[AgentME]

AppArmor is great for incrementally sandboxing parts of your environment. I'm pretty sure the ubuntu repos contain a set of profiles for common applications like Firefox which you can choose to enable. It's very easy to write your own profiles too. Just save it into /etc/apparmor.d/ (I always make the name of my own custom profiles start with "local." so I don't mix them up with the repo-provided ones) and then run "sudo aa-complain FILENAME" to put the profile in non-enforcing complain mode. Watch syslog for a bit to make sure your profile isn't too restrictive, and then once you're sure the profile is good, switch it to enforce mode with aa-enforce. "sudo apparmor_status" tells you the current modes of all profiles.

Here's an apparmor profile I made to lock down the Skype linux client: https://gist.github.com/AgentME/5640268 . It works as a whitelist listing out exactly what Skype can access. I've got another profile for Steam (and all games that Steam starts up) which just blacklists a few directories (and lets me know if Steam or any games ever tries to access those).

[pflanze]

Are you / is AppArmor using a separate X11 instance for these? As otherwise, forget about it, I wrote about it here:

https://news.ycombinator.com/item?id=8652228

[AgentME]

Ugh, that's a good point. I don't think AppArmor does any restrictions on X11 use. (I think it supports some fine-tuned controls on dbus usage though, so the idea isn't completely out of scope.) I guess it's better to think of AppArmor like a tripwire than a full sandbox if you open up an app to X11.

[pflanze]

Yes, if the tripwire raises an alarm instead of triggering a bomb. A bomb would stop the attacker by killing/injuring him, which is not the case here (he can just come back with X11 exploitation code).

[InsideTheBox]

Amazing, if even Skype works I'm sure anything else does. Testing it right now.