Marcel Meyer wrote:
> On Sunday, 24 February 2008, 7v5w7go9ub0o wrote:
>> The hardened toolchain'll protect you outright against some types of
>> memory attacks; GRSEC'll provide additional PaX protections; putting
>> net-clients into the much-harder jails provided by some hardened kernels
>> (e.g. grsecurity) will confine damage (e.g. my browsers, mail clients,
>> media players, chat client, ooffice, etc. are each in their own
>> hardened-chroot jail), plus RBAC will stop a browser that suddenly
>> decides to browse about the box (well, within the jail :-) ) looking for
>> information, or trying to effect changes.
> Did you (or anybody else here) already set up some chroot/jail/other
> restrictions for a browser like Konqueror with grsec/RSBAC?

Haven't done Konqueror; I do have Opera and Firefox in individual jails.

> What does it look like?

I have a directory /jail that contains subdirectories, each a jailed
application. Most of the time, I simply cd to the application directory
and start the jail. In the cases of Opera, Thunderbird, and Firefox, I
copy the individual jail into a ramdisk first, and then start the jail in
the ramdisk (this so that any changes other than bookmarks, mail, etc. are
automatically discarded).

> It's hard for me to imagine what to restrict without dramatically
> cutting down the usefulness of the program.

It is NOT as convenient as it was, but remains fully useful;
e.g. if you want to jump to a link in Thunderbird (mail client), you
need to right-click to copy the link and then ctrl-click to paste it onto
the opened browser window. Cumbersome at first, it becomes second nature
after a while.

There is probably a way to use X to safely allow a one-way connection
from the tbird jail to the browser jail for the purpose of links, but I
haven't figured it out yet (low priority - but would be useful).

Another alternative is to put your browser into the same jail as the
mail client - problem there is that I keep account information, personal
scheduling information, mailing lists, etc. in my mail client, so I
don't want that information anywhere near my browser which might be
compromised.

> And how to deal with spontaneous
> exceptions to the rules (like limiting to ports 80 and 443 and then wanting
> to contact port 8080).

Exactly right... some web page'll have 8080 or some other HTTP port,
and RBAC will block it. I use multitail to monitor the syslog, and
whenever grsec entries occur, I pop up an xmessage window with a copy of
the log message (they are pretty good at describing what was blocked).
You then edit the RBAC policy file to allow that port (or not). After a
while, you get the RBAC rules set up and the popups subside.

HTH

--
gentoo-hardened@l.g.o mailing list
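The message above describes two mechanics without showing them: running a jail from a ramdisk copy so that everything except bookmarks and mail is thrown away on exit, and watching the syslog for grsec denials so the RBAC policy can be widened one port at a time. The script below is an added example written for this page; it is not the poster's own script and nothing in it is taken from the thread. It assumes a layout the post does not specify: jails under /jail/<app>, an unprivileged account inside each jail named after the app, a jail that already contains a working /usr/bin/<app>, /etc/passwd, static /dev nodes and an X authority file, a whitelist of paths to keep in /jail/<app>.persist (one path per line, relative to the jail root), and the kernel log in /var/log/messages. The actual confinement comes from grsecurity's chroot hardening and the RBAC policy; this only sets the stage and cleans up.

```shell
#!/bin/sh
# Added example, not the poster's own script (see the assumptions above).
# Part 1: run a jail from a tmpfs copy and persist only a whitelist of paths.
# Part 2: filter syslog for grsec entries, pop up an xmessage per entry, and
#         print the RBAC "connect" line for a port you decide to allow.

JAIL_BASE=${JAIL_BASE:-/jail}          # assumed: prepared jails live here
RAM_BASE=${RAM_BASE:-/mnt/ramjail}     # assumed: tmpfs mount points
RAM_SIZE=${RAM_SIZE:-512m}
SYSLOG=${SYSLOG:-/var/log/messages}    # assumed: where kernel messages land

# jail_persist_save RAMROOT JAILROOT < persist-list
# Copy each listed relative path from the ramdisk copy back into the
# persistent jail. Blank lines and '#' comments are skipped; absolute paths
# and anything containing '..' are refused, so a compromised profile cannot
# steer the copy at /etc or at another jail. Listed paths that do not exist
# yet (fresh profile) are skipped. Everything not listed is lost on umount.
jail_persist_save() {
    src=$1
    dst=$2
    while IFS= read -r rel; do
        case $rel in
            ''|'#'*) ;;                                   # blank or comment
            /*|*..*) echo "persist: refusing unsafe path '$rel'" >&2 ;;
            *)
                if [ -e "$src/$rel" ]; then
                    mkdir -p "$dst/$(dirname "$rel")"
                    rm -rf "$dst/$rel"
                    cp -a "$src/$rel" "$dst/$rel"
                fi ;;
        esac
    done
}

# jail_run APP   (needs root)
# Mount a fresh tmpfs, copy the jail into it, run the app as its unprivileged
# user inside the chroot with only the X socket bound in, then save the
# whitelisted paths and discard the ramdisk.
jail_run() {
    app=$1
    jail=$JAIL_BASE/$app
    ram=$RAM_BASE/$app
    [ -d "$jail" ] || { echo "no jail at $jail" >&2; return 1; }
    mkdir -p "$ram"
    mount -t tmpfs -o "size=$RAM_SIZE,nosuid" tmpfs "$ram"
    cp -a "$jail/." "$ram/"
    mount -t proc proc "$ram/proc"
    mount --bind /tmp/.X11-unix "$ram/tmp/.X11-unix"
    # The app's exit status does not matter; the cleanup always runs.
    chroot "$ram" su "$app" -c "DISPLAY=${DISPLAY:-:0} /usr/bin/$app" || true
    umount "$ram/tmp/.X11-unix"
    umount "$ram/proc"
    if [ -f "$jail.persist" ]; then
        jail_persist_save "$ram" "$jail" < "$jail.persist"
    fi
    umount "$ram"
}

# grsec_lines < syslog-stream
# Keep only lines carrying a grsec entry. awk always exits 0, unlike grep,
# so an empty stream does not abort a 'set -e' caller.
grsec_lines() {
    awk '/grsec:/'
}

# grsec_watch
# Follow the syslog and raise one xmessage per grsec entry, showing only the
# text after 'grsec:' (the denied action and the program that caused it).
grsec_watch() {
    tail -F -n 0 "$SYSLOG" | grsec_lines | while IFS= read -r line; do
        xmessage -center "${line#*grsec: }" &
    done
}

# rbac_connect_rule PORT
# Print the grsecurity RBAC subject line allowing outbound TCP to PORT on any
# host; add it to the browser's subject block in the policy file when a popup
# shows a blocked connect() you want to permit.
rbac_connect_rule() {
    printf 'connect 0.0.0.0/0:%s stream tcp\n' "$1"
}

# Entry point: "ramjail.sh run firefox" or "ramjail.sh watch".
case ${1:-} in
    run)   [ -n "${2:-}" ] || { echo "usage: $0 run <app>" >&2; exit 1; }
           jail_run "$2" ;;
    watch) grsec_watch ;;
esac
```

Run `ramjail.sh watch` in a terminal as the log monitor and `ramjail.sh run firefox` as root to start a jail; when a popup reports a denied connect() to, say, port 8080, paste the output of `rbac_connect_rule 8080` into that subject in the policy, reload it, and the popup stops recurring. The whitelist check in jail_persist_save is the part worth keeping even if the rest is replaced: the copy-back step runs as root over files the jailed application wrote, so the paths it follows must come from outside the jail, never from inside it.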