Application Confinement

Applications in Obscurix are restricted as much as possible with AppArmor and bubblewrap.


AppArmor is a MAC (Mandatory Access Control) system which restricts what applications can do. By default, it blocks access to every file unless it is whitelisted in a profile. AppArmor profiles are configured for a number of different applications such as the Tor Browser and Tor daemon.


Bubblewrap is a sandboxing program that uses Linux namespaces, seccomp and Linux capabilities to isolate applications. Obscurix uses this for many applications such as the Tor Browser.

Xpra is used to used to sandbox X11. Applications create their own Xpra server in their own sandbox and connect to it with their own Xpra client outside of the sandbox. This prevents the applications from accessing any other X windows. Xpra is also restricted with AppArmor. Unneeded Xpra features such as mDNS are disabled to reduce attack surface and improve security.

Firejail is not used as it adds a lot of attack surface for privilege escalation, has had trivial privilege escalation vulnerabilities in the past and it may even worsen security.

Systemd Sandboxes

Systemd allows you to sandbox systemd services. Obscurix sandboxes as many services as possible.


'Sandbox' is a script I developed that creates a restrictive bubblewrap sandbox you can run your applications in. If you don't want to create sandboxes yourself for applications that aren't already sandboxed, you can use this tool to create one for you.

It also uses Xephyr for X11 sandboxing.

Do not use this with applications that are already sandboxed like the Tor Browser.

For example, if you want to confine firefox with this script, run

sandbox firefox

If you add the "--unshare-net" parameter, the application will run inside a network namespace with no access to the network. For example, if you want to run firefox in a sandbox with no network access, run

sandbox --unshare-net firefox