    Committing per IRC discussions. Does not update the Makefile to install it yet. · 3c41028c
    Jamie Strandboge authored
    = How it works =
    There are basically two modes:
     1. using an existing profile with --profile
     2. dynamically generating a profile
    
    For '1', aa-sandbox is just a wrapper around aa-exec.
    
    For '2', aa-sandbox leverages easyprof and allows you to specify policy
    in a limited way on the command line. It then loads the policy into the
    kernel as a profile (i.e., 'profile <foo> { ... }') so it doesn't get in
    the way of existing profiles. It currently calls apparmor_parser via
    sudo or pkexec. Once the profile is loaded, aa-exec the application
    under the profile.
    
    When -X is specified, the application is launched inside its own X
    server using either xpra (the default, which uses Xvfb), xephyr, or
    xpra3d (xpra, but using Xorg with the xdummy[1] driver for now[2].
    xpra3d doesn't currently perform well, but works ok with newer Gnome
    applications that now require GLX). When using '-X', it:
    - adds an explicit deny rule for ~/.Xauthority
    - generates a dynamic Xauthority file for the session in 
      ~/.Xauthority-sandbox<DISPLAYNUMBER>
    - adds an allow rule for ~/.Xauthority-sandbox<DISPLAYNUMBER>
    - adds checks for xhost being properly setup
    - honors the --with-xauthority option which can be used with --profile
    
    With the above, the :0.0 display should no longer be accessible. Eg:
    $ ./aa-sandbox -t ~/sandbox-xterm -X /usr/bin/xterm
    $ XAUTHORITY=~/.Xauthority DISPLAY=:0.0 xinput
    No protocol specified
    Unable to connect to X server
    
    This requires a specifically configured xauth/xhost setup, which is less common
    on modern distributions. The man page details how to get this setup.
    
    
    = Trying it out =
    Apply the patch, then:
    $ cd ./utils
    # cli
    $ ./aa-sandbox --templates-dir=`pwd`/easyprof/templates --read-path=/proc/ /usr/bin/uptime
    
    # 2d only
    $ ./aa-sandbox --templates-dir=`pwd`/easyprof/templates -X /usr/bin/xeyes
    $ ./aa-sandbox --templates-dir=`pwd`/easyprof/templates -X /usr/bin/gedit
    
    # 2d alternate (xephyr)
    $ ./aa-sandbox --templates-dir=`pwd`/easyprof/templates -X --with-xserver=xephyr /usr/bin/xeyes
    $ ./aa-sandbox --templates-dir=`pwd`/easyprof/templates -X --with-xserver=xephyr /usr/bin/gedit
    
    # 3d
    $ ./aa-sandbox --templates-dir=`pwd`/easyprof/templates -X --with-xserver=xpra3d /usr/bin/xeyes
    $ ./aa-sandbox --templates-dir=`pwd`/easyprof/templates -X --with-xserver=xpra3d /usr/bin/glxgears
    
    # With an existing profile:
    $ ./aa-sandbox --profile=/usr/bin/evolution -X --with-xserver=xpra3d /usr/bin/evolution
    
    
    = The Patch =
    The patch itself is pretty self contained:
    utils/aa-easyprof:
    - adjusted to import optparse
    
    utils/easyprof/templates/sandbox*
    - add two new templates to easyprof
    
    utils/apparmor/easyprof.py:
    - use 'profile <foo>' if '<foo>' is not an absolute path
    - adjust parser handling so we can reuse it
    
    utils/aa-sandbox:
    - small script to drive utils/apparmor/sandbox.py
    
    utils/apparmor/common.py:
    - the start of our python library. aa-easyprof would eventually use 
      this (along with the various rewrites), but for now, only the 
      sandboxing uses it.
    
    utils/apparmor/sandbox.py:
    - the sandboxing code itself. Of particular note is the use of classing
      to support different X servers
    
    utils/aa-sandbox.pod:
    - the corresponding man page
    
    
    = Improvements =
    * don't use sudo
    * make pulseaudio in xpra opt-in (currently it is off)
    * take advantage of upstream's 3D patches when they stabilize
    * investigate how applications can work with the Unity global menu
    * surely lots more 
    
    [1]http://xpra.org/Xdummy.html
    [2]http://xpra.org/trac/ticket/147
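As an added example (not the aa-sandbox or easyprof code from this commit), the following Python builds a profile body the way the commit message describes the dynamic mode: a `profile <foo> { ... }` header when the name is not an absolute path, an explicit deny on `~/.Xauthority`, and an allow on the per-display `~/.Xauthority-sandbox<DISPLAYNUMBER>` file. It also includes a lint that a reviewer could run over a generated profile to confirm the real Xauthority file is denied and only the per-display file is readable. The function names, the `@{HOME}` tunable usage, and the display numbers are assumptions chosen for illustration.

```python
"""Added example, not code from the commit: generate and lint a sandbox
profile with the Xauthority handling the commit message describes."""

import re
from typing import List, Optional


def xauthority_rules(display_number: int) -> List[str]:
    """The two rules -X adds: deny the real ~/.Xauthority, allow the
    per-display ~/.Xauthority-sandbox<N> file. @{HOME} comes from
    tunables/global (assumed to be included at the top of the file)."""
    if display_number < 0:
        raise ValueError("display number must be non-negative")
    return [
        "deny owner @{HOME}/.Xauthority r,",
        f"owner @{{HOME}}/.Xauthority-sandbox{display_number} r,",
    ]


def build_profile(name: str, base_rules: List[str],
                  display_number: Optional[int]) -> str:
    """Emit a profile. A non-absolute name gets the 'profile' keyword so it
    does not collide with path-attached profiles already loaded; an absolute
    path is used as-is (this mirrors the easyprof change in the commit)."""
    header = f"{name} {{" if name.startswith("/") else f"profile {name} {{"
    rules = ["#include <abstractions/base>"] + list(base_rules)
    if display_number is not None:
        rules += xauthority_rules(display_number)
    body = "\n".join("  " + r for r in rules)
    return f"#include <tunables/global>\n{header}\n{body}\n}}\n"


def check_xauthority_isolation(profile_text: str, display_number: int) -> bool:
    """Lint of intent: the real ~/.Xauthority must be denied, no allow rule
    may name it, and the per-display file must be readable. (AppArmor gives
    deny precedence over allow anyway; this catches a template that still
    grants the real file, which would be a sign the policy was not cleaned
    up.)"""
    has_deny = re.search(
        r"^\s*deny\s+.*\.Xauthority\s+\S+,\s*$", profile_text, re.M) is not None
    allows_real = re.search(
        r"^\s*(?!deny)(owner\s+)?\S*/\.Xauthority\s+[a-z]+,\s*$",
        profile_text, re.M) is not None
    allows_sandbox = re.search(
        rf"\.Xauthority-sandbox{display_number}\s+r,", profile_text) is not None
    return has_deny and not allows_real and allows_sandbox


if __name__ == "__main__":
    # Constructed sample: a named profile for xterm on sandbox display 100.
    text = build_profile("sandbox-xterm", ["/usr/bin/xterm ixr,"], 100)
    print(text)
    print("xauthority isolated:", check_xauthority_isolation(text, 100))
```

The lint deliberately keys on the rule text rather than loading anything into the kernel; it is meant to sit beside a `--templates-dir` workflow as a pre-load sanity check, while apparmor_parser remains the authority on whether the policy is syntactically valid.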