Re: sandbox: open new firefox tab from outside

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/12/2010 08:54 AM, Christoph A. wrote:
> Hi,
> 
> I was using firefox within sandboxes for a while without perm. home
> directory.
> To store bookmarks, addons and so on, I started to use perm. homedir (-H).
> 
> Because firefox does not allow multiple concurrent sessions (lock on
> .mozilla) it is not possible to open multiple websites when specifying
> the same sandbox homedir, hence I'm looking for a possibility to open
> new websites within a running sandbox from outside.
> 
> Without sandboxes everyone can open new websites in a running firefox
> instance using:
> firefox -remote "openurl(http://www.mozilla.org)"
> 
> sandbox scenario:
> 1. step:
> start firefox:
> sandbox -X -H homedir -T tempdir -t sandbox_web_t -l s0:c100,c100 firefox
> 
> 2. step:
> sandbox -H homedir -T tempdir -t sandbox_web_t -l s0:c100,c100 firefox
> -remote "openurl(http://www.mozilla.org)"
> 
> My current attempts fail because I'm unable use the '-l' option
> (#632377) but would the policy allow the 'firefox -remote' command if
> type and security level matches with the already running sandbox?
> 
> kind regards,
> Christoph
> 
> 
> 
> 
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
I have gotten this to work, but it is not pretty.

I created a file in homedir called firefox.sh

It looks like

cat homedir/firefox.sh
#!/bin/sh
DISPLAY=:1.0 /usr/bin/firefox -remote "openurl($1)"

Then

sandbox -H ~/sandbox/homedir -T ~/sandbox/tempdir -t sandbox_web_t -l
s0:c100 /bin/sh ~/firefox.sh http://www.redhat.com

Seems to work.

The key thing is figuring out the DISPLAY.

A possible solution would be to change the /usr/share/sandbox/sandboxX.sh
To the attached.

Which creates a ~/seremote application within homedir that looks like

#!/bin/sh -x
DISPLAY=:1 $*


:1 will be different for each additional sandbox.

Then you could execute

sandbox -H ~/sandbox/homedir -T ~/sandbox/tempdir -t sandbox_web_t -l
s0:c100 /bin/sh ~/seremote firefox -remote "openurl(http://www.redhat.com)"


And it will work.

I will have to make policy changes to allow

sandbox -H ~/sandbox/homedir -T ~/sandbox/tempdir -t sandbox_web_t -l
s0:c100 ~/seremote firefox -remote "openurl(http://www.redhat.com)"

to work.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkyOZVUACgkQrlYvE4MpobP9AQCcDznCUgsZ6AYdVg/FXzKPfq7J
0QwAn1cRXFJ7hps0GUA/ukQb6ugkvFF7
=RoYb
-----END PGP SIGNATURE-----

Attachment: sandboxX.sh
Description: application/shellscript

Attachment: sandboxX.sh.sig
Description: PGP signature

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux