26/07/2023, 17:22 Locking Down Linux: Using Ubuntu as Your Primary OS, Part 3 (Application Hardening & Sandboxing)

oxing) « Null…

CYBER WEAPONS LAB  

NULL BYTE

LO C K I N G D OWN L I N U X

Using Ubuntu as Your Primary OS, Part 3

(Application Hardening & Sandboxing)
BY TOKYONEON  07/03/2018 7:39 PM  12/03/2020 6:09 PM CYBER WEAPONS LAB KALI ALTERNATIVES

O nce you've installed Ubuntu with security in mind and reduced the possibility of network
attacks on your system, you can start thinking about security on an application level. If a
malicious file is opened on your system, will an attacker be able to access every file on the
computer? The chances are much slimmer if you put the proper defenses in place.

In this third part of our mini-series on strengthening your primary Ubuntu installation, you'll
learn how Ubuntu package repositories work, which repos you should avoid, and how to
update. You'll also see how to import additional AppArmor profiles to limit resources that apps
can use and create sandboxes to isolate unsafe applications from the operating system
completely.

If you missed the beginning of this article series, you should check out the first part to learn
more about my motivations for starting this four-part guide.

Part 2: Using Ubuntu as Your Primary OS, Part 2 (Network Attack Defense)

https://null-byte.wonderhowto.com/how-to/locking-down-linux-using-ubuntu-as-your-primary-os-part-3-application-hardening-s… 1/13
26/07/2023, 17:22 Locking Down Linux: Using Ubuntu as Your Primary OS, Part 3 (Application Hardening & Sandboxing) « Null…

Protect Your Ubuntu System with AppArmor & Firejail [Tutorial]

Step 1

Install the Lastest System Updates

Part of keeping your system secured is simply ensuring the latest package and application
updates are installed.

If you're coming from Windows 10, you'll be used to downloading and installing new
applications from random websites. This practice is inherently unsafe. Unsigned, unverified
applications distributed by one source creates the potential for supply chain attacks.

Linux handles installing software differently. Ubuntu uses several repositories (servers) that
contain packages (software and dependencies) audited by Canonical, Ubuntu developers, and
the security team. Not all of Ubuntu's repositories are audited by the Ubuntu team, however.

The Ubuntu repositories are set up in the following categories:

Main: The main component contains applications that are free software, can be freely
redistributed, and are fully supported by the Ubuntu team. This includes the most popular
and most reliable open-source applications available, many of which are included by
https://null-byte.wonderhowto.com/how-to/locking-down-linux-using-ubuntu-as-your-primary-os-part-3-application-hardening-s… 2/13
26/07/2023, 17:22 Locking Down Linux: Using Ubuntu as Your Primary OS, Part 3 (Application Hardening & Sandboxing) « Null…

default when installing Ubuntu. The software in Main includes a hand-selected list of
applications that the Ubuntu developers, community, and users feel are most important
and that the Ubuntu security team are willing to support. When we install software from
the Main repository, we're assured that the software will come with security updates and
that support is available from Canonical.
Universe: The Universe repository is a collection of free, open-source software. It houses
almost every piece of open-source software, all built from a range of public sources.
Canonical will provide regular security updates for software in the Universe repo when
made available by the community. Popular or well-supported pieces of software will move
from Universe into Main if they are backed by maintainers willing to meet the Ubuntu
team's standards.
Restricted: Ubuntu's commitment is only to promote free software, i.e., software available
under a free license. However, they make exceptions for a small set of tools and drivers
that make it possible to install Ubuntu and its free applications on everyday hardware.
These proprietary drivers are kept in the Restricted repository. Please note that it may not
be possible to provide complete support for this software because Ubuntu developers
cannot fix the software; they can only forward problem reports to the actual authors.
Ubuntu developers will only use non-open-source software when there is no other way to
install Ubuntu. The Ubuntu team works with vendors to accelerate the open-sourcing of
their software to ensure that as much software as possible is available under a free
license.
Multiverse: The Multiverse repository contains software that is not free, which means this
software's licensing requirements do not meet the Ubuntu license policy. The
responsibility is on you to verify your rights to use this software and comply with the
copyright holder's licensing terms. This software is not supported and usually cannot be
fixed or updated. Use it at your own risk.
Disabling Unsafe Repositories
Before updating any packages, open the "Software & Updates" window and disable the
"multiverse" and "restricted" repositories in the "Ubuntu Software" tab. These repositories
distribute closed-source software, can't be audited, and sometimes require non-free (paid) user
licenses.

