| 1 |
Marcel Meyer wrote: |
| 2 |
> Am Sonntag, 24. Februar 2008 schrieb 7v5w7go9ub0o: |
| 3 |
>> The hardened toolchain'll protect you outright against some types of |
| 4 |
>> memory attacks; GRSEC'll provide additional PAX protections; putting |
| 5 |
>> net-clients into the much-harder jails provided by some hardened kernels |
| 6 |
>> (e.g. grsecurity) will confine damage (e.g. my browsers, mail clients, |
| 7 |
>> media players, chat client, ooffice, etc. are each in their own |
| 8 |
>> hardened-chroot jail), plus RBAC will stop a browser that suddenly |
| 9 |
>> decides to browse about the box (well, within the jail :-) ) looking for |
| 10 |
>> information, or trying to effect changes. |
| 11 |
> Did you (or anybody else here) already set up some chroot/jail/other |
| 12 |
> restrictions for a browser like Konqueror with grsec/RSBAC? |
| 13 |
|
| 14 |
Haven't done Konqueror; I do have Opera and FireFox in individual jails. |
| 15 |
|
| 16 |
How does it |
| 17 |
> look like? |
| 18 |
|
| 19 |
I have a directory /jail that contains sub directories; each a jailed |
| 20 |
application. Most of the time, I simply cd to the application directory |
| 21 |
and start the jail. In the cases of opera, thunderbird, and firefox, I |
| 22 |
copy the individual jail into ram disk first, and then start the jail in |
| 23 |
ramdisk (this so that any changes other than bookmarks, mail, etc. are |
| 24 |
automatically discarded) |
| 25 |
|
| 26 |
It's hard for me to image what to restrict without dramatically |
| 27 |
> cut down the usefullness of the program. |
| 28 |
|
| 29 |
It is NOT as convenient as it was, but remains fully useful; |
| 30 |
e.g. if you want to jump to a link in thunderbird (mail client), you |
| 31 |
need to rt-click copy the link and then ctr-click paste it onto the |
| 32 |
opened browser window. Cumbersome at first, it becomes second nature |
| 33 |
after a while. |
| 34 |
|
| 35 |
There is probably a way to use X to safely allow a one-way connection |
| 36 |
from the tbird jail to the browser jail for the purpose of links, but I |
| 37 |
haven't figured it out yet (low priority - but would be useful). |
| 38 |
|
| 39 |
Another alternative is to put your browser into the same jail as the |
| 40 |
mail client - problem there is that I keep account information, personal |
| 41 |
scheduling information, mailing lists, etc. in my mail client, so I |
| 42 |
don't want that information anywhere near my browser which might be |
| 43 |
compromised. |
| 44 |
|
| 45 |
And how to deal with spontaneous |
| 46 |
> exceptions to the rules (like limiting to ports 80 and 443 and then wanting |
| 47 |
> to contact port 8080). |
| 48 |
|
| 49 |
Exactly right..... some web page'll have 8080 or some other http port, |
| 50 |
and RBAC will block it. I use multitail to monitor the syslog, and |
| 51 |
whenever grsec entries occur, I pop up an xmessage window with a copy of |
| 52 |
the log message (which are pretty good at describing what was blocked). |
| 53 |
You then edit the RBAC policy file to allow that port (or not). After a |
| 54 |
while, you get the RBAC rules set up and the popups subside. |
| 55 |
|
| 56 |
HTH |
| 57 |
|
| 58 |
|
| 59 |
|
| 60 |
|
| 61 |
-- |
| 62 |
gentoo-hardened@l.g.o mailing list |
Archives