On Wed, 2013-08-21 at 09:47 +0000, fedorauser wrote:
Hi!
since F19 my default browser is
'sandbox -X -t sandbox_web_t firefox %u'
which makes me feel a little bit more comfortable when browsing the
web without NoScript enabled.
Now I'd like to also move the Tor Browser Bundle [1] into a sandbox,
has anyone tried to do that yet?
Besides outgoing connections TBB will also try to open two listeners
at 127.0.0.1:9150 and 127.0.0.1:9151.
So far a simple test failed:
cd tor-browser_en-US-3.0-alpha-3
sandbox -X -H . -t sandbox_net_t ./start-tor-browser
Error: Tor Browser exited abnormally. Exit code: 127
Is there another sandbox type (-t) that would be more appropriate for
this?
Does sandbox_net_t allow to open local listeners (9150+9151)?
Heres my take on it
# sesearch -ASC -s sandbox_net_t -p name_bind
Found 6 semantic av rules:
DT allow nsswitch_domain unreserved_port_t : tcp_socket { name_bind name_connect } ; [
nis_enabled ]
DT allow nsswitch_domain unreserved_port_t : udp_socket name_bind ; [ nis_enabled ]
DT allow nsswitch_domain port_t : tcp_socket { name_bind name_connect } ; [ nis_enabled
]
DT allow nsswitch_domain port_t : udp_socket name_bind ; [ nis_enabled ]
DT allow nsswitch_domain ephemeral_port_t : tcp_socket { name_bind name_connect } ; [
nis_enabled ]
DT allow nsswitch_domain ephemeral_port_t : udp_socket name_bind ; [ nis_enabled ]
# semanage port -l | grep 9150
tor_port_t tcp 6969, 9001, 9030, 9050, 9051,
9150
# semanage port -l | grep 9151
#
So sandbox_net_t is allowed to bind tcp and udp sockets to ports labeled
with the unreserved_port_t, port_t. and ephermeral_port_t type security
identifiers, but only if the nis_enabled boolean is set to true ( its
currently set to false in my policy)
But this doesnt help you because tcp 9150 is labeled with the tor_port_t
type security identifier (port 9151 should be allowed since it currently
has no private type security identifier so it falls back on
unreserver_port_t i suspect.
So i guess one would need to allow the sandbox to bind tcp sockets to
tor_port_t type ports
You can create sandboxes that are tailored to a specific requirements
In the video in the link below i demonstrate the procedure of creating
custom sandboxes.
I basically create a sandbox called hello and make that able to run
firefox and connect to the network via tor, http and xserver ports
Just a quick example that might get you started
https://www.youtube.com/watch?v=0PaNlkjXrWk&feature=youtu.be