
#26 2010-10-27 21:51:26

Gen2ly
Member
From: Sevierville, TN
Registered: 2009-03-06
Posts: 1,529
Website

Re: Sandfox - A Poor Man's Firefox Sandboxer

I've been restoring my system so I'm beginning to think that I'm missing some programs to make this run.  I had been using more programs before.  Can you think of any programs I need to have?


Setting Up a Scripting Environment | Proud donor to wikipedia - link

Offline

#27 2010-10-28 07:45:25

linux-ka
Member
From: ADL
Registered: 2010-05-07
Posts: 232

Re: Sandfox - A Poor Man's Firefox Sandboxer

I guess it is a good tool, but why can't I use my .mozilla folder? It has standard ugo-rights, but after

 sandfox firefox && firefox 

firefox starts naked, without any plugin and session.

Offline

#28 2010-11-28 05:26:41

jdm
Member
Registered: 2009-02-25
Posts: 10

Re: Sandfox - A Poor Man's Firefox Sandboxer

Gen2ly wrote:

Not sure what I did but sandfox starting firefox no longer works.  I troubleshooted by reading Getting Programs To Run Well In A Sandbox.  I ran 'sudo sandfox --verbose firefox' then in a separate shell did 'sudo sandfox firefox' and it gave me this:

Executing /tmp/sandfox-events/firefox/firefox-b6b6fea5.sh...
Deleting /tmp/sandfox-events/firefox/firefox-b6b6fea5.sh...
>>> inotifywait -eq modify  "/tmp/sandfox-events/firefox"
No protocol specified
No protocol specified
Error: cannot open display: :0.0

Any ideas on what might be going on?

Yes, I had the same issue. I did some troubleshooting and I modified the default firefox.profile very slightly:

bindro=/home/$user/.Xauthority
bind=/tmp/.X11-unix
bind=/tmp/.X11-unix/X0

The last two lines are probably unnecessary since the entire /tmp directory is bind'd at the top of the file, but doing

$ sudo sandfox --profile firefox firefox

worked after adding those three lines. Voilà.

Offline

#29 2010-11-28 15:31:29

IgnorantGuru
Member
Registered: 2009-11-09
Posts: 640
Website

Re: Sandfox - A Poor Man's Firefox Sandboxer

Gen2ly and linux-ka, my apologies for the delayed response.  For some reason the forum did not notify me of new posts in this thread.

As jdm said, the "cannot open display" is probably connected with .Xauthority, as I've gotten feedback on it being required in some circumstances.  I'll probably add that to the default profile.  Just note that the .Xauthority file may not be available if the sandbox is created at boot before the user is logged into X.   So in that case it may help to open the sandbox after the user is logged in.  Or in one case a user modified the sandfox boot startup script so it waits until it sees the user logged in.

I guess it is a good tool, but why can't I use my .mozilla folder? It has standard ugo-rights, but after

sandfox firefox && firefox

firefox starts naked, without any plugin and session.

~/.mozilla should be available.  First, the way you are calling sandfox is starting Firefox twice.  To create the sandbox and run Firefox use:

sudo sandfox firefox

If you then close Firefox, you can start it again in the existing sandbox with:

sandfox firefox

If you don't think the .mozilla folder is accessible, with the sandbox open try:

sudo sandfox bash

That will allow you to explore the sandbox.  For example:

$ sudo sandfox bash

>>> shell - you are myuser in sandbox "firefox" <<<

$ ls -la /home/myuser
total 84
drwxrwx--T 16 myuser myuser  4096 Nov 28 08:17 .
drