Running Tor Browser Bundle in a sandbox
Dominick Grift
dominick.grift at gmail.com
Wed Aug 21 11:25:57 UTC 2013
On Wed, 2013-08-21 at 09:47 +0000, fedorauser wrote:
> Hi!
>
> since F19 my default browser is
> 'sandbox -X -t sandbox_web_t firefox %u'
> which makes me feel a little bit more comfortable when browsing the
> web without NoScript enabled.
>
> Now I'd like to also move the Tor Browser Bundle [1] into a sandbox,
> has anyone tried to do that yet?
>
> Besides outgoing connections TBB will also try to open two listeners
> at 127.0.0.1:9150 and 127.0.0.1:9151.
>
> So far a simple test failed:
>
> cd tor-browser_en-US-3.0-alpha-3
> sandbox -X -H . -t sandbox_net_t ./start-tor-browser
> Error: Tor Browser exited abnormally. Exit code: 127
>
> Is there another sandbox type (-t) that would be more appropriate for
> this?
> Does sandbox_net_t allow to open local listeners (9150+9151)?
>
Here's my take on it:
> # sesearch -ASC -s sandbox_net_t -p name_bind
> Found 6 semantic av rules:
> DT allow nsswitch_domain unreserved_port_t : tcp_socket { name_bind name_connect } ; [ nis_enabled ]
> DT allow nsswitch_domain unreserved_port_t : udp_socket name_bind ; [ nis_enabled ]
> DT allow nsswitch_domain port_t : tcp_socket { name_bind name_connect } ; [ nis_enabled ]
> DT allow nsswitch_domain port_t : udp_socket name_bind ; [ nis_enabled ]
> DT allow nsswitch_domain ephemeral_port_t : tcp_socket { name_bind name_connect } ; [ nis_enabled ]
> DT allow nsswitch_domain ephemeral_port_t : udp_socket name_bind ; [ nis_enabled ]
# semanage port -l | grep 9150
tor_port_t tcp 6969, 9001, 9030, 9050, 9051, 9150
> # semanage port -l | grep 9151
> #
So sandbox_net_t is allowed to bind tcp and udp sockets to ports labeled
with the unreserved_port_t, port_t, and ephemeral_port_t type security
identifiers, but only if the nis_enabled boolean is set to true (it's
currently set to false in my policy).

But this doesn't help you because tcp 9150 is labeled with the tor_port_t
type security identifier (port 9151 should be allowed since it currently
has no private type security identifier, so it falls back on
unreserved_port_t, I suspect).

So I guess one would need to allow the sandbox to bind tcp sockets to
tor_port_t type ports.

You can create sandboxes that are tailored to specific requirements.
In the video in the link below I demonstrate the procedure of creating
custom sandboxes.

I basically create a sandbox called hello and make that able to run
firefox and connect to the network via tor, http and xserver ports.

Just a quick example that might get you started:
https://www.youtube.com/watch?v=0PaNlkjXrWk&feature=youtu.be
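
The port-label and name_bind check walked through in the reply above, as an added example that is not part of the original message. The sample input is constructed to mirror the quoted command output, the function names are hypothetical, and the fallback to unreserved_port_t for an unlisted port is the assumption stated in the reply.

```python
import re

# Constructed sample input in the format of the command output quoted above.
SESEARCH_OUT = """\
DT allow nsswitch_domain unreserved_port_t : tcp_socket { name_bind name_connect } ; [ nis_enabled ]
DT allow nsswitch_domain port_t : tcp_socket { name_bind name_connect } ; [ nis_enabled ]
DT allow nsswitch_domain unreserved_port_t : udp_socket name_bind ; [ nis_enabled ]
"""
SEMANAGE_OUT = "tor_port_t tcp 6969, 9001, 9030, 9050, 9051, 9150\n"

RULE = re.compile(
    r"^(?:(?P<state>[ED])[TF]\s+)?allow\s+\S+\s+(?P<type>\S+)\s*:\s*(?P<cls>\S+)\s+"
    r"(?:\{(?P<perms>[^}]*)\}|(?P<perm>\S+))\s*;\s*(?:\[\s*(?P<cond>[^\]]*?)\s*\])?")

def parse_rules(text):
    """Parse `sesearch -A -C` lines; a leading 'D' marks a rule whose conditional is off."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line.strip())
        if m:
            rules.append({"type": m["type"], "cls": m["cls"],
                          "perms": set((m["perms"] or m["perm"]).split()),
                          "enabled": m["state"] != "D", "cond": m["cond"]})
    return rules

def port_label(text, proto, port):
    """Return the type of the narrowest `semanage port -l` range containing port."""
    best = None
    for line in text.splitlines():
        fields = line.split(None, 2)
        if len(fields) < 3 or fields[1] != proto:
            continue
        for item in fields[2].split(","):
            lo, _, hi = item.strip().partition("-")
            hi = hi or lo
            if lo.isdigit() and hi.isdigit() and int(lo) <= port <= int(hi):
                width = int(hi) - int(lo)
                if best is None or width < best[0]:
                    best = (width, fields[0])
    # Assumption taken from the post: an unlisted port falls back to unreserved_port_t.
    return best[1] if best else "unreserved_port_t"

def can_bind(rules, port_type, cls="tcp_socket"):
    """'allowed', 'denied', or the boolean that currently switches the rule off."""
    verdict = "denied"
    for r in rules:
        if r["type"] == port_type and r["cls"] == cls and "name_bind" in r["perms"]:
            if r["enabled"]:
                return "allowed"
            verdict = "blocked by boolean " + (r["cond"] or "?")
    return verdict
```

With this sample, tcp 9150 resolves to tor_port_t and is denied outright, while tcp 9151 resolves to unreserved_port_t and is blocked only by the nis_enabled boolean.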