Parrot’s anonsurf is a systemd unit now, so we should use its AppArmor settings to create our own profiles.
We can sandbox the units with systemd's built-in sandbox feature. I'm working on an anonsurf sandbox, but it needs some more work, as CapabilityBoundingSet, mostly, breaks iptables.
I would like to have read + write only for some specific paths and prevent anonsurf + tor from reading files and folders in
That can be achieved with the ReadWritePaths= directive. More here: https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ReadWritePaths=
My anonsurfd init has this for hardening:
The last directive (CapabilityBoundingSet=) cannot be set to disable all capabilities, as some don't allow iptables to start.
The above settings need testing and are not finished.
Most of them can of course be set for all services.
As @adrelanos said on Telegram:
that entirely depends on implementation details
what files are parsed, which inputs it reads from, with which privileges it runs
if it is a bash script that sets iptables rules that is run by a systemd unit then I see little need for systemd sandboxing
That was in response to whether systemd sandboxing a bash script such as anonsurf would matter. This is logical and we should take it into consideration.
anonsurf needs to access iptables and call the tor service.
Still, I don't see why capability directives would be needed, for example.
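As an added example (not the unit from the post above and not Parrot's shipped anonsurf service), here is how the ReadWritePaths= and CapabilityBoundingSet= directives discussed above fit together in a drop-in, keeping the two capabilities iptables actually needs instead of disabling all of them. The unit name anonsurfd.service, the writable paths and the inaccessible paths are assumptions and have to be adjusted to what the script really touches.

```ini
# Added example, not Parrot's own unit file.
# Install as /etc/systemd/system/anonsurfd.service.d/hardening.conf (unit name assumed),
# then run "systemctl daemon-reload" and "systemd-analyze security anonsurfd.service".
[Service]
# Filesystem: make the whole tree read-only first; ReadWritePaths= only has an effect
# once something (here ProtectSystem=strict) has taken write access away.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
# Assumed write locations: tor state/logs, PID files under /run, and the resolver
# config if the script rewrites it to point at tor's DNSPort.
ReadWritePaths=/var/lib/tor /var/log/tor /run /etc/resolv.conf
# Directories the script should not be able to read at all (assumed example; the
# leading "-" makes systemd ignore paths that do not exist). /home and /root are
# already hidden by ProtectHome=yes.
InaccessiblePaths=-/srv -/media -/mnt

# Kernel surface. Caveat: ProtectKernelTunables=yes makes /proc/sys read-only, so a
# script that calls sysctl (e.g. to turn off IPv6) will fail with it; drop the line
# or move the sysctl into its own unit.
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
NoNewPrivileges=yes
SystemCallArchitectures=native
# Reasonable default set; if the journal shows the unit killed with status=31/SYS,
# a needed syscall is outside the set and it has to be widened.
SystemCallFilter=@system-service

# Sockets: iptables-legacy programs the tables through a raw AF_INET/AF_INET6 socket,
# iptables-nft talks nf_tables over AF_NETLINK, and "systemctl start tor" reaches
# systemd over AF_UNIX. Removing any of these breaks the corresponding step.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK

# Capabilities: an empty CapabilityBoundingSet= is what breaks iptables.
# CAP_NET_ADMIN is required to change netfilter rules (both backends) and
# CAP_NET_RAW to open the raw socket iptables-legacy uses. Everything else
# (CAP_SYS_ADMIN, CAP_SYS_MODULE, CAP_SYS_PTRACE, ...) stays dropped even though
# the service runs as root. No AmbientCapabilities= is needed because there is no
# User= line; root keeps whatever remains in the bounding set.
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW
```

Two things to check after applying it: `journalctl -u anonsurfd.service` should contain no "Operation not permitted" from iptables (that is the symptom of a bounding set that is too tight), and `systemd-analyze security anonsurfd.service` shows which directives are still missing. Note that these settings confine only the anonsurf process itself; tor started via systemctl runs under its own unit and inherits nothing from this drop-in, so sandboxing tor means editing tor's unit, not this one.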