https://null-byte.wonderhowto.com/how-to/locking-down-linux-using-ubuntu-as-your-primary-os-part-3-application-hardening-s… 3/13
26/07/2023, 17:22 Locking Down Linux: Using Ubuntu as Your Primary OS, Part 3 (Application Hardening & Sandboxing) « Null…

Then, head over to the "Other Software" tab and uncheck the "Canonical Partners" options.

Disabling Backports
Backports offers a way to selectively provide newer versions of software for older Ubuntu
releases. Most commonly, the Backports team will provide new versions of standalone
applications which can be safely updated without impacting the rest of the system. However,
the Ubuntu security team does not update packages in Backports. For that reason, disabling
backports is recommended. In the "Update" tab, make sure "bionic-backports" is unchecked.

https://null-byte.wonderhowto.com/how-to/locking-down-linux-using-ubuntu-as-your-primary-os-part-3-application-hardening-s… 4/13
26/07/2023, 17:22 Locking Down Linux: Using Ubuntu as Your Primary OS, Part 3 (Application Hardening & Sandboxing) « Null…

By default, Ubuntu should download and update security updates automatically on a daily
basis.
Manually Checking for Updates
To check for updates manually, use the sudo apt update && sudo apt dist-upgrade command.

~$ sudo apt update && sudo apt dist-upgrade

Hit:1 http://nz.archive.ubuntu.com/ubuntu bionic InRelease

Hit:2 http://nz.archive.ubuntu.com/ubuntu bionic-updates InRelease
Hit:3 http://security.ubuntu.com/ubuntu bionic-security InRelease
Reading package lists... Done
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

Step 2

Use AppArmor Profiles

AppArmor is a kernel enhancement that confines applications and programs to a limited set of
resources. For example, using AppArmor, it's possible to restrict a PDF viewer from accessing
the internet and predefined directories on the OS. If a malicious PDF is opened, it won't be
allowed to view certain directories or exfiltrate data the attacker's server. AppArmor is already

https://null-byte.wonderhowto.com/how-to/locking-down-linux-using-ubuntu-as-your-primary-os-part-3-application-hardening-s… 5/13
26/07/2023, 17:22 Locking Down Linux: Using Ubuntu as Your Primary OS, Part 3 (Application Hardening & Sandboxing) « Null…

installed and enabled in every Ubuntu installation. This can be verified using the below
command.

~$ sudo aa-status

Installing Additional AppAmrmor Profiles

Use the sudo apt install apparmor-profiles apparmor-utils command to add more AppArmor
profiles.

~$ sudo apt install apparmor-profiles apparmor-utils

Reading package lists... Done

Building dependency tree
Reading state information... Done
The following additional packages will be installed:
python3-apparmor (2.12-4ubuntu5)
python3-libapparmor (2.12-4ubuntu5)
Suggested packages:
vim-addon-manager (0.5.7)
The following NEW packages will be installed:
apparmor-profiles (2.12-4ubuntu5)
apparmor-utils (2.12-4ubuntu5)
python3-apparmor (2.12-4ubuntu5)
python3-libapparmor (2.12-4ubuntu5)
0 upgraded, 4 newly installed, 0 to remove and 0 not upgraded.
Need to get 189 kB of archives.
After this operation, 1,329 kB of additional disk space will be used.
Do you want to continue? [Y/n] y

Enabling Every Profile

Then, use the following aa-enforce command to enable all of the newly added profiles.

