#1 2012-07-12 18:00:34

tradetaxfree
#! CrunchBanger
Registered: 2011-03-05
Posts: 122

Securing Applications with Sandfox in a chroot

There are several ways of locking down applications to prevent Zero Day Exploits from completely compromising your system (SELinux / AppArmor / Grsecurity) - a much simpler method is to run applications as a normal user in a chroot jail with Sandfox (written by the author of the SpaceFM File Manager).

If an application is compromised it will only be able to access the limited number of files it requires to operate.

Installation

sudo -s
gpg --keyserver keys.gnupg.net --recv-keys 7977070A723C6CCB696C0B0227A5AC5A01937621
gpg --check-sigs 0x01937621
bash -c 'gpg --export -a 01937621 | apt-key add -'
echo "deb http://ignorantguru.github.com/debian/ unstable main" >> /etc/apt/sources.list
apt-get update
apt-get install sandfox

Init Script

Next create an Init Script:

leafpad /etc/init.d/sandfox

& add the following & change the username on line 13:

#!/bin/bash
### BEGIN INIT INFO
# Provides: /usr/bin/sandfox
# Required-Start: 
# Required-Stop: 
# Default-Start: 4 5
# Default-Stop: 0 1 6
# Short-Description: Sandfox - Sandbox for running applications
# Description: https://igurublog.wordpress.com/downloads/script-sandfox/
# sudo update-rc.d sandfox start 70 4 5 . stop 70 0 1 6 .
### END INIT INFO

sandfoxuser=your-user-name
sandfoxbin=sandfox
sandfoxprofile1=firefox
sandfoxprofile2=thunderbird
sandfoxprofile3=skype
sandfoxprofile4=pidgin

### If you add more profiles just add them above & to the following line ###
MYPROFILES="$sandfoxprofile1 $sandfoxprofile2 $sandfoxprofile3 $sandfoxprofile4"

start() {
    RETVAL=0
    for PROFILE in $MYPROFILES
    do
       echo -n "Starting Sandfox with Sandbox $PROFILE"
       $sandfoxbin --profile $PROFILE --sandbox $PROFILE --user $sandfoxuser --verbose --logfile /tmp/sandfox.log
       rc=$?    # save the sandfox exit status before echo overwrites $?
       if [ $rc -gt 0 ]; then
        echo "failure starting Sandbox $PROFILE"
        RETVAL=$rc    # a failed profile keeps the script's exit status non-zero
       else
        echo "success starting Sandbox $PROFILE"
       fi
    done
}

stop() {
    echo -n "Stopping Sandfox: "
    $sandfoxbin --closeall --user $sandfoxuser
    rc=$?    # save the exit status before echo overwrites $?
    if [ $rc -gt 0 ]; then
        echo "failure"
        RETVAL=$rc
    else
        echo "success"
        RETVAL=0
    fi
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        stop
        sleep 3
        start
        ;;
    *)
        echo "Usage: $0 {start|stop|restart}"
        RETVAL=1
esac
exit $RETVAL

Next make the script executable & set the init levels so sandfox starts on every boot:

chmod +x /etc/init.d/sandfox
update-rc.d sandfox start 70 4 5 . stop 70 0 1 6 . 

If you mount /tmp noexec then you will need to change the bind folder for "sandfox-events" in /etc/sandfox/default.profile & also edit the eventsfolder variable at around line 839 of /usr/bin/sandfox so they both reflect a folder with execution permissions.

To start an application inside its sandbox / chroot:

sandfox --sandbox skype skype

Sandfox comes with profiles built in for Firefox / Skype (version 2) & Google Earth. Here are some additional profiles for Thunderbird & Pidgin to be stored in /etc/sandfox:

Thunderbird Profile: (save to /etc/sandfox/thunderbird.profile)

This profile will need adjustment if Thunderbird is not located under /opt/thunderbird

# Sandfox Thunderbird Profile
#
# Note that default.profile is always loaded in addition to other profiles 
#
# For instructions consult http://igurublog.wordpress.com/downloads/script-sandfox/
# OPTION
# or
# OPTION=VALUE   (Do not use quotes)
#
# To include another profile in this profile:
# profile=PROFILENAME

# root folders and files required by Thunderbird
bind=/dev/null
bind=/dev/urandom    # used for security purposes
bind=/dev/random    # used for printing
#bindro=/etc
#bindro=/lib
#bindro=/lib32
#bindro=/lib64
#bindro=/opt/lib32
bind=/tmp
#bindro=/usr
#bindro=/var/lib
hide=/var/lib/mlocate
bindro=/opt/thunderbird

# required by alsa for sound
bindro=/dev/snd
bindro=/proc

# required by Cups printing in Thunderbird
bind=/var/cache/cups        # starts faster
bind=/var/cache/fontconfig    # starts faster
bind=/var/run            # shows Cups printers

# home folders and files
# You may need to add additional binds to your home folders and files 
# in order for every aspect of Thunderbird to work as you want.  
bind=/home/$user/.thunderbird
# If you use Microsoft Office / WINE uncomment the next 2 lines:
#bind=/home/your-username/.wine

