We’re currently working on a full system apparmor policy to confine all userspace processes but this has 2 issues:
It doesn’t use more restrictive profiles for user applications. A PDF viewer shouldn’t have the same profile as init.
It can’t make use of technologies like namespaces and seccomp. Seccomp especially is vital for kernel attack surface reduction.
We should automatically sandbox user applications for better confinement with more restrictive rules.
I think we should create a “Whonix app launcher” which sets up a restrictive sandbox. It should:
Use different users for each application. This ensures apps can’t access each other’s data.
Be confined by a far more restrictive apparmor profile.
Use namespaces and seccomp (preferably via bubblewrap).
Not break too many legitimate use cases.
I’ve created a non-working draft to do this.
Main script: https://paste.debian.net/hidden/6838a50f/
Apparmor profile: https://paste.debian.net/hidden/73be65d3/
Config file: https://paste.debian.net/hidden/f0606f29/
I’m not sure how we’re going to choose which apps to sandbox. Maybe via packages’
Mobile OSes take a similar approach which we can use for inspiration:
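As an added illustration of the launcher the bullet list above describes (example code written for this thread, not the non-working draft linked in the post): a small POSIX sh launcher that runs one program under bubblewrap with private namespaces, an optional compiled seccomp filter, and an app-specific AppArmor profile. Every name in it is an assumption: per-app users called `app-<name>`, a per-app home under `/home/app-<name>`, loaded profiles called `whonix-app-<name>`, and a compiled cBPF filter at `/etc/whonix-app/<name>.bpf` (bubblewrap's `--seccomp FD` expects such a filter on an open file descriptor, which libseccomp can export).

```shell
#!/bin/sh
# Added example for the Whonix app launcher discussion; not the draft from the post.
# Assumptions (all hypothetical): the launcher is already running as the app's
# own user "app-<name>" (for example via sudo -u), a profile "whonix-app-<name>"
# is loaded in AppArmor, and an optional compiled seccomp filter lives at
# /etc/whonix-app/<name>.bpf.

# Print the bubblewrap argument list for APP, one argument per line.
# Only the app user's private home is writable; other apps' homes are not
# mounted at all, so separate users plus the mount namespace keep data apart.
sandbox_args() {
    app="$1"
    appuser="app-$app"
    apphome="/home/$appuser"
    printf '%s\n' \
        --unshare-all \
        --share-net \
        --die-with-parent \
        --new-session \
        --ro-bind /usr /usr \
        --symlink usr/lib /lib \
        --symlink usr/lib64 /lib64 \
        --symlink usr/bin /bin \
        --ro-bind /etc /etc \
        --proc /proc \
        --dev /dev \
        --tmpfs /tmp \
        --bind "$apphome" "$apphome" \
        --setenv HOME "$apphome" \
        --chdir "$apphome"
}

# Path of the compiled seccomp filter for APP (hypothetical location).
seccomp_filter_path() {
    printf '/etc/whonix-app/%s.bpf\n' "$1"
}

# Run APP's command line (remaining arguments) inside the sandbox.
# aa-exec switches to the app's AppArmor profile before bwrap starts, so the
# profile confines bwrap and everything it spawns. The seccomp filter is passed
# on fd 9; bwrap applies it to the sandboxed process after setting up namespaces.
run_sandboxed() {
    app="$1"; shift
    profile="whonix-app-$app"
    filter=$(seccomp_filter_path "$app")
    if [ -r "$filter" ]; then
        # shellcheck disable=SC2046  # sandbox_args emits one argument per line, none with spaces
        exec aa-exec -p "$profile" -- \
            bwrap $(sandbox_args "$app") --seccomp 9 -- "$@" 9<"$filter"
    else
        # No filter compiled for this app: still namespaced and profile-confined,
        # but without syscall filtering, which is the weaker of the two setups.
        exec aa-exec -p "$profile" -- \
            bwrap $(sandbox_args "$app") -- "$@"
    fi
}
```

Invoked as `sudo -u app-xpdf ./launcher.sh` with a small wrapper calling `run_sandboxed xpdf /usr/bin/xpdf "$@"`, the viewer sees a read-only `/usr` and `/etc`, an empty `/tmp`, only its own home, and its own PID and IPC namespaces; the network namespace is shared deliberately, since on a Whonix workstation traffic is already forced through the gateway. Whether a given app gets `--share-net` at all, and which paths beyond its home it needs, is exactly the per-app configuration the post's config file would carry.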