Sandbox Firefox – First step to security

2014-03-19

First we will set up a cgroup to limit CPU and memory usage, so here we go:

Add the following configuration to /etc/cgconfig.conf:

#------start cgconfig----------------
#new group
group firefox {
    perm {
        task {
# use your login id and group here, so that you can control this group
        uid = amitag;
        gid = amitag;
        }
        admin {
# same as above, set to your login id and group.
           uid = amitag;
           gid = amitag;
        }
    }
# set the limits for cpu: by default there are 1024 shares of cpu with no other groups,
# so a share of 102 would be around 10%.
    cpu{
        cpu.shares="102";
    }
# limit the cpus to be used to only 0-1
    cpuset{
        cpuset.cpus=0-1;
        cpuset.mems=0;
    }
# limit the maximum memory to 700 MB.
    memory {
        memory.limit_in_bytes="700M";
        memory.max_usage_in_bytes="0";
    }
}
#------end cgconfig----------------

Now, we will configure the cgred service:

For this we will add a line to /etc/cgrules.conf:

#------start cgrules.conf----------------
amitag:firefox cpu,memory   firefox
#------end cgrules.conf----------------

The above will allow cgroup to ensure that whenever you start firefox, it is put in the firefox group for user amitag. So, you would need to replace amitag with your username here.

Now, the fun part. I know about this only in Fedora (and guess it can be done with AppArmor on Ubuntu, but don't know how to do that). We will make a container for the firefox browser so that it cannot access any files from

#------start firefox_sandbox----------------
# If you are getting errors in audit logs, then you may need to do chcon
# chcon -R -t bin_t /home/amitag/Downloads/fedora/Firefox/firefox/
cmd=firefox
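
# Build the list of files that sandbox -I copies into the sandbox's temporary directories
find ~/.mozilla -type f >/tmp/ffiles.sbox
find ~/.fluxbox -type f >>/tmp/ffiles.sbox
find ~/GNUstep -type f >>/tmp/ffiles.sbox
find ~/.bash.d/ -type f >>/tmp/ffiles.sbox
find ~/.ssh/ -type f >>/tmp/ffiles.sbox
# "~" is not expanded inside quotes, so use $HOME to get the full path
echo "$HOME/.bashrc" >>/tmp/ffiles.sbox
# This is what does the magic...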
cgexec --sticky -g cpu,memory,cpuset:firefox sandbox -X -w 1024x768 -W fluxbox -t sandbox_web_t -I /tmp/ffiles.sbox $cmd &
#------end firefox_sandbox----------------
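
To confirm that a running Firefox really landed in the firefox group, the following added example (not part of the original post) parses the cgroup v1 format of /proc/<pid>/cgroup; the function names and the sample contents are constructed for illustration. The sample mirrors the cgrules.conf line above, which names only cpu and memory, whereas the cgexec command also names cpuset.

```shell
#!/bin/sh
# Added example: check cgroup v1 membership as reported by /proc/<pid>/cgroup.
# Each line there reads  hierarchy-id:controller[,controller...]:/cgroup-path

# in_cgroup FILE CONTROLLER GROUP
# Succeeds only if CONTROLLER belongs to a hierarchy in which the process
# sits in /GROUP or in a child of it.
in_cgroup() {
    awk -F: -v ctl="$2" -v grp="/$3" '
        {
            n = split($2, ctls, ",")   # co-mounted controllers, e.g. cpu,cpuacct
            for (i = 1; i <= n; i++)
                if (ctls[i] == ctl && ($3 == grp || index($3, grp "/") == 1))
                    found = 1
        }
        END { exit !found }
    ' "$1"
}

# unconfined FILE GROUP CONTROLLER...
# Prints the controllers for which the process is NOT inside GROUP.
unconfined() {
    file=$1 group=$2
    shift 2
    missing=""
    for ctl in "$@"; do
        in_cgroup "$file" "$ctl" "$group" || missing="$missing $ctl"
    done
    echo "${missing# }"
}

# Constructed sample (not captured from a real system): a process placed by a
# rule that names only cpu and memory, so its cpuset is still the root group.
sample_proc_cgroup() {
    cat <<'EOF'
4:memory:/firefox
3:cpuset:/
2:cpu,cpuacct:/firefox
1:name=systemd:/user.slice/user-1000.slice/session-1.scope
EOF
}

tmp=$(mktemp)
sample_proc_cgroup >"$tmp"
echo "outside /firefox: $(unconfined "$tmp" firefox cpu memory cpuset)"
rm -f "$tmp"
```

On a live system, pass the browser's own file instead of the sample, i.e. /proc/<pid>/cgroup with the Firefox PID; an empty result means every listed controller is confined to the group.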

Note: On Fedora, I needed the following packages, not sure about Ubuntu:

  • libcgroup-tools
  • policycoreutils-python
  • fluxbox

Authored By Amit Agarwal

Amit Agarwal, Linux and Photography are my hobbies. Creative Commons Attribution 4.0 International License.
