[CentOS] Advanced Persistent Threats; Why aren't we confining Firefox and Evolution?

Mon Dec 10 15:38:00 UTC 2012
Daniel J Walsh <dwalsh at redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/07/2012 04:59 PM, Rob Townley wrote:
> Daniel,
> 
> Can the Firefox profile file hierarchy be sandboxed?  So everything 
> downloaded within the profile cache is sandboxed.  More like if any 
> application accesses something in a particular folder, sandboxing 
> automatically kicks in.
> 
You would need to set up something separately to do this.  The sandboxing tool is
by user choice.  For example in firefox/thunderbird I can specify that any
time it downloads content, firefox/thunderbird will run a command to view that
content.  Rather than use evince or ooffice, I have them run sandboxevince and
sandboxooffice, which are simple shell scripts wrapping the sandbox command.

cat ~/bin/sandboxevince
#!/bin/sh
/usr/bin/sandbox -X /usr/bin/evince "$@"

cat ~/bin/sandboxooffice
#!/bin/sh
/usr/bin/sandbox -w 1400x750 -X ooffice "$@"

You can run your entire firefox session within a sandbox.  Here is how I do this.

cat ~/bin/sandboxfirefox
#!/bin/sh
sandbox -i ~/.mozilla -X -t sandbox_web_t -W metacity -w 1000x900 firefox "$@"

Now getting apps to run sandbox when looking at certain content is something
you would need to figure out.
> On Fri, Dec 7, 2012 at 5:49 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:
> 
>> On 12/06/2012 09:05 PM, David McGuffey wrote:
>>> Most of the advanced persistent threats (APT) are initiated via
>>> e-mail. Opening an attachment or clicking on a web link starts the
>>> process.
>>> 
>>> Why aren't Firefox and Evolution confined with SELinux policy in a
>>> way that APT can't damage the rest of the system? Why are we not
>>> sandboxing these two apps with SELinux?
>>> 
>>> I've discovered some guidance for sandboxing Firefox using the
>>> 'sandbox' command.  Once I test it a bit, I'll post the results back
>>> here.  Seems to me that if this works, it should be the default.
>>> 
>>> DaveM
>>> 
>>> _______________________________________________ CentOS mailing list 
>>> CentOS at centos.org http://lists.centos.org/mailman/listinfo/centos
>>> 
>> Very difficult to sandbox thunderbird and firefox.  But sandbox tool 
>> actually works well for sandboxing viewers of downloaded data.  I sandbox
>> all content that will be viewed by evince and libreoffice.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iEYEARECAAYFAlDGAdcACgkQrlYvE4MpobNnTACgotqePhY2NY03GEZitDU2job7
Ia0An3YijmST+kuUxxLDPRsBhTzmEM0c
=k1X2
-----END PGP SIGNATURE-----
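The thread leaves "getting apps to run sandbox when looking at certain content" to the reader. The wrapper below, sandboxview, is an added example written for this page; it is not Dan Walsh's script and not part of the original mail. It keeps the sandbox flags the mail uses (-X, -w 1400x750) but adds a decision step: a file is opened through /usr/bin/sandbox only when it lives under a directory the user treats as untrusted. The untrusted-directory list, the extension-to-viewer table, the function names and the script name are all assumptions made here.

```shell
#!/bin/sh
# sandboxview: added example (not code from the original mail). Wraps a viewer
# in the SELinux `sandbox` command (policycoreutils-sandbox) only when the file
# comes from a location the user treats as untrusted. The untrusted-directory
# list, the extension-to-viewer table and the script name are assumptions made
# here; the flags -X and -w 1400x750 are the ones used in the original mail.

# Colon-separated directories whose contents are treated as untrusted (assumption).
UNTRUSTED_DIRS="${UNTRUSTED_DIRS:-$HOME/Downloads:$HOME/.mozilla:$HOME/.cache}"
SANDBOX_BIN="${SANDBOX_BIN:-/usr/bin/sandbox}"

# needs_sandbox FILE: succeed (0) if FILE lies under one of UNTRUSTED_DIRS.
needs_sandbox() {
    _p=$1
    case $_p in /*) ;; *) _p=$PWD/$_p ;; esac
    _rest=$UNTRUSTED_DIRS
    while [ -n "$_rest" ]; do
        _dir=${_rest%%:*}
        case $_p in "$_dir"/*) return 0 ;; esac
        [ "$_rest" = "$_dir" ] && break   # last entry, no colon left
        _rest=${_rest#*:}
    done
    return 1
}

# viewer_for FILE: print the viewer chosen by extension; fail for unknown types.
viewer_for() {
    case $1 in
        *.pdf|*.PDF|*.ps) echo /usr/bin/evince ;;
        *.odt|*.ods|*.odp|*.doc|*.docx|*.xls|*.xlsx|*.ppt|*.pptx) echo ooffice ;;
        *) return 1 ;;
    esac
}

# sandbox_opts_for FILE: extra sandbox options; office documents get a window size.
sandbox_opts_for() {
    case $1 in
        *.odt|*.ods|*.odp|*.doc|*.docx|*.xls|*.xlsx|*.ppt|*.pptx) echo "-w 1400x750" ;;
        *) : ;;
    esac
}

# dispatch HOW FILE: assemble the command line and hand it to HOW
# ("echo" for a dry run, "exec" to actually open the file).
dispatch() {
    _how=$1; _file=$2
    _viewer=$(viewer_for "$_file") || return 2
    if needs_sandbox "$_file"; then
        # $(sandbox_opts_for) is deliberately unquoted so "-w 1400x750" splits into two words
        set -- "$SANDBOX_BIN" -X $(sandbox_opts_for "$_file") "$_viewer" "$_file"
    else
        set -- "$_viewer" "$_file"
    fi
    "$_how" "$@"
}

build_command() { dispatch echo "$1"; }   # dry run: print what would be executed
open_file()     { dispatch exec "$1"; }   # real run: replace this shell with the viewer

# Run only when invoked with a file argument, so the functions can be sourced or tested.
if [ "$#" -ge 1 ]; then
    open_file "$1" || { echo "sandboxview: no viewer configured for $1" >&2; exit 2; }
fi
```

Pointing the mail client's or browser's "open with" setting at sandboxview, the way the mail points it at sandboxevince, gives the automatic behaviour Rob asked about; `build_command` prints the command line without running anything, which is useful for checking the mapping before wiring it in. Trusting a file by where it sits is a weaker rule than the mail's own scripts, which sandbox every viewer run unconditionally; the location check is an assumption of this example, not something the sandbox tool does by itself.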