Any one using Arkose sandbox?

Any one using Arkose sandbox on Ubuntu or any distro? If so does anyone know how secure it is? I like sandboxing, and so far the only ways I've found to do it are either using selinux or going through the hassle of setting up a VM or Chroot.

If anyone has used it and would like to pass on tips that would cool too!

Thanks!

 

It seems that Arkose creates a Chroot environment for programs.

It uses LXC and I've found a good bit of info here:
http://lxc.sourceforge.net/

 

Thanks i've been having trouble finding info on it. I am trying it right now and all seems good. I just wonder how secure it is.

EDIT:

Spoke to soon. Worked with ff but chrome gives:

 

It's like a refined Chroot. Using Chrome in it would screw things up, I assume because Chrome's SUID sandbox already uses Chroot.

If you were to disable the SUID sandbox it may work... but you'd end up with a weaker sandbox.

 

Wow fail on my part, I didn't even think of that lol I think I will stick with chrome and VM's.

 

You could always try Chromium OS in a VM lol

Chrome with seccomp doesn't really need anything else. Everything I've read on their seccomp sandbox makes it sounds very thorough.

I would focus on other internet facing applications. I like that there are apparmor profiles for system processes, that's really nice.

EDIT: Try it out with something like Pidgin, I'd be curious to see how well it works.

 

Worked well with pidgin. I should try a vulnerable version and see if I can break out of Arkose.

 

Does it work on top of AppArmor? Stacking would be interesting because you could explicitly remove CHROOT rights. You can chroot out of a chroot lol so it's important to revoke that ability if it isn't already.

Have you read about Seccomp? It's being including in 12.04. Very cool.

 

Interesting. I do have pidgin profile in complain mode right now. I will enforce it and see what happens.

I did see the post about Seccomp. Can't wait to try it out. I was just about to switch back to Fedora and this happens

 

Yes, I was really tempted to move to Fedora as well for SELinux. With Seccomp + Apparmor (and possible chroot?) I'll be very confident.

Before you turn your apparmor profile on maybe run sudo aa-logprof? This way if there are any conflicts you can sort them out now.

 

Not sure I "get" how to use it. I've tried arkose-gui but I don't really understand what to do.

I'm interested in setting up a separate file system for programs. I've been reading about chroot and it's very powerful and if you lock it down properly very difficult to bypass.

 

So far nothing I run works. Maybe I'm miss understanding something. I am using SeLinux sandbox on my Debian VM.

 

Yeah I don't really get it. I can't find any decent guides either. I might just Chroot my Pidgin instead.

 

From what I've read (although I have very limited experiencing using it) chroot is easily broken out of (you can chroot back out of a chroot). I read that chroot-jail adds security and is more akin to bsdjails.

I was reading:
https://en.wikipedia.org/wiki/Chroot

and http://www.bpfh.net/simes/computing/chroot-break.html

Again I haven't used chroot much. I never had much use, besides when installing a system.