~$ sudo aa-enforce /etc/apparmor.d/*

Profile for /etc/apparmor.d/abstractions not found, skipping

Profile for /etc/apparmor.d/apache2.d not found, skipping
Setting /etc/apparmor.d/bin.ping to enforce mode.
Profile for /etc/apparmor.d/cache not found, skipping
Profile for /etc/apparmor.d/disable not found, skipping
Profile for /etc/apparmor.d/force-complain not found, skipping
Profile for /etc/apparmor.d/local not found, skipping
Setting /etc/apparmor.d/sbin.dhclient to enforce mode.
Setting /etc/apparmor.d/sbin.klogd to enforce mode.
Setting /etc/apparmor.d/sbin.syslogd to enforce mode.
Setting /etc/apparmor.d/sbin.syslog-ng to enforce mode.
Setting /etc/apparmor.d/snap.core.4830.usr.lib.snapd.snap-confine to enforce mod

https://null-byte.wonderhowto.com/how-to/locking-down-linux-using-ubuntu-as-your-primary-os-part-3-application-hardening-s… 6/13
26/07/2023, 17:22 Locking Down Linux: Using Ubuntu as Your Primary OS, Part 3 (Application Hardening & Sandboxing) « Null…

Profile for /etc/apparmor.d/tunables not found, skipping

Setting /etc/apparmor.d/usr.bin.chromium-browser to enforce mode.
Setting /etc/apparmor.d/usr.bin.evince to enforce mode.
Setting /etc/apparmor.d/usr.bin.firefox to enforce mode.
Setting /etc/apparmor.d/usr.bin.man to enforce mode.
Setting /etc/apparmor.d/usr.lib.dovecot.anvil to enforce mode.
Setting /etc/apparmor.d/usr.lib.dovecot.auth to enforce mode.
Setting /etc/apparmor.d/usr.lib.dovecot.config to enforce mode.
Setting /etc/apparmor.d/usr.lib.dovecot.deliver to enforce mode.
Setting /etc/apparmor.d/usr.lib.dovecot.dict to enforce mode.
Setting /etc/apparmor.d/usr.lib.dovecot.dovecot-auth to enforce mode.
Setting /etc/apparmor.d/usr.lib.dovecot.dovecot-lda to enforce mode.
Setting /etc/apparmor.d/usr.lib.dovecot.imap to enforce mode.
Setting /etc/apparmor.d/usr.lib.dovecot.imap-login to enforce mode.
Setting /etc/apparmor.d/usr.lib.dovecot.lmtp to enforce mode.
Setting /etc/apparmor.d/usr.lib.dovecot.log to enforce mode.
Setting /etc/apparmor.d/usr.lib.dovecot.managesieve to enforce mode.
Setting /etc/apparmor.d/usr.lib.dovecot.managesieve-login to enforce mode.
Setting /etc/apparmor.d/usr.lib.dovecot.pop3 to enforce mode.
Setting /etc/apparmor.d/usr.lib.dovecot.pop3-login to enforce mode.
Setting /etc/apparmor.d/usr.lib.dovecot.ssl-params to enforce mode.
Setting /etc/apparmor.d/usr.lib.snapd.snap-confine.real to enforce mode.
Setting /etc/apparmor.d/usr.sbin.avahi-daemon to enforce mode.
Setting /etc/apparmor.d/usr.sbin.cups-browsed to enforce mode.
Setting /etc/apparmor.d/usr.sbin.cupsd to enforce mode.
Setting /etc/apparmor.d/usr.sbin.dnsmasq to enforce mode.
Setting /etc/apparmor.d/usr.sbin.dovecot to enforce mode.
Setting /etc/apparmor.d/usr.sbin.identd to enforce mode.
Setting /etc/apparmor.d/usr.sbin.ippusbxd to enforce mode.
Setting /etc/apparmor.d/usr.sbin.mdnsd to enforce mode.
Setting /etc/apparmor.d/usr.sbin.nmbd to enforce mode.
Setting /etc/apparmor.d/usr.sbin.nscd to enforce mode.
Setting /etc/apparmor.d/usr.sbin.rsyslogd to enforce mode.
Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
Setting /etc/apparmor.d/usr.sbin.smbldap-useradd to enforce mode.
Setting /etc/apparmor.d/usr.sbin.tcpdump to enforce mode.
Setting /etc/apparmor.d/usr.sbin.traceroute to enforce mode.

