Gentoo Forums
Easiest sandboxing for Chromium & Skype
jago25_98
Apprentice


Joined: 23 Aug 2002
Posts: 180

Posted: Sat Nov 03, 2012 12:05 am    Post subject: Easiest sandboxing for Chromium & Skype

I notice Chromium runs as root, ostensibly in order to set up its own sandbox.

Is there anything we can do about that? I'd like to make full use of Chromium apps but, same as on Android, you know at some point you're going to want to use something with big permissions. It would be nice to put it in a sandbox.

Other than running a heavy QEMU or VMWare instance, what's the easiest way to do this?

I've tried:
- AppArmor: succeeded by SELinux, now investigating that but the SELinux Chromium policy is masked; should I be worried? It seems overly complicated:
http://archives.gentoo.org/gentoo-hardened/msg_c006f5768549ecdda53ef213f0a0b373.xml
- setting up a new user. I'm not sure this works since Chromium runs as root? Also I can't seem to get the syntax right with /etc/sudoers so I have to enter the user's password every time:

Code:

root    ALL=(ALL) ALL

#Added by Sabayon Installer
%wheel  ALL=ALL

#this is for skype but I'd adapt it for Chromium if I thought it might help
%wheel ALL=(skype) NOPASSWD: /opt/bin/skype


- lxc just confuses me:
Code:

I jjj # /etc/init.d/lxc start
 * You have to create an init script for each container:
 *  ln -s lxc /etc/init.d/lxc.container
 * ERROR: lxc failed to start
I jjj # ln -s lxc /etc/init.d/lxc.container
ln: failed to create symbolic link ‘/etc/init.d/lxc.container’: File exists
I jjj #


- and rainbow doesn't seem to work:
Code:

jjj@I ~ $ rainbow-
rainbow-easy      rainbow-run       rainbow-sugarize  rainbow-xify     
jjj@I ~ $ rainbow-run chromium
Traceback (most recent call last):
  File "/usr/bin/rainbow-run", line 140, in <module>
    main()
  File "/usr/bin/rainbow-run", line 109, in main
    uid, gid, home = check_owner(opts)
  File "/usr/bin/rainbow-run", line 72, in check_owner
    p = pwd.getpwnam(opts.user)
TypeError: must be string, not None
jjj@I ~ $ rainbow-easy chromium
sudo /usr/bin/rainbow-easy ID /path/to/program
ex: sudo /usr/bin/rainbow-easy banking /bin/bash
jjj@I ~ $ sudo rainbow-easy skype chromium
Password:
Sorry, try again.
Password:
sudo: 1 incorrect password attempt
jjj@I ~ $
cach0rr0
Bodhisattva


Joined: 13 Nov 2008
Posts: 4123
Location: Houston, Republic of Texas

Posted: Sat Nov 03, 2012 2:54 am    Post subject: Re: Easiest sandboxing for Chromium & Skype

out of curiosity, where are you seeing chromium running anything as root?

running it here, everything running as my logged on user.

chromium's own built-in sandboxing uses kernel namespaces, though for me that's always been a touch shaky

If you desperately want to run it in some sort of jail, I guess you could always just make a chroot. mkdir /mnt/chroot, untar a stage3 to this chroot, chroot, emerge chromium, done and done, chroot and use the chroot'd chromium.

but, if you're going through that based on the premise that chromium runs as root, I would re-check that premise, as I've found nothing indicating that's the case. In fact, last I looked, chromium is coded specifically to prevent people from trying to run it as root. Remember, only listening on a privileged port requires root, initiating a connection outbound to a privileged port does not.
_________________
Lost configuring your system?
dump lspci -n here | see Pappy's guide | Link Stash
phajdan.jr
Retired Dev


Joined: 23 Mar 2006
Posts: 1777
Location: Poland

Posted: Sat Nov 03, 2012 5:41 pm    Post subject: Re: Easiest sandboxing for Chromium & Skype

jago25_98 wrote:
I notice Chromium runs as root, ostensibly in order to set up its own sandbox.


Sandbox is SETUID root, that's true. Note however it drops the privileges as soon as namespaces / chroot / other security mechanisms only root has access to are set up, and certainly before processing any untrusted input.

jago25_98 wrote:
- AppArmor: succeeded by SELinux, now investigating that but the SELinux Chromium policy is masked; should I be worried? It seems overly complicated:
http://archives.gentoo.org/gentoo-hardened/msg_c006f5768549ecdda53ef213f0a0b373.xml


What do you mean by Chromium SELinux policy being masked? It's not masked, but you need to set up a SELinux profile. And it's not overly complicated, it's generally as simple as it can be. The post you linked to is about an older version of the policy by the way. Please let me know how your testing of SELinux-enabled Chromium goes.

If you have any other questions I'd be happy to answer, I'm co-maintaining the Chromium packages in Gentoo, and I'm also an upstream developer.
_________________
http://phajdan-jr.blogspot.com/
Ant P.
Watchman


Joined: 18 Apr 2009
Posts: 5595

Posted: Sat Nov 03, 2012 5:49 pm    Post subject: Re: Easiest sandboxing for Chromium & Skype

cach0rr0 wrote:
chromium's own built-in sandboxing uses kernel namespaces, though for me that's always been a touch shaky

It also uses seccomp-bpf as of kernel 3.5 (chrome://sandbox/). That's an order of magnitude more safe than a flimsy chroot — which isn't real security in the first place if a process inside can get root — and is about on par with SELinux with less overhead.
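The two claims made in the replies above (Chromium processes do not keep root, and the renderer sandbox is a seccomp-bpf filter) can be checked from `/proc/<pid>/status`. The following is an added example, not part of any post in this thread: it parses that file's `Uid:` and `Seccomp:` lines and flags anything short of "no root uid, seccomp filter active". The sample status texts are constructed, and the `Seccomp:` line is assumed to be present only on kernels that report it; where it is missing the code says so rather than guessing.

```python
SECCOMP_MODES = {0: "disabled", 1: "strict", 2: "filter (seccomp-bpf)"}

# Constructed samples in /proc/<pid>/status format (not captured from a real system).
SAMPLE_RENDERER = "Name:\tchromium\nState:\tS (sleeping)\nUid:\t1000\t1000\t1000\t1000\nSeccomp:\t2\n"
SAMPLE_NO_FIELD = "Name:\tchromium\nState:\tS (sleeping)\nUid:\t1000\t1000\t1000\t1000\n"
SAMPLE_BAD_DROP = "Name:\thelper\nState:\tS (sleeping)\nUid:\t1000\t1000\t0\t1000\nSeccomp:\t0\n"


def parse_status(text):
    """Extract the uid set and seccomp mode from /proc/<pid>/status text."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    # Uid holds four values: real, effective, saved-set, filesystem.
    uids = [int(u) for u in fields["Uid"].split()]
    raw = fields.get("Seccomp")  # absent on kernels that do not report it
    if raw is None:
        seccomp = "not reported"
    else:
        seccomp = SECCOMP_MODES.get(int(raw), "unknown")
    return {"name": fields.get("Name", "?"), "uids": uids,
            "any_root_uid": 0 in uids, "seccomp": seccomp}


def audit(status_texts):
    """Return (process name, finding) pairs for anything short of 'non-root + seccomp-bpf'."""
    findings = []
    for text in status_texts:
        info = parse_status(text)
        if info["any_root_uid"]:
            # A saved-set uid of 0 lets the process regain root, so check all four.
            findings.append((info["name"], "holds a root uid"))
        if info["seccomp"] != SECCOMP_MODES[2]:
            findings.append((info["name"], "no seccomp-bpf filter: " + info["seccomp"]))
    return findings


if __name__ == "__main__":
    for name, finding in audit([SAMPLE_RENDERER, SAMPLE_NO_FIELD, SAMPLE_BAD_DROP]):
        print(f"{name}: {finding}")
```

To check a live system, pass `audit()` the contents of `/proc/<pid>/status` for each Chromium PID; the main browser process is expected to show no filter, since only its child processes are sandboxed.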
jago25_98
Apprentice


Joined: 23 Aug 2002
Posts: 180

Posted: Sat Nov 03, 2012 7:14 pm    Post subject: Re: Easiest sandboxing for Chromium & Skype

Ah it's not running as root anymore. Sorry, I'm out of date. It's something I noticed ages ago and read about again recently which is now wrong.

My Chromium is still running as my main user though with access to all my main files. I'm reliant on the Chromium sandbox to sandbox itself and apps. I'm not too familiar with the apps and how the permissions there work.

The other thing I wanted to sandbox though was Skype. Basically I want to sandbox any closed source online apps especially.
cach0rr0
Bodhisattva


Joined: 13 Nov 2008
Posts: 4123
Location: Houston, Republic of Texas

Posted: Sun Nov 04, 2012 10:03 am    Post subject: Re: Easiest sandboxing for Chromium & Skype

Ant P. wrote:
cach0rr0 wrote:
chromium's own built-in sandboxing uses kernel namespaces, though for me that's always been a touch shaky

It also uses seccomp-bpf as of kernel 3.5 (chrome://sandbox/). That's an order of magnitude more safe than a flimsy chroot — which isn't real security in the first place if a process inside can get root — and is about on par with SELinux with less overhead.


apparently, I have this enabled. apparently, as well, I haven't been paying attention, and am on 3.6 now. I wish I could remember how long I've been on 3.6, because I haven't the foggiest clue when my sandbox instability popped up, but it could well be related.
_________________
Lost configuring your system?
dump lspci -n here | see Pappy's guide | Link Stash