Which Sandboxing application is more secure?

hack3rcon
Posts: 746
Joined: 2015-02-16 09:54
Has thanked: 48 times

Which Sandboxing application is more secure?

#1 Post by hack3rcon »

Hello,
I want to install an application on Debian 10.6 x86_64, but I don't want this application to hurt my system or steal anything from my Debian box. I found a list of Sandboxing applications and I need opinions about them:
1- SELinux
2- Mbox
3- Firejail
4- Flatpak
I want to run a GUI application.

Thank you.

metreo
Posts: 20
Joined: 2020-10-08 19:15

Re: Which Sandboxing application is more secure?

#2 Post by metreo »

I would look at the bug reports or issues filed against each of these applications. Ideally there should be a balance between lots of activity and few outstanding issues. It's kind of subjective. I think that security is one of the hardest aspects of software to determine and communicate appropriately as it can be quite non-intuitive. There are good arguments for simplicity as an indirect path to security, though that is hardly a rule.

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Which Sandboxing application is more secure?

#3 Post by Head_on_a_Stick »

hack3rcon wrote:1- SELinux
That's not a sandbox, it's a MAC framework. It is very powerful but it's also very complicated and so easy to mis-configure & difficult to optimise.
hack3rcon wrote:2- Mbox
Not familiar with that sandboxing technique, please explain further.
hack3rcon wrote:3- Firejail
That's pretty good, probably the best in your list.
hack3rcon wrote:4- Flatpak
The "sandbox" offered by flatpak is pure marketing bullshit: https://www.flatkill.org/2020/

But the best sandbox of all would be a virtual machine. Use QEMU/KVM rather than VirtualBox though because the VB developers have a long history of ignoring and covering up security vulnerabilities, which is one of the reasons why it was removed from the stable release.
deadbang

LE_746F6D617A7A69
Posts: 932
Joined: 2020-05-03 14:16
Has thanked: 7 times
Been thanked: 65 times

Re: Which Sandboxing application is more secure?

#4 Post by LE_746F6D617A7A69 »

hack3rcon wrote:I want to install an application on Debian 10.6 x86_64, but I don't like this application hurt my system or steal anything from my Debian box.
As usual, the name of this application is a trade secret ...

If the application is potentially harmful (f.e. unsigned, closed source and/or downloaded from an untrusted site), then there is no way to assure safety. It's because for the application to work, You need to grant it some basic privileges, like f.e. for accessing audio, video, network interfaces, D-BUS, shared memory - or all of them at the same time.

Real-life example: Skype - sandboxing it makes no sense, because the end user is required to grant it access to audio, video and the network - so it can be used as a perfect surveillance tool, no matter how good the sandboxing system is.

No sandboxing method can protect from user stupidity...

EDIT:
Head_on_a_Stick wrote:
hack3rcon wrote:4- Flatpak
The "sandbox" offered by flatpak is pure marketing bullshit: https://www.flatkill.org/2020/

But the best sandbox of all would be a virtual machine. (...)
In addition, Flatpak looks "flat" for the developers only - for the end-users it's a bloatpak - f.e. because it prevents reusing of shared libs, which is a solution known from Winblows9x, where applications were required to install their own versions of various runtime libs.

I agree that VM is probably the best solution, with the exception that it can't protect from externally controlled applications like Skype or Zoom.
Last edited by LE_746F6D617A7A69 on 2020-10-17 13:58, edited 1 time in total.
Bill Gates: "(...) In my case, I went to the garbage cans at the Computer Science Center and I fished out listings of their operating system."
The_full_story and Nothing_have_changed

metreo
Posts: 20
Joined: 2020-10-08 19:15

Re: Which Sandboxing application is more secure?

#5 Post by metreo »

Some apps detect sandboxing and won't work unless it's disabled.

CwF
Global Moderator
Posts: 2638
Joined: 2018-06-20 15:16
Location: Colorado
Has thanked: 41 times
Been thanked: 192 times

Re: Which Sandboxing application is more secure?

#6 Post by CwF »

Answer:
Head_on_a_Stick wrote:a virtual machine. Use QEMU/KVM
LE_746F6D617A7A69 wrote: Real-life example: Skype - sandboxing it makes no sense
Sure it does. It might as well be in a holodeck running 'beach'.
The hypervisor can reach into a vm with the hand of god. Pause it, collect malicious data, give it whatever info you want..

LE_746F6D617A7A69
Posts: 932
Joined: 2020-05-03 14:16
Has thanked: 7 times
Been thanked: 65 times

Re: Which Sandboxing application is more secure?

#7 Post by LE_746F6D617A7A69 »

CwF wrote:
LE_746F6D617A7A69 wrote: Real-life example: Skype - sandboxing it makes no sense
Sure it does. It might as well be in a holodeck running 'beach'.
The hypervisor can reach into a vm with the hand of god. Pause it, collect malicious data, give it whatever info you want..
That's not so easy - first You would need to reverse-engineer the code, to know how the data are encoded.

CwF
Global Moderator
Posts: 2638
Joined: 2018-06-20 15:16
Location: Colorado
Has thanked: 41 times
Been thanked: 192 times

Re: Which Sandboxing application is more secure?

#8 Post by CwF »

LE_746F6D617A7A69 wrote:That's not so easy - first You would need to reverse-engineer the code, to know how the data are encoded.
Not sure what you mean. We can already.

LE_746F6D617A7A69
Posts: 932
Joined: 2020-05-03 14:16
Has thanked: 7 times
Been thanked: 65 times

Re: Which Sandboxing application is more secure?

#9 Post by LE_746F6D617A7A69 »

CwF wrote:
LE_746F6D617A7A69 wrote:That's not so easy - first You would need to reverse-engineer the code, to know how the data are encoded.
Not sure what you mean. We can already.
If I understood You correctly, You said that We can pause the VM and manipulate the data processed by the applications inside it - this is of course possible, but first, it is necessary to understand the data structures used by those applications.

CwF
Global Moderator
Posts: 2638
Joined: 2018-06-20 15:16
Location: Colorado
Has thanked: 41 times
Been thanked: 192 times

Re: Which Sandboxing application is more secure?

#10 Post by CwF »

LE_746F6D617A7A69 wrote:If I understood You correctly
Yes. I stopped at 'generally' we can. You mean 'specifically' things still need figured out. Yes. The question of effective sandboxing in my opinion is settled.

metreo
Posts: 20
Joined: 2020-10-08 19:15

Re: Which Sandboxing application is more secure?

#11 Post by metreo »

LE_746F6D617A7A69 wrote:
hack3rcon wrote:a solution known from Winblows9x, where applications were required to install their own versions of various runtime libs.
What an absolute joke of a solution by the way :lol: :lol: :lol:

shep
Posts: 423
Joined: 2011-03-15 15:22

Re: Which Sandboxing application is more secure?

#12 Post by shep »

Chromium and Webkit2gtk browsers come with their own sandbox built in.

Webkit2gtk uses bubblewrap which can be extended to other applications. See this Arch Linux wiki

https://wiki.archlinux.org/index.php/Bubblewrap

bester69
Posts: 2072
Joined: 2015-04-02 13:15
Has thanked: 24 times
Been thanked: 14 times

Re: Which Sandboxing application is more secure?

#13 Post by bester69 »

hack3rcon wrote:Hello,
I want to install an application on Debian 10.6 x86_64, but I don't want this application to hurt my system or steal anything from my Debian box. I found a list of Sandboxing applications and I need opinions about them:
1- SELinux
2- Mbox
3- Firejail
4- Flatpak
I want to run a GUI application.

Thank you.
snaps or flatpaks seems the easy and secure way to go... firejail doesn't seem to me a final user software, some apps must work well, others give you troubles... I don't see it, I don't like that software..., I would just use flatpaks... it's all automatic and workable... snaps, I think, use apparmor isolation, I have it disabled in grub.
bester69 wrote:STOP 2030 globalists demons, keep the fight for humanity freedom against NWO...

hack3rcon
Posts: 746
Joined: 2015-02-16 09:54
Has thanked: 48 times

Re: Which Sandboxing application is more secure?

#14 Post by hack3rcon »

Head_on_a_Stick wrote:
hack3rcon wrote:1- SELinux
That's not a sandbox, it's a MAC framework. It is very powerful but it's also very complicated and so easy to mis-configure & difficult to optimise.
hack3rcon wrote:2- Mbox
Not familiar with that sandboxing technique, please explain further.
hack3rcon wrote:3- Firejail
That's pretty good, probably the best in your list.
hack3rcon wrote:4- Flatpak
The "sandbox" offered by flatpak is pure marketing bullshit: https://www.flatkill.org/2020/

But the best sandbox of all would be a virtual machine. Use QEMU/KVM rather than VirtualBox though because the VB developers have a long history of ignoring and covering up security vulnerabilities, which is one of the reasons why it was removed from the stable release.
You can use SELinux as a sandboxing too.
Mbox ==> https://pdos.csail.mit.edu/archive/mbox/
I want to run Telegram in a Sandboxing program.

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Which Sandboxing application is more secure?

#15 Post by Head_on_a_Stick »

bester69 wrote:snaps or flatpaks seems the easy and secure way to go
Please read the article to which I linked in my last post — the "sandboxing" offered by flatpak is utter rubbish: almost all applications allow complete access to the files in your home directory so https://xkcd.com/1200/ applies. Snaps are even worse because Comical's Snap Store isn't vetted at all: https://www.omgubuntu.co.uk/2018/05/ubuntu-snap-malware
hack3rcon wrote:You can use SELinux as a sandboxing too
SELinux can be used to restrict permissions but that's not the same as a sandbox.
That seems to use Seccomp BPF for isolation so it works in the same way as firejail.
hack3rcon wrote:I want to run Telegram in a Sandboxing program
If you're paranoid use a VM but Telegram is available as a (reproducible) Debian package so firejail is probably good enough (IMO).
deadbang
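
The claim in post #15 that most Flatpak applications are granted access to the home directory can be checked per application. The Python sketch below is an added example, not code from the thread or from the Flatpak project: it parses the `[Context]` section of the metadata printed by `flatpak info --show-metadata <app-id>` and reports how much of the home directory the app can reach. The application IDs and metadata strings are constructed samples.

```python
import configparser

# Grants that cover the whole home directory ("host" includes it).
BROAD = {"host", "home", "~"}

def filesystem_grants(metadata_text):
    """Return [(location, mode)] from the filesystems= key of [Context]."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.read_string(metadata_text)
    raw = cp.get("Context", "filesystems", fallback="")
    grants = []
    for token in (t.strip() for t in raw.split(";")):
        if not token or token.startswith("!"):  # "!home" removes a grant
            continue
        location, _, mode = token.partition(":")
        grants.append((location, mode or "rw"))  # no suffix means read-write
    return grants

def home_exposure(metadata_text):
    """Classify access to $HOME as 'read-write', 'read-only' or 'none'."""
    level = "none"
    for location, mode in filesystem_grants(metadata_text):
        if location in BROAD:
            if mode != "ro":  # "rw" and "create" both allow writing
                return "read-write"
            level = "read-only"
    return level

# Constructed metadata samples (hypothetical application IDs).
SAMPLES = {
    "org.example.Editor": "[Application]\nname=org.example.Editor\n\n"
                          "[Context]\nshared=network;ipc;\nsockets=x11;\nfilesystems=home;\n",
    "org.example.Viewer": "[Context]\nfilesystems=home:ro;xdg-download;\n",
    "org.example.Chat":   "[Context]\nshared=network;\nfilesystems=xdg-download;!home;\n",
    "org.example.Game":   "[Context]\nsockets=wayland;pulseaudio;\ndevices=dri;\n",
}

def audit(samples):
    """Map each application ID to its home-directory exposure level."""
    return {app: home_exposure(text) for app, text in samples.items()}

if __name__ == "__main__":
    for app, level in audit(SAMPLES).items():
        print(f"{app}: home access = {level}")
```

An application reported as `read-write` can modify any file in the home directory, which is the situation the post describes; `none` only means no home-wide filesystem grant is declared, not that sockets or devices are restricted.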

hack3rcon
Posts: 746
Joined: 2015-02-16 09:54
Has thanked: 48 times

Re: Which Sandboxing application is more secure?

#16 Post by hack3rcon »

Head_on_a_Stick wrote:
bester69 wrote:snaps or flatpaks seems the easy and secure way to go
Please read the article to which I linked in my last post — the "sandboxing" offered by flatpak is utter rubbish: almost all applications allow complete access to the files in your home directory so https://xkcd.com/1200/ applies. Snaps are even worse because Comical's Snap Store isn't vetted at all: https://www.omgubuntu.co.uk/2018/05/ubuntu-snap-malware
hack3rcon wrote:You can use SELinux as a sandboxing too
SELinux can be used to restrict permissions but that's not the same as a sandbox.
That seems to use Seccomp BPF for isolation so it works in the same way as firejail.
hack3rcon wrote:I want to run Telegram in a Sandboxing program
If you're paranoid use a VM but Telegram is available as a (reproducible) Debian package so firejail is probably good enough (IMO).
Is Mbox lighter than firejail, and does it offer the same features?
