Sandbox Firefox – First step to security

2014-03-19 2 min read Fedora Firefox

First we will set up a cgroup to limit CPU and memory usage, so here we go:

Add the following configuration to /etc/cgconfig.conf:

#------start cgconfig----------------
# new group
group firefox {
    perm {
        task {
            # use your login id and group here, so that you can control this group
            uid = amitag;
            gid = amitag;
        }
        admin {
            # same as above, set to your login id and group.
            uid = amitag;
            gid = amitag;
        }
    }
    # set the limits for cpu: by default the root group has 1024 shares and no other
    # groups compete, so a share of 102 works out to around 10%.
    cpu {
        cpu.shares = "102";
    }
    # limit the cpus that may be used to only 0-1
    cpuset {
        cpuset.cpus = 0-1;
        cpuset.mems = 0;
    }
    # limit the maximum memory to 700 MB; writing 0 to max_usage_in_bytes
    # resets the recorded peak-usage counter.
    memory {
        memory.limit_in_bytes = "700M";
        memory.max_usage_in_bytes = "0";
    }
}
#------end cgconfig----------------

Now we will configure the cgred service (the rules daemon that moves processes into cgroups):

For this we will add a few lines to /etc/cgrules.conf:

#------start cgrules.conf----------------
# <user>:<process>   <controllers>   <destination group>
amitag:firefox      cpu,memory      firefox
#------end cgrules.conf----------------

The above rule ensures that whenever user amitag starts firefox, the process is put into the firefox group, so replace amitag with your own username.

Now, the fun part. I know how to do this only on Fedora (I guess it can be done with AppArmor on Ubuntu, but I don't know how). We will make a container for the Firefox browser so that it cannot access any files from

#------start firefox_sandbox----------------
#!/bin/bash
# If you are getting errors in the audit logs, then you may need to relabel the
# firefox binaries with chcon, e.g.:
# chcon -R -t bin_t /home/amitag/Downloads/fedora/Firefox/firefox/
cmd=firefox

# Build the list of files that "sandbox -I" copies into the sandbox's temporary
# home directory: the Firefox profile, the fluxbox/GNUstep window-manager
# config and the shell files. Only what is listed here exists inside the
# sandbox, so keep the list to what firefox and fluxbox actually need.
find ~/.mozilla -type f >/tmp/ffiles.sbox
find ~/.fluxbox -type f >>/tmp/ffiles.sbox
find ~/GNUstep -type f >>/tmp/ffiles.sbox
find ~/.bash.d/ -type f >>/tmp/ffiles.sbox
find ~/.ssh/ -type f >>/tmp/ffiles.sbox
echo "$HOME/.bashrc" >>/tmp/ffiles.sbox   # ~ is not expanded inside quotes, so use $HOME

# This is what does the magic: cgexec starts the command in the firefox cgroup
# (--sticky keeps its child processes there too), and sandbox runs it under the
# sandbox_web_t SELinux type on a private 1024x768 X server managed by fluxbox.
cgexec --sticky -g cpu,memory,cpuset:firefox sandbox -X -w 1024x768 -W fluxbox -t sandbox_web_t -I /tmp/ffiles.sbox $cmd &
#------end firefox_sandbox----------------
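The configuration above only does its job if the running browser really ends up in the firefox group under all three controllers named on the cgexec line. As an added example that is not part of the original post, the following shell script checks that against the cgroup v1 layout of /proc/<pid>/cgroup, converts the 700M limit to bytes for comparison with memory.limit_in_bytes, and computes the percentage that the cpu.shares comment calls "around 10%". The two /proc samples are constructed, and the pgrep call in the usage comment is an assumption about what is installed.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a running Firefox
# actually landed in the "firefox" cgroup that cgconfig.conf/cgrules.conf set
# up, by parsing the cgroup v1 layout of /proc/<pid>/cgroup. Live use:
#   check_firefox_cgroup /proc/$(pgrep -o firefox)/cgroup

# Print the cgroup path a given controller (cpu, memory, cpuset, ...) is in.
# Lines look like "4:cpuacct,cpu:/firefox"; a controller may share a hierarchy
# with others, so the middle field is split on commas before comparing.
cgroup_of_controller() {
    awk -F: -v ctrl="$1" '
        {
            n = split($2, subsys, ",")
            for (i = 1; i <= n; i++)
                if (subsys[i] == ctrl) { print $3; exit }
        }' "$2"
}

# Return 0 only if every controller the cgexec line names (cpu, memory, cpuset)
# maps to /firefox; report the first mismatch on stderr otherwise.
check_firefox_cgroup() {
    for c in cpu memory cpuset; do
        path=$(cgroup_of_controller "$c" "$1")
        if [ "$path" != "/firefox" ]; then
            echo "controller $c is in '${path:-<none>}', expected /firefox" >&2
            return 1
        fi
    done
    return 0
}

# Convert a cgconfig-style size ("700M") to bytes, for comparing against
# /sys/fs/cgroup/memory/firefox/memory.limit_in_bytes.
to_bytes() {
    case "$1" in
        *K) echo $(( ${1%K} * 1024 )) ;;
        *M) echo $(( ${1%M} * 1024 * 1024 )) ;;
        *G) echo $(( ${1%G} * 1024 * 1024 * 1024 )) ;;
        *)  echo "$1" ;;
    esac
}

# CPU share of a group as a percentage, given its cpu.shares and the shares of
# the group(s) it competes with (the root group defaults to 1024).
cpu_share_percent() {
    awk -v mine="$1" -v others="$2" 'BEGIN { printf "%.1f", 100 * mine / (mine + others) }'
}

# Constructed sample of /proc/<pid>/cgroup for a correctly confined Firefox
# (cgroup v1, as on Fedora of that era); not captured from a real system.
GOOD=$(mktemp)
cat >"$GOOD" <<'EOF'
8:blkio:/
7:freezer:/
6:devices:/
5:memory:/firefox
4:cpuacct,cpu:/firefox
3:cpuset:/firefox
2:net_cls:/
1:name=systemd:/user.slice/user-1000.slice/session-2.scope
EOF

# Constructed sample where cpu and memory were moved but cpuset was never
# applied, the kind of partial confinement this check is meant to catch.
BAD=$(mktemp)
cat >"$BAD" <<'EOF'
5:memory:/firefox
4:cpuacct,cpu:/firefox
3:cpuset:/
1:name=systemd:/user.slice/user-1000.slice/session-2.scope
EOF

if check_firefox_cgroup "$GOOD"; then echo "sample 1: confined"; fi
if ! check_firefox_cgroup "$BAD"; then echo "sample 2: NOT fully confined"; fi
echo "memory limit 700M = $(to_bytes 700M) bytes"
echo "cpu.shares 102 vs root 1024 = $(cpu_share_percent 102 1024)% of CPU time"
```

Run it once after starting Firefox through the sandbox script; a controller reported as "/" means cgrules.conf or the cgexec -g list does not cover it, which is exactly the gap between the cpu,memory rule and the cpu,memory,cpuset cgexec line above.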

Note: On Fedora, I needed the following packages; not sure about Ubuntu:

  • libcgroup-tools
  • policycoreutils-python
  • fluxbox