[CentOS] Advanced Persistent Threats; Why aren't we confining Firefox and Evolution?

Mon Dec 10 15:38:00 UTC 2012
Daniel J Walsh <dwalsh at redhat.com>


On 12/07/2012 04:59 PM, Rob Townley wrote:
> Daniel,
> Can the Firefox profile file hierarchy be sandboxed?  So everything 
> downloaded within the profile cache is sandboxed.  More like if any 
> application accesses something in a particular folder, sandboxing 
> automatically kicks in.
You would need to set up something separately to do this.  The sandboxing tool is
by user choice.  For example, in firefox/thunderbird I can specify that any
time it downloads content, firefox/thunderbird will run a command to view that
content.  Rather than use evince or ooffice, I have them run sandboxevince and
sandboxooffice, which are simple shell scripts wrapping the sandbox command.

cat ~/bin/sandboxevince
#!/bin/sh
# Open the downloaded file with evince inside an SELinux sandbox with its own X server (-X).
/usr/bin/sandbox -X /usr/bin/evince "$@"

cat ~/bin/sandboxooffice
#!/bin/sh
# Same for office documents; -w sets the size of the sandboxed X window.
/usr/bin/sandbox -w 1400x750 -X ooffice "$@"

You can run your entire firefox session within a sandbox.  Here is how I do this.

cat ~/bin/sandboxfirefox
#!/bin/sh
# -i copies the profile into the sandbox, -t selects the sandbox_web_t domain, -W picks the window manager.
sandbox -i ~/.mozilla -X -t sandbox_web_t -W metacity -w 1000x900 firefox "$@"

Now getting apps to run sandbox when looking at certain content is something
you would need to figure out.
> On Fri, Dec 7, 2012 at 5:49 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:
> On 12/06/2012 09:05 PM, David McGuffey wrote:
>>>> Most of the advanced persistent threats (APT) are initiated via
>>>> e-mail. Opening an attachment or clicking on a web link starts the
>>>> process.
>>>> Why aren't Firefox and Evolution confined with SELinux policy in a
>>>> way that APT can't damage the rest of the system? Why are we not
>>>> sandboxing these two apps with SELinux?
>>>> I've discovered some guidance for sandboxing Firefox using the
>>>> 'sandbox' command.  Once I test it a bit, I'll post the results back
>>>> here.  Seems to me that if this works, it should be the default.
>>>> DaveM
>>>> _______________________________________________ CentOS mailing list 
>>>> CentOS at centos.org http://lists.centos.org/mailman/listinfo/centos
> Very difficult to sandbox thunderbird and firefox.  But sandbox tool 
> actually works well for sandboxing viewers of downloaded data.  I sandbox
> all content that will be viewed by evince and libreoffice.

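One way to close the gap Dan leaves open (having the sandbox kick in automatically for downloaded content) is a single wrapper that detects the file's MIME type and hands it to the matching sandboxed viewer. This is an added example written for this thread, not a script from the list or from Red Hat; the MIME-to-viewer table, the viewer paths and the use of file(1) for type detection are assumptions, while the sandbox flags are the ones shown in the messages above.

```sh
#!/bin/sh
# Added example: open a downloaded file only through the SELinux sandbox command.
# Point Firefox/Thunderbird's "open with" at this script instead of at the viewer.

# Print the sandbox command prefix for a MIME type, or fail if the type is unknown.
# The viewer assignments below are assumptions for illustration.
sandbox_cmd_for() {
    mime=$1
    case $mime in
        application/pdf|image/*)
            # Same invocation as Dan's sandboxevince wrapper.
            echo "/usr/bin/sandbox -X /usr/bin/evince" ;;
        application/vnd.oasis.opendocument.*|application/msword)
            # Same invocation as Dan's sandboxooffice wrapper.
            echo "/usr/bin/sandbox -w 1400x750 -X ooffice" ;;
        text/html)
            # Saved web pages get the sandbox_web_t domain used for the firefox session.
            echo "/usr/bin/sandbox -X -t sandbox_web_t -w 1000x900 firefox" ;;
        *)
            # Unknown content: refuse rather than fall back to an unconfined viewer.
            return 1 ;;
    esac
}

# Detect the MIME type of one file with file(1) and exec the sandboxed viewer on it.
open_sandboxed() {
    path=$1
    [ -r "$path" ] || { echo "not readable: $path" >&2; return 2; }
    mime=$(file --brief --mime-type -- "$path")
    cmd=$(sandbox_cmd_for "$mime") || {
        echo "no sandboxed viewer for $mime, refusing to open $path" >&2
        return 3
    }
    # $cmd is intentionally unquoted: it is a fixed command prefix; the path is quoted.
    exec $cmd "$path"
}

# Run only when given a file; sourcing the script just defines the functions.
if [ $# -gt 0 ]; then
    open_sandboxed "$1"
fi
```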