# Needed for KDE and Gnome themes (may be incomplete for gnome)
# To find out what other binds you may need, run 'env' in a shell as user
#       and examine the values of GTK2_RC_FILES and GTK_RC_FILES and XCURSOR_THEME
# Note: The bind for kdeglobals below is a limited privacy risk, as KDE4 stores
#       recent file and folder names in this file.  You can clean this file with 
#       kscrubber:  http://igurublog.wordpress.com/downloads/script-kscrubber/
#       or don't bind it, but your theme may not work in Thunderbird
bind=/home/$user/.config/gtk-2.0
bindro=/home/$user/.fontconfig
bindro=/home/$user/.fonts
bind=/home/$user/.gtkrc-2.0
#bind=/home/$user/.gtkrc-2.0-kde4
#bind=/home/$user/.kde/share/config/gtkrc
#bind=/home/$user/.kde/share/config/gtkrc-2.0      
#bindro=/home/$user/.kde/share/config/kdeglobals
#bind=/home/$user/.kde4/share/config/gtkrc
#bind=/home/$user/.kde4/share/config/gtkrc-2.0      
#bindro=/home/$user/.kde4/share/config/kdeglobals
#bindro=/home/$user/.gtkrc-2.0-kde
#bind=/home/$user/.kde3/share/config/gtkrc
#bind=/home/$user/.kde3/share/config/gtkrc-2.0      
#bindro=/home/$user/.kde3/share/config/kdeglobals
bindro=/home/$user/.Xdefaults    # for cursor theme
bindro=/home/$user/.Xauthority
#bindro=/etc/gtk-2.0/gtkrc    # used, but all of /etc is already bound

# other folders and files
# You may want to bind your Downloads or other data folders below so you
# can easily save and upload files from within Thunderbird.
bind=/home/$user/documents

Pidgin Profile: (save to /etc/sandfox/pidgin.profile)

# Sandfox Pidgin Profile
#
# Note that default.profile is always loaded in addition to other profiles 
# For instructions consult http://igurublog.wordpress.com/downloads/script-sandfox/
# OPTION
# or
# OPTION=VALUE   (Do not use quotes)
#
# To include another profile in this profile:
# profile=PROFILENAME

# Set this to your Pidgin video device
bind=/dev/video0
bind=/dev/shm
bind=/dev/snd
bindro=/proc/interrupts
bindro=/var/cache/libx11/compose
bind=/tmp
bind=/usr/share/purple

# Following only needed if all of /tmp not bound above
# copy=/tmp/.ICE-unix            
# copy=/tmp/.X11-unix/X0
# bind=/tmp/pulse-*/native

bindro=/usr/lib/libgtk2.0-0
bindro=/usr/share/X11/locale
bindro=/usr/share/icons
bindro=/usr/share/fonts

bind=/home/$user/.config/gtk-2.0
bindro=/home/$user/.fontconfig
bindro=/home/$user/.fonts
bind=/home/$user/.gtkrc-2.0
bind=/home/$user/.purple
#bindro=/home/$user/.ICEauthority
bindro=/home/$user/.Xauthority
bindro=/home/$user/.fontconfig

The Skype profile currently built in to Sandfox does not work for the latest Skype version 4. You will need to revise the Skype profile to include the following directories (this is a working AppArmor profile for Skype 4.0):

  /dev/ r,
  /dev/snd/* mrw,
  /dev/video0 rw,
  /etc/fonts/** r,
  /etc/pulse/client.conf r,
  /home/*/.Skype/ r,
  /home/*/.Skype/** rwk,
  /home/*/.Xauthority r,
  /home/*/.config/Skype/Skype.conf rwk,
  /home/*/.config/Trolltech.conf rk,
  /home/*/.fontconfig/* r,
  /home/*/.fonts.conf r,
  /home/*/.gtkrc-2.0 r,
  /home/*/.icons/default/index.theme r,
  /home/*/.pulse-cookie rwk,
  /home/*/.pulse/ r,
  /home/*/.pulse/* rw,
  /proc/*/cmdline r,
  /proc/*/fd/ r,
  /proc/*/net/arp r,
  /proc/*/net/route r,
  /run/shm/ r,
  /run/shm/* mrw,
  /sys/devices/LNXSYSTM:00/** r,
  /sys/devices/pci0000:00/** r,
  /sys/devices/system/cpu/ r,
  /sys/devices/system/cpu/cpu0/cpufreq/scaling_cur_freq r,
  /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq r,
  /usr/bin/skype mr,
  /usr/bin/xdg-open Cx,
  /usr/lib{,32,64}/** mr,
  /usr/share/alsa/alsa.conf r,
  /usr/share/alsa/alsa.conf.d/ r,
  /usr/share/alsa/cards/* r,
  /usr/share/alsa/pcm/* r,
  /usr/share/fonts/** mr,
  /usr/share/icons/DMZ-White/** r,
  /usr/share/icons/hicolor/index.theme rk,
  /usr/share/libthai/thbrk.tri r,
  /usr/share/skype/** mr,
  /usr/share/skype/sounds/* k,
  /usr/share/themes/** r,
  /var/cache/fontconfig/* mr,
  /var/lib/dbus/machine-id r,
  /var/tmp/* rwk, ## ** this may be /tmp on ##
  /var/tmp/*/ w,  ## ** your system         ##
  owner @{PROC}/[0-9]*/task/ r,
  owner @{PROC}/[0-9]*/task/[0-9]*/stat r,


#2 2012-07-23 07:24:06

Tim
#! CrunchBanger
From: SWeden
Registered: 2012-07-09
Posts: 142

Re: Securing Applications with Sandfox in a chroot

Going to try this at my waldorf netbook :)
Thanks for a nice tutorial!!


Crunchy feeling #!


#3 2012-07-23 08:45:26

Tunafish
#! Die Hard
From: the Netherlands
Registered: 2010-03-07
Posts: 1,204

Re: Securing Applications with Sandfox in a chroot

I added your howto to the list here:
http://crunchbanglinux.org/forums/post/74826


sed 's/stress/relaxation/g'
Privacy & Security on #!