It's also possible to create script profiles for any application on the OS. For a comprehensive
look at AppArmor, use the man command to view the manuals.

~$ man apparmor
~$ man aa-status
~$ man aa-enforce

Step 3

Isolate Files & Apps in a Sandboxed Environment

https://null-byte.wonderhowto.com/how-to/locking-down-linux-using-ubuntu-as-your-primary-os-part-3-application-hardening-s… 7/13
26/07/2023, 17:22 Locking Down Linux: Using Ubuntu as Your Primary OS, Part 3 (Application Hardening & Sandboxing) « Null…

Firejail, created by netblue30, reduces the risk of security breaches by using a lightweight
visualization technology to isolate applications and restrict them to sandboxed (container)
environments. Below is a GIF of Evince, Ubuntu's default PDF reader, opening an unsafe file in
a heavily sandboxed environment.

Both Firejail and AppArmor can be used together (cooperatively) or independently of each
other. If one of them failed to restrict a certain file or directory, it would be possible for the
other to compensate and contain the vulnerability.

Firejail container's support a number of features:

Blacklisting: Deny access to specific files and directories. Access attempts are reported to
syslog.
Whitelisting: Allow only files and directories specified by the user.
Temporary filesystem: Mount a temporary filesystem on top of a directory.
Private: Mount copies of files and directories and discard them when the sandbox is
closed.
Restricted home: Only the current user /home directory is available inside the sandbox.
Reduced system information leakage: Restrict access to sensitive directories such as /boot,
/proc, and /sys.

https://null-byte.wonderhowto.com/how-to/locking-down-linux-using-ubuntu-as-your-primary-os-part-3-application-hardening-s… 8/13
26/07/2023, 17:22 Locking Down Linux: Using Ubuntu as Your Primary OS, Part 3 (Application Hardening & Sandboxing) « Null…

Download Firejail
Head over to the download page and grab the latest stable version of Firejail and the .asc file.
At the time of this writing, the latest version is "firejail_0.9.54_1_amd64.deb." Then, open a new
terminal, change into the Downloads/ directory using cd and view its contents using the ls
command.

~$ cd Downloads/
~/Downloads$ ls

firejail_0.9.54_1_amd64.deb firejail-0.9.54.asc

Import the Developer's Public Key

The downloaded firejail-0.9.54.asc file contains the secure cryptographic hashes used to verify
the .deb download hasn't been tampered with by SourgeForge or any third-parties. Download
netblue30's public key from a PGP keyserver and import it into your GPG keyring.

~$ wget -O- 'https://pgp.mit.edu/pks/lookup?op=get&search=0x2CCB36ADFC5849A7' |

---- https://pgp.mit.edu/pks/lookup?op=get&search=0x2CCB36ADFC5849A7
Resolving pgp.mit.edu (pgp.mit.edu)... 18.9.60.141
Connecting to pgp.mit.edu (pgp.mit.edu)|18.9.60.141|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2341 (2.3K) [text/html]
Saving to: ‘STDOUT’

- 100%[==============>] 2.29K --.-KB/s in 0s

gpg: key 2CCB36ADFC5849A7: public key "netblue (firejail key) <netblue30@yahoo.co

gpg: Total number processed: 1
gpg: imported: 1

Verify the Hashes

Then, to verify the .asc file, use the gpg --verify firejail-0.9.54.asc command.

~$ gpg --verify firejail-0.9.54.asc

https://null-byte.wonderhowto.com/how-to/locking-down-linux-using-ubuntu-as-your-primary-os-part-3-application-hardening-s… 9/13
26/07/2023, 17:22 Locking Down Linux: Using Ubuntu as Your Primary OS, Part 3 (Application Hardening & Sandboxing) « Null…

gpg: Signature made Wed 16 May 2018 06:50:24 AM PDT

gpg: using RSA key F951164995F5C4006A73411E2CCB36ADFC5849A7
gpg: Good signature from "netblue (firejail key) <netblue30@yahoo.com>" [unknown
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: F951 1649 95F5 C400 6A73 411E 2CCB 36AD FC58 49A7

Notice the "Good signature" line above. This is verification that the .asc file is legitimate. We
can now view the contents of the file using the cat command. If you do not see the good
signature line, don't panic. It's possible the Firejail .asc was malformed during the download.
Try downloading it again.

