# This publication is intellectual property of Canonical Ltd. Its contents
# can be duplicated, either in part or in whole, provided that a copyright
# label is visibly located on each copy.
#
# All information found in this book has been compiled with utmost
# attention to detail. However, this does not guarantee complete accuracy.
# Neither Canonical Ltd, the authors, nor the translators shall be held
# liable for possible errors or the consequences thereof.
#
# Many of the software and hardware descriptions cited in this book
# are registered trademarks. All trade names are subject to copyright
# restrictions and may be registered trade marks. Canonical Ltd
# essentially adheres to the manufacturer's spelling.
#
# Names of products and trademarks appearing in this book (with or without
# specific notation) are likewise subject to trademark and trade protection
# laws and may thus fall under copyright restrictions.
=head1 NAME

aa-sandbox - AppArmor sandboxing

=head1 SYNOPSIS

B<aa-sandbox> [option] <path to binary>

=head1 DESCRIPTION

B<aa-sandbox> provides a mechanism for sandboxing an application using an
existing profile or via dynamic profile generation. Please note that while this
tool can help with quickly confining an application, its utility is dependent on
the quality of the templates, policy groups and abstractions used. Also, this
tool may create policy which is less restrictive than policy written by hand or
generated with B<aa-genprof> and B<aa-logprof>.

=head1 OPTIONS

B<aa-sandbox> accepts the following arguments:

=over 4

=item -t TEMPLATE, --template=TEMPLATE

Specify the template used to generate a profile. May specify either a system
template or a filename for the template to use. If not specified, uses
B<sandbox>, or B<sandbox-x> when B<-X> is specified. See aa-easyprof(8) for
details. Privileged access is required to load the dynamically generated
profile (B<aa-sandbox> will prompt for a password).

=item -p POLICYGROUPS, --policy-groups=POLICYGROUPS

Specify POLICYGROUPS as a comma-separated list of policy groups. See
aa-easyprof(8) for more information on POLICYGROUPS.

=item -a ABSTRACTIONS, --abstractions=ABSTRACTIONS

Specify ABSTRACTIONS as a comma-separated list of AppArmor abstractions.
AppArmor abstractions are located in /etc/apparmor.d/abstractions. See
apparmor.d(5) for details.

=item -r PATH, --read-path=PATH

Specify a PATH to allow reads. May be specified multiple times. If the PATH
ends in a '/', then PATH is treated as a directory and reads are allowed to all
files under this directory. Can optionally use '/*' at the end of the PATH to
only allow reads to files directly in PATH.

=item -w PATH, --write-dir=PATH

Like --read-path, but also allow writes in addition to reads.

=item --profile=PROFILE

Instead of generating a dynamic profile, specify an existing, loaded profile.
This does not require privileged access.

=item -X

Run the sandboxed application in an isolated X server.

=item --with-xauthority=XAUTHORITY

Specify an Xauthority file to use rather than a dynamically generated one. This
is particularly useful in combination with --profile. This option must be used
with care so as not to grant the sandboxed application too much access. In
particular, the profile specified with --profile must add a rule to deny access
to ~/.Xauthority for X sandboxing to be effective. For example:

  audit deny @{HOME}/.Xauthority mrwlk,

=item --with-xserver=XSERVER

Choose the nested XSERVER to use. Supported servers are: B<xpra> (the default),
B<xpra3d> and B<xephyr>. xpra uses the Xvfb(1) virtual framebuffer X server
while xpra3d uses the Xorg(1) server with the Xdummy (dummy_drv.so) driver.

=item --with-clipboard

Allow access to the clipboard when using B<xpra> or B<xpra3d>.

=item --with-xephyr-geometry=GEOMETRY

The starting geometry for the Xephyr(1) server to use.

=back
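The --read-path/--write-dir PATH conventions and the ~/.Xauthority deny rule
described above, worked through as an added shell example that is not part of
aa-sandbox or aa-easyprof: it expresses each documented PATH form as the
AppArmor file rule it corresponds to and assembles a minimal profile skeleton
around them. The rule shapes, the profile layout and the path_rules and
make_profile helper names are assumptions made for illustration; the output of
the real aa-easyprof(8) generator may differ.

```shell
#!/bin/sh
# Added example, not aa-sandbox/aa-easyprof code: express the documented
# -r/-w PATH conventions as AppArmor file rules and assemble a profile
# skeleton around them.  Rule shapes and layout are assumptions.

# Emit file rules for one PATH as given to -r/-w, with permissions
# "r" (--read-path) or "rw" (--write-dir).
path_rules() {
    p=$1; perm=$2
    case "$p" in
        */\*)
            # "PATH/*": only the files directly in the directory
            printf '  %s %s,\n' "$p" "$perm" ;;
        */)
            # "PATH/": the directory itself and everything beneath it
            printf '  %s %s,\n  %s** %s,\n' "$p" "$perm" "$p" "$perm" ;;
        *)
            # anything else: a single file
            printf '  %s %s,\n' "$p" "$perm" ;;
    esac
}

# make_profile BINARY ABSTRACTIONS READS WRITES XSANDBOX
#   ABSTRACTIONS: comma-separated, as passed to -a
#   READS/WRITES: space-separated PATH lists, as passed to -r/-w
#   XSANDBOX=1:   add the audit deny rule --with-xauthority requires
make_profile() {
    bin=$1; abstractions=$2; reads=$3; writes=$4; xsandbox=$5
    set -f   # PATH lists may contain '*'; do not let the shell glob them
    printf '#include <tunables/global>\n\n%s {\n' "$bin"
    # one #include per abstraction named in the comma-separated list
    printf '%s\n' "$abstractions" | tr ',' '\n' | while IFS= read -r a; do
        if [ -n "$a" ]; then printf '  #include <abstractions/%s>\n' "$a"; fi
    done
    for r in $reads;  do path_rules "$r" r;  done
    for w in $writes; do path_rules "$w" rw; done
    if [ "$xsandbox" = 1 ]; then
        printf '  audit deny @{HOME}/.Xauthority mrwlk,\n'
    fi
    printf '}\n'
    set +f
}

# Usage, mirroring "aa-sandbox --read-path=/proc/* /usr/bin/uptime":
make_profile /usr/bin/uptime base '/proc/*' '' 0
```

The "PATH/" form expands to two rules because AppArmor needs one rule for the
directory entry itself and a "**" rule for everything below it, whereas "PATH/*"
is already a single-level glob and maps to one rule.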
=head1 EXAMPLES

Use the existing system profile 'firefox' to sandbox /usr/bin/firefox:

  $ aa-sandbox -X --profile=firefox /usr/bin/firefox

Sandbox /usr/bin/xeyes in an isolated X server using a dynamically generated
profile:

  $ aa-sandbox -X /usr/bin/xeyes

Sandbox /usr/bin/glxgears in an isolated X server provided by the B<xpra3d>
nested server (Xorg with the Xdummy driver):

  $ aa-sandbox -X --with-xserver=xpra3d /usr/bin/glxgears

Sandbox /usr/bin/uptime with a dynamically generated profile that also allows
reads of the files directly in /proc:

  $ aa-sandbox --read-path="/proc/*" /usr/bin/uptime
=head1 NOTES

B<aa-sandbox> currently relies on Xsecurity rules based on Xauthority. As such,
xhost access controls need to be enabled and server-interpreted values for
localuser must be removed. One way of achieving this is adding a late-running
Xsession(5) script of the form:

  # Create an Xauthority file if it doesn't exist
  [ ! -f "$HOME/.Xauthority" ] && [ -x /usr/bin/xauth ] &&
      xauth generate :0 . trusted > /dev/null

  # Remove the server-interpreted localuser entry so that the Xauthority
  # file governs access
  [ -f "$HOME/.Xauthority" ] && [ -x /usr/bin/xhost ] && [ -x /usr/bin/id ] &&
      xhost -si:localuser:"$(id -un)" > /dev/null

After adding the above, it is recommended you remove the existing ~/.Xauthority
file, then restart your session.
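A way to confirm that the X server is in the state the NOTES require before
relying on aa-sandbox's X isolation, as an added shell example that is not part
of the aa-sandbox man page or tool: it reads xhost(1)-style output and reports
whether access control is enabled and whether any server-interpreted localuser
entry remains. The xhost_state_ok helper name and the sample output lines are
constructed for this example.

```shell
#!/bin/sh
# Added example, not from the aa-sandbox man page: check xhost(1)-style
# output for the state the NOTES require (access control enabled, no
# server-interpreted localuser entry).  The sample lines are constructed.

# xhost_state_ok: read xhost output on stdin; return 0 when the X server is
# set up as required, 1 otherwise, printing the reason on stdout.
xhost_state_ok() {
    enabled=0; si_entries=0
    while IFS= read -r line; do
        case "$line" in
            "access control enabled"*)  enabled=1 ;;
            "access control disabled"*) enabled=0 ;;
            SI:localuser:*)
                si_entries=$((si_entries + 1))
                echo "server-interpreted entry still present: $line" ;;
        esac
    done
    if [ "$enabled" -ne 1 ]; then
        echo "xhost access control is disabled"
        return 1
    fi
    if [ "$si_entries" -ne 0 ]; then
        echo "remove the entries above (xhost -si:localuser:USER, as in NOTES)"
        return 1
    fi
    echo "X access control state is suitable for aa-sandbox"
    return 0
}

# Constructed samples of xhost output (not captured from a real system):
before_fix='access control enabled, only authorized clients can connect
SI:localuser:alice'
after_fix='access control enabled, only authorized clients can connect'

# On a live system the check would be:  xhost | xhost_state_ok
printf '%s\n' "$before_fix" | xhost_state_ok || echo "-> not ready"
printf '%s\n' "$after_fix" | xhost_state_ok
```

Running the check after logging back in, once the Xsession script above has
run, should report the "suitable" state; a lingering SI:localuser entry means
the nested X server's Xauthority-based isolation is not actually enforced for
that user.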
=head1 KNOWN LIMITATIONS

While B<aa-sandbox> may be useful in certain situations, there are a number
of limitations regarding both confinement and usability:

=over 4

=item *

As mentioned, the quality of the template or the specified profile directly
affects the application's confinement.

=item *

DBus system access is all or nothing and DBus session access is unconditionally

=item *

No environment filtering is performed.

=item *

X server usage has not been fully audited (though simple attacks are believed
to be protected against when the system is properly set up. See B<NOTES>,

=item *

Using a nested X server for each application is expensive.

=item *

Only the old X cursor is available with B<xpra> and B<xpra3d>.

=item *

The Ubuntu global menu is not currently supported. Gtk and Qt applications
should display the non-global menu by default, but applications like Firefox
and Thunderbird should be adjusted to disable the global menu.

=item *

Xpra does not gracefully handle screen resizing when monitors are hotplugged.
Restarting the sandbox will resolve the issue.

=back

=head1 BUGS

If you find any bugs, please report them to Launchpad at
L<https://bugs.launchpad.net/apparmor/+filebug>.

=head1 SEE ALSO

apparmor(7) apparmor.d(5) aa-easyprof(8) Xorg(1) Xsecurity(7) xpra(1) Xvfb(1)