sandbox: open new firefox tab from outside
Daniel J Walsh
dwalsh at redhat.com
Mon Sep 13 17:54:36 UTC 2010
On 09/12/2010 08:54 AM, Christoph A. wrote:
> Hi,
>
> I was using firefox within sandboxes for a while without perm. home
> directory.
> To store bookmarks, addons and so on, I started to use perm. homedir (-H).
>
> Because firefox does not allow multiple concurrent sessions (lock on
> .mozilla) it is not possible to open multiple websites when specifying
> the same sandbox homedir, hence I'm looking for a possibility to open
> new websites within a running sandbox from outside.
>
> Without sandboxes everyone can open new websites in a running firefox
> instance using:
> firefox -remote "openurl(http://www.mozilla.org)"
>
> sandbox scenario:
> 1. step:
> start firefox:
> sandbox -X -H homedir -T tempdir -t sandbox_web_t -l s0:c100,c100 firefox
>
> 2. step:
> sandbox -H homedir -T tempdir -t sandbox_web_t -l s0:c100,c100 firefox
> -remote "openurl(http://www.mozilla.org)"
>
> My current attempts fail because I'm unable to use the '-l' option
> (#632377) but would the policy allow the 'firefox -remote' command if
> type and security level matches with the already running sandbox?
>
> kind regards,
> Christoph

I have gotten this to work, but it is not pretty.

I created a file in homedir called firefox.sh

It looks like

    cat homedir/firefox.sh
    #!/bin/sh
    DISPLAY=:1.0 /usr/bin/firefox -remote "openurl($1)"

Then

    sandbox -H ~/sandbox/homedir -T ~/sandbox/tempdir -t sandbox_web_t -l s0:c100 /bin/sh ~/firefox.sh http://www.redhat.com

Seems to work.

The key thing is figuring out the DISPLAY.

A possible solution would be to change the /usr/share/sandbox/sandboxX.sh
to the attached.

Which creates a ~/seremote application within homedir that looks like

    #!/bin/sh -x
    DISPLAY=:1 $*

:1 will be different for each additional sandbox.

Then you could execute

    sandbox -H ~/sandbox/homedir -T ~/sandbox/tempdir -t sandbox_web_t -l s0:c100 /bin/sh ~/seremote firefox -remote "openurl(http://www.redhat.com)"

And it will work.

I will have to make policy changes to allow

    sandbox -H ~/sandbox/homedir -T ~/sandbox/tempdir -t sandbox_web_t -l s0:c100 ~/seremote firefox -remote "openurl(http://www.redhat.com)"

to work.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sandboxX.sh
Type: application/x-shellscript
Size: 694 bytes
Desc: not available
Url : http://lists.fedoraproject.org/pipermail/selinux/attachments/20100913/634f2769/attachment.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sandboxX.sh.sig
Type: application/pgp-signature
Size: 72 bytes
Desc: not available
Url : http://lists.fedoraproject.org/pipermail/selinux/attachments/20100913/634f2769/attachment-0001.bin
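
A seremote-style wrapper, added here as an example (it is not the attached sandboxX.sh, whose contents are not shown on this page, and not code from the message above): it accepts only a display name of the form :N or :N.M and runs the command with "$@" so arguments containing spaces reach the program intact. The function names valid_display and run_on_display and the SANDBOX_DISPLAY variable are assumptions made for the example.

```shell
#!/bin/sh
# Added example. valid_display, run_on_display and SANDBOX_DISPLAY are
# hypothetical names, not part of sandboxX.sh or the sandbox tool.

# Accept only local X display names such as ":1" or ":1.0".
valid_display() {
    case "$1" in
        :*) ;;
        *) return 1 ;;
    esac
    rest=${1#:}            # text after the leading colon
    num=${rest%%.*}        # display number, before any ".screen"
    case "$num" in
        ''|*[!0-9]*) return 1 ;;
    esac
    if [ "$rest" != "$num" ]; then
        screen=${rest#*.}  # screen number, after the first dot
        case "$screen" in
            ''|*[!0-9]*) return 1 ;;
        esac
    fi
    return 0
}

# run_on_display :N command [args...]
# Runs the command with DISPLAY set for that one invocation only.
run_on_display() {
    if [ "$#" -lt 2 ]; then
        echo "usage: run_on_display :N command [args...]" >&2
        return 2
    fi
    display=$1
    shift
    if ! valid_display "$display"; then
        echo "run_on_display: refusing display name '$display'" >&2
        return 2
    fi
    # "$@" keeps every argument as one word; unquoted $* would re-split
    # and glob-expand them.
    DISPLAY=$display "$@"
}

# Called as a script with arguments, behave like the wrapper itself.
# ":1" is the display used in the message above; it differs per sandbox.
if [ "$#" -gt 0 ]; then
    run_on_display "${SANDBOX_DISPLAY:-:1}" "$@"
fi
```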