~$ cat firejail-0.9.54.asc

1 -----BEGIN PGP SIGNED MESSAGE-----

2 Hash: SHA256
3
4 08698324685adac8a2d3935e7f493f527cbd5ae792ac21226728a42dd9f84c3f fireja
5 ce996854278863f3e91ff185198c7cc1377fb70053d37a43e3b1ef1021c57756 fireja
6 0e92d90d583b3fe549539a261a4f48ff2b3632ba6c1868bddaf09eaad2dcaaf9 fireja
7 080f72ab8467570e70953910d9001c1dce43be5c5b932a2bed3cd213af44351b fireja
8 -----BEGIN PGP SIGNATURE-----
9
10 iQEzBAEBCAAdFiEE+VEWSZX1xABqc0EeLMs2rfxYSacFAlr8NyAACgkQLMs2rfxY
11 Sae8UAf+IkDv99oiTc+ihmhq6rrFrV/41Tb92jMIJJW8hfEZFJFWd0ZHhmZv/7Fz
12 nW6W+gKrPf9MhC9bVmhOeU/UwcIUBlR5yQs+frJbHE8zuBzBGWZqgKGj78hlrkov
13 7Xyab/jrSOm4FgpvKAqBh5nLWYyLtZKTT1DGswl2XpsXncMVdNFPnYjVOb1l5aDl
14 ga2VHVKbGkrOY+8r7Vuhc0G+B+mugMt7jwUWMJgo84H4fY+Bpl/+6qS7RzJZw2Ew
15 JlH/RADxbiFMGqBlk0hWY8jhJhE6R79Ea2+5bsCzJIbI89PgbUuyvlwCtVv38hsN
16 C72d/NJJ6QrafBqWUWjTQPWSdMBt3g==
17 =IEak
18 -----END PGP SIGNATURE-----

Copy the hash on line #6 and use the below grep command to compare the SHA256 hash of
the .deb to the .asc. If all went well, the command will produce the following result.

~/Downloads$ sha256sum firejail_0.9.54_1_amd64.deb | grep '0e92d90d583b3fe549539a

0e92d90d583b3fe549539a261a4f48ff2b3632ba6c1868bddaf09eaad2dcaaf9 firejail_0.9.54

Install Firejail

https://null-byte.wonderhowto.com/how-to/locking-down-linux-using-ubuntu-as-your-primary-os-part-3-application-hardening-… 10/13
26/07/2023, 17:22 Locking Down Linux: Using Ubuntu as Your Primary OS, Part 3 (Application Hardening & Sandboxing) « Null…

Finally, install the .deb using the below dpkg command.

~$ sudo dpkg -i firejail_0.9.54_1_amd64.deb

Selecting previously unselected package firejail.

(Reading database ... 170565 files and directories currently installed.)
Preparing to unpack firejail_0.9.54_1_amd64.deb ...
Unpacking firejail (0.9.54-1) ...
Setting up firejail (0.9.54-1) ...
Processing triggers for man-db (2.8.3-2) ...

Use the --help argument to view Firejail's available options and verify it was installed correctly.

~$ firejail --help

Firejail has too many features to cover in this article, so I'll show two practical uses.
Sandboxing Unsafe PDFs Found on the Internet
One of Firejail's greatest features is its ability to create temporary, offline sandboxes that are
disposed of when the application is closed. Use the below command to create a strict
temporary sandbox configuration.

~$ firejail --seccomp --nonewprivs --private --private-dev --private-tmp --net=no

There a lot going on in the above command, so I'll breakdown each argument one by one.

