Sandboxing is a technique for confining an application to specific resources, protecting the operating system from vulnerabilities and threats.

  1. AppArmor
    1. Uses profiles that define what a known application needs to perform its tasks and provides only those minimum resources.
  2. Firejail
    1. An incredibly easy way to spin up an application from the terminal with as few arguments as needed.

Additionally I also mentioned how to use iptables to restrict applications by uid or gid so they can only use a VPN connection (tun0 from OpenVPN), and the application called proxychains, which tunnels all traffic over a proxy server or even the Tor network.


APPARMOR

AppArmor is a kernel enhancement that sandboxes applications by giving each one only the minimum set of resources it needs to perform its tasks, and nothing else.

sudo apt install apparmor-profiles apparmor-utils -y
sudo aa-status

To enforce all profiles or a single profile use the following syntax:

sudo aa-enforce /etc/apparmor.d/*
sudo aa-enforce /etc/apparmor.d/usr.sbin.traceroute
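Before switching a profile to enforce mode it pays to see what it actually blocks. The following is an added example, not part of the original post: a POSIX shell function that reads AppArmor audit lines (as printed by journalctl -k or found in /var/log/audit/audit.log) and counts events per profile, operation and path. The log lines and the function names are constructed for this example; only the traceroute profile name comes from the post.

```shell
# Added example, not part of the original post. Summarise AppArmor audit
# events so you can see what a profile blocks (or, in complain mode, what it
# would block) before running aa-enforce on it.
# Real usage:  journalctl -k | summarize_denials
#              journalctl -k | summarize_denials ALLOWED   # complain-mode preview

# summarize_denials [STATUS]   (STATUS defaults to DENIED)
# Reads log lines on stdin and prints "<count> <profile> <operation> <name>",
# most frequent first. Events without a name= field (e.g. network) show "-".
summarize_denials() {
    want=${1:-DENIED}
    awk -v want="$want" '
        # Return the value of key="value" from an audit line, or "" if absent.
        function field(line, key,    re) {
            re = key "=\"[^\"]*\""
            if (match(line, re))
                return substr(line, RSTART + length(key) + 2, RLENGTH - length(key) - 3)
            return ""
        }
        $0 ~ ("apparmor=\"" want "\"") {
            prof = field($0, "profile")
            op   = field($0, "operation")
            name = field($0, "name")
            if (name == "") name = "-"
            count[prof " " op " " name]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# Constructed sample (not real log data): two repeated file denials, one
# complain-mode ALLOWED event and one network denial without a name= field.
SAMPLE_LOG='kernel: audit: type=1400 audit(1700000000.101:21): apparmor="DENIED" operation="open" profile="/usr/sbin/traceroute" name="/etc/shadow" pid=1201 comm="traceroute" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
kernel: audit: type=1400 audit(1700000000.102:22): apparmor="DENIED" operation="open" profile="/usr/sbin/traceroute" name="/etc/shadow" pid=1201 comm="traceroute" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
kernel: audit: type=1400 audit(1700000000.103:23): apparmor="ALLOWED" operation="open" profile="/usr/bin/evince" name="/home/user/doc.pdf" pid=1300 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
kernel: audit: type=1400 audit(1700000000.104:24): apparmor="DENIED" operation="create" profile="/usr/bin/evince" pid=1300 comm="evince" family="inet" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"'

# Run the summary over the constructed sample; STATUS is passed through.
demo_summary() {
    printf '%s\n' "$SAMPLE_LOG" | summarize_denials "$1"
}

demo_summary
```

A profile in complain mode logs the operations it would have blocked with apparmor="ALLOWED", so running the summary with ALLOWED on a complain-mode profile previews what aa-enforce will start rejecting; a clean preview is the signal that the profile is ready to enforce.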

FIREJAIL

Firejail is a SUID program that reduces the risk of security breaches by restricting the running environment of untrusted or vulnerable applications with low overhead.

sudo apt install firejail firejail-profiles -y
firejail --help

Execute any application with Firejail to apply restrictions or limitations:

firejail --net=none firefox
firejail --net=tun0 firefox

Other examples:

firejail --private --dns=8.8.8.8 --hosts-file=/etc/hosts firefox
firejail --net=eth0 --defaultgw=192.168.1.1 firefox
firejail --cpu=2,3 firefox

Limiting bandwidth:

firejail --name=slow --private --net=eth0 firefox -no-remote
firejail --bandwidth=slow set eth0 200 100

Optionally, create a bridge network (using bridge-utils and uml-utilities) attached to the VPN interface and force the desired application over the bridge interface.


BONUS

Restrict the desired application to only run through the desired network interface such as a VPN, for example.

sudo iptables -A OUTPUT -m owner --uid-owner debian-transmission \! -o tun0 -j REJECT
sudo -u debian-transmission transmission-gtk &

Or add rules so the application is still reachable from the local network on specific ports while it may only use the VPN interface to reach the Internet.

sudo iptables -A OUTPUT -d 192.168.0.0/16 -p tcp --sport 9091 -m owner --gid-owner debian-transmission -o wlan0 -j ACCEPT
sudo iptables -A OUTPUT -d 192.168.0.0/16 -p udp --sport 9091 -m owner --gid-owner debian-transmission -o wlan0 -j ACCEPT
sudo iptables -A OUTPUT -m owner --gid-owner debian-transmission -o tun0 -j ACCEPT
sudo iptables -A OUTPUT -m owner --gid-owner debian-transmission -o lo -j ACCEPT
sudo iptables -A OUTPUT -m owner --gid-owner debian-transmission -j REJECT
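These five rules are order-sensitive and easy to append twice. As an added example, not from the original post, the following POSIX shell functions render the same per-group policy as an iptables-restore ruleset, check that the catch-all REJECT is the last rule, and apply it only if it is not already loaded. The values debian-transmission, tun0, wlan0, 192.168.0.0/16 and 9091 come from the post; the function names are my own and iptables/iptables-restore are assumed to be on PATH.

```shell
# Added example, not part of the original post. Generate, check and apply the
# "this group may only leave through the VPN" OUTPUT rules as a ruleset.

# owner_vpn_rules GROUP VPN_IF LAN_IF LAN_CIDR LAN_PORT
#   Print a filter-table ruleset. Order matters: every ACCEPT must come before
#   the final catch-all REJECT. That REJECT is also what makes this a kill
#   switch: if the VPN interface disappears, the group's traffic is refused
#   instead of falling back to the default route.
owner_vpn_rules() {
    grp=$1 vpn=$2 lan=$3 cidr=$4 port=$5
    printf '%s\n' '*filter'
    # Replies from the local service port (e.g. a web UI) to LAN clients
    printf '%s\n' "-A OUTPUT -d $cidr -p tcp --sport $port -m owner --gid-owner $grp -o $lan -j ACCEPT"
    printf '%s\n' "-A OUTPUT -d $cidr -p udp --sport $port -m owner --gid-owner $grp -o $lan -j ACCEPT"
    # Everything else only via the tunnel or loopback
    printf '%s\n' "-A OUTPUT -m owner --gid-owner $grp -o $vpn -j ACCEPT"
    printf '%s\n' "-A OUTPUT -m owner --gid-owner $grp -o lo -j ACCEPT"
    # Last: whatever is still unmatched for this group is rejected
    printf '%s\n' "-A OUTPUT -m owner --gid-owner $grp -j REJECT"
    printf '%s\n' 'COMMIT'
}

# reject_is_last < ruleset
#   Exit 0 only if the final OUTPUT rule is a REJECT; an ACCEPT placed after
#   the REJECT would never be reached.
reject_is_last() {
    awk '/^-A OUTPUT/ { last = $0 } END { exit (last ~ /-j REJECT$/) ? 0 : 1 }'
}

# apply_owner_vpn_rules GROUP VPN_IF LAN_IF LAN_CIDR LAN_PORT
#   Load the ruleset without flushing existing chains, skipping if the
#   group's catch-all REJECT is already present (iptables -C = check).
apply_owner_vpn_rules() {
    grp=$1
    if iptables -C OUTPUT -m owner --gid-owner "$grp" -j REJECT 2>/dev/null; then
        echo "rules for group $grp already present" >&2
        return 0
    fi
    owner_vpn_rules "$@" | reject_is_last || { echo "bad rule order" >&2; return 1; }
    owner_vpn_rules "$@" | iptables-restore --noflush
}

# Print the ruleset for review (apply_owner_vpn_rules needs root and a live host)
owner_vpn_rules debian-transmission tun0 wlan0 192.168.0.0/16 9091
```

Review the printed ruleset and `iptables-save` output before trusting it. These rules only cover IPv4: unless the host also carries an equivalent ip6tables set or has IPv6 disabled, traffic from that group over IPv6 is not restricted at all.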

See also the next post with examples of usage and configuration for ProxyChains [Link] to learn how to restrict a specific application to strictly use the Tor Network.