Which Sandboxing application is more secure?


Postby hack3rcon » 2020-10-17 11:38

Hello,
I want to install an application on Debian 10.6 x86_64, but I don't want this application to hurt my system or steal anything from my Debian box. I found a list of Sandboxing applications and I need opinions about them:
    1- SELinux
    2- Mbox
    3- Firejail
    4- Flatpak
I want to run a GUI application.

Thank you.
hack3rcon
 
Posts: 447
Joined: 2015-02-16 09:54

Re: Which Sandboxing application is more secure?

Postby metreo » 2020-10-17 13:12

I would look at the bug reports or issues filed against each of these applications. Ideally there should be a balance between lots of activity and few outstanding issues. It's kind of subjective. I think that security is one of the hardest aspects of software to determine and communicate appropriately as it can be quite non-intuitive. There are good arguments for simplicity as an indirect path to security, though that is hardly a rule.
metreo
 
Posts: 20
Joined: 2020-10-08 19:15

Re: Which Sandboxing application is more secure?

Postby Head_on_a_Stick » 2020-10-17 13:23

hack3rcon wrote:1- SELinux

That's not a sandbox, it's a MAC framework. It is very powerful but it's also very complicated and so easy to mis-configure & difficult to optimise.

hack3rcon wrote:2- Mbox

Not familiar with that sandboxing technique, please explain further.

hack3rcon wrote:3- Firejail

That's pretty good, probably the best in your list.

hack3rcon wrote:4- Flatpak

The "sandbox" offered by flatpak is pure marketing bullshit: https://www.flatkill.org/2020/

But the best sandbox of all would be a virtual machine. Use QEMU/KVM rather than VirtualBox though because the VB developers have a long history of ignoring and covering up security vulnerabilities, which is one of the reasons why it was removed from the stable release.
Black Lives Matter

Debian buster-backports ISO image: for new hardware support
Head_on_a_Stick
 
Posts: 12650
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Which Sandboxing application is more secure?

Postby LE_746F6D617A7A69 » 2020-10-17 13:37

hack3rcon wrote:I want to install an application on Debian 10.6 x86_64, but I don't want this application to hurt my system or steal anything from my Debian box.
As usual, the name of this application is a trade secret ...

If the application is potentially harmful (f.e. unsigned, closed source and/or downloaded from an untrusted site), then there is no way to assure safety. It's because for the application to work, You need to grant it some basic privileges, like f.e. for accessing audio, video, network interfaces, D-BUS, shared memory - or all of them at the same time.

Real-life example: Skype - sandboxing it makes no sense, because the end user is required to grant it access to audio, video and the network - so it can be used as a perfect surveillance tool, no matter how good the sandboxing system is.

No sandboxing method can protect from user stupidity...

EDIT:
Head_on_a_Stick wrote:
hack3rcon wrote:4- Flatpak

The "sandbox" offered by flatpak is pure marketing bullshit: https://www.flatkill.org/2020/

But the best sandbox of all would be a virtual machine. (...)

In addition, Flatpak looks "flat" for the developers only - for the end-users it's a bloatpak - f.e. because it prevents reusing of shared libs, which is a solution known from Winblows9x, where applications were required to install their own versions of various runtime libs.

I agree that a VM is probably the best solution, with the exception that it can't protect from externally controlled applications like Skype or Zoom.
Last edited by LE_746F6D617A7A69 on 2020-10-17 13:58, edited 1 time in total.
Bill Gates: "(...) In my case, I went to the garbage cans at the Computer Science Center and I fished out listings of their operating system."
The_full_story and Nothing_have_changed
LE_746F6D617A7A69
 
Posts: 395
Joined: 2020-05-03 14:16

Re: Which Sandboxing application is more secure?

Postby metreo » 2020-10-17 13:52

Some apps detect sandboxing and won't work unless it's disabled.
metreo
 
Posts: 20
Joined: 2020-10-08 19:15

Re: Which Sandboxing application is more secure?

Postby CwF » 2020-10-17 13:58

Answer:
Head_on_a_Stick wrote:a virtual machine. Use QEMU/KVM

LE_746F6D617A7A69 wrote:Real-life example: Skype - sandboxing it makes no sense

Sure it does. It might as well be in a holodeck running 'beach'.
The hypervisor can reach into a vm with the hand of god. Pause it, collect malicious data, give it whatever info you want..
CwF
 
Posts: 790
Joined: 2018-06-20 15:16

Re: Which Sandboxing application is more secure?

Postby LE_746F6D617A7A69 » 2020-10-17 14:02

CwF wrote:
LE_746F6D617A7A69 wrote:Real-life example: Skype - sandboxing it makes no sense

Sure it does. It might as well be in a holodeck running 'beach'.
The hypervisor can reach into a vm with the hand of god. Pause it, collect malicious data, give it whatever info you want..

That's not so easy - first You would need to reverse-engineer the code, to know how the data are encoded.
LE_746F6D617A7A69
 
Posts: 395
Joined: 2020-05-03 14:16

Re: Which Sandboxing application is more secure?

Postby CwF » 2020-10-17 14:20

LE_746F6D617A7A69 wrote:That's not so easy - first You would need to reverse-engineer the code, to know how the data are encoded.

Not sure what you mean. We can already.
CwF
 
Posts: 790
Joined: 2018-06-20 15:16

Re: Which Sandboxing application is more secure?

Postby LE_746F6D617A7A69 » 2020-10-17 14:46

CwF wrote:
LE_746F6D617A7A69 wrote:That's not so easy - first You would need to reverse-engineer the code, to know how the data are encoded.

Not sure what you mean. We can already.

If I understood You correctly, You said that We can pause the VM and manipulate the data processed by the applications inside it - this is of course possible, but first, it is necessary to understand the data structures used by those applications.
LE_746F6D617A7A69
 
Posts: 395
Joined: 2020-05-03 14:16

Re: Which Sandboxing application is more secure?

Postby CwF » 2020-10-17 14:58

LE_746F6D617A7A69 wrote:If I understood You correctly

Yes. I stopped at 'generally' we can. You mean 'specifically' things still need figured out. Yes. The question of effective sandboxing in my opinion is settled.
CwF
 
Posts: 790
Joined: 2018-06-20 15:16

Re: Which Sandboxing application is more secure?

Postby metreo » 2020-10-17 18:01

LE_746F6D617A7A69 wrote:
hack3rcon wrote:a solution known from Winblows9x, where applications were required to install their own versions of various runtime libs.


What an absolute joke of a solution by the way :lol: :lol: :lol:
metreo
 
Posts: 20
Joined: 2020-10-08 19:15

Re: Which Sandboxing application is more secure?

Postby shep » 2020-10-17 22:16

Chromium and Webkit2gtk browsers come with their own sandbox built in.

Webkit2gtk uses bubblewrap which can be extended to other applications. See this Arch Linux wiki

https://wiki.archlinux.org/index.php/Bubblewrap
shep
 
Posts: 400
Joined: 2011-03-15 15:22

Re: Which Sandboxing application is more secure?

Postby bester69 » 2020-10-18 03:49

hack3rcon wrote:Hello,
I want to install an application on Debian 10.6 x86_64, but I don't want this application to hurt my system or steal anything from my Debian box. I found a list of Sandboxing applications and I need opinions about them:
    1- SELinux
    2- Mbox
    3- Firejail
    4- Flatpak
I want to run a GUI application.

Thank you.

snaps or flatpaks seem the easy and secure way to go... firejail doesn't seem to me a final user software, some apps must work well, others give you troubles... I don't see it, I don't like that software..., I would just use flatpaks... it's all automatic and workable... snaps, I think, use apparmor isolation, I have it disabled in grub.
bester69 wrote:You won't change my mind when I know I'm right, I'm not an ...
bester69
 
Posts: 1747
Joined: 2015-04-02 13:15

Re: Which Sandboxing application is more secure?

Postby hack3rcon » 2020-10-18 04:13

Head_on_a_Stick wrote:
hack3rcon wrote:1- SELinux

That's not a sandbox, it's a MAC framework. It is very powerful but it's also very complicated and so easy to mis-configure & difficult to optimise.

hack3rcon wrote:2- Mbox

Not familiar with that sandboxing technique, please explain further.

hack3rcon wrote:3- Firejail

That's pretty good, probably the best in your list.

hack3rcon wrote:4- Flatpak

The "sandbox" offered by flatpak is pure marketing bullshit: https://www.flatkill.org/2020/

But the best sandbox of all would be a virtual machine. Use QEMU/KVM rather than VirtualBox though because the VB developers have a long history of ignoring and covering up security vulnerabilities, which is one of the reasons why it was removed from the stable release.

You can use SELinux as a sandboxing too.
Mbox ==> https://pdos.csail.mit.edu/archive/mbox/
I want to run Telegram in a Sandboxing program.
hack3rcon
 
Posts: 447
Joined: 2015-02-16 09:54

Re: Which Sandboxing application is more secure?

Postby Head_on_a_Stick » 2020-10-18 08:50

bester69 wrote:snaps or flatpaks seem the easy and secure way to go

Please read the article to which I linked in my last post — the "sandboxing" offered by flatpak is utter rubbish: almost all applications allow complete access to the files in your home directory so https://xkcd.com/1200/ applies. Snaps are even worse because Comical's Snap Store isn't vetted at all: https://www.omgubuntu.co.uk/2018/05/ubuntu-snap-malware

hack3rcon wrote:You can use SELinux as a sandboxing too

SELinux can be used to restrict permissions but that's not the same as a sandbox.


That seems to use Seccomp BPF for isolation so it works in the same way as firejail.

hack3rcon wrote:I want to run Telegram in a Sandboxing program

If you're paranoid use a VM but Telegram is available as a (reproducible) Debian package so firejail is probably good enough (IMO).
Head_on_a_Stick
 
Posts: 12650
Joined: 2014-06-01 17:46
Location: /dev/chair
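
The point made above about Flatpak applications being granted access to the whole home directory can be checked per application. As an added example (not from the thread or from the Flatpak project), this Python sketch parses the keyfile printed by `flatpak info --show-metadata <app-id>` and reports `home`/`host` filesystem grants, the X11 socket and `devices=all`; the sample metadata and the app id in it are constructed.

```python
import configparser

# Constructed sample in the keyfile format printed by
# `flatpak info --show-metadata <app-id>`; the app id is hypothetical.
SAMPLE_METADATA = """\
[Application]
name=org.example.Chat
runtime=org.freedesktop.Platform/x86_64/20.08
command=chat

[Context]
shared=network;ipc;
sockets=x11;pulseaudio;
devices=all;
filesystems=xdg-download;home;~/.ssh:ro;
"""

# Grants that expose the whole host tree or the whole home directory.
BROAD_FS = {"host", "home"}


def _items(ctx, key):
    """Split a ';'-separated keyfile value into its non-empty entries."""
    return [v.strip() for v in ctx.get(key, "").split(";") if v.strip()]


def audit_flatpak_metadata(text):
    """Return a sorted list of broad grants found in one app's metadata."""
    cp = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    ctx = cp["Context"] if cp.has_section("Context") else {}
    findings = []
    for entry in _items(ctx, "filesystems"):
        if entry.startswith("!"):        # negated entry removes access
            continue
        path, _, mode = entry.partition(":")
        mode = mode or "rw"              # no suffix means read-write
        if path in BROAD_FS:
            findings.append(f"filesystem:{path} ({mode})")
    if "x11" in _items(ctx, "sockets"):  # X11 clients can observe other windows
        findings.append("socket:x11")
    if "all" in _items(ctx, "devices"):
        findings.append("devices:all")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_flatpak_metadata(SAMPLE_METADATA):
        print(finding)
```

An empty result only means none of these specific grants are present; it says nothing about whether the application itself is trustworthy.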
