sandbox: open new firefox tab from outside
Christoph A.
casmls at gmail.com
Wed Sep 22 12:29:47 UTC 2010
On 09/13/2010 06:54 PM, Daniel J Walsh wrote:
> On 09/12/2010 08:54 AM, Christoph A. wrote:
>> Hi,
>
>> I was using firefox within sandboxes for a while without perm. home
>> directory.
>> To store bookmarks, addons and so on, I started to use perm. homedir (-H).
>
>> Because firefox does not allow multiple concurrent sessions (lock on
>> .mozilla) it is not possible to open multiple websites when specifying
>> the same sandbox homedir, hence I'm looking for a possibility to open
>> new websites within a running sandbox from outside.
>
>> Without sandboxes everyone can open new websites in a running firefox
>> instance using:
>> firefox -remote "openurl(http://www.mozilla.org)"
>
>> sandbox scenario:
>> 1. step:
>> start firefox:
>> sandbox -X -H homedir -T tempdir -t sandbox_web_t -l s0:c100,c100 firefox
>
>> 2. step:
>> sandbox -H homedir -T tempdir -t sandbox_web_t -l s0:c100,c100 firefox
>> -remote "openurl(http://www.mozilla.org)"
>
>> My current attempts fail because I'm unable use the '-l' option
>> (#632377) but would the policy allow the 'firefox -remote' command if
>> type and security level matches with the already running sandbox?
>
>> kind regards,
>> Christoph
>
>
>
>
>> --
>> selinux mailing list
>> selinux at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> I have gotten this to work, but it is not pretty.
>
> I created a file in homedir called firefox.sh
>
> It looks like
>
> cat homedir/firefox.sh
> #!/bin/sh
> DISPLAY=:1.0 /usr/bin/firefox -remote "openurl($1)"
>
> Then
>
> sandbox -H ~/sandbox/homedir -T ~/sandbox/tempdir -t sandbox_web_t -l
> s0:c100 /bin/sh ~/firefox.sh http://www.redhat.com
>
> Seems to work.
>
> The key thing is figuring out the DISPLAY.
>
> A possible solution would be to change the /usr/share/sandbox/sandboxX.sh
> To the attached.
>
> Which creates a ~/seremote application within homedir that looks like
>
> #!/bin/sh -x
> DISPLAY=:1 $*
>
>
> :1 will be different for each additional sandbox.
>
> Then you could execute
>
> sandbox -H ~/sandbox/homedir -T ~/sandbox/tempdir -t sandbox_web_t -l
> s0:c100 /bin/sh ~/seremote firefox -remote "openurl(http://www.redhat.com)"
>
>
> And it will work.
>
> I will have to make policy changes to allow
>
> sandbox -H ~/sandbox/homedir -T ~/sandbox/tempdir -t sandbox_web_t -l
> s0:c100 ~/seremote firefox -remote "openurl(http://www.redhat.com)"
>
> to work.
Great! Let me know when these policy changes are available in FC13.
This hole method of opening new urls in an existing sandbox will
absolutely kill the argument
'..but opening websites in sandboxes takes way more time then without
sandbox' :)
thanks,
Christoph
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 163 bytes
Desc: OpenPGP digital signature
Url : http://lists.fedoraproject.org/pipermail/selinux/attachments/20100922/f983f74a/attachment.bin
More information about the selinux
mailing list