sandbox-app-launcher - Sandboxed Application Launcher
sandbox-app-launcher is an application launcher that starts each app inside its own restrictive sandbox. It runs each app as its own user, in a bubblewrap sandbox and confined by AppArmor.

Introduction
sandbox-app-launcher is an application launcher that can start each application inside its own restrictive sandbox. It runs each application as its own user, within a bubblewrap sandbox and confined by AppArmor.
This launcher is geared towards end-user applications, not system software. The directory /shared is shared across all application sandboxes to transfer files between them.
This implements a permissions system to configure what applications can access. There are currently five available permissions:
- network access;
- webcam access;
- microphone access;
- shared storage access (read-only or read-write); and
- dynamic native code execution.
All user-installed applications will be automatically configured to run in the sandbox and a prompt will ask which permissions should be granted to the application (not implemented yet).
The launcher is currently a work-in-progress and is not yet ready for actual use. To learn more, see:
- https://github.com/Kicksecure/sandbox-app-launcher
- https://forums.whonix.org/t/system-wide-sandboxing-framework-sandbox-app-launcher/9008
Design
Bubblewrap allows developers to make use of namespaces and seccomp. All applications are run in mount, PID, cgroup and UTS namespaces; IPC namespaces are planned but are not currently implemented due to limitations in Xorg. Fine-grained filesystem restrictions are implemented via mount namespaces and AppArmor. Seccomp blocks certain syscalls, which among other things can greatly reduce kernel attack surface.
All applications by default use a seccomp whitelist to block dangerous and unused syscalls. In addition, the arguments of some syscalls are filtered to:
- block unused socket address families;
- block any dangerous or unused ioctls, such as TIOCSTI (can be used in sandbox escapes), TIOCSETD (can increase kernel attack surface by loading vulnerable line disciplines), SIOCGIFHWADDR (can retrieve the user's MAC address), etc.; and
- implement W^X (explained in detail further below).
AppArmor also gives fine-grained control over IPC signals, D-Bus, UNIX sockets, ptrace and more.
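To illustrate the seccomp argument filtering described above, here is an added example (not code from sandbox-app-launcher or bubblewrap) of a raw seccomp-BPF filter in C that refuses the ioctl requests TIOCSTI, TIOCSETD and SIOCGIFHWADDR, refuses socket() for address families other than AF_UNIX, AF_INET and AF_INET6, and then probes the filter in a forked child. It assumes Linux on x86_64 or aarch64 with little-endian syscall-argument layout; the allowed-family set and the EPERM (rather than kill) action are choices made for the demonstration, not the launcher's actual policy.

```c
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#ifdef __aarch64__
#define SECCOMP_ARCH AUDIT_ARCH_AARCH64
#else
#define SECCOMP_ARCH AUDIT_ARCH_X86_64 /* assumption: x86_64 when not building for aarch64 */
#endif
#define ARG(n) (offsetof(struct seccomp_data, args) + 8 * (n)) /* low 32 bits of arg n (little-endian assumed) */
#define LD(off) BPF_STMT(BPF_LD | BPF_W | BPF_ABS, (off))
#define JEQ(k, jt, jf) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (k), (jt), (jf))
#define RET(v) BPF_STMT(BPF_RET | BPF_K, (v))
static struct sock_filter filter_prog[] = { /* jumps are relative to the next instruction; 16 = deny (EPERM), 17 = allow */
    LD(offsetof(struct seccomp_data, arch)), JEQ(SECCOMP_ARCH, 1, 0), RET(SECCOMP_RET_KILL), /* 0-2: wrong ABI dies */
    LD(offsetof(struct seccomp_data, nr)), JEQ(__NR_ioctl, 0, 5),                          /* 3-4: not ioctl -> 10 */
    LD(ARG(1)), JEQ(TIOCSTI, 9, 0), JEQ(TIOCSETD, 8, 0), JEQ(SIOCGIFHWADDR, 7, 0),          /* 5-8: request code */
    RET(SECCOMP_RET_ALLOW),                                                                 /* 9: any other ioctl */
    LD(offsetof(struct seccomp_data, nr)), JEQ(__NR_socket, 0, 5),                         /* 10-11: not socket -> 17 */
    LD(ARG(0)), JEQ(AF_UNIX, 3, 0), JEQ(AF_INET, 2, 0), JEQ(AF_INET6, 1, 0),               /* 12-15: address family */
    RET(SECCOMP_RET_ERRNO | EPERM), RET(SECCOMP_RET_ALLOW),                                  /* 16: deny, 17: allow */
};
#define PROG_LEN (sizeof filter_prog / sizeof filter_prog[0])
/* Installs the filter into the calling process (irreversible); returns 0 on success. */
int install_filter(void) {
    struct sock_fprog fprog = { .len = PROG_LEN, .filter = filter_prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}
/* Runs three probes in a forked child so the caller stays unfiltered; returns 7 when all behave as intended, 100 if the kernel refused the filter. */
int probe_in_child(void) {
    pid_t pid = fork();
    if (pid == 0) {
        int r = 0; char c = 'x';
        if (install_filter()) _exit(100);
        if (ioctl(0, TIOCSTI, &c) < 0 && errno == EPERM) r |= 1;           /* listed ioctl refused */
        if (socket(AF_NETLINK, SOCK_RAW, 0) < 0 && errno == EPERM) r |= 2; /* unlisted family refused */
        if (socket(AF_UNIX, SOCK_STREAM, 0) >= 0) r |= 4;                  /* listed family still works */
        _exit(r);
    }
    int status = 0; waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Without the filter, ioctl(0, TIOCSTI, ...) on a non-tty fails with ENOTTY and the AF_NETLINK socket succeeds, so a probe result of 7 shows the argument checks, not the kernel's own permission checks, are what refused them.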
Sandbox Escape Mitigation
Table: Sandboxed Application Launcher Mitigations
Sandbox Escape Vector | Mitigation
---|---
D-Bus | 
Dynamic Native Code Execution | Dynamic native code execution is generally a security issue, since it allows an attacker to execute new arbitrary code. This is prevented by the W^X mechanisms (see Design), which force attackers to reuse already existing code (e.g. return-oriented programming, ROP).
Malware Persistence | The only places malware can persist inside the sandbox are the home directory or shared storage (if enabled as read-write), and it can only ever be executed if W^X is disabled. Everything else is mounted read-only or as a tmpfs.
PulseAudio | 
Separate User per Sandboxed Application | This approach provides a higher security threshold. [3]
X11 | 
Installation
Install sandbox-app-launcher. To accomplish that, the following steps A. to D. need to be done.
A. Update the package lists.
sudo apt update
B. Upgrade the system.
sudo apt full-upgrade
C. Install the sandbox-app-launcher package. Using the apt command line parameter --no-install-recommends is in most cases optional.
sudo apt install --no-install-recommends sandbox-app-launcher
D. Done. The procedure of installing sandbox-app-launcher is complete.
Usage
Setup
For example, to set up a sandbox for firefox, run:
sudo sandbox-app-launcher setup firefox
Use
For example, to start firefox using sandbox-app-launcher, run:
sandbox-app-launcher start firefox
To show all sandboxes:
sandbox-app-launcher list
To delete the user data of a sandbox:
sudo sandbox-app-launcher remove firefox
Development Discussion
https://forums.whonix.org/t/system-wide-sandboxing-framework-sandbox-app-launcher/9008
References
[1] One such example is: https://github.com/netblue30/firejail/issues/796
[2] https://www.freedesktop.org/wiki/Software/PulseAudio/Documentation/Developer/AccessControl/
[3] https://forums.whonix.org/t/system-wide-sandboxing-framework-sandbox-app-launcher/9008/265
[4] https://theinvisiblethings.blogspot.com/2011/04/linux-security-circus-on-gui-isolation.html
[5] https://forums.whonix.org/t/use-xfce-with-wayland/9063