System-wide sandboxing framework - sandbox-app-launcher

It would be useful to have a list argument to list all the currently configured sandboxes. Could simply be:

getent passwd | grep "sal" | sed -e 's/:.*//g' | str_replace "sal-" ""

Also, since "replace dynamic wrapper script creation with static script" (Kicksecure/sandbox-app-launcher@f939fe8), the AppArmor profile is now broken: sandbox-app-launcher/sandbox-app-launcher at master (Kicksecure/sandbox-app-launcher)

Profile sandbox-app-launcher applies to /var/cache/sandbox-app-launcher-autogenerated/wrappers/** and profile sandbox-app-launcher-wx applies to /var/cache/sandbox-app-launcher-autogenerated/wrappers-wx/**

Since those directories no longer exist, we will need to create 2 copies of the static wrapper script: wrapper-script and wrapper-script-wx, confined by their respective AppArmor profiles.

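A stricter take on the listing idea from the post above, added here as an example (not code from sandbox-app-launcher): it matches the `sal-` prefix on the username field only and strips just that leading prefix. The function names and the sample passwd lines are constructed for illustration; the `sal-<app>` naming is taken from the thread.

```shell
#!/bin/sh
# Added example: list configured sandboxes from passwd(5)-format input.
# Assumption (from the thread): sandbox accounts are named "sal-<app>".

# list_sandboxes: reads passwd lines on stdin, prints one app name per line.
# Only field 1 (the username) is tested, so "sal" inside a GECOS field, a
# home directory or an unrelated username such as "salt" is ignored.
# Only the leading "sal-" is stripped, so an app whose own name contains
# "sal-" is printed intact. An empty app name ("sal-") is skipped.
list_sandboxes() {
  awk -F: '
    index($1, "sal-") == 1 && length($1) > 4 {
      print substr($1, 5)
    }
  ' | LC_ALL=C sort -u
}

# Constructed sample input, not taken from a real system.
sample_passwd() {
  cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
salt:x:998:998:Salt minion:/var/lib/salt:/usr/sbin/nologin
user:x:1000:1000:sales desk:/home/user:/bin/bash
sal-torbrowser:x:1001:1001::/home/sandbox-app-launcher-appdata/torbrowser:/bin/false
sal-:x:1002:1002::/nonexistent:/bin/false
sal-sal-viewer:x:1003:1003::/home/sandbox-app-launcher-appdata/sal-viewer:/bin/false
EOF
}

# On a real system: getent passwd | list_sandboxes
sample_passwd | list_sandboxes
```
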

Awesome! All merged. Left some inline comments.


Still has TODOs not yet written; produces errors:

root@host:~# sandbox-app-launcher setup torbrowser
ERROR: Directory '/home/sandbox-app-launcher-appdata' does not exist. This package was not installed properly.
root@host:~# apt install sandbox-app-launcher-appdata
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
E: Unable to locate package sandbox-app-launcher-appdata
root@host:~#
root@host:~# sandbox-app-launcher setup torbrowser
ERROR: File '/usr/share/sandbox-app-launcher/wrapper-script-wx-wx' does not exist. This package was not installed properly.
root@host:~# DEBDEBUG=1 apt install --reinstall sandbox-app-launcher
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
0 upgraded, 0 newly installed, 1 reinstalled, 0 to remove and 0 not upgraded.
Need to get 37.3 kB of archives.
After this operation, 0 B of additional disk space will be used.
Get:1 tor+https://deb.whonix.org bullseye-testers/main amd64 sandbox-app-launcher all 0:5.3-1 [37.3 kB]
Fetched 37.3 kB in 1s (27.2 kB/s)         
(Reading database ... 58705 files and directories currently installed.)
Preparing to unpack .../sandbox-app-launcher_0%3a5.3-1_all.deb ...
Unpacking sandbox-app-launcher (5.3-1) over (5.3-1) ...
++ '[' '' = true ']'
++ colors
++ '[' xterm-256color = '' ']'
++ [[ -t 2 ]]
+++ type -t errorhandlergeneral
++ '[' '' = function ']'
+++ trap -p ERR
++ '[' '' = '' ']'
++ trap error_handler_pre ERR
++ bash -n /usr/libexec/helper-scripts/pre.bsh
++ bash -n /var/lib/dpkg/info/sandbox-app-launcher.postrm
++ own_filename=sandbox-app-launcher.postrm
++ source_config_folder
++ '[' sandbox-app-launcher = '' ']'
++ pre_bsh_settings_folder=sandbox-app-launcher_maint.d
++ shopt -s nullglob
++ local i
++ true 'folder 1: /etc/sandbox-app-launcher_maint.d/*.conf'
++ true 'folder 2: /usr/local/etc/sandbox-app-launcher_maint.d/*.conf'
++ shopt -u nullglob
++ check_scripts_to_skip
++ local skip_script
+ set -e
+ true '
#####################################################################
## INFO: BEGIN: sandbox-app-launcher postrm upgrade' '5.3-1
#####################################################################
'
+ rm -rf /var/cache/sandbox-app-launcher-autogenerated
+ getent passwd
+ grep -q sal-
+ true 'INFO: debhelper beginning here.'
+ '[' upgrade = purge ']'
+ true 'INFO: Done with debhelper.'
+ true '
#####################################################################
## INFO: END  : sandbox-app-launcher postrm upgrade' '5.3-1
#####################################################################
'
+ exit 0
Setting up sandbox-app-launcher (5.3-1) ...
++ '[' '' = true ']'
++ colors
++ '[' xterm-256color = '' ']'
++ [[ -t 2 ]]
+++ type -t errorhandlergeneral
++ '[' '' = function ']'
+++ trap -p ERR
++ '[' '' = '' ']'
++ trap error_handler_pre ERR
++ bash -n /usr/libexec/helper-scripts/pre.bsh
++ bash -n /var/lib/dpkg/info/sandbox-app-launcher.postinst
++ own_filename=sandbox-app-launcher.postinst
++ source_config_folder
++ '[' sandbox-app-launcher = '' ']'
++ pre_bsh_settings_folder=sandbox-app-launcher_maint.d
++ shopt -s nullglob
++ local i
++ true 'folder 1: /etc/sandbox-app-launcher_maint.d/*.conf'
++ true 'folder 2: /usr/local/etc/sandbox-app-launcher_maint.d/*.conf'
++ shopt -u nullglob
++ check_scripts_to_skip
++ local skip_script
+ set -e
+ true '
#####################################################################
## INFO: BEGIN: sandbox-app-launcher postinst configure' '5.3-1
#####################################################################
'
+ main_app_dir=/usr/share/sandbox-app-launcher
+ auto_dir=/var/cache/sandbox-app-launcher-autogenerated
+ appdata_dir=/home/sandbox-app-launcher-appdata
+ shared_dir=/home/sandbox-app-launcher-appdata/shared
+ wrapper_script=/usr/share/sandbox-app-launcher/wrapper-script
+ for dir in "${main_app_dir}" "${auto_dir}" "${appdata_dir}"
+ '[' -d /usr/share/sandbox-app-launcher ']'
+ for dir in "${main_app_dir}" "${auto_dir}" "${appdata_dir}"
+ '[' -d /var/cache/sandbox-app-launcher-autogenerated ']'
+ mkdir -m 755 /var/cache/sandbox-app-launcher-autogenerated
+ for dir in "${main_app_dir}" "${auto_dir}" "${appdata_dir}"
+ '[' -d /home/sandbox-app-launcher-appdata ']'
+ mkdir -m 755 /home/sandbox-app-launcher-appdata
+ '[' -d /home/sandbox-app-launcher-appdata/shared ']'
+ mkdir -m 1777 /home/sandbox-app-launcher-appdata/shared
+ cp /usr/share/sandbox-app-launcher/wrapper-script /usr/share/sandbox-app-launcher/wrapper-script-wx
+ compiler_flags='-lseccomp -ldl -D_GNU_SOURCE -Wdate-time -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector-all -Wformat -Werror=format-security -Wl,-z,relro -Wl,-z,now'
+ /usr/share/sandbox-app-launcher/autogen-seccomp /usr/share/sandbox-app-launcher/seccomp-whitelist
+ /usr/share/sandbox-app-launcher/autogen-seccomp /usr/share/sandbox-app-launcher/seccomp-whitelist-wx
+ LANG=C
+ str_replace seccomp-filter.bpf seccomp-filter-wx.bpf /var/cache/sandbox-app-launcher-autogenerated/seccomp-wx.c
+ gcc /var/cache/sandbox-app-launcher-autogenerated/seccomp.c -o /var/cache/sandbox-app-launcher-autogenerated/seccomp -lseccomp -ldl -D_GNU_SOURCE -Wdate-time -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector-all -Wformat -Werror=format-security -Wl,-z,relro -Wl,-z,now
+ gcc /var/cache/sandbox-app-launcher-autogenerated/seccomp-wx.c -o /var/cache/sandbox-app-launcher-autogenerated/seccomp-wx -lseccomp -ldl -D_GNU_SOURCE -Wdate-time -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector-all -Wformat -Werror=format-security -Wl,-z,relro -Wl,-z,now
+ chmod 700 /var/cache/sandbox-app-launcher-autogenerated/seccomp /var/cache/sandbox-app-launcher-autogenerated/seccomp-wx
+ /var/cache/sandbox-app-launcher-autogenerated/seccomp
+ /var/cache/sandbox-app-launcher-autogenerated/seccomp-wx
+ true 'INFO: debhelper beginning here.'
+ '[' configure = configure ']'
+ APP_PROFILE=/etc/apparmor.d/sandbox-app-launcher
+ '[' -f /etc/apparmor.d/sandbox-app-launcher ']'
+ LOCAL_APP_PROFILE=/etc/apparmor.d/local/sandbox-app-launcher
+ test -e /etc/apparmor.d/local/sandbox-app-launcher
+ aa-enabled --quiet
+ apparmor_parser -r -T -W /etc/apparmor.d/sandbox-app-launcher
+ true 'INFO: Done with debhelper.'
+ true '
#####################################################################
## INFO: END  : sandbox-app-launcher postinst configure' '5.3-1
#####################################################################
'
+ exit 0
Processing triggers for man-db (2.9.4-2) ...

Does folder /home exist in that VM? To check:

ls -la /home

It's Whonix Qubes default, no changes:

user@host:~$ ls -la /home
total 12
drwxr-xr-x  3 root root 4096 Sep 15  2021 .
drwxr-xr-x 20 root root 4096 Jul 14 14:10 ..
drwx------ 20 user user 4096 Jul  9 09:40 user
user@host:~$

  10< <(getent passwd root ${app_user} nobody) \
  11< <(getent group root ${app_user} nobody) \

Due to "Delete/Disable nobody user from whonix passwd", I’ll remove nobody.

I will add:
--ro-bind-try /usr/libexec /usr/libexec

Otherwise /etc/X11/Xsession.d/20torbrowser cannot see /usr/libexec/anon-ws-disable-stacked-tor/torbrowser.sh which then breaks Tor Browser.


Better but still lots of things broken.

sandbox-app-launcher start env

/etc/X11/Xsession.d/20torbrowser: line 19: /usr/libexec/anon-ws-disable-stacked-tor/torbrowser.sh: Permission denied
/etc/X11/Xsession.d/20uwt: line 14: /usr/libexec/uwt/uwt.sh: Permission denied
/etc/X11/Xsession.d/20whonix: line 7: /usr/libexec/whonix-base-files/whonix.sh: Permission denied
/etc/X11/Xsession.d/20whonix-welcome-page: line 7: /usr/libexec/whonix-welcome-page/env_var.sh: Permission denied
/etc/X11/Xsession.d/50default_editor: line 7: /usr/libexec/default-editor/default_editor.sh: Permission denied
/etc/X11/Xsession.d/50tb_default_browser: line 7: /usr/libexec/tb-default-browser/tb_default_browser.sh: Permission denied

I don’t think I’ll be working on sandbox-app-launcher soon. Help welcome!


Hello.
I can’t start applications via “sandbox-app-launcher start”. The terminal gives the following output: “bwrap: Can’t find source path /sys/devices: Permission denied”.
And it works with any application. Previously used the command “sudo sandbox-app-launcher setup”, which completed successfully.

Similar project:
