privacyguides / privacyguides.org

Protect your data against global mass surveillance programs.
https://www.privacyguides.org
Creative Commons Attribution Share Alike 4.0 International

Application Sandboxing>Making your own policies/profiles: Add crabsecco #2008

Closed dngray closed 3 months ago

dngray commented 1 year ago

Discussed in https://github.com/privacyguides/privacyguides.org/discussions/1364

Originally posted by **rusty-snake** May 31, 2022

**Name**: crabsecco

**Repository**: https://codeberg.org/crabjail/crabsecco

**Author**: me (I also maintain the libseccomp-rs crate)

**Where?**: [Application Sandboxing > Making your own policies/profiles](https://www.privacyguides.org/linux-desktop/sandboxing/#making-your-own-policiesprofiles)

**Description**: crabsecco makes it easier to write and compile seccomp-bpf filters (as used by bubblewrap's `--seccomp`/`--add-seccomp-fd` arguments). It acts as a compiler which compiles seccomp-filters defined in a toml file to bpf/pfc filters which can be used with tools like bubblewrap/for debugging. This makes writing seccomp-bpf filters easier because you don't need to write (C-)code.
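To illustrate what a seccomp-filter compiler of the kind described above actually produces, here is an added example (not crabsecco's code, and not its TOML format) that turns a small allowlist into a classic-BPF program in the `struct sock_filter` layout a tool like bubblewrap consumes, and includes a tiny interpreter so the filter's decisions can be checked without loading it into a kernel. The syscall-number table is a constructed x86_64 subset and the default action (return EPERM) is an assumption chosen for the example.

```python
import struct

# Classic BPF opcodes and seccomp return values (from <linux/filter.h>, <linux/seccomp.h>).
BPF_LD_W_ABS = 0x20      # load 32-bit word from absolute offset into the accumulator
BPF_JMP_JEQ_K = 0x15     # jump if accumulator == k (jt/jf are skip counts)
BPF_RET_K = 0x06         # return constant k as the filter verdict
SECCOMP_RET_KILL_PROCESS = 0x80000000
SECCOMP_RET_ERRNO = 0x00050000     # low 16 bits carry the errno to return
SECCOMP_RET_ALLOW = 0x7FFF0000
AUDIT_ARCH_X86_64 = 0xC000003E
OFF_NR, OFF_ARCH = 0, 4            # offsets of nr and arch in struct seccomp_data

X86_64_NR = {"read": 0, "write": 1, "exit_group": 231}  # constructed subset of the table

def compile_allowlist(allowed, default_errno=1):
    """Build an allowlist filter as a list of (code, jt, jf, k) instructions."""
    prog = [
        (BPF_LD_W_ABS, 0, 0, OFF_ARCH),
        (BPF_JMP_JEQ_K, 1, 0, AUDIT_ARCH_X86_64),     # wrong arch: fall into the kill
        (BPF_RET_K, 0, 0, SECCOMP_RET_KILL_PROCESS),
        (BPF_LD_W_ABS, 0, 0, OFF_NR),
    ]
    for name in allowed:                                # one compare+allow pair per syscall
        prog.append((BPF_JMP_JEQ_K, 0, 1, X86_64_NR[name]))
        prog.append((BPF_RET_K, 0, 0, SECCOMP_RET_ALLOW))
    prog.append((BPF_RET_K, 0, 0, SECCOMP_RET_ERRNO | default_errno))  # default: EPERM
    return prog

def to_bytes(prog):
    """Serialise as struct sock_filter {u16 code; u8 jt; u8 jf; u32 k} records."""
    return b"".join(struct.pack("=HBBI", *insn) for insn in prog)

def run(prog, arch, nr):
    """Interpret the BPF subset emitted above against a fake seccomp_data."""
    data = {OFF_NR: nr, OFF_ARCH: arch}
    acc, pc = 0, 0
    while True:
        code, jt, jf, k = prog[pc]
        pc += 1
        if code == BPF_LD_W_ABS:
            acc = data[k]
        elif code == BPF_JMP_JEQ_K:
            pc += jt if acc == k else jf
        elif code == BPF_RET_K:
            return k

if __name__ == "__main__":
    filt = compile_allowlist(["read", "write", "exit_group"])
    print(len(to_bytes(filt)), "bytes;", hex(run(filt, AUDIT_ARCH_X86_64, 59)))
```

The bytes returned by `to_bytes` are what you would hand to `bwrap --seccomp` via a file descriptor; a real compiler also needs the full per-architecture syscall table and argument comparisons, which this example omits.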
dngray commented 1 year ago

Initially I was thinking of doing https://github.com/privacyguides/privacyguides.org/issues/1861, however for most purposes (sandboxing user applications), I think a guide on this makes a lot more sense than creating AppArmor/SELinux policies.

Particularly with the direction of things like Flatpak, etc.

dngray commented 11 months ago

@rusty-snake would you be interested in contributing a blog article on how to use this tool?

I have not used this tool.

I think it could take the form of an example article demonstrating usage.

rusty-snake commented 9 months ago

Hi, just going through my GitHub todo list. I've interest but unfortunately no time.

dngray commented 9 months ago

What I might do is an article sandboxing some example application, a bit like the hello world examples that Fedora does.

dngray commented 3 months ago

Revisiting this one.

I don't think it's practical to tell people to make their own SELinux or AppArmor policies. It's a lot of work, and requires testing and a fair bit of background knowledge to troubleshoot. I guess this is why major distributions don't ship policies for everything.

I think a far more user-friendly way of approaching this is using the Flatpak sandbox permissions and strict confinement as Firefox on Ubuntu does. It would seem that while this doesn't cover every application (that's unlikely anyway) unless someone spends a lot of time to do that, more projects now will use the above sandboxing methods. In time we may see something like ConfinedUsers, which in my opinion is a better way to contribute to this if you're interested in that.

Nothing is perfect and expecting users to make ultra tight policies by themselves simply isn't feasible.