Anyone using Arkose sandbox on Ubuntu or any distro? If so, does anyone know how secure it is? I like sandboxing, and so far the only ways I've found to do it are either using SELinux or going through the hassle of setting up a VM or Chroot. If anyone has used it and would like to pass on tips, that would be cool too! Thanks!
It seems that Arkose creates a Chroot environment for programs. It uses LXC and I've found a good bit of info here: http://lxc.sourceforge.net/
Thanks, I've been having trouble finding info on it. I am trying it right now and all seems good. I just wonder how secure it is. EDIT: Spoke too soon. Worked with ff but chrome gives:
It's like a refined Chroot. Using Chrome in it would screw things up, I assume because Chrome's SUID sandbox already uses Chroot. If you were to disable the SUID sandbox it may work... but you'd end up with a weaker sandbox.
You could always try Chromium OS in a VM lol. Chrome with seccomp doesn't really need anything else. Everything I've read on their seccomp sandbox makes it sound very thorough. I would focus on other internet-facing applications. I like that there are AppArmor profiles for system processes, that's really nice. EDIT: Try it out with something like Pidgin, I'd be curious to see how well it works.
Does it work on top of AppArmor? Stacking would be interesting because you could explicitly remove CHROOT rights. You can chroot out of a chroot lol, so it's important to revoke that ability if it isn't already. Have you read about Seccomp? It's being included in 12.04. Very cool.
Interesting. I do have a Pidgin profile in complain mode right now. I will enforce it and see what happens. I did see the post about Seccomp. Can't wait to try it out. I was just about to switch back to Fedora and this happens.
Yes, I was really tempted to move to Fedora as well for SELinux. With Seccomp + AppArmor (and possibly chroot?) I'll be very confident. Before you turn your AppArmor profile on, maybe run sudo aa-logprof? This way if there are any conflicts you can sort them out now.
Not sure I "get" how to use it. I've tried arkose-gui but I don't really understand what to do. I'm interested in setting up a separate file system for programs. I've been reading about chroot and it's very powerful and if you lock it down properly very difficult to bypass.
So far nothing I run works. Maybe I'm misunderstanding something. I am using SELinux sandbox on my Debian VM.
Yeah I don't really get it. I can't find any decent guides either. I might just Chroot my Pidgin instead.
From what I've read (although I have very limited experience using it) chroot is easily broken out of (you can chroot back out of a chroot). I read that chroot-jail adds security and is more akin to BSD jails. I was reading: https://en.wikipedia.org/wiki/Chroot and http://www.bpfh.net/simes/computing/chroot-break.html Again, I haven't used chroot much. I never had much use, besides when installing a system.
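
Added example, not part of the thread: the point raised above about revoking the ability to chroot can be checked from outside a sandboxed process by reading the capability masks in /proc/<pid>/status and testing the CAP_SYS_CHROOT bit. The two status excerpts are constructed samples, and the function names are this example's own.

```python
import re

CAP_SYS_CHROOT = 18  # bit number of CAP_SYS_CHROOT in linux/capability.h

# Constructed sample: root process inside a plain chroot, nothing dropped.
PLAIN_CHROOT = """Name:\tpidgin
Uid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t0000003fffffffff
CapEff:\t0000003fffffffff
CapBnd:\t0000003fffffffff
"""

# Constructed sample: same process after the launcher dropped CAP_SYS_CHROOT
# from every set, including the bounding set.
CHROOT_DROPPED = """Name:\tpidgin
Uid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t0000003ffffbffff
CapEff:\t0000003ffffbffff
CapBnd:\t0000003ffffbffff
"""

def cap_sets(status_text):
    """Return {'CapEff': int, ...} parsed from /proc/<pid>/status text."""
    pattern = r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$"
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(pattern, status_text, re.M)}

def chroot_exposure(status_text):
    """Report whether the process holds CAP_SYS_CHROOT or could regain it."""
    sets = cap_sets(status_text)
    if "CapEff" not in sets or "CapBnd" not in sets:
        raise ValueError("no capability lines in status text")
    bit = 1 << CAP_SYS_CHROOT
    return {
        # Effective set: chroot(2) is permitted right now.
        "can_chroot_now": bool(sets["CapEff"] & bit),
        # Bounding set: exec of a setuid or file-capability binary
        # could still hand the capability back.
        "in_bounding_set": bool(sets["CapBnd"] & bit),
    }

if __name__ == "__main__":
    for name, text in (("plain", PLAIN_CHROOT), ("dropped", CHROOT_DROPPED)):
        print(name, chroot_exposure(text))
    with open("/proc/self/status") as fh:  # live check of this process
        print("self", chroot_exposure(fh.read()))
```

This only sees capabilities removed from the process's sets. An AppArmor profile that omits the sys_chroot capability denies the call at use time without changing these masks, so confirm that separately, for example with aa-status.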