Sandbox Firefox – First step to security

First we will set up a cgroup to limit CPU and memory usage, so here we go:

Add the configuration in /etc/cgconfig.conf

#------start cgconfig----------------
#new group
group firefox {
    perm {
        task {
# use your login id and group here, so that you can control this group
        uid = amitag;
        gid = amitag;
        }
        admin {
# same as above, set to your login id and group.
           uid = amitag;
           gid = amitag;
        }
    }
# set the limits for cpu.. by default there are 1024 shares of cpu with no other groups,
# so share of 102 would be around 10% .
    cpu{
        cpu.shares="102";
    }
# limit the cpus to be used to only 0-1
    cpuset{
        cpuset.cpus=0-1;
        cpuset.mems=0;
    }
# limit the maximum memory to 700Mb.
    memory {
        memory.limit_in_bytes="700M";
        memory.max_usage_in_bytes="0";
    }
}
#------end cgconfig----------------

Now, we will configure the cgred service:

For this we will add a few lines in /etc/cgrules.conf

#------start cgrules.conf----------------
amitag:firefox cpu,memory   firefox
#------end cgrules.conf----------------

The above makes sure that whenever user amitag starts firefox, the process is put in the firefox group. So, you would need to replace amitag with your own username here. Now, the fun part. I know about this only in Fedora (and guess it can be done with AppArmor on Ubuntu, but don't know how to do that). We will make a container for the Firefox browser so that it cannot access any files from

#------start firefox_sandbox----------------
# If you are getting errors in audit logs, then you may need to do chcon
# chcon -R -t bin_t /home/amitag/Downloads/fedora/Firefox/firefox/
cmd=firefox

# Build the list of files that sandbox -I copies into the sandbox's temporary home
find ~/.mozilla -type f >/tmp/ffiles.sbox
find ~/.fluxbox -type f >>/tmp/ffiles.sbox
find ~/GNUstep -type f >>/tmp/ffiles.sbox
find ~/.bash.d/ -type f >>/tmp/ffiles.sbox
# this line puts every file under ~/.ssh, private keys included, on the copy list
find ~/.ssh/ -type f >>/tmp/ffiles.sbox
echo "$HOME/.bashrc" >>/tmp/ffiles.sbox
# This is what does the magic...
cgexec --sticky -g cpu,memory,cpuset:firefox sandbox -X -w 1024x768 -W fluxbox -t sandbox_web_t -I /tmp/ffiles.sbox "$cmd" &
#------end firefox_sandbox----------------

Note: On Fedora, I needed the following packages; not sure about Ubuntu:

  • libcgroup-tools
  • policycoreutils-python
  • fluxbox
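
A quick check, added here as an example (not part of the original post), that a running Firefox really sits in the firefox group for every controller. It assumes cgroup v1, which is what the cgconfig.conf above configures; the function name and the sample /proc/<pid>/cgroup text are constructed. The sample shows what to expect when Firefox is classified by the cgrules.conf line (cpu,memory) rather than started through the cgexec line (cpu,memory,cpuset).

```shell
#!/bin/sh
# Added example: list the controllers for which a process is NOT in a given
# cgroup. Assumes cgroup v1, where each line of /proc/<pid>/cgroup reads
#   hierarchy-id:controller[,controller...]:path

# missing_controllers <cgroup-text> <group> <controller>...
missing_controllers() {
	cgtext=$1 group=$2
	shift 2
	for want in "$@"; do
		found=no
		while IFS=: read -r _id ctrls path; do
			case ",$ctrls," in
				*,"$want",*)
					if [ "$path" = "/$group" ]; then found=yes; fi ;;
			esac
		done <<EOF
$cgtext
EOF
		[ "$found" = yes ] || printf '%s\n' "$want"
	done
}

# Constructed sample: a firefox that was classified by the cgrules.conf line
# above (cpu,memory only) instead of being started through cgexec.
SAMPLE='11:cpuset:/
7:memory:/firefox
4:cpu,cpuacct:/firefox
1:name=systemd:/user.slice/user-1000.slice/session-2.scope'

echo "not confined by: $(missing_controllers "$SAMPLE" firefox cpu memory cpuset)"

# On a live system (pgrep -o picks the oldest matching process):
#   missing_controllers "$(cat "/proc/$(pgrep -o firefox)/cgroup")" firefox cpu memory cpuset
```

An empty result means every listed controller has the process in /firefox.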

fetchmail to get the mails from your imap account

Table of contents for RaspBerry Pi Automation Robot

  1. fetchmail to get the mails from your imap account
  2. Raspberry Pi automate certain tasks – script example

Now that you have set up the RPi to send emails, let's do the next best thing: set up fetchmail so that a cron job can run and get us the emails on the Raspberry Pi. What can we do with these emails? Lots :) (I hope you already have a Raspberry Pi; if not, then head over to element14.)

For now, first install fetchmail:

sudo apt-get install fetchmail

and if you are one of the guys who wants easy configuration, then:

sudo apt-get install fetchmailconf

If you are using fetchmailconf, then just fire up “fetchmailconf”. You will get a GUI where you can configure the settings. If not, then you can create a file “~/.fetchmailrc” which should look something like this:

poll 
protocol IMAP
user "" with password "" mda ""
folder 'INBOX'
fetchlimit 1
# do not delete the mails on server.
keep
# do not re-write the headers for the mail, get saner headers for the script to process.
no rewrite
# use ssl
ssl

 


Raspberry Pi automate certain tasks – script example


Now, if you have followed these:

fetchmail

ssmtp

Then you already have a working system for sending and receiving mail. Now, you can set the mda in the fetchmailrc to a script which can do a few things for you. The script below will get a page and mail it to you if the subject is “get”, and send “wake on LAN” to the desired PC if the subject is “wol”. Cool :)

Original idea from here.

Here is the script:

#!/bin/bash

expectedFrom=""
expectedFrom2=""
homePC="MAC Here"

mailHelp() {
	sendMail "$1" "Help - Possible Commands" "Help"
}

# sendMail <to> <subject> <first body line>: build the reply in $tmpMail,
# append the collected command output from $tempMail and hand it to ssmtp
sendMail() {
	echo "To: $1" > "$tmpMail"
	echo "From: From address here" >> "$tmpMail"
	echo "Subject: $2" >> "$tmpMail"
	echo "Content-Type: text/html" >> "$tmpMail"
	echo "" >> "$tmpMail"
	echo "$3" >> "$tmpMail"
	cat "$tempMail" >> "$tmpMail"
	/usr/sbin/ssmtp "$1" < "$tmpMail"
}
#here we start the actual processing

rightSender=0
sender=""
tmpFile=/tmp/mailtemp
tmpMail="/var/tmp/mailtxt.txt"
tempMail="/tmp/tosend.txt"
>"$tempMail"
>"$tmpFile"
>"$tmpMail"

#Write the mail to tmpFile
while IFS= read -r line
do
	echo "$line" >> "$tmpFile"
done

# Accept the mail only if its From: header contains one of the expected addresses.
# The From: header is written by the sender and is not verified here.
for allowed in "$expectedFrom" "$expectedFrom2"
do
	if [ -n "$allowed" ] && grep "^From:" "$tmpFile" | grep -qF -- "$allowed"; then
		rightSender=1
		sender=$allowed
	fi
done

# Stop before the command loop unless the sender matched
if [ $rightSender -ne 1 ]; then
	rm -f "$tmpFile" "$tmpMail" "$tempMail"
	exit
fi

task=`grep -m 1 "^Subject:" "$tmpFile"`
task=${task:9}
task=`echo "$task" | tr '[:upper:]' '[:lower:]'`

if echo "$task" | grep -q "help"; then
	mailHelp "$sender"
	exit
fi

# Each remaining body line is the argument for the task named in the subject
while read -r line
do
	if [[ $line =~ ^$|^Content*:*|^charset=*|^--=* ]]; then
		continue
	fi
	echo "LINE :: $line"
	case $task in
		get)
			cmd="wget -o /dev/null -O - $line"
		;;
		wol)
			cmd="sudo etherwake $line"
		;;
		*)
			# any other subject: the body line itself becomes the command
			cmd="$line"
		;;
	esac
	# eval passes $cmd through the shell, so the body line is parsed as shell syntax
	eval $cmd >> "$tempMail"
done < <( sed '1,/^$/ d' "$tmpFile" | sed '/^--$/,$ d' )
sendMail "$sender" "Output result of command $task" "Happy Hacking"

rm "$tmpFile"
rm "$tmpMail"
rm "$tempMail"
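
The get and wol branches of the script above, rewritten as an added example (not the original author's code) that checks the body line and runs a fixed argument list instead of going through eval. The names valid_url, valid_mac, dispatch and DRY_RUN are made up for this example, and the branch that runs an arbitrary body line is left out.

```shell
#!/bin/sh
# Added example: handle one (subject, body line) pair without eval.
# valid_url, valid_mac, dispatch and DRY_RUN are names invented for this example.

# http(s) only, and only characters from a fixed allow-list. This keeps out
# whitespace, quotes and ';', and a leading '-' that wget would read as an option.
valid_url() {
	case $1 in *[!A-Za-z0-9._~/%?=\&+:-]*) return 1 ;; esac
	case $1 in http://?*|https://?*) return 0 ;; esac
	return 1
}

# Exactly six colon-separated hex pairs, nothing before or after.
valid_mac() {
	h='[0-9A-Fa-f][0-9A-Fa-f]'
	case $1 in $h:$h:$h:$h:$h:$h) return 0 ;; esac
	return 1
}

show_argv() { printf '[%s]' "$@"; printf '\n'; }

# dispatch <task> <arg>: returns 1 (and runs nothing) unless the task is known
# and its argument validates. The command is a fixed argv, never a string.
dispatch() {
	case $1 in
		get) valid_url "$2" || return 1
		     set -- wget -o /dev/null -O - "$2" ;;
		wol) valid_mac "$2" || return 1
		     set -- sudo etherwake "$2" ;;
		*)   return 1 ;;
	esac
	if [ -n "${DRY_RUN:-}" ]; then show_argv "$@"; else "$@"; fi
}

# Constructed inputs; DRY_RUN=1 prints the argv instead of executing it.
DRY_RUN=1
dispatch get 'http://example.com/index.html'        || echo rejected
dispatch get 'http://example.com/; cat /etc/passwd' || echo rejected
dispatch wol '00:11:22:33:44:55'                    || echo rejected
dispatch wol '00:11:22:33:44:55 -i eth0; id'        || echo rejected
dispatch ls  '/home'                                || echo rejected
```

Inside the mail loop the call would be `dispatch "$task" "$line" >> "$tempMail"` with DRY_RUN unset.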