“App” containing on the modern Linux desktop

(Just released Arkose 1.0 that’s a full rewrite in python using LXC and introducing a nice GUI for fine grained app restriction. Read below for details.)

Those of you who read my blog know that I’ve been working on a pet-project of mine called Arkose.
This project is used as the base for WebLive‘s feature allowing users to easily test any package in the Ubuntu archive.

At the Ubuntu Developer Summit, last month in Hungary, I was leading a session on application containing and gathered ideas on how to improve the safety of our users' desktops while still making it easy for app developers.

Today, I’d like to present you with the initial result, the new version of Arkose which I ended up releasing as 1.0 (as it’s a full rewrite).

The biggest new feature is the “wrapper” that can be used by packagers or upstreams to specify what the software will have access to, so Arkose will spawn a container that only has access to these resources.

Arkose wrapper for gedit

Current access controls include:
- Which user to run the software as (current user or root user)
- Network access (currently, all or nothing)
- X server access (either no access at all, an independent X server using xpra or direct X access)
- DBUS access (any combination of session bus, system bus or no dbus access at all)
- Pulseaudio access (enabled or not)

Then the app can specify a list of paths using one of these options:
- Direct filesystem access with read/write depending on user permissions
- Overlay filesystem access, similar to direct but all changes are dropped when the app exits
- Temporary empty directory, created and made available to the app and dropped when the app exits

As an example, here’s the definition file for a completely isolated “xeyes”:
[xeyes]
cmd="xeyes"
runas=user
network=false
xserver=isolated
dbus=none
pulseaudio=false
mount_bind=
mount_cow=
mount_restrict=

In this case, xeyes will appear almost as it would in a regular environment. The only difference you'll notice is that it won't follow your mouse unless it's in xeyes' window. Also, if xeyes were to have some bug, it wouldn't be able to eavesdrop on dbus, do any damage to the filesystem or even play a sound.
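As an added example (not Arkose's own code), here is a small parser for the profile format above: it checks each field against the choices listed earlier and produces a review list of everything the app is granted beyond full isolation. The spellings "root", "direct", "session" and "system", the comma-separated path lists, and the gedit-style second profile are assumptions made for this example.

```python
import configparser

# "user", "isolated", "none", "false" are from the post's xeyes profile; "root",
# "direct", "session", "system" and comma-separated paths are assumptions.
RUNAS_VALUES = {"user", "root"}
XSERVER_VALUES = {"none", "isolated", "direct"}
DBUS_VALUES = {"session", "system"}
MOUNT_KINDS = {"mount_bind": "direct read/write", "mount_cow": "overlay",
               "mount_restrict": "temporary empty directory"}

# The xeyes profile from the post, then a constructed, more permissive one.
XEYES_PROFILE = "\n".join(["[xeyes]", 'cmd="xeyes"', "runas=user",
    "network=false", "xserver=isolated", "dbus=none", "pulseaudio=false",
    "mount_bind=", "mount_cow=", "mount_restrict="])
EDITOR_PROFILE = "\n".join(["[editor]", 'cmd="gedit"', "runas=user",
    "network=true", "xserver=direct", "dbus=session", "pulseaudio=false",
    "mount_bind=/home/alice/Documents", "mount_cow=/etc", "mount_restrict="])

def parse_profile(text):
    """Parse one profile and reject values outside the documented choices."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    if len(cp.sections()) != 1:
        raise ValueError("profile must contain exactly one [app] section")
    sec = cp[cp.sections()[0]]
    runas, xserver = sec.get("runas", "user"), sec.get("xserver", "none")
    if runas not in RUNAS_VALUES or xserver not in XSERVER_VALUES:
        raise ValueError("unknown runas or xserver value")
    dbus_raw = sec.get("dbus", "none")
    dbus = set() if dbus_raw == "none" else set(dbus_raw.split(","))
    if not dbus <= DBUS_VALUES:
        raise ValueError("unknown dbus value: %s" % dbus_raw)
    return {"name": sec.name, "cmd": sec["cmd"].strip('"'), "runas": runas,
            "network": sec.getboolean("network", fallback=False),
            "xserver": xserver, "dbus": dbus,
            "pulseaudio": sec.getboolean("pulseaudio", fallback=False),
            "mounts": {k: [p for p in sec.get(k, "").split(",") if p]
                       for k in MOUNT_KINDS}}

def grants(profile):
    """List what the app gets beyond full isolation, for review before Execute."""
    out = []
    if profile["runas"] == "root": out.append("runs as root")
    if profile["network"]: out.append("network access")
    if profile["xserver"] == "direct": out.append("direct X server access")
    out += ["dbus %s bus" % b for b in sorted(profile["dbus"])]
    if profile["pulseaudio"]: out.append("pulseaudio access")
    for key, paths in profile["mounts"].items():
        out += ["%s: %s" % (MOUNT_KINDS[key], p) for p in paths]
    return out
```

For the xeyes profile the review list is empty, which is exactly the "completely isolated" case the post describes.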

This 1.0 release is available for download at:
https://launchpad.net/arkose/trunk/1.0
Development code is available on Launchpad at:
https://code.launchpad.net/~arkose-devel/arkose/trunk
I have PPA builds for Maverick and Natty at:
https://launchpad.net/~arkose-devel/+archive/stable
The package also just got uploaded to Ubuntu Oneiric.

To start the gedit from the screenshot above, use:
arkose-wrapper-gui /usr/share/doc/arkose/examples/profiles/gedit.conf
Some other example profiles are available in:
/usr/share/doc/arkose/examples/profiles/

Here's an example of how to use the new python module:
import arkose
# Isolated X server (via xpra), with pulseaudio and network access enabled
container=arkose.ArkoseContainer(xserver="isolated",pulseaudio=True,network=True)
# Run the command inside the container, then tear the container down
container.run_command("su stgraber -c xterm")
container.cleanup()

That will start an xterm as the user “stgraber” on an isolated X server and with pulseaudio and network support.

Next step for the project is to improve the GUI part, add all the new cool features to the old commands (arkose and arkose-gui), work on fine grained network access control and allow for translations. 1.1 should be released relatively soon with bug fixes and maybe some of these features.

I appreciate any comment or bug report. Comments can be left on this blog and bug reports on Launchpad: https://launchpad.net/arkose/+filebug

11 Responses to “App” containing on the modern Linux desktop

  1. Nigel says:

    Just dropping by to say, it's seriously good work :-)

  2. Seb says:

    Nice, seems very useful. Especially for binary software not available through the package management (i.e. that I don't like to trust).
    Minor grammar bug in the screenshot: “…some the access…” -> “…some of the access…”

  3. Flimm says:

    What’s the difference between this and AppArmor?

    • Thanks for asking, this is one of the usual questions when we’re talking of containers :)

      I’m not too familiar with AppArmor so what I’ll answer below may very well be inaccurate.

      My understanding of AppArmor is that it’s path based and so allows you to easily restrict what a specific binary on your filesystem can access.

      LXC and arkose create containers where any app that’s spawned within them has access to a different “view” of your system. That includes different filesystem structure, different network stack, …

      Ideally, you should be able to use the two together with arkose/lxc to create a container representing the view of the system we want to give to an app or a set of apps and apparmor to be used to minimize risks of damage caused by a privileged app running in these containers.

      I hope I was relatively clear. I remember I had a better explanation back at UDS when I was around the AppArmor folks but can’t remember it :)

  4. toobuntu says:

    This is really interesting. Thank you. Will we have this packaged in Debian, too? Please. A suggestion for the UI: “… some of the access rights listed below. Please review them. If approved, click Execute.”

    • Hi!

      Text updated in trunk.

      As for Debian, I was contacted a while ago by a Debian developer who wanted to get arkose into Debian, not sure what happened since then.
      I’ll see if I can convince someone into becoming the packager for it in Debian so I can just be the upstream for the code and get arkose synced from Debian into Ubuntu :)

      Thanks!

  6. brian mullan says:

    Glad I found Arkose while I was learning to use LXC on ubuntu.

    Stephane… I downloaded and installed v1.5 but after installation I went to look for the template application config files you mention in your Blog:

    To start the gedit from the screenshot above, use:
    arkose-wrapper-gui /usr/share/doc/arkose/examples/profiles/gedit.conf
    Some other example profiles are available in:
    /usr/share/doc/arkose/examples/profiles/

    But there is no directory on my system /usr/share/doc/arkose/examples?
    Are they posted anywhere else?
    Are there any online docs for Arkose that go beyond using --help on the command line?

    • The blog post was assuming the user would be on Ubuntu using the arkose and arkose-gui packages available since Ubuntu 11.10 or from the PPA.
      If running from the bzr branch, you’d need to use: “wrapper/arkose-wrapper-gui wrapper/profiles/gedit.conf”

      There isn’t much documentation about it at this point, though the version that’ll ship in Ubuntu 12.04 has had a lot of features made visible in the “arkose” command line tool (cli/arkose in the branch), all of them described in –help and the manpage.

  7. Timmy says:

    I really like the idea of this software.

    I have a couple of questions: first, I would like to know, is it appropriate for protecting my system from malicious websites? I would like to be able to use the games on the Publishers Clearing House website without having to worry whether some cracker has gotten control of one of the servers I am running JavaScript or Flash from, & is using some flaw in Firefox to gain control of my computer, stuff like that.

    Second, I have been testing arkose-wrapper-gui, & I have the problem of firefox not being able to access the dbus daemon or pulse audio, even when I have explicitly set arkose to allow it to do so.

    I should also mention that I had the problem of things in my home folder being set to the wrong owner, which kept me from logging in in a graphical environment, right after having used arkose for the first time after installing Xubuntu 12.04. I've fixed that problem now, but I thought you would like to know.

    Thanks in advance,

    -Timmy
