Re: Is it possible to use pledge(2) to make something similar to firejail?

2015-12-05 Thread dan mclaughlin
On Mon, 30 Nov 2015 23:30:49 +0100 Lampshade wrote:
> Thanks for answers.
> @dan mclaughlin. But how to prevent attacker going out of chroot?

as far as i am aware only root can break out of a chroot. as long as nothing
runs as root, and there are no suid-root binaries, this shouldn't be a problem.

> Do you think that this is possible to prevent this using pledge(2)?

pledge may not be the best tool. see
https://marc.info/?l=openbsd-ports=144822758614817=2

there is systrace(1) which does something similar.

> 
> Thanks for links. Especially Jonathan's "Re: making firefox less
> insecure"
> mail dated 2014-11-23 is worth reading for me. I wonder if
> pledge(2), in theory, can be used to extend his program.
> 

see the above url re pledge.



Re: Is it possible to use pledge(2) to make something similar to firejail?

2015-11-30 Thread Lampshade
Thanks for answers.
@dan mclaughlin. But how to prevent attacker going out of chroot?
Do you think that this is possible to prevent this using pledge(2)?

Thanks for links. Especially Jonathan's "Re: making firefox less
insecure"
mail dated 2014-11-23 is worth reading for me. I wonder if
pledge(2), in theory, can be used to extend his program.



Re: Is it possible to use pledge(2) to make something similar to firejail?

2015-11-29 Thread dan mclaughlin
On Sun, 29 Nov 2015 07:08:57 -0700 "Anthony J. Bentley" wrote:
> Lampshade writes:
> > Is it possible, in theory, to use pledge(2) to make something similar to
> > firejail?
> > https://packages.debian.org/sid/main/firejail
> > Firejail is a GNU/Linux program which executes Firefox as its descendant
> > with reduced privileges.
> > For example I would like to restrict Firefox to not write and read to any
> > directory outside the /home/firefox directory. Let's assume that I run
> > firefox as another user than my normal account. I would restrict, using
> > traditional Unix privileges, Firefox and all its descendants, logging in as
> > another user to regain privileges to, for example, /home/open. I imagine
> > that would still leave a huge attack vector to pwn the system and/or sniff
> > passwords, but I think it is better than nothing.
> 
> After the recent Firefox pdf.js exploit (where malicious PDFs on an ad
> server were reading files under ~, including ssh keys), I started
> running Firefox as its own user, and tightened the permissions on my
> home directory so Firefox can't access it.
> 
> There's a large class of attacks this doesn't help against (anything
> that uses X to access keystrokes or similar) but it stops a large set of
> potential Firefox exploits right away with nothing but Unix filesystem
> permissions.
> 
> http://lists.dragonflybsd.org/pipermail/users/2015-August/228324.html
> 
> -- 
> Anthony J. Bentley
> 

you can mitigate those X attacks using 'ssh -X'. i detailed a number of
mitigations here in 'isolating untrusted programs in ssh chroot jails'
(https://marc.info/?l=openbsd-misc=142676615612510=2).

it has been reported that those methods work for firefox as well.

if going the route of chroot itself is too extreme, you would still profit
from some of the other information in that post, i.e. X11 Security Extensions,
Xephyr.

for pdfs, i have a chroot under a user who is denied access to the net
via pf. i find it a good idea to only allow specific users access, e.g.:

pass out log quick on $intif proto tcp user { browse, 1000, pfetch }
pass out log quick on $intif proto udp user { browse, 1000, pfetch }

even root is denied net access with the above.
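An added pf.conf fragment, not from the post above, showing the default-deny
rule that those two pass rules depend on. The interface name, the accounts
"browse" and "pfetch" and the uid 1000 are placeholders: the user names are
taken from the rules above, the interface is assumed.

```pf
# Added example (not the poster's ruleset). Assumed: em0 is the internal
# interface; "browse" runs Firefox, "pfetch" fetches packages, uid 1000 is
# the normal login account; a PDF-viewer chroot runs as some other uid.
intif = "em0"

# Default deny for outbound traffic. pf passes packets that match no rule,
# so without this line the "pass ... user { ... }" rules below would deny
# nothing: every other user, root included, would still reach the network.
block out log on $intif

# Only sockets owned by these users may originate TCP or UDP traffic. The
# "user" option matches the effective uid of the local socket owner, so it
# only works for connections that start or end on this host, not for
# forwarded packets. Root and the PDF-viewer uid are not listed, so their
# connection attempts hit the block rule above and are logged to pflog.
pass out log quick on $intif proto tcp user { browse, 1000, pfetch }
pass out log quick on $intif proto udp user { browse, 1000, pfetch }
```

Only TCP and UDP are passed, so ICMP from any user is blocked as well; add a
separate pass rule if the allowed accounts need it. Check the syntax without
loading the ruleset with `pfctl -nvf /etc/pf.conf`, and verify the denial by
running a network client as the unlisted user and watching `tcpdump -n -e -ttt
-i pflog0` for the blocked packets.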



Re: Is it possible to use pledge(2) to make something similar to firejail?

2015-11-29 Thread Anthony J. Bentley
Lampshade writes:
> Is it possible, in theory, to use pledge(2) to make something similar to
> firejail?
> https://packages.debian.org/sid/main/firejail
> Firejail is a GNU/Linux program which executes Firefox as its descendant
> with reduced privileges.
> For example I would like to restrict Firefox to not write and read to any
> directory outside the /home/firefox directory. Let's assume that I run
> firefox as another user than my normal account. I would restrict, using
> traditional Unix privileges, Firefox and all its descendants, logging in as
> another user to regain privileges to, for example, /home/open. I imagine
> that would still leave a huge attack vector to pwn the system and/or sniff
> passwords, but I think it is better than nothing.

After the recent Firefox pdf.js exploit (where malicious PDFs on an ad
server were reading files under ~, including ssh keys), I started
running Firefox as its own user, and tightened the permissions on my
home directory so Firefox can't access it.

There's a large class of attacks this doesn't help against (anything
that uses X to access keystrokes or similar) but it stops a large set of
potential Firefox exploits right away with nothing but Unix filesystem
permissions.

http://lists.dragonflybsd.org/pipermail/users/2015-August/228324.html

-- 
Anthony J. Bentley



Re: Is it possible to use pledge(2) to make something similar to firejail?

2015-11-29 Thread Jiri B
On Sun, Nov 29, 2015 at 01:15:24PM +0100, Lampshade wrote:
> Is it possible, in theory, to use pledge(2) to make something similar to
> firejail?
> https://packages.debian.org/sid/main/firejail
> Firejail is a GNU/Linux program which executes Firefox as its descendant
> with reduced privileges.
> For example I would like to restrict Firefox to not write and read to any
> directory outside the /home/firefox directory. Let's assume that I run
> firefox as another user than my normal account. I would restrict, using
> traditional Unix privileges, Firefox and all its descendants, logging in as
> another user to regain privileges to, for example, /home/open. I imagine
> that would still leave a huge attack vector to pwn the system and/or sniff
> passwords, but I think it is better than nothing.

Firefox is a huge app. IMO you should ask upstream for a feature to be
able to define r/o and r/w paths which Firefox could use. Then OS-specific
sandboxing-like features could enforce such a policy.

j.



Is it possible to use pledge(2) to make something similar to firejail?

2015-11-29 Thread Lampshade
Is it possible, in theory, to use pledge(2) to make something similar to
firejail?
https://packages.debian.org/sid/main/firejail
Firejail is a GNU/Linux program which executes Firefox as its descendant
with reduced privileges.
For example I would like to restrict Firefox to not write and read to any
directory outside the /home/firefox directory. Let's assume that I run
firefox as another user than my normal account. I would restrict, using
traditional Unix privileges, Firefox and all its descendants, logging in as
another user to regain privileges to, for example, /home/open. I imagine
that would still leave a huge attack vector to pwn the system and/or sniff
passwords, but I think it is better than nothing.