[Feature request] Add sandboxing options and apparmor profile

[knlnlo]

Hi!

The systemd services can now use sandboxing options, which has a positive effect on security. I would like noisy to use these settings as well. Also, additionally consider creating an apparmor profile.

Thanks for noisy!

[fireneat]

I have already done it in my fork fireneat/Noisy here also I think it would be better to have seccomp profile because you can use ioctl which I don't think apparmor has. And if you want to sandbox Noisy then I think you would need to sandbox Python3 completly, anyways here is the profile if you're still interested:

#include <tunables/global>

/usr/bin/python3.9 {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/openssl>
  #include <abstractions/python>

  /usr/bin/python3.9 mr,
  owner /noisy/ r,
  owner /noisy/config.json r,
  owner /noisy/noisy.py r,

}

[knlnlo]

Thank you very much. I understand that this version is no longer in development?

[Zbergen-cli]

@fireneat,You do realize that you are restricting all python and all scripts written in it, right?

[fireneat]

@Zbergen-cli Yes, I've also mentioned it, therefore I think it's only use case would be in Docker