Hi!
Since F19 my default browser is 'sandbox -X -t sandbox_web_t firefox %u' which makes me feel a little bit more comfortable when browsing the web without NoScript enabled.
Now I'd like to also move the Tor Browser Bundle [1] into a sandbox, has anyone tried to do that yet?
Besides outgoing connections TBB will also try to open two listeners at 127.0.0.1:9150 and 127.0.0.1:9151.
So far a simple test failed:
cd tor-browser_en-US-3.0-alpha-3
sandbox -X -H . -t sandbox_net_t ./start-tor-browser
Error: Tor Browser exited abnormally. Exit code: 127
Is there another sandbox type (-t) that would be more appropriate for this? Does sandbox_net_t allow to open local listeners (9150+9151)?
thanks!
[1] https://archive.torproject.org/tor-package-archive/torbrowser/3.0a3/
On Wed, 2013-08-21 at 09:47 +0000, fedorauser wrote:
> Is there another sandbox type (-t) that would be more appropriate for this? Does sandbox_net_t allow to open local listeners (9150+9151)?
Here's my take on it:

# sesearch -ASC -s sandbox_net_t -p name_bind
Found 6 semantic av rules:
DT allow nsswitch_domain unreserved_port_t : tcp_socket { name_bind name_connect } ; [ nis_enabled ]
DT allow nsswitch_domain unreserved_port_t : udp_socket name_bind ; [ nis_enabled ]
DT allow nsswitch_domain port_t : tcp_socket { name_bind name_connect } ; [ nis_enabled ]
DT allow nsswitch_domain port_t : udp_socket name_bind ; [ nis_enabled ]
DT allow nsswitch_domain ephemeral_port_t : tcp_socket { name_bind name_connect } ; [ nis_enabled ]
DT allow nsswitch_domain ephemeral_port_t : udp_socket name_bind ; [ nis_enabled ]

# semanage port -l | grep 9150
tor_port_t tcp 6969, 9001, 9030, 9050, 9051, 9150

# semanage port -l | grep 9151
#

So sandbox_net_t is allowed to bind tcp and udp sockets to ports labeled with the unreserved_port_t, port_t, and ephemeral_port_t type security identifiers, but only if the nis_enabled boolean is set to true (it's currently set to false in my policy).
But this doesn't help you because tcp 9150 is labeled with the tor_port_t type security identifier (port 9151 should be allowed since it currently has no private type security identifier, so it falls back on unreserved_port_t, I suspect).
So I guess one would need to allow the sandbox to bind tcp sockets to tor_port_t type ports.
You can create sandboxes that are tailored to specific requirements.
In the video in the link below I demonstrate the procedure of creating custom sandboxes.
I basically create a sandbox called hello and make that able to run firefox and connect to the network via tor, http and xserver ports.
Just a quick example that might get you started:
https://www.youtube.com/watch?v=0PaNlkjXrWk&feature=youtu.be
Hi Dominick,
Thank you very much for your comprehensive answer and your video! I'll try to create a 'sandbox_torbrowserbundle_t'.
On 08/21/2013 05:47 AM, fedorauser wrote:
> So far a simple test failed:
> cd tor-browser_en-US-3.0-alpha-3
> sandbox -X -H . -t sandbox_net_t ./start-tor-browser
> Error: Tor Browser exited abnormally. Exit code: 127
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
What avc messages are you seeing?
Hi Dan,
> What avc messages are you seeing?
As Dominick anticipated I got:
avc: denied { name_bind } for pid=23725 comm="tor" src=9150 scontext=unconfined_u:unconfined_r:sandbox_net_client_t:s0:c353,c458 tcontext=system_u:object_r:tor_port_t:s0 tclass=tcp_socket
(in permissive mode and nis_enabled --> on)
On Mon, 2013-08-26 at 22:33 +0000, fedorauser wrote:
> (in permissive mode and nis_enabled --> on)
You will probably want nis_enabled off if possible, it is a very coarse boolean.
> avc: denied { name_bind } for pid=23725 comm="tor" src=9150 scontext=unconfined_u:unconfined_r:sandbox_net_client_t:s0:c353,c458
> tcontext=system_u:object_r:tor_port_t:s0 tclass=tcp_socket
The quickest (but dirty) fix seems to be to configure TBB to bind to another port (I used 9152 instead of tcp/9150). Changing the SocksPort in TBB's torrc + nis_enabled works for me, but I will build a new sandbox domain anyway.
In the end I'd like to have a sandbox type that is able to run TBB out of the box without nis_enabled.
(Why is 9150 in tor_port_t anyway? Tor uses 9050 by default. Are there other common configurations that use 9150 for tor?)
I tried to create a copy of sandbox_net_t (with different name) by copying the "sandbox_net_client_t local policy" section from sandboxX.te [1] and the "sandbox_x_domain_template(sandbox_net)" - line, but failed (typeattribute line).
What would be *the* way to create a (renamed) copy of sandbox_net_t? (I'd prefer just to create an exact copy instead of approximating the domain via audit2allow runs.)
After having an exact copy I'd add allow rules to cover binding to tcp/9150.
thanks!
[1] https://git.fedorahosted.org/cgit/selinux-policy.git/tree/sandboxX.te?h=f19-...
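Added example, not part of the original thread: a small Python model of the reasoning so far, which parses the quoted AVC denial and checks it against the six nis_enabled-conditional rules from the sesearch output. The function names are hypothetical, and it assumes that unlabeled ports fall back to unreserved_port_t (as suspected in the thread) and that the listed rules also apply to the sandbox client type.

```python
import re

# Constructed from the thread's sesearch output: all six rules hang off nis_enabled.
PORT_TYPES = ("unreserved_port_t", "port_t", "ephemeral_port_t")
RULES = {(t, "tcp_socket"): {"name_bind", "name_connect"} for t in PORT_TYPES}
RULES.update({(t, "udp_socket"): {"name_bind"} for t in PORT_TYPES})
# From the thread's `semanage port -l` output.
TOR_TCP_PORTS = {6969, 9001, 9030, 9050, 9051, 9150}

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?comm="(?P<comm>[^"]+)"'
    r'.*?src=(?P<src>\d+)\s+scontext=(?P<scontext>\S+)'
    r'\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Split a port-related AVC denial into the fields an allow rule is built from."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC denial carrying a src= port")
    return {
        "perms": set(m["perms"].split()),
        "comm": m["comm"],
        "port": int(m["src"]),
        "source_type": m["scontext"].split(":")[2],
        "target_type": m["tcontext"].split(":")[2],
        "tclass": m["tclass"],
    }

def port_type(port):
    """TCP port label. Assumption: unlabeled ports fall back to unreserved_port_t."""
    return "tor_port_t" if port in TOR_TCP_PORTS else "unreserved_port_t"

def allowed(target_type, tclass, perm, nis_enabled):
    """True if one of the conditional rules grants perm on target_type:tclass."""
    return bool(nis_enabled) and perm in RULES.get((target_type, tclass), set())

def explain(line, nis_enabled):
    """Return (comm, port, target type, would the boolean alone permit it?)."""
    a = parse_avc(line)
    ok = all(allowed(a["target_type"], a["tclass"], p, nis_enabled) for p in a["perms"])
    return a["comm"], a["port"], a["target_type"], ok

# The denial quoted in the thread.
AVC = ('avc: denied { name_bind } for pid=23725 comm="tor" src=9150 '
       'scontext=unconfined_u:unconfined_r:sandbox_net_client_t:s0:c353,c458 '
       'tcontext=system_u:object_r:tor_port_t:s0 tclass=tcp_socket')
```

explain(AVC, True) shows that nis_enabled alone does not cover tor_port_t, while the same check for tcp/9152 passes, which matches the SocksPort workaround described above.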
On Thu, 2013-08-29 at 12:01 +0000, fedorauser wrote:
> What would be *the* way to create a (renamed) copy of sandbox_net_t? (I'd prefer just to create an exact copy instead of approximating the domain via audit2allow runs.)
I showed you in the video how to create custom sandboxes.
sandbox_net_t is just another sandbox with full network access as far as I know.
So the procedure is pretty much the same as my video.
To grant full network access you would probably do something like this:

policy_module(mysandbox, 1.0.0)

sandbox_x_domain_template(mysandbox)

# the below grants pretty much full access to the tcp/udp network
gen_require(`
	attribute port_type;
')

allow mysandbox_t self:tcp_socket create_stream_socket_perms;
allow mysandbox_t self:udp_socket create_stream_socket_perms;

allow mysandbox_t port_type:tcp_socket { name_connect name_bind };
allow mysandbox_t port_type:udp_socket name_bind;

#EOF

After that it's pretty much the same procedure as I demonstrated in my video.
On Fri, 2013-08-30 at 18:55 +0200, Dominick Grift wrote:
> After that it's pretty much the same procedure as I demonstrated in my video
Well not quite, you probably also need to add stuff like this:
corenet_all_recvfrom_unlabeled(mysandbox_t)
corenet_tcp_sendrecv_generic_if(mysandbox_t)
corenet_tcp_bind_generic_node(mysandbox_t)
corenet_udp_sendrecv_generic_if(mysandbox_t)
corenet_udp_bind_generic_node(mysandbox_t)
selinux@lists.fedoraproject.org