--seccomp: Seccomp (secure computing mode) is enabled by default, but I included it in

the command because it's one of Firejail's best features. Seccomp is a computer security
facility in the Linux kernel. It allows a process to make a one-way transition into a
"secure" state where it cannot make any system calls. Should an application inside the
sandbox attempt any other system calls, the kernel will aggressively terminate the
process.
--nonewprivs: This option allows you to restrict processes from gaining new privileges
inside the container. This ensures that child processes cannot acquire new privileges using
the execve system call.
--private: Create a new /root and /home/user directories in temporary filesystems. All
modifications are discarded when the sandbox is closed.
--private-dev: The /dev directory generally contains sensitive device files. Using the --
private-dev argument, Firejail will create a new (temporary) /dev directory isolated from
https://null-byte.wonderhowto.com/how-to/locking-down-linux-using-ubuntu-as-your-primary-os-part-3-application-hardening-… 11/13
26/07/2023, 17:22 Locking Down Linux: Using Ubuntu as Your Primary OS, Part 3 (Application Hardening & Sandboxing) « Null…

the operating systems actual /dev.

--private-tmp: The /tmp directory in an Ubuntu operating system usually contains
temporary storage files created by running applications. Data in these files may be
sensitive and should be isolated from sandboxed applications.
--net=none: The only interface available in the sandbox is a new loopback interface (lo).
Use this option to deny network access to programs that don't really need internet access.
--x11: Sandbox the application using Xephyr. The sandbox prevents screenshot and
keylogger applications started inside the sandbox from accessing clients running outside
the sandbox.
--whitelist: Whitelist directory or file. Modifications to whitelisted files are persistent;
everything else is discarded when the sandbox is closed.
evince /tmp/unsafe.pdf: This final bit of the command calls the Evince PDF reader and
then opens the specified file.
Sandboxing Web Browsers
For a more lenient set of sandboxing rules, use the below command.

~$ firejail --seccomp --nonewprivs --private --private-tmp firefox

This will open Firefox in a sandboxed environment and dispose of files saved in the temporary
/home directories created by the --private argument.

I've barely scratched the surface of what Firejail can do. For more, check out the official
documentation and Firetools, Firejail's optional graphical user interface.

Next Up: Auditing, Antivirus & Monitoring

To conclude this series on locking down your Ubuntu system, we'll get into auditing the
system for vulnerabilities using (free) professional software, using antivirus software that
respects your privacy, and effectively monitoring system logs for abnormalities.

Part 4: Using Ubuntu as Your Primary OS (Auditing, Antivirus & Monitoring)

Want to start making money as a white hat hacker? Jump-start your hacking career with our
2020 Premium Ethical Hacking Certification Training Bundle from the new Null Byte Shop and
get over 60 hours of training from cybersecurity professionals.

Buy Now (90% off) >

https://null-byte.wonderhowto.com/how-to/locking-down-linux-using-ubuntu-as-your-primary-os-part-3-application-hardening-… 12/13
26/07/2023, 17:22 Locking Down Linux: Using Ubuntu as Your Primary OS, Part 3 (Application Hardening & Sandboxing) « Null…

Other worthwhile deals to check out:

97% off The Ultimate 2021 White Hat Hacker Certification Bundle
99% off The 2021 All-in-One Data Scientist Mega Bundle
98% off The 2021 Premium Learn To Code Certification Bundle
62% off MindMaster Mind Mapping Software: Perpetual License
Cover image by Justin Meyers/Null Byte; Screenshots by tokyoneon/Null Byte

WonderHowTo.com About Us Terms of Use Privacy Policy

Don't Miss:
All the New iOS 16.5 Features for iPhone You Need to Know About
Your iPhone Has a Secret Button That Can Run Hundreds of Actions
7 Hidden iPhone Apps You Didn’t Know Existed
You’re Taking Screenshots Wrong — Here Are Better Ways to Capture Your iPhone’s Screen
Keep Your Night Vision Sharp with the iPhone’s Hidden Red Screen
Your iPhone Finally Has a Feature That Macs Have Had for Almost 40 Years
If You Wear Headphones with Your iPhone, You Need to Know About This

By using this site you acknowledge and agree to our terms of use & privacy policy.
We do not sell personal information to 3rd parties.

https://null-byte.wonderhowto.com/how-to/locking-down-linux-using-ubuntu-as-your-primary-os-part-3-application-hardening-… 13/13