# FreeBSD Sandbox

A simple sandboxing script for FreeBSD using jail(8), allowing you to run untrusted scripts or binaries on your system while limiting the attack surface. Based on my sandbox for Linux script. Note that the primary goal is to prevent access to your home directory, not to secure against all possible attacks.
## Features

- No configuration or setup needed, simply run `sandbox.sh` in any directory.
- A sandbox is created per directory that it is run inside, so for example each directory inside `~/Projects/` can have its own sandbox.
- An immutable copy of the base OS is mounted into the sandbox, ensuring it cannot be modified from the sandbox. All sandboxes thus also inherit any OS updates automatically.
- Packages can be installed per sandbox, by creating a file called `pkg.packages` with one package per line. These packages and their dependencies are not installed into the base OS, keeping the system clutter-free.
- Your home directory is protected by not being mounted into the sandbox (except if you start the sandbox in your home directory), thus protecting access to your sensitive files (e.g. `.ssh` or `.mozilla`). Each sandbox gets its own home directory (these are stored in `~/sandboxes/...`).
- Share files using the Downloads folder. For convenience, your `~/Downloads` directory is mounted into the sandbox as read-write (which reduces security a bit, so comment out the mount line if you don't need this).
- You can customize the sandbox by creating a `sandbox.args` file to remove network access or add custom mounts into the sandbox.
## Installation

Copy the `sandbox.sh` script into your path, e.g. `~/bin` or `/usr/local/bin`. The `sudo` package is required.
## Usage

Simply `cd` into a directory you want and then run `sandbox.sh`. You can also pass a command to run as arguments, e.g. `sandbox.sh firefox https://freebsd.org`.

To install packages into the sandbox, create a file called `pkg.packages` with one package per line, e.g.

```
neofetch
vim
```

To customize the sandbox, create a file called `sandbox.args` with one parameter per line.

Supported parameters:

- `--unshare-net`: create a vnet jail to isolate the network (thus also removing internet access).
- `--bind [outside mountpoint] [inside mountpoint]`: bind a file/folder from the host OS into the sandbox as read-write.
- `--ro-bind [outside mountpoint] [inside mountpoint]`: bind a file/folder from the host OS into the sandbox as read-only.
- `--tmpfs [inside mountpoint]`: create a tmpfs mountpoint inside the sandbox (read-write).

See the examples folder for examples of usage.
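As an added example (not part of sandbox.sh or its examples folder), the following POSIX shell snippet checks a `sandbox.args` file against the parameter list above before you enter the sandbox, so a malformed line is caught early, and it prints where the per-directory sandbox for the current directory lives. It assumes two things: that the `~/sandboxes` name is formed by replacing every `/` in the directory path with `#` (the README's `#tmp` and `#home#[user]#Projects#py2` examples are consistent with this rule), and that a bind whose outside path is under `$HOME` is worth a warning, because it hands the sandbox the very directory the tool exists to protect. The `sandbox_dir` and `check_args` function names are hypothetical, and the `sandbox.args` content written by the demo is constructed.

```shell
#!/bin/sh
# Added example, not part of sandbox.sh: sanity-check a sandbox.args file
# before entering the sandbox, and show where the sandbox for a directory lives.

# sandbox_dir PATH: name of the per-directory sandbox under ~/sandboxes.
# The README shows /tmp -> #tmp and ~/Projects/py2 -> #home#[user]#Projects#py2;
# replacing every '/' with '#' reproduces both and is assumed to be the rule.
sandbox_dir() {
    printf '%s\n' "$1" | tr '/' '#'
}

# check_args FILE: validate one parameter per line against the parameters the
# README lists, printing one line per problem. Returns 0 if the file is clean.
# A bind whose outside path is under $HOME is reported as a warning only: it
# undoes the protection of the home directory but is still a valid parameter.
check_args() {
    file=$1
    rc=0
    n=0
    home=${HOME:-/nonexistent}
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        [ -n "$line" ] || continue      # blank lines are skipped here
        # shellcheck disable=SC2086
        set -- $line                    # split into parameter and its arguments
        case $1 in
            --unshare-net)
                [ $# -eq 1 ] || { echo "line $n: --unshare-net takes no arguments"; rc=1; } ;;
            --bind|--ro-bind)
                if [ $# -ne 3 ]; then
                    echo "line $n: $1 needs [outside mountpoint] [inside mountpoint]"; rc=1
                else
                    case $2 in
                        "$home"|"$home"/*)
                            echo "line $n: warning: $1 exposes $2 from your home directory" ;;
                    esac
                fi ;;
            --tmpfs)
                [ $# -eq 2 ] || { echo "line $n: --tmpfs needs [inside mountpoint]"; rc=1; } ;;
            *)
                echo "line $n: unknown parameter '$1'"; rc=1 ;;
        esac
    done < "$file"
    return $rc
}

# Stand-alone demo with a constructed sandbox.args; the last line is deliberately
# incomplete so that check_args has something to report.
demo_dir=$(mktemp -d)
printf '%s\n' '--unshare-net' \
              '--ro-bind /usr/share/fonts /usr/share/fonts' \
              '--tmpfs /scratch' \
              '--bind /etc' > "$demo_dir/sandbox.args"
echo "sandbox for $PWD would live in ~/sandboxes/$(sandbox_dir "$PWD")"
check_args "$demo_dir/sandbox.args" || echo "fix sandbox.args before running sandbox.sh"
rm -rf "$demo_dir"
```

Run it from the directory whose `sandbox.args` you want to check, or call `check_args path/to/sandbox.args` directly; a non-zero exit means at least one line would not be understood by the parameter list documented above.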
## Use cases

### Explore the sandboxing

- `cd /tmp && sandbox.sh`, then note that the `/tmp` folder is now `~/app` inside the sandbox.
- If you `ls -la ~`, you see a new home folder, and `ls -la ~/Downloads` has your downloads.
- Now `touch ~/test.txt && touch test2.txt`. Run `exit`, then `ls ~/sandboxes/#tmp/home/[user]` to find the `test.txt` file, and `ls` to find the `test2.txt` file.
### Safer browsing

Let's say you want a Firefox profile for Telegram that is separate from your main browsing profile.

- Create the folder `~/firefox/telegram`.
- `cd ~/firefox/telegram && sandbox.sh firefox https://web.telegram.org`
- Firefox opens with a new profile and no access to your real home folder.
### Development environments

Let's say you want to work on a Python 2 project, but don't want to install Python 2 on your host system.

- Create a project directory, e.g. `mkdir -p ~/Projects/py2`, and `echo python2 > ~/Projects/py2/pkg.packages`.
- Now you can enter the sandbox: `cd ~/Projects/py2 && sandbox.sh`.
- It may ask for your `sudo` password and will install Python 2 into the sandbox the first time.
- Now `python2` will run Python 2. If you exit the sandbox, Python 2 is not available, but re-enter the sandbox and it is back.

The actual packages are installed into `~/sandboxes/#home#[user]#Projects#py2`.

If you need to use `npm` for example, but are worried about all the supply-chain attacks:

- `cd ~/Projects/myproject`
- Run `sandbox.sh` first to limit the attack surface.
- Now safely run `npm install`, etc.
### Viewing e-mail attachments

Suppose you receive an e-mail attachment and you're worried it may contain active content that can track you (e.g. ping back to a server with your IP address).

- Let's use our Downloads folder for this. `cd ~/Downloads` and create a file `sandbox.args` containing: `--unshare-net`
- Save the attachment to `~/Downloads`.
- In the Downloads folder: `sandbox.sh libreoffice suspicious.xls`
## Limitations

- While the sandbox uses a jail, note that the X socket and clipboard, etc. are other attack surfaces, so you may wish to create a more secure version by removing some of the default mounts.
- If you rename any directory in the path to your sandbox, you will get new sandboxes for all sub-folders. You will need to manually rename the appropriate directories inside `~/sandboxes` to re-associate them.