Score: 84

I want to run small untrusted programs, but restrict them from accessing any files outside of their folder, network access, and everything else that they don't really need. What is the simplest way to achieve this?

Braiam
michel
  • I have never used it, so I can't make a complete answer, but AFAIK, AppArmor (https://wiki.ubuntu.com/AppArmor) should be able to do this. – Javier Rivera May 09 '13 at 08:51
  • Check out Vagrant, a wrapper for VirtualBox. http://www.vagrantup.com/ and [on Wikipedia](http://en.wikipedia.org/wiki/Vagrant_(software)) and on github – Janus Troelsen May 09 '13 at 11:41
  • @JavierRivera FWIW, SELinux as well. No idea how easy it'd be to get running on Ubuntu though. – TC1 May 09 '13 at 13:07
  • Apparmor is already installed by default in Ubuntu, so it should be easier. – Javier Rivera May 09 '13 at 15:09
  • It seems like there are multiple possibilities: virtualisation using something like VirtualBox (like Vagrant), chroot, LXC, AppArmor and SELinux. – Flimm May 15 '13 at 13:21
  • As mentioned below, LXC is a great utility if you'll be using untrusted apps regularly, as once (occasionally painfully) installed and configured, a sandbox can be up and running your app with a single command. – iambryan Jun 06 '15 at 20:17
  • AppArmor and SELinux are both MAC solutions. AppArmor is already installed by default. But unless you create a profile for the app it won't protect you. Similarly w/ SELinux, if you run the app in the same context as your user it won't protect you much. And if you run a GUI app in a different context there is a big chance it will break the app, so you will need to create special policies in order to use the app. It's possible with both solutions but really time consuming, and sometimes it is not possible to 100% sandbox the app. – Huygens Oct 04 '15 at 12:15
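The AppArmor route raised in the comments above, as an added example that is not part of the question or any answer: a script that writes an AppArmor profile confining a program to its own folder with no network access, then loads it in enforce mode. The program path (/opt/untrusted/app), its writable data subfolder and the output directory are assumptions.

```shell
#!/bin/sh
# Added example: generate and load an AppArmor profile that confines a program
# to its own folder and denies all network access. The program path
# (/opt/untrusted/app) and its writable data subfolder are assumptions.
set -eu

# write_profile PROGRAM OUTDIR: write the profile for PROGRAM into OUTDIR
# (normally /etc/apparmor.d) and print the generated file's path.
write_profile() {
    prog=$1; outdir=$2
    dir=$(dirname "$prog")
    # AppArmor's file-naming convention: /opt/untrusted/app -> opt.untrusted.app
    name=$(printf '%s' "$prog" | sed 's|^/||; s|/|.|g')
    out="$outdir/$name"
    cat > "$out" <<EOF
#include <tunables/global>

$prog {
  #include <abstractions/base>

  # no sockets of any family; deny rules win over anything an abstraction allows
  deny network,

  # the program may map itself and read (and list) its own folder
  $prog mr,
  $dir/ r,
  $dir/** r,

  # writes only under a data subfolder, and only to files owned by the caller
  owner $dir/data/** rw,

  # everything else (the rest of the filesystem, other programs) is denied,
  # because AppArmor permits only what the profile lists
}
EOF
    printf '%s\n' "$out"
}

# load_profile FILE: compile and load (or replace) the profile in enforce mode.
# Needs root and the apparmor package; denials show up in the kernel log.
load_profile() {
    apparmor_parser -r "$1"
}
```

Install the program under its own folder first, then run `write_profile /opt/untrusted/app /etc/apparmor.d` and `load_profile` on the printed path; `aa-status` should list the profile as enforced.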

8 Answers

Score: 32

If they are really untrusted, and you want to be sure, you'd set up a separate box. Either really, or virtually.

Further, you don't want that box to be in the same network as your important stuff, if you are paranoid enough. In all solutions you'd set up a separate user with no rights, so as not to open too many tools to the would-be compromiser.

  • So the safest option would be a separate box removed physically from your network.
  • You could give in a bit by adding it to the physical network, but on a different subnet: no 'real' connection inside
  • A virtual machine would be an option, but might have to give up some performance

If you are bound to running it on the same box, you have, for instance, this option:

  • chroot. This is a default option for doing this for lots of people, and for non-specific threats it might even work. But it is NOT a security option, and can be broken out of rather easily. I'd suggest using this as intended, i.e. not for security.

In the end you might need to set up a specific sandboxing model without the hassle of virtualization or separate boxes, or the still-at-risk situation of chroot. I doubt this is what you meant, but look at this link for some more in-depth information.

Pablo Bianchi
Nanne
  • How safe would it be, security-wise, to run an untrusted application on a virtual machine? I've heard of theoretical exploits which can access the host operating system through the hypervisor and infect it. – zuallauz May 10 '13 at 00:01
  • It could be, although I'm currently not aware of real threats like that, certainly not non-targeted ones. You should consider the attacker writing malware in a game would not go to those lengths. Now a spear-attack on you alone might of course, if they know your layout, but still I don't think that's your first concern. If you are that certain they are malicious you should really set up an isolated box anyway, network-wise. – Nanne May 10 '13 at 07:06
  • It would be nice if Linux had some GUI for all those powerful security policies. Like Docker, but for X11 apps, and with a GUI. – Marat Mkhitaryan Oct 16 '20 at 17:20
Score: 30

Firejail is fairly new and in constant development. Easy to use.

You can simply:

sudo apt-get install firejail
firejail app

David Foerster
  • Welcome to Ask Ubuntu! Whilst this may theoretically answer the question, it would be preferable to include the essential parts of the answer here, and provide the link for reference. – Mark Kirby Dec 11 '15 at 09:43
  • Does firejail affect the CPU time of the program? – alper Jul 11 '21 at 18:23
  • Could I run firejail along with slurm? – alper Nov 01 '21 at 18:34
  • I attempted use of firejail today only to find that it permits all file access by default and that its devs consider this to be a “design choice”, even though the rest of us would consider that a security issue. I’d exercise caution with this option. – Hakanai Nov 18 '21 at 02:15
  • firejail --private $mycmd will mount a blank namespace onto the home directory. Also see its --help... there's a whole slew of --private-* options. – ulidtko Feb 25 '24 at 12:23
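A wrapper, added here as an example and not taken from the answer, that applies the --private option from the comment above together with the other Firejail switches matching the question (own folder only, no network); the folder and program are passed as arguments and are assumptions.

```shell
#!/bin/sh
# Added example (not from the answer): run a program under Firejail so that it
# sees only its own folder as home and has no network. Firejail's defaults
# leave the real home readable, hence the explicit --private option.
set -eu

# run_jailed DIR PROGRAM [ARGS...]
# DIR is the program's own folder (assumption: it doubles as the jail's home).
run_jailed() {
    dir=$1; shift
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    dir=$(cd "$dir" && pwd -P)    # resolve symlinks: --private wants a real path

    # --private=DIR            DIR becomes $HOME; the real home is not visible
    # --private-tmp/-dev       empty /tmp and a minimal /dev
    # --net=none               new network namespace with only loopback
    # --noroot                 user namespace in which root does not exist
    # --caps.drop=all --seccomp --nonewprivs
    #                          no capabilities, default syscall filter, no setuid gain
    # --nosound --no3d         no audio or GPU device access
    # FIREJAIL may be overridden (e.g. FIREJAIL='printf %s\n') to print the
    # command line instead of running it.
    ${FIREJAIL:-firejail} \
        --private="$dir" \
        --private-tmp \
        --private-dev \
        --net=none \
        --noroot \
        --caps.drop=all \
        --seccomp \
        --nonewprivs \
        --nosound \
        --no3d \
        "$@"
}
```

Example call: `run_jailed ~/untrusted/game ~/untrusted/game/run.sh`; anything the program writes lands inside that folder or the throwaway /tmp.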
Score: 13

Full virtualization/emulation (VirtualBox)

One possible solution is virtualization software such as VirtualBox which you can find in the software centre.

  • Install VirtualBox
  • Create a virtual machine with networking enabled
  • Install Ubuntu or perhaps a lighter desktop such as Lubuntu
  • Fully update the installed OS (inside VirtualBox)
  • Disable networking on the virtual machine
  • Take a snapshot

You can now install the software you don't trust to see what it does. It can't upset the outside world or your host OS as it does not have access.

It may trash your virtual machine, however; but if it does, you can just restore from your snapshot.

There may be other methods to limit the destructive power of untrusted software but this is the most robust method I can think of.

Container-based virtualization (Docker/LXC)

Another option may be LXC; more information here

LXC is the userspace control package for Linux Containers, a lightweight virtual system mechanism sometimes described as “chroot on steroids”.

LXC builds up from chroot to implement complete virtual systems, adding resource management and isolation mechanisms to Linux’s existing process management infrastructure.

It's available in the software centre. I have no experience with it, however.

Pablo Bianchi
Warren Hill
  • That's just inconvenient. Create an entire virtual machine just to run games!!? That's not a very good solution. Don't you think setting the process's GID and UID would be WAY easier than this? – Jack Mayerz May 09 '13 at 08:58
  • Actually I think setting up a virtual box is sufficiently easy that I probably would not bother with taking a snapshot. If it trashes my virtual machine, I can discard it. – emory May 09 '13 at 14:18
  • Downvote: Factually incorrect reasoning even if the solution is right. Programs don't need to have the same privileges as the user running them. Linux and Ubuntu have supported MAC for years. Ubuntu uses AppArmor for this, and you can contain a program to a directory easily. – Javier Rivera May 09 '13 at 15:11
  • @JavierRivera "easily" is not the correct word, or an AppArmor profile and a SELinux policy for Firefox would be shipped by default with every distro, and that is not the case. Ubuntu ships such a profile but it is not active by default as it breaks a few "popular" Firefox features. There aren't many SELinux policies either for most GUI apps; such apps require too many permissions to be still called sandboxed. If you disagree, please post here links to sandbox Firefox safely using either AppArmor or SELinux! If you can I would be really happy :-) – Huygens Oct 04 '15 at 12:27
  • You should probably define "safe" for a meaningful answer, but the default Firefox policy in Ubuntu is quite reasonable to me. Of course it breaks things as it is not as user-friendly as using nothing, but it's still much more user-friendly than a full virtual machine to me (that also breaks popular Firefox features). – Javier Rivera Oct 06 '15 at 06:52
Score: 13

Docker will help you to set up containers that you can run off of your current kernel, yet keep contained away from the rest of your system. It seems pretty cutting edge but there's an Ubuntu focus and good documentation.

Pablo Bianchi
  • I think this is a good option for most cases. However, the "untrusted" part of the original question would concern me a bit. There are demonstrated hacks available that can allow an application to "break" out of its container. And given that docker containers run at root access, this could be dangerous, if your goal was to sandbox the applications from each other. – Cris Holdorph Aug 22 '14 at 22:37
  • @CrisHoldorph correct although Docker is getting better and I even think it is nowadays possible to run a docker unprivileged (not as root). This is certainly true now for LXC and LXD (the sometimes so called LXC daemon) can simplify greatly the creation of such containers. So modern unprivileged containers can be considered as an improvement in terms of security over chroot. But they are not an impenetrable barrier! – Huygens Oct 04 '15 at 12:21
  • Docker is not a security tool! – Federico Apr 06 '18 at 14:44
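Added here as an example (not from the answer or its comments): a docker run invocation that strips the defaults the comments above object to, so the program runs as an unprivileged uid with no capabilities, no network and no new privileges, and sees only its own folder. The image name, the folder and the resource limits are assumptions.

```shell
#!/bin/sh
# Added example (not from the answer): start an untrusted program in a Docker
# container without the default root user, capabilities and network.
# Assumptions: the program's folder is $1; the image name is a placeholder.
set -eu

IMAGE=${IMAGE:-ubuntu:22.04}

# run_in_docker DIR PROGRAM [ARGS...]: DIR is mounted read-only at /work and
# PROGRAM (a path inside the container, e.g. /work/app) is started from there.
run_in_docker() {
    dir=$1; shift
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    dir=$(cd "$dir" && pwd -P)
    # --user          unprivileged uid/gid (nobody) instead of root
    # --cap-drop=ALL  no Linux capabilities, even as container root
    # --security-opt  no-new-privileges blocks setuid/setcap escalation
    # --network=none  no interfaces besides loopback
    # --read-only     image filesystem is immutable; /tmp is a small noexec tmpfs
    # --pids-limit/--memory  fork bombs and memory hogs cannot starve the host
    # Drop the ":ro" on the volume if the program must write into its folder.
    # DOCKER may be overridden (e.g. DOCKER='printf %s\n') to print the command.
    ${DOCKER:-docker} run --rm \
        --user=65534:65534 \
        --cap-drop=ALL \
        --security-opt=no-new-privileges \
        --network=none \
        --read-only \
        --tmpfs=/tmp:rw,noexec,nosuid,size=64m \
        --pids-limit=128 \
        --memory=512m \
        --volume="$dir:/work:ro" \
        --workdir=/work \
        "$IMAGE" "$@"
}
```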
Score: 9

mbox

Mbox is a lightweight sandboxing mechanism that any user can use without special privileges in commodity operating systems.

I've used it for a couple of things reliably.

Pablo Bianchi
0x78
Score: 5

subuser

You can use subuser to sandbox your applications with Docker. This allows you to do things like sandbox GUI apps, which isn't easy to do with Docker directly.

sudo apt install subuser

Pablo Bianchi
Score: 1

I think a possible solution is to create a separate user for testing purposes and limit their privileges. This way you won't lose performance, which would definitely happen in a virtual machine, but I think this is less safe if not set up very properly, which I can't advise on how to do.

Phlya
  • This doesn't protect the system from malicious software that may still get installed or run - it also is not sandboxing in the manner that this question means – Thomas Ward Dec 10 '15 at 17:13
Score: 1

DoSH - Docker SHell

In case you simply want to sandbox the activity of the users, you can use "DoSH"

DoSH (which stands for Docker SHell) is a development to create Docker containers when users log in to the Linux system and run a shell into them, instead of simply creating the shell.

Pablo Bianchi
ubuser