common_start ]
+ . /etc/X11/Xsession.d/95dbus_update-activation-env
+ [ -n  ]
+ [ /etc/X11/Xsession.d/99x11-common_start = /etc/X11/Xsession.d/99x11-common_start ]
+ continue
+ set -e
+ /home/sandbox-app-launcher-appdata/torbrowser/.tb/tor-browser/Browser/start-tor-browser

Some stuff broken. Did not investigate this one yet:

This one we might not want?

Trivial issue, easy to fix / skip:

This would could probably fix/patch to be skipped upstream:

Maybe useful:

Useful stuff:

(Not only useful for torbrowser. Any application.)
(Generic parsing of /etc/X11/Xsession.d also results in dbus-launch which is run by /etc/X11/Xsession.d/75dbus_dbus-launch.)

Created a branch xsession-parsing.

GitHub - Kicksecure/sandbox-app-launcher at xsession-parsing

The only commit so far:

Is generic parsing of /etc/X11/Xsession.d worth going for? Or do you see risks with that?
Could there be even security features implemented in /etc/X11/Xsession.d which would be missed if we don’t do this?

Or better just manually hard code, i.e. add more lines similar to this:

if [ -x /etc/X11/Xsession.d/20torbrowser ]; then
  source /etc/X11/Xsession.d/20torbrowser
fi

I don’t think executing a whole load of files we don’t strictly need is a good idea. This would probably only cause more issues. Do you have any examples of files we actually need other than the Tor Browser one?

I doubt it.

Could you check please if it’s better to use /etc/X11/Xsession.d/75dbus_dbus-launch than running dbus-launch manually?

From usability perspective it seems a bit weird that one has to run:

sudo sandbox-app-launcher program [OPTIONS]

I.e. weird that user has to use sudo.

I however understand that from a technical perspective, sandbox-app-launcher needs to run

sudo -H -u "${app_user}" bash -c "
  bwrap

which requires sudo.

Could we somehow simplify things for the user so the user could just run

sandbox-app-launcher program [OPTIONS]

instead of

sudo sandbox-app-launcher program [OPTIONS]

?

This seems specifically useful since sandbox-app-launcher cannot support running applications as root anyhow. Running sudo sandbox-app-launcher program [OPTIONS] implies that the application runs as root which it doesn’t.

From a usability perspective, running sudo sandbox-app-launcher should actually tell:

ERROR: Running applications as root with sandbox-app-launcher is unsupported.

Could we add a sudo wrapper for sandbox-app-launcher? Here is the idea:

• rename /usr/bin/sandbox-app-launcher to /usr/lib/sandbox-app-launcher
• introduce /usr/bin/sandbox-app-launcher with contents

#!/bin/bash
sudo /usr/lib/sandbox-app-launcher ${@}

• introduce /etc/sudoers.d/sandbox-app-launcher with contents

## All sudoers to run without a password.
%sudo ALL=NOPASSWD: /usr/bin/sandbox-app-launcher *

Or even…

## All users in group 'user' to run sandbox-app-launcher without a password.
%user ALL=NOPASSWD: /usr/bin/sandbox-app-launcher *

But now we need to think about the security issues of that. The asterisk (“*”) in /usr/bin/sandbox-app-launcher * could be an issue? Attack surface?

• A compromised user account could run each and every application under sandbox-app-launcher and thereby generate a lot useless app_user sandbox-${app_name} linux user accounts. This could be ignored for now since there are probably many opportunities for denial of service attacks from a locally compromised user account.
• Do you see any other issues? Would this give access to things which would otherwise not be accessible without sudo access?

This is important in context of PERSISTENT mode USER…

…which will be a boot mode where there is no sudo/root access for the user. In such a boot mode, sandbox-app-launcher would also be most useful.

What kind of security issues I am having in mind…

Currently we use:

if [ -f "/etc/sandbox-app-launcher/${app_name}.conf" ]; then
  . "/etc/sandbox-app-launcher/${app_name}.conf"
fi

Which seems fine.

However, if we had source /home/user/.sandbox-app-launcher/config that would be really bad, because then user user without access to sudo / root would get the ability the execute commands as root.

Also if we didn’t use quotes for "/etc/sandbox-app-launcher/${app_name}.conf" there might be a possibility to specifically craft variable app_name (using ../ or similar) to make it source a file writeable in user home folder too. However, we already sanitize variable app_name so we wouldn’t have this issue either.

Also putting a fake (attacker) binary into ~/bin for purpose of getting a malicious variable app_name is not possible either since sudo sanitizes environment variables among PATH (which of course removes user’s ~/bin from PATH).

Similar threat model as restricted APT, rapt.

That kind of security issues I am having in mind. Do you see any of these?