{{Header}}
{{title|title=
sandbox-app-launcher - Sandboxed Application Launcher
}}
{{#seo:
|description=sandbox-app-launcher is an application launcher that starts each app inside its own restrictive sandbox. It runs each app as its own user, in a bubblewrap sandbox and confined by AppArmor.
|image=Sandboxing123123.png
}}
{{intro|
sandbox-app-launcher is an application launcher that starts each app inside its own restrictive sandbox. It runs each app as its own user, in a bubblewrap sandbox and confined by AppArmor.
}}
[[image:Sandboxing123123.png|thumb]]
{{Developers-only}}
= Introduction =

<code>sandbox-app-launcher</code> is an application launcher that can start each application inside its own restrictive sandbox. It runs each application as its own user, within a bubblewrap sandbox and confined by AppArmor.

This launcher is geared towards end-user applications, not any system software. The directory <code>/shared</code> is shared across all application sandboxes to transfer files across.

This implements a permissions system to configure what applications can access. There are currently five available permissions:

* network access;
* webcam access;
* microphone access;
* shared storage access (read-only or read-write); and
* dynamic native code execution.

All user-installed applications will be automatically configured to run in the sandbox and a prompt will ask which permissions should be granted to the application (not implemented yet).

The launcher is currently a work-in-progress and is not yet ready for actual use. To learn more, see:

* https://github.com/{{project_name_short}}/sandbox-app-launcher
* https://forums.whonix.org/t/system-wide-sandboxing-framework-sandbox-app-launcher/9008

= Design =

Bubblewrap allows developers to make use of [https://en.wikipedia.org/wiki/Linux_namespaces namespaces] and [https://en.wikipedia.org/wiki/Seccomp seccomp]. All applications are run in mount, PID, cgroup and UTS namespaces; IPC namespaces are planned but are not currently implemented due to limitations in Xorg. Fine-grained filesystem restrictions are implemented via mount namespaces and [[AppArmor]]. Seccomp blocks certain syscalls which can greatly reduce kernel attack surface among other things.

All applications by default use a seccomp whitelist to block dangerous and unused [https://man7.org/linux/man-pages/man2/syscalls.2.html syscalls]. In addition, the arguments of some syscalls are filtered to:

* Block unused [https://man7.org/linux/man-pages/man7/address_families.7.html socket address families].
* Block any dangerous or unused [https://man7.org/linux/man-pages/man2/ioctl.2.html ioctls] such as TIOCSTI (can be used in sandbox escapes), TIOCSETD (can increase kernel attack surface by loading vulnerable line disciplines), SIOCGIFHWADDR (can retrieve the user’s MAC address), etc.
* Implement [https://en.wikipedia.org/wiki/W%5EX W^X] (explained in detail further below).

Apparmor also gives fine-grained controls over IPC signals, D-Bus, UNIX sockets, ptrace and more.

= Sandbox Escape Mitigation =

'''Table:''' ''Sandboxed Application Launcher Mitigations''

{| class="wikitable"
|-
! scope="col"| '''Sandbox Escape Vector'''
! scope="col"| '''Mitigation'''
|-
! scope="row"| D-Bus
| [https://en.wikipedia.org/wiki/D-Bus D-Bus] is common avenue for sandbox escapes. <ref>One such example is: https://github.com/netblue30/firejail/issues/796</ref> This attack vector is mitigated by denying access to the system bus and only allowing access to the session bus. This is safe since each application runs as their own user with their own session bus, ensuring no [https://man7.org/linux/man-pages/man2/ipc.2.html IPC] between sandboxes.
|-
! scope="row"| Dynamic Native Code Execution
| Dynamic native code execution is generally a security issue since it allows an attacker to execute new arbitrary code. This is prevented by the following mechanisms:
* Enforcing strict W^X in both memory and the filesystem.
* Seccomp is used to prevent creation of memory mappings that are both writable and executable and transitioning a writable memory mapping to executable.
* AppArmor is used to prevent execution of programs from writable directories.
These mechanisms force attackers to utilize the already existing code (e.g. [https://en.wikipedia.org/wiki/Return-oriented_programming Return-oriented programming (ROP)] / [https://security.stackexchange.com/questions/201196/concept-of-jump-oriented-programming-jop Jump-Oriented-Programming (JOP)]) which is much more limited and difficult. The main things that legitimately require this are JIT engines in browsers.
|-
! scope="row"| Malware Persistence
| The only places malware can persist inside the sandbox are the home directory or shared storage (if enabled as read-write) and it can only ever be executed if W^X is disabled. Everything else is mounted read-only or as a [https://www.kernel.org/doc/html/latest/filesystems/tmpfs.html tmpfs] (a file system which keeps all files in virtual memory).
|-
! scope="row"| PulseAudio
| [https://en.wikipedia.org/wiki/PulseAudio PulseAudio] was also not written with isolation in mind <ref>https://www.freedesktop.org/wiki/Software/PulseAudio/Documentation/Developer/AccessControl/</ref> so access to it is blacklisted from within the sandbox. By default this will break a lot of things so a more robust solution like [https://gitlab.freedesktop.org/pipewire/pipewire PipeWire] may be used in the future.
|-
! scope="row"| Separate User per Sandboxed Application
| This approach provides a higher security threshold: <ref>https://forums.whonix.org/t/system-wide-sandboxing-framework-sandbox-app-launcher/9008/265</ref>
<blockquote>Sandboxing programs running as the same user has historically, never seriously worked well. It’s been the cause of many issues with e.g. Flatpak. It’s why Android/iOS have always used separate users.</blockquote>
|-
! scope="row"| X11
| [https://en.wikipedia.org/wiki/X_Window_System X11] does not have GUI isolation <ref>
https://theinvisiblethings.blogspot.com/2011/04/linux-security-circus-on-gui-isolation.html
</ref> so it is trivial to escape sandboxes with it. There is no protection against this vector at present, but the plan is to either switch to Wayland <ref>https://forums.whonix.org/t/use-xfce-with-wayland/9063</ref> or use a nested X11 server like Xpra.
|-
|}

= Installation =
{{Install_Package|package=
sandbox-app-launcher
}}

= Usage =
== Setup ==
For example, to setup a sandbox for firefox, run.

{{CodeSelect|code=
sudo sandbox-app-launcher setup firefox
}}

== Use ==
For example, to start firefox using sandbox-app-launcher, run.

{{CodeSelect|code=
sandbox-app-launcher start firefox
}}

To show all sand boxes.

{{CodeSelect|code=
sandbox-app-launcher list
}}

To delete user data.

{{CodeSelect|code=
sudo sandbox-app-launcher remove firefox
}}

= Development Discussion =
https://forums.whonix.org/t/system-wide-sandboxing-framework-sandbox-app-launcher/9008

= References =
{{reflist|close=1}}

{{Footer}}

[[Category:Documentation]]