Are Yunohost apps sandboxed?

je-sendra · November 22, 2023, 7:17am

Recently found out about YH and was wondering if it was possible to sandbox each app separately (or if they are sandboxed by default).

In case they are sandboxed, is it possible to move an app and its data between physical servers?

Thanks in advance

tituspijean · November 22, 2023, 9:30am

Apps are not sandboxed as in containerized. We use the base tools given to us by Debian: user/group ownerships, ACLs, systemd protection flags, etc.

Containerized or not, it is still possible to move an app between physical servers by backing them up and restoring them elsewhere.

cocoyuno · November 22, 2023, 3:58pm

Debian 12 had introduced Apparmor 3 by default in the install. Apparmor profiles can be tweaked to restrict application capabilities. It’s quite effective but time-consuming as too many restrictions can prevent applications from working… I wonder how this will be implemented in Yunohost.

Aleks · November 22, 2023, 5:37pm

I’m not sure this would be anything really new compared to what we already do with systemd tweaking (which also includes “capabilities”, dunno if that refers to the same thing)

cichy1173 · November 25, 2023, 10:35am

Can you tell more about this?

ericg · November 25, 2023, 11:07am

I think this is what Aleks is referring to :

github.com

YunoHost/example_ynh/blob/master/conf/systemd.service

[Unit]
Description=Small description of the service
After=network.target

[Service]
Type=simple
User=__APP__
Group=__APP__
WorkingDirectory=__INSTALL_DIR__/
ExecStart=__INSTALL_DIR__/script
StandardOutput=append:/var/log/__APP__/__APP__.log
StandardError=inherit

# Sandboxing options to harden security
# Depending on specificities of your service/app, you may need to tweak these
# .. but this should be a good baseline
# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes

This file has been truncated. show original