[CentOS] Advanced Persistent Threats; Why aren't we confining Firefox and Evolution?
Daniel J Walsh
dwalsh at redhat.com
Mon Dec 10 15:38:00 UTC 2012
On 12/07/2012 04:59 PM, Rob Townley wrote:
> Daniel,
>
> Can the Firefox profile file hierarchy be sandboxed? So everything
> downloaded within the profile cache is sandboxed. More like if any
> application accesses something in a particular folder, sandboxing
> automatically kicks in.
>
You would need to set up something separately to do this. The sandboxing tool is
used by user choice. For example, in firefox/thunderbird I can specify that any
time it downloads content, firefox/thunderbird will run a command to view that
content. Rather than use evince or ooffice, I have them run sandboxevince and
sandboxooffice, which are simple shell scripts wrapping the sandbox command.
cat ~/bin/sandboxevince
#!/bin/sh
# Open the downloaded file with evince inside an SELinux sandbox that gets its own X server (-X).
/usr/bin/sandbox -X /usr/bin/evince "$@"
cat ~/bin/sandboxooffice
#!/bin/sh
# Same for ooffice, with a larger window for the sandboxed X server (-w WIDTHxHEIGHT).
/usr/bin/sandbox -w 1400x750 -X ooffice "$@"
You can run your entire firefox session within a sandbox. Here is how I do this.
cat ~/bin/sandboxfirefox
#!/bin/sh
# -i copies ~/.mozilla into the sandbox's temporary home, -t runs firefox in the
# sandbox_web_t domain, -W selects the window manager for the sandboxed X server.
sandbox -i ~/.mozilla -X -t sandbox_web_t -W metacity -w 1000x900 firefox "$@"
Now getting apps to run sandbox when looking at certain content is something
you would need to figure out.
> On Fri, Dec 7, 2012 at 5:49 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>
> On 12/06/2012 09:05 PM, David McGuffey wrote:
>>>> Most of the advanced persistent threats (APT) are initiated via
>>>> e-mail. Opening an attachment or clicking on a web link starts the
>>>> process.
>>>>
>>>> Why aren't Firefox and Evolution confined with SELinux policy in a
>>>> way that APT can't damage the rest of the system? Why are we not sandboxing
>>>> these two apps with SELinux?
>>>>
>>>> I've discovered some guidance for sandboxing Firefox using the
>>>> 'sandbox' command. Once I test it a bit, I'll post the results back
>>>> here. Seems to me that if this works, it should be the default.
>>>>
>>>> DaveM
>>>>
>>>>
>>>> _______________________________________________ CentOS mailing list
>>>> CentOS at centos.org http://lists.centos.org/mailman/listinfo/centos
>>>>
> Very difficult to sandbox thunderbird and firefox. But sandbox tool
> actually works well for sandboxing viewers of downloaded data. I sandbox
> all content that will be viewed by evince and libreoffice.
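The per-viewer wrapper scripts above generalize into a single dispatcher: one script that picks the viewer from the file's extension, applies the matching sandbox flags, and refuses to fall back to an unconfined viewer when the sandbox tool is absent. The following is an added example and not Dan Walsh's own scripts; it assumes the policycoreutils sandbox command lives at /usr/bin/sandbox and that evince, libreoffice and firefox are the viewers to be wrapped.

```shell
#!/bin/sh
# Added example (not from the original mail): a generic "open downloaded file
# under the SELinux sandbox command" dispatcher. Assumes /usr/bin/sandbox from
# policycoreutils-sandbox and the viewers evince, libreoffice and firefox.

SANDBOX=/usr/bin/sandbox

# viewer_for FILE -> prints the viewer for FILE's extension, or nothing if
# no sandboxed viewer is registered for that type.
viewer_for() {
    case "$1" in
        *.pdf|*.PDF)                                            echo "evince" ;;
        *.odt|*.ods|*.odp|*.doc|*.docx|*.xls|*.xlsx|*.ppt|*.pptx) echo "libreoffice" ;;
        *.html|*.htm)                                           echo "firefox" ;;
        *)                                                      echo "" ;;
    esac
}

# sandbox_flags VIEWER -> prints the sandbox options for that viewer.
# -X gives the viewer its own X server; -w sets that window's size;
# -t picks the SELinux domain; -W picks the window manager inside the sandbox.
sandbox_flags() {
    case "$1" in
        libreoffice) echo "-w 1400x750 -X" ;;
        firefox)     echo "-X -t sandbox_web_t -W metacity -w 1000x900" ;;
        *)           echo "-X" ;;
    esac
}

# sandbox_cmd FILE -> prints the full command line that would be run.
# Returns 1 and prints nothing when the file type has no sandboxed viewer.
sandbox_cmd() {
    viewer=$(viewer_for "$1")
    [ -n "$viewer" ] || return 1
    echo "$SANDBOX $(sandbox_flags "$viewer") $viewer $1"
}

# run_sandboxed FILE -> executes the viewer under sandbox. Deliberately does
# NOT fall back to running the viewer unconfined if sandbox is missing.
run_sandboxed() {
    viewer=$(viewer_for "$1")
    if [ -z "$viewer" ]; then
        echo "no sandboxed viewer registered for: $1" >&2
        return 1
    fi
    if [ ! -x "$SANDBOX" ]; then
        echo "$SANDBOX not found (install policycoreutils-sandbox); refusing to open unconfined" >&2
        return 1
    fi
    # Flags contain no spaces, so unquoted expansion is safe; the filename is quoted.
    exec "$SANDBOX" $(sandbox_flags "$viewer") "$viewer" "$1"
}

# Dispatch only when invoked with a file argument, so the functions can be sourced.
if [ "$#" -gt 0 ]; then
    run_sandboxed "$1"
fi
```

Point Firefox's and Thunderbird's "open with" handlers at this one script instead of at separate sandboxevince/sandboxooffice wrappers; the refusal to run unconfined when the sandbox tool is missing is the check that keeps a misconfigured machine from silently losing the confinement.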