
Application Sandboxing > Making your own policies/profiles: Add crabsecco

Open dngray opened this issue 2 years ago • 4 comments

Discussed in https://github.com/privacyguides/privacyguides.org/discussions/1364

Originally posted by rusty-snake May 31, 2022

Name: crabsecco

Repository: https://codeberg.org/crabjail/crabsecco

Author: me (I also maintain the libseccomp-rs crate)

Where?: Application Sandboxing > Making your own policies/profiles

Description: crabsecco makes it easier to write and compile seccomp-bpf filters (as used by bubblewrap's --seccomp/--add-seccomp-fd arguments). It acts as a compiler which compiles seccomp-filters defined in a toml file to bpf/pfc filters which can be used with tools like bubblewrap/for debugging. This makes writing seccomp-bpf filters easier because you don't need to write (C-)code.

dngray avatar Feb 18 '23 06:02 dngray
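To show what a compiled seccomp-bpf filter of the kind bubblewrap's --seccomp argument reads actually contains, here is an added example that builds one by hand. It is not crabsecco's code, input format or output and is not from this thread; the deny list (x86_64 numbers for ptrace, mount, bpf), the file name `deny.bpf` and all function names are assumptions made for illustration.

```python
import struct

# Classic-BPF opcodes and seccomp constants from the Linux UAPI headers.
LD_W_ABS, JEQ_K, JGE_K, RET_K = 0x20, 0x15, 0x35, 0x06
AUDIT_ARCH_X86_64 = 0xC000003E
RET_KILL_PROCESS, RET_ALLOW, RET_ERRNO = 0x80000000, 0x7FFF0000, 0x00050000
X32_SYSCALL_BIT, EPERM = 0x40000000, 1

def build_denylist(denied_nrs):
    """Return sock_filter tuples (code, jt, jf, k) denying the given x86_64 syscalls."""
    n = len(denied_nrs)
    if not 0 < n <= 255:
        raise ValueError("jump offsets are 8-bit")
    prog = [
        (LD_W_ABS, 0, 0, 4),               # A = seccomp_data.arch
        (JEQ_K, 1, 0, AUDIT_ARCH_X86_64),  # expected arch: skip the kill
        (RET_K, 0, 0, RET_KILL_PROCESS),
        (LD_W_ABS, 0, 0, 0),               # A = seccomp_data.nr
        (JGE_K, 0, 1, X32_SYSCALL_BIT),    # x32 ABI numbers fall into the kill
        (RET_K, 0, 0, RET_KILL_PROCESS),
    ]
    for i, nr in enumerate(denied_nrs):
        prog.append((JEQ_K, n - i, 0, nr))  # match: jump to the ERRNO return
    prog.append((RET_K, 0, 0, RET_ALLOW))
    prog.append((RET_K, 0, 0, RET_ERRNO | EPERM))
    return prog

def serialize(prog):
    """Pack as struct sock_filter {u16 code; u8 jt; u8 jf; u32 k} in native byte order."""
    return b"".join(struct.pack("=HBBI", *ins) for ins in prog)

def evaluate(prog, arch, nr):
    """Interpret the four opcodes used above against a seccomp_data header (nr, arch)."""
    data = struct.pack("<iI", nr, arch)
    pc, acc = 0, 0
    while True:
        code, jt, jf, k = prog[pc]
        pc += 1
        if code == LD_W_ABS:
            acc = struct.unpack_from("<I", data, k)[0]
        elif code == JEQ_K:
            pc += jt if acc == k else jf
        elif code == JGE_K:
            pc += jt if acc >= k else jf
        elif code == RET_K:
            return k

if __name__ == "__main__":
    with open("deny.bpf", "wb") as f:  # constructed deny list: ptrace, mount, bpf
        f.write(serialize(build_denylist([101, 165, 321])))
```

The `evaluate` helper exists only to check the jump offsets offline; the kernel runs the serialized program itself once a tool such as bubblewrap loads it from the file descriptor passed to --seccomp.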

Initially I was thinking of doing https://github.com/privacyguides/privacyguides.org/issues/1861, however for most purposes (sandboxing user applications), I think a guide on this makes a lot more sense than creating AppArmor/SELinux policies.

Particularly with the direction of things like Flatpak, etc.

dngray avatar Feb 18 '23 06:02 dngray

@rusty-snake would you be interested in contributing a blog article on how to use this tool?

I have not used this tool.

I think it could take the form of an example article demonstrating usage.

dngray avatar Dec 16 '23 06:12 dngray

Hi, just going through my GitHub todo list. I've interest but unfortunately no time.

rusty-snake avatar Jan 26 '24 22:01 rusty-snake

What I might do is an article sandboxing some example application, a bit like the hello world examples that Fedora does.

dngray avatar Jan 28 '24 10:01 dngray

Revisiting this one.

I don't think it's practical to tell people to make their own SELinux or AppArmor policies. It's a lot of work, and requires testing and a fair bit of background knowledge to troubleshoot. I guess this is why major distributions don't ship policies for everything.

I think a far more user-friendly way of approaching this is using the Flatpak sandbox permission and strict confinement as Firefox on Ubuntu does. It would seem that while this doesn't cover every application (that's unlikely anyway) unless someone spends a lot of time to do that, more projects now will use the above sandboxing methods. In time we may see something like ConfinedUsers, which in my opinion is a better way to contribute to this if you're interested in that.

Nothing is perfect and expecting users to make ultra tight policies by themselves simply isn't feasible.

dngray avatar Aug 03 '24 03:08 dngray