On Wed, 2013-08-21 at 09:47 +0000, fedorauser wrote:
> Hi!
>
> Since F19 my default browser is
> 'sandbox -X -t sandbox_web_t firefox %u'
> which makes me feel a little bit more comfortable when browsing the
> web without NoScript enabled.
>
> Now I'd like to also move the Tor Browser Bundle [1] into a sandbox,
> has anyone tried to do that yet?
>
> Besides outgoing connections TBB will also try to open two listeners
> at 127.0.0.1:9150 and 127.0.0.1:9151.
>
> So far a simple test failed:
>
> cd tor-browser_en-US-3.0-alpha-3
> sandbox -X -H . -t sandbox_net_t ./start-tor-browser
> Error: Tor Browser exited abnormally. Exit code: 127
>
> Is there another sandbox type (-t) that would be more appropriate for
> this?
> Does sandbox_net_t allow to open local listeners (9150+9151)?

Here's my take on it:

# sesearch -ASC -s sandbox_net_t -p name_bind
Found 6 semantic av rules:
DT allow nsswitch_domain unreserved_port_t : tcp_socket { name_bind name_connect } ; [ nis_enabled ]
DT allow nsswitch_domain unreserved_port_t : udp_socket name_bind ; [ nis_enabled ]
DT allow nsswitch_domain port_t : tcp_socket { name_bind name_connect } ; [ nis_enabled ]
DT allow nsswitch_domain port_t : udp_socket name_bind ; [ nis_enabled ]
DT allow nsswitch_domain ephemeral_port_t : tcp_socket { name_bind name_connect } ; [ nis_enabled ]
DT allow nsswitch_domain ephemeral_port_t : udp_socket name_bind ; [ nis_enabled ]

# semanage port -l | grep 9150
tor_port_t tcp 6969, 9001, 9030, 9050, 9051, 9150

# semanage port -l | grep 9151
#

So sandbox_net_t is allowed to bind tcp and udp sockets to ports labeled with the unreserved_port_t, port_t and ephemeral_port_t type security identifiers, but only if the nis_enabled boolean is set to true (it's currently set to false in my policy).

But this doesn't help you because tcp 9150 is labeled with the tor_port_t type security identifier (port 9151 should be allowed since it currently has no private type security identifier, so it falls back on unreserved_port_t I suspect).

So I guess one would need to allow the sandbox to bind tcp sockets to tor_port_t type ports.

You can create sandboxes that are tailored to specific requirements. In the video in the link below I demonstrate the procedure of creating custom sandboxes. I basically create a sandbox called hello and make that able to run firefox and connect to the network via tor, http and xserver ports.

Just a quick example that might get you started:

https://www.youtube.com/watch?v=0PaNlkjXrWk&feature=youtu.be

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
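The custom-sandbox approach described in the reply, written out as an added example (it is not code from the mailing-list post or the linked video): a small policy module defines a sandbox_tor_t domain, built from the same template as the stock sandbox_net_t, that may bind the tor_port_t port 9150 and the unlabeled port 9151 and connect to the tor, http and xserver ports. The module name sandbox_tor, the domain name sandbox_tor_t, and the assumption that the Fedora policy of that era ships the interfaces used here (sandbox_x_domain_template, corenet_tcp_bind_tor_port, corenet_tcp_bind_all_unreserved_ports and the other corenet_* calls) are mine; check them against /usr/share/selinux/devel/include before building.

```shell
#!/bin/sh
# Added example, not code from the original post. Generates and builds an
# SELinux policy module for a Tor Browser Bundle sandbox domain.
# Assumptions: selinux-policy-devel is installed (for the devel Makefile) and
# the interface names in the .te source exist in this policy version.
set -e

MODULE=sandbox_tor

# Print the type-enforcement source for the module.
sandbox_tor_te() {
  cat <<'EOF'
policy_module(sandbox_tor, 1.0)

# Derive a complete sandbox domain (sandbox_tor_t plus its client and file
# types) from the template the stock sandbox_net_t is created with.
sandbox_x_domain_template(sandbox_tor)

# Generic TCP networking, as sandbox_net_t already has.
corenet_all_recvfrom_unlabeled(sandbox_tor_t)
corenet_tcp_sendrecv_generic_if(sandbox_tor_t)
corenet_tcp_sendrecv_generic_node(sandbox_tor_t)
corenet_tcp_bind_generic_node(sandbox_tor_t)

# TBB's local listeners: 127.0.0.1:9150 is labeled tor_port_t, and 9151 has
# no private label so it falls under the unreserved ports. Granting these
# directly avoids depending on the nis_enabled boolean.
corenet_tcp_bind_tor_port(sandbox_tor_t)
corenet_tcp_bind_all_unreserved_ports(sandbox_tor_t)

# Outbound: the browser to the local tor ports, tor to its relays on tor/http
# ports, and the X server port for sandbox -X.
corenet_tcp_connect_tor_port(sandbox_tor_t)
corenet_tcp_connect_http_port(sandbox_tor_t)
corenet_tcp_connect_xserver_port(sandbox_tor_t)
EOF
}

# Sanity check: the generated source must grant both binds the post needs.
te_grants_tbb_binds() {
  sandbox_tor_te | grep -q 'corenet_tcp_bind_tor_port(sandbox_tor_t)' &&
  sandbox_tor_te | grep -q 'corenet_tcp_bind_all_unreserved_ports(sandbox_tor_t)'
}

# Build the .pp with the policy devel Makefile, which expands the
# policy_module()/interface macros that checkmodule alone cannot.
build_module() {
  workdir=$(mktemp -d)
  sandbox_tor_te > "$workdir/$MODULE.te"
  ( cd "$workdir" && make -f /usr/share/selinux/devel/Makefile "$MODULE.pp" )
  printf '%s\n' "$workdir/$MODULE.pp"
}

# Install the module (needs root). Afterwards, from the TBB directory:
#   sandbox -X -H . -t sandbox_tor_t ./start-tor-browser
install_module() {
  semodule -i "$(build_module)"
}

# Only build when asked and when the devel Makefile is actually present, so
# the script can be run elsewhere just to inspect the generated source.
if [ "${1:-}" = install ] && [ -f /usr/share/selinux/devel/Makefile ]; then
  install_module
fi
```

Run it as `sh sandbox_tor.sh install` on the host to build and load the module, or call `sandbox_tor_te` to print the .te source and review it first. After loading, re-running the `sesearch -ASC -s sandbox_tor_t -p name_bind` query from the reply should list tor_port_t without a `[ nis_enabled ]` condition; if the browser still fails, `ausearch -m avc -ts recent` shows which further permission the new domain lacks.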