Re: Is it possible to use pledge(2) to make something similar to firejail?
On Mon, 30 Nov 2015 23:30:49 +0100 Lampshade wrote:

> Thanks for the answers.
>
> @dan mclaughlin. But how to prevent an attacker from getting out of the
> chroot?

as far as i am aware only root can break out of a chroot. as long as
nothing runs as root, and there are no suid root binaries, this shouldn't
be a problem.

> Do you think it is possible to prevent this using pledge(2)?

pledge may not be the best tool. see
https://marc.info/?l=openbsd-ports&m=144822758614817&w=2

there is systrace(1), which does something similar.

> Thanks for the links. Especially Jonathan's "Re: making firefox less
> insecure" mail dated 2014-11-23 is worth reading for me. I wonder if
> pledge(2), in theory, can be used to extend his program.

see the above url re pledge.
Re: Is it possible to use pledge(2) to make something similar to firejail?
Thanks for the answers.

@dan mclaughlin. But how to prevent an attacker from getting out of the
chroot? Do you think it is possible to prevent this using pledge(2)?

Thanks for the links. Especially Jonathan's "Re: making firefox less
insecure" mail dated 2014-11-23 is worth reading for me. I wonder if
pledge(2), in theory, can be used to extend his program.
Re: Is it possible to use pledge(2) to make something similar to firejail?
On Sun, 29 Nov 2015 07:08:57 -0700 "Anthony J. Bentley" wrote:

> Lampshade writes:
> > Is it possible, in theory, to use pledge(2) to make something similar
> > to firejail?
> > https://packages.debian.org/sid/main/firejail
> > Firejail is a GNU/Linux program which executes Firefox as its
> > descendant with reduced privileges.
> > For example I would like to restrict Firefox to not read from or write
> > to any directory outside the /home/firefox directory. Let's assume that
> > I run Firefox as another user than my normal account. I would restrict,
> > using traditional Unix privileges, Firefox and all its descendants,
> > logging in as another user to regain privileges to, for example,
> > /home/open. I imagine that would still leave a huge attack vector to
> > pwn the system and/or sniff passwords, but I think it is better than
> > nothing.
>
> After the recent Firefox pdf.js exploit (where malicious PDFs on an ad
> server were reading files under ~, including ssh keys), I started
> running Firefox as its own user, and tightened the permissions on my
> home directory so Firefox can't access it.
>
> There's a large class of attacks this doesn't help against (anything
> that uses X to access keystrokes or similar) but it stops a large set of
> potential Firefox exploits right away with nothing but Unix filesystem
> permissions.
>
> http://lists.dragonflybsd.org/pipermail/users/2015-August/228324.html
>
> --
> Anthony J. Bentley

you can mitigate those X attacks using 'ssh -X'. i detailed a number of
mitigations here in 'isolating untrusted programs in ssh chroot jails'
(https://marc.info/?l=openbsd-misc&m=142676615612510&w=2). it has been
reported that those methods work for firefox as well. if going the route
of chroot itself is too extreme, you would still profit from some of the
other information in that post, i.e. X11 Security Extensions, Xephyr.

for pdfs, i have a chroot under a user who is denied access to the net
via pf.

i find it a good idea to only allow specific users access, eg:

pass out log quick on $intif proto tcp user { browse, 1000, pfetch }
pass out log quick on $intif proto udp user { browse, 1000, pfetch }

even root is denied net access with the above.
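The chroot argument above ("only root can break out, so keep suid root out of the jail") has a concrete precondition that can be checked before the jail is handed to the untrusted user. The following POSIX sh script is an added example, not code from dan's post or from OpenBSD: it walks a chroot tree and reports every setuid or setgid file, and separately counts the setuid-root ones, which are the files that actually let a jailed process become root. The jail path in the usage note is an assumption.

```sh
#!/bin/sh
# Added example (not from the thread or from OpenBSD): audit a chroot tree
# for setuid/setgid files. The claim that only root can escape a chroot
# only helps if nothing inside the jail can become root, so a suid-root
# binary copied in by mistake is exactly what to look for.

# audit_chroot DIR
# Prints owner, mode and path of every regular file under DIR that carries
# the setuid (04000) or setgid (02000) bit. Returns 0 if the tree is clean,
# 1 if anything was found. find does not follow symlinks here, so a link
# pointing outside DIR is not reported as part of the jail.
audit_chroot() {
    hits=$(find "$1" -type f \( -perm -4000 -o -perm -2000 \) \
        -exec ls -ld {} \; 2>/dev/null)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# count_suid_root DIR
# Narrower check: number of setuid files owned by root under DIR. A setuid
# file owned by some other user is still worth knowing about (audit_chroot
# lists it), but only a root-owned one gives a jailed process root.
count_suid_root() {
    find "$1" -type f -perm -4000 -user root 2>/dev/null | wc -l | tr -d ' '
}

# Usage: run against the jail before the untrusted user gets it, e.g.
#   sh audit_chroot.sh /home/browse/jail      (assumed path)
if [ $# -gt 0 ]; then
    if audit_chroot "$1"; then
        echo "$1: no setuid/setgid files found"
    else
        echo "$1: setuid/setgid files present, suid root count: $(count_suid_root "$1")" >&2
        exit 1
    fi
fi
```

Run it as root from outside the jail so that permission-denied directories are not silently skipped; the `2>/dev/null` only hides noise, it does not make an unreadable subtree count as clean.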
Re: Is it possible to use pledge(2) to make something similar to firejail?
Lampshade writes:
> Is it possible, in theory, to use pledge(2) to make something similar to
> firejail?
> https://packages.debian.org/sid/main/firejail
> Firejail is a GNU/Linux program which executes Firefox as its descendant
> with reduced privileges.
> For example I would like to restrict Firefox to not read from or write to
> any directory outside the /home/firefox directory. Let's assume that I
> run Firefox as another user than my normal account. I would restrict,
> using traditional Unix privileges, Firefox and all its descendants,
> logging in as another user to regain privileges to, for example,
> /home/open. I imagine that would still leave a huge attack vector to pwn
> the system and/or sniff passwords, but I think it is better than nothing.

After the recent Firefox pdf.js exploit (where malicious PDFs on an ad
server were reading files under ~, including ssh keys), I started
running Firefox as its own user, and tightened the permissions on my
home directory so Firefox can't access it.

There's a large class of attacks this doesn't help against (anything
that uses X to access keystrokes or similar) but it stops a large set of
potential Firefox exploits right away with nothing but Unix filesystem
permissions.

http://lists.dragonflybsd.org/pipermail/users/2015-August/228324.html

--
Anthony J. Bentley
Re: Is it possible to use pledge(2) to make something similar to firejail?
On Sun, Nov 29, 2015 at 01:15:24PM +0100, Lampshade wrote:
> Is it possible, in theory, to use pledge(2) to make something similar to
> firejail?
> https://packages.debian.org/sid/main/firejail
> Firejail is a GNU/Linux program which executes Firefox as its descendant
> with reduced privileges.
> For example I would like to restrict Firefox to not read from or write to
> any directory outside the /home/firefox directory. Let's assume that I
> run Firefox as another user than my normal account. I would restrict,
> using traditional Unix privileges, Firefox and all its descendants,
> logging in as another user to regain privileges to, for example,
> /home/open. I imagine that would still leave a huge attack vector to pwn
> the system and/or sniff passwords, but I think it is better than nothing.

Firefox is a huge app. IMO you should ask upstream for a feature to be
able to define r/o and r/w paths which Firefox could use. Then OS-specific
sandboxing features could enforce such a policy.

j.
Is it possible to use pledge(2) to make something similar to firejail?
Is it possible, in theory, to use pledge(2) to make something similar to
firejail?
https://packages.debian.org/sid/main/firejail
Firejail is a GNU/Linux program which executes Firefox as its descendant
with reduced privileges.
For example I would like to restrict Firefox to not read from or write to
any directory outside the /home/firefox directory. Let's assume that I
run Firefox as another user than my normal account. I would restrict,
using traditional Unix privileges, Firefox and all its descendants,
logging in as another user to regain privileges to, for example,
/home/open. I imagine that would still leave a huge attack vector to pwn
the system and/or sniff passwords, but I think it is better than nothing.