Controlled launch of another sandbox from inside of a sandbox? #4557
Replies: 1 comment 1 reply
Some previous discussions were at #3785.
IMHO this is a good and wanted feature. It would allow sandboxing programs that need to start other programs without making an extremely weak profile. So for example you could use a weak sandbox for your IDE and start another program from it that can get its own tight profile. I fully agree with "this would still be an improvement if the alternative is to not use a sandbox at all or weaken the profiles".
My impression was always that such a feature should be implemented via D-Bus or its own socket. Maybe together with #3315.
Some already expect to run in the default namespace and are broken with firejail.
Firejail could selectively allow launching of new sandboxed apps from a sandbox by bind mounting a proxy program in the sandbox in place of the actual program. The proxy would pass its program arguments (but not the environment variables nor file descriptors?) to the Firejail process controlling the sandbox. Firejail would then launch a new sandbox for the app using the (sanitized) arguments. Signals and exit status would be relayed back to the process in the original sandbox. By default, nothing would be proxied; proxying would happen only when a profile requests it for explicitly selected apps.
The advantage would be better integration at the expense of weakened security. Though this would still be an improvement if the alternative is to not use a sandbox at all or weaken the profiles (or AppArmor rules) to allow both apps. Firejail may need to keep superuser capabilities or not set NoNewPrivileges in order to be able to launch a new sandbox, which is pretty bad. Some cases may never work well if the apps expect to run in the same mount/PID namespaces etc.
One use case would be a firejailed browser or email app, which could be allowed to launch selected viewer apps. This would be exactly the model of phishing attacks in the case of email, so the negative and positive security implications should be considered carefully.
WDYT? I'm hesitant because of the security downsides.
Relates to:
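The proxy-and-broker model described in the comment above, sketched as an added example; this is not Firejail code and does not use any Firejail interface. It assumes a hypothetical policy table (`ALLOWED_APPS`) that names which apps may be proxied and what command the broker really runs for each, and it wires the two sides over an in-process `socketpair()` in place of a real Unix socket mounted into the sandbox. It shows the parts that carry the security weight: the proxy forwards only the program name and argv (no environment, no file descriptors), the broker drops option-like and traversal-looking arguments before launching, the child gets a clean environment and closed fds, and the exit status is relayed back. Signal relay is left out.

```python
"""Added example: a sandbox-side proxy that asks a trusted broker to launch an app.

Hypothetical design sketch, not Firejail's implementation. The broker stands in for
the controlling Firejail process; in a real deployment it would itself start the app
inside a fresh sandbox rather than with plain subprocess.run().
"""
import json
import socket
import subprocess
import sys
import threading

# Constructed policy for the demo: app names the sandboxed side may request, mapped to
# the command the broker actually runs. "viewer" echoes its file arguments and exits 0;
# "fail" exits 3 so exit-status relay can be observed.
ALLOWED_APPS = {
    "viewer": ["/bin/sh", "-c", 'for f in "$@"; do echo "viewing $f"; done', "viewer"],
    "fail": ["/bin/sh", "-c", "exit 3"],
}


def sanitize_args(args):
    """Keep only arguments shaped like absolute paths with no '..' component or control chars.

    Option-like strings ('-x', '--flag') are dropped, so the inner program cannot smuggle
    command-line switches into the outer launch. Returns (accepted, rejected).
    """
    accepted, rejected = [], []
    for a in args:
        ok = (
            isinstance(a, str)
            and a.startswith("/")
            and ".." not in a.split("/")
            and not any(c in a for c in "\x00\n\r")
        )
        (accepted if ok else rejected).append(a)
    return accepted, rejected


def broker_handle(request):
    """Broker side: check the policy, sanitize argv, run the app, report the status."""
    app = request.get("app")
    if app not in ALLOWED_APPS:
        return {"error": f"app not proxied: {app!r}"}
    accepted, rejected = sanitize_args(request.get("args", []))
    proc = subprocess.run(
        ALLOWED_APPS[app] + accepted,
        env={"PATH": "/usr/bin:/bin"},  # the requester's environment is never forwarded
        stdin=subprocess.DEVNULL,
        close_fds=True,                 # nor are its file descriptors
        capture_output=True,
        text=True,
    )
    return {"status": proc.returncode, "stdout": proc.stdout, "rejected": rejected}


def proxy_request(conn, app, args):
    """Proxy side: send only the app name and argv, then wait for the broker's reply."""
    conn.sendall(json.dumps({"app": app, "args": list(args)}).encode() + b"\n")
    with conn.makefile("r") as f:
        return json.loads(f.readline())


def broker_serve_one(conn):
    """Serve a single request on an accepted connection, then close it."""
    with conn.makefile("r") as f:
        request = json.loads(f.readline())
    conn.sendall(json.dumps(broker_handle(request)).encode() + b"\n")
    conn.close()


def run_demo(app, args):
    """Connect proxy and broker over a socketpair in one process and return the reply."""
    proxy_end, broker_end = socket.socketpair()
    worker = threading.Thread(target=broker_serve_one, args=(broker_end,))
    worker.start()
    reply = proxy_request(proxy_end, app, args)
    proxy_end.close()
    worker.join()
    return reply


if __name__ == "__main__":
    # Constructed request: one acceptable path, one option, one traversal attempt.
    print(run_demo("viewer", ["/tmp/report.pdf", "--extra-option", "/x/../y"]))
    print(run_demo("terminal", ["/tmp/x"]))  # not in the policy, refused
    sys.exit(run_demo("fail", [])["status"])  # the proxy exits with the relayed status
```

The allowlist is deliberately keyed by a symbolic app name rather than by the path the sandboxed process passes, so the requester never chooses the binary; it only chooses which pre-approved launch entry to ask for, and even then only file-like arguments survive the filter.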