[svlug] Restricting privileges

Ivan Sergio Borgonovo mail at webthatworks.it
Thu Jan 15 02:50:21 PST 2015


On 01/15/2015 02:19 AM, Sarah Newman wrote:
> So, hopefully most of you have seen the advisory about the updates for firefox allowing arbitrary
> code execution. Other than or in addition to running firefox as a different user, I'm wondering
> about further mechanisms for restricting access as running firefox in a full-blown VM is not
> necessarily feasible for video intensive operations.

I'm running debian and last night I saw ffox 35 coming down the pipe
during an upgrade. It's one of the few programs I've pinned to get
picked from experimental.

Few days ago when I was refreshing my memory about lxc I came across a
page that explain how to run chrome and skype inside a lxc container.
Since a guest on an lxc container is running on the same kernel of the
host the video board hardware shouldn't be virtualized and since you may
have several applications you'd prefer to run jailed, it could be a more
convenient solution at the cost of some extra space.

Another option could be selinux, but I've heard it's a pain to setup and
make it work reliably and your programs need to run in a nested X.

I've just learned that a whole lxc container can be apparmored.

There are many software you may use on the internet that may not receive
the cures they need because they aren't under so heavy scrutiny as
firefox may be, so make all these stuff running in a container may be
simpler to maintain than configure apparmor for each of them.

Anyway I saw many of my friends that work in security running
"sandboxed" programs (at least that's the trace their browser or irc
client leave behind).
I've always been curious what that means and I waited to ask since I
knew I wouldn't invest time to learn it and apply it, it could be the
right time.

I'll get back when and if I've something interesting to say.

So even for this year ffox is in front of Chrom* in the remote code
execution competition ;) Nostalgia.

Thanks for the introduction to apparmor.

-- 
Ivan Sergio Borgonovo
http://www.webthatworks.it




More information about the svlug mailing list