apparmor.d VS firejail

If anyone want to look further into sandboxing applications on Linux, you can also look at AppArmor and the sandboxing features built into systemd.

I love this repository for bases for AppArmor profiles[1], really good work. Never found a repository as good for systemd, but there are a few around.

[1] https://github.com/roddhjav/apparmor.d

Then, categorize all your script zoo: maybe some script group want to only read the data, while some need to write, maybe one group needs to use certain set of binaries, and other group - others.

You could utilize some profiles from apparmor.d repo, but you should be slightly aware how it works (disclaimer: I'm the contributor).

Regardless, I wrote an AppArmor profile so it couldn't happen again.

Maintainer's response.

There is a project in early development: apparmor.d. Adopting some or all profiles will do the job. To use it smoothly, basic AppArmor knowledge is required. (I'm the contributor)

Dependent on the OS and Firefox distribution. I can advertise profile that I co-maintain. It uses non-standard tunables, which will require some README reading to get them into the system.

Red Hat based distros come preconfigured with a lot of SELinux policies. With AppArmor, you get basically nothing. There is a project I also contribute to from time to time, that gives you a lot more policies, but this is entirely out-of-tree (https://github.com/roddhjav/apparmor.d).

bubblewrap is designed as a low-level too. There is nothing quick and dirty about it. It disallows everything by default and you have to be explicit about what you want to share with the host. If your application needs complex permissions/resources, then you will need to have a complex bubblewrap command line.

Once you have figured out which permissions/resources you need for a given program, you can wrap the command line invocation in a shell script.

If you want other people to do the work of defining permissions/resources, then have a look at firejail: https://github.com/netblue30/firejail

Firejail is cool: https://github.com/netblue30/firejail

Linux namespaces/cgroups but nowhere near as heavy as Docker.

I use it when I want to limit the memory of a Python script:

```

Firejail can also be a useful option, though no good if you're on Mac https://firejail.wordpress.com/

Uses the same Linux primitives as docker etc, but can be a bit more ergonomic for this use case

Firejail, Flatpak (which uses Bubblewrap under the hood), and Snap (which uses AppArmor) all use the same underlying technology: Linux namespaces.

This question comes up a lot, and has been answered here: https://github.com/netblue30/firejail/wiki/Frequently-Asked-...

TL;DR: Firejail has much more comprehensive features than Flatpak (Bubblewrap). Firejail also has more comprehensive network support, support for AppArmor and SELinux, and easier seccomp filtering.

Compared to Snap (which uses AppArmor), Firejail is compatible with AppArmor and again goes above and beyond with a lot of additional features.

Wonderful little tool, too bad you must chain various exec calling tools to get cgroups (a bit akin to `ionice ... nice ... cmd`) and Linux users namespaces can't allow UNIX sockets while preventing network access (I think?).

Migrated from Firejail when its complexity annoyed me too much and I hit https://github.com/netblue30/firejail/issues/3001 (Firejail doesn't like parens or brackets in --put/--get parameters) to a badly NIH version using bwrap and bash to have "profiles":

Firejail does this. The profile database is the two "profile" directories in https://github.com/netblue30/firejail/tree/master/etc

What do you mean by a Firefox container? Do you mean FireJail?