Restricting Firefox to the absolute minimum access with SELinux?
Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Restricting Firefox to the absolute minimum access with SELinux?
As there seems to be serious security flaws in Firefox now almost weekly, and Firefox is at least few days always vulnerable before the fix comes, because it takes time to get packaged and updated by a automatic package installer, how to use SELinux (in Fedora 10) to restrict Firefox's process/program to access any other files and directories it absolutely needs?
Is there some easy way to do it?
Like forbidding first everything, then trying running Firefox, then using audit2allow to pinch as tiny holes as possible to let it function.
I am looking step by step instructions or somehow to do it as easy as it would be done with AppArmor
Click here to see the post LQ members have rated as the most helpful post in this thread.
Linux isn't windows, if you're running as a non-priv'd user you don't have a high level of risk as even if something was written to exploit firefox on linux on a given distribution it wouldn't be able to do anything your user isn't able to do.
Linux isn't windows, if you're running as a non-priv'd user you don't have a high level of risk as even if something was written to exploit firefox on linux on a given distribution it wouldn't be able to do anything your user isn't able to do.
Like being one of the bots in the huge bot-network?
There is reasons why Java-applets also are not allowed to read just any data file and send it to anywhere.
Also every user may have private files (photos, diaries, calendar-data, addressbook, ....) which (s)he wouldn't like to be leaked out.
One option is to use chroot-jailed firefox, but it needs then more RAM memory. Also I kind of want to challenge SELinux, is it usable at all or is it just too difficult for a normal sysadmin?
Like being one of the bots in the huge bot-network?
There is reasons why Java-applets also are not allowed to read just any data file and send it to anywhere.
Also every user may have private files (photos, diaries, calendar-data, addressbook, ....) which (s)he wouldn't like to be leaked out.
One option is to use chroot-jailed firefox, but it needs then more RAM memory. Also I kind of want to challenge SELinux, is it usable at all or is it just too difficult for a normal sysadmin?
If it's not running under a privileged account and it's running as you, getting rid of it is as easy as deleting it and removing the file. This isn't like windows where some script kiddies file getting access to any account on the system immediately means the machine becomes part of some huge botnet and becomes a horrible mess to disinfect. rm file, kill -9 process, check netstat, check user login scripts.
A root level system breach is a wholly different story.
Again, this isn't windows. Mountain, molehill. The level of "attack" you seem to be formulating in your head is a directed attack not a scripted attack you typically see for exploiting browsers... and if someone is willing to spend that kinda time to attack you directly then you've got more serious concerns than if your browser has a few security holes... because they *are* going to get into your system... or just steal it.
Don't get me wrong, good security is very very important. Using selinux, chroot jails, etc... are all admirable things. However, in this case, a browser exploit in linux compared to windows unless it is targeted specifically at you (eg they know what software you're using, what desktop, etc) is pretty low risk.
Linux isn't windows, if you're running as a non-priv'd user you don't have a high level of risk as even if something was written to exploit firefox on linux on a given distribution it wouldn't be able to do anything your user isn't able to do.
Are you saying that even if say a heap-based buffer overflow existed in Firefox, then tricking it into some nice arbitrary code execution that "it wouldn't be able to do anything your user isn't able to do"?
Again, this isn't windows. Mountain, molehill. The level of "attack" you seem to be formulating in your head is a directed attack not a scripted attack you typically see for exploiting browsers... and if someone is willing to spend that kinda time to attack you directly then you've got more serious concerns than if your browser has a few security holes... because they *are* going to get into your system... or just steal it.
I disagree.
For example someone could have now an exploit code embedded in this linuxquestions.org and everyone visiting here with a Firefox 3.0.7 or earlier would become a part of a botnet. Or all visited users' files (the files the user has access in his/her host) would be stolen just to look if there would be something interesting.
There does not need to be someone willing to attack me directly, but just anyone or mass of people.
These kind of bugs have been pretty frequent in Firefox lately: (03.26.09) CanSecWest 2009 Pwn2Own Exploit and XSL Transform Vulnerability
So with SELinux, I would want to forbid Firefox process to access any other files or directories in my home direcory (or user's home directories) but $HOME/.mozilla/, /tmp/, and $HOME/Download/
And would want those restrictions to stay even when Firefox is automatically updated by a distribution package updater.
(edit: added later)
To be more precise, write access allowed only to ~/.mozilla/, /tmp/, and ~/Download/
AND,read access only to those resource files and library files Firefox needs in the host's root directory, nothing else.
Also, say, Firefox heap-based overflow exploit would run something like "...;echo (WHATEVER) > /tmp/file;crontab /tmp/file", it would not work because Firefox's process and its children are not allowed to read /usr/bin/echo nor /usr/bin/crontab and so on.
Last edited by zimon; 03-27-2009 at 05:39 PM.
Reason: just to make clear what would want to allow and forbid everything else
Are you saying that even if say a heap-based buffer overflow existed in Firefox, then tricking it into some nice arbitrary code execution that "it wouldn't be able to do anything your user isn't able to do"?
You're still talking about a directed attack, this isn't script kiddie stuff which make up 99% of web exploits and botnet crap the original poster seems to be afraid of. If you're talking about a directed attack there are far easier avenues of entry and access. My opinion is this: This particular case is an example of spending far to much effort on fixing a miniscle problem. The effort could better be spent in many other areas. There are cases where such effort is warranted, based on currently available information this isn't one of them.
You're still talking about a directed attack (..) This particular case is an example of spending far to much effort on fixing a miniscle problem.
No, way more generic. I'm pointing at you using the UNIX privilege separation concept as main argument. While there's nothing wrong with that, buffer overflows exist, and have existed in Firefox. So that problem is realistic but did not get mentioned here. Your opinion being noted (but apart from it just being your opinion and not even remotely contributing to help solve the OP's questions) DAC rights don't shield against that kind of vulnerability. SE Linux does. Even for processes running in unconfined_t SE Linux does memory checks, and those processes may not allocate writeable memory and execute it. So while DAC rights are a start they definately are not the only usable and combat-proven layer of protection one could have.
To the OP: two things that come to mind would be looking at F10's SE Linux xguest addition or TOMOYO (path-based) which (hurrah) will be (partially) in the next kernel release 2.6.30. If you're willing to experiment: TOMOYO will run alongside of SE Linux w/o problems, has an english-spoken user mailing list (the devs being Japanese) and just needs a kernel recompile and a wee bit of userland apps.
Last edited by unSpawn; 03-27-2009 at 07:31 PM.
Reason: clarity++
personally i would not worry about it .
Running as a normal user ( and NOT as root) with SE set to enforcing ,and everything up to date .For a automated script to be able to install something let alone be able to do anything in your home folder ( yes there are some things that can be done ) would be like hitting the " mega millions jackpot for $30,000,000 + . it could happen but not likely .
Now if a hacker/cracker is after you and trying to get in to your system then there really NOTHING you can do about it . They WILL get in .
I just don't get it. The OP has a simple, legitimate question. He isn't asking for opinions, and there's nothing in the OP that warrants talking about Wndws, botnets, crackers or automated scripts...
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.