Anyone using Arkose sandbox?

Discussion in 'all things UNIX' started by x942, Mar 16, 2012.

Thread Status:
Not open for further replies.
  1. x942

    x942 Guest

    Anyone using Arkose sandbox on Ubuntu or any distro? If so, does anyone know how secure it is? I like sandboxing, and so far the only ways I've found to do it are either using SELinux or going through the hassle of setting up a VM or chroot.

    If anyone has used it and would like to pass on tips, that would be cool too!

    Thanks!
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    It seems that Arkose creates a Chroot environment for programs.

    It uses LXC and I've found a good bit of info here:
    http://lxc.sourceforge.net/
     
  3. x942

    x942 Guest

    Thanks, I've been having trouble finding info on it. I am trying it right now and all seems good. I just wonder how secure it is.

    EDIT:

    Spoke too soon. Worked with ff but Chrome gives:

     
    Last edited by a moderator: Mar 16, 2012
  4. Hungry Man

    Hungry Man Registered Member

    It's like a refined Chroot. Using Chrome in it would screw things up, I assume because Chrome's SUID sandbox already uses Chroot.

    If you were to disable the SUID sandbox it may work... but you'd end up with a weaker sandbox.
     
  5. x942

    x942 Guest

    Wow, fail on my part, I didn't even think of that lol. I think I will stick with Chrome and VMs.
     
  6. Hungry Man

    Hungry Man Registered Member

    You could always try Chromium OS in a VM lol

    Chrome with seccomp doesn't really need anything else. Everything I've read on their seccomp sandbox makes it sound very thorough.

    I would focus on other internet-facing applications. I like that there are AppArmor profiles for system processes, that's really nice.

    EDIT: Try it out with something like Pidgin, I'd be curious to see how well it works.
     
    Last edited: Mar 17, 2012
  7. x942

    x942 Guest

    Worked well with Pidgin. I should try a vulnerable version and see if I can break out of Arkose.
     
  8. Hungry Man

    Hungry Man Registered Member

    Does it work on top of AppArmor? Stacking would be interesting because you could explicitly remove CHROOT rights. You can chroot out of a chroot lol so it's important to revoke that ability if it isn't already.

    Have you read about Seccomp? It's being included in 12.04. Very cool.
     
  9. x942

    x942 Guest

    Interesting. I do have a Pidgin profile in complain mode right now. I will enforce it and see what happens.

    I did see the post about Seccomp. Can't wait to try it out. I was just about to switch back to Fedora and this happens :thumb:
     
  10. Hungry Man

    Hungry Man Registered Member

    Yes, I was really tempted to move to Fedora as well for SELinux. With Seccomp + AppArmor (and possibly chroot?) I'll be very confident.

    Before you turn your AppArmor profile on maybe run sudo aa-logprof? This way if there are any conflicts you can sort them out now.
     
  11. Hungry Man

    Hungry Man Registered Member

    Not sure I "get" how to use it. I've tried arkose-gui but I don't really understand what to do.

    I'm interested in setting up a separate file system for programs. I've been reading about chroot and it's very powerful and if you lock it down properly very difficult to bypass.
     
  12. x942

    x942 Guest

    So far nothing I run works. Maybe I'm misunderstanding something. I am using SELinux sandbox on my Debian VM.
     
  13. Hungry Man

    Hungry Man Registered Member

    Yeah I don't really get it. I can't find any decent guides either. I might just Chroot my Pidgin instead.
     
  14. x942

    x942 Guest

    From what I've read (although I have very limited experience using it) chroot is easily broken out of (you can chroot back out of a chroot). I read that chroot-jail adds security and is more akin to BSD jails.

    I was reading:
    https://en.wikipedia.org/wiki/Chroot

    and http://www.bpfh.net/simes/computing/chroot-break.html

    Again I haven't used chroot much. I never had much use, besides when installing a system.
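
Added example, not part of the thread and not code from Arkose or any poster: posts 8 and 14 both turn on whether a confined process can still call chroot(2), which on Linux requires CAP_SYS_CHROOT. This Python script reads the capability masks, seccomp mode and no_new_privs flag from `/proc/<pid>/status`; the two sample status texts are constructed, and the function names are this example's own.

```python
import sys

CAP_SYS_CHROOT = 18  # bit number from <linux/capability.h>
SECCOMP_MODES = {"0": "disabled", "1": "strict", "2": "filter"}

# Constructed sample: root process, full capability sets, no seccomp.
SAMPLE_ROOT = (
    "Name:\tpidgin\nUid:\t0\t0\t0\t0\n"
    "CapPrm:\t0000003fffffffff\nCapEff:\t0000003fffffffff\n"
    "CapBnd:\t0000003fffffffff\nNoNewPrivs:\t0\nSeccomp:\t0\n"
)
# Constructed sample: same process with bit 18 cleared in every set,
# no_new_privs set and a seccomp filter installed.
SAMPLE_HARDENED = (
    "Name:\tpidgin\nUid:\t0\t0\t0\t0\n"
    "CapPrm:\t0000003ffffbffff\nCapEff:\t0000003ffffbffff\n"
    "CapBnd:\t0000003ffffbffff\nNoNewPrivs:\t1\nSeccomp:\t2\n"
)


def parse_status(text):
    """Turn 'Key:<tab>value' lines into a dict of stripped strings."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def audit(text):
    """Report which capability sets still hold CAP_SYS_CHROOT, plus seccomp state."""
    f = parse_status(text)
    holders = [s for s in ("CapEff", "CapPrm", "CapBnd")
               if s in f and (int(f[s], 16) >> CAP_SYS_CHROOT) & 1]
    return {
        # CapEff: chroot(2) is permitted right now. CapPrm: the process can
        # raise it again. CapBnd: it may be regained across an execve().
        "chroot_caps": holders,
        "can_chroot_now": "CapEff" in holders,
        "seccomp": SECCOMP_MODES.get(f.get("Seccomp"), "unknown"),
        "no_new_privs": f.get("NoNewPrivs") == "1",
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:  # audit a live process: script.py <pid>
        with open(f"/proc/{sys.argv[1]}/status") as fh:
            print(audit(fh.read()))
    else:
        for label, text in (("root", SAMPLE_ROOT), ("hardened", SAMPLE_HARDENED)):
            print(label, audit(text))
```

Run with a PID to check a process started inside the sandbox; an empty `chroot_caps` list means the capability has been revoked from the effective, permitted and bounding sets.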
     