Execute an executable under a dynamically-created AppArmor profile?
I've been looking into the possibility of running commands under dynamically created AppArmor profiles on my Ubuntu Server 16.04.1 LTS. I'm looking for something similar to the macOS sandbox-exec, except obviously for Linux.
Some initial research showed some promise, from a command called aa-exec
.
- Ubuntu Manual
- Stack Overflow Question
However, it appears that the argument to perform this functionality has been removed.
aa-exec: invalid option -- 'f'
This newer manual version page makes no mention of it, and I assume it was removed in this version. Perhaps this feature was moved to another utility?
Is there any way to do this?
I'd like to do this without granting permissions to install new profiles into privileged areas. Solutions involving compiling my own code are welcome.
Solution 1:
Have a look at firejail, which can create a sandbox per application :
http://packages.ubuntu.com/search?keywords=firejail
https://firejail.wordpress.com/
https://wiki.archlinux.org/index.php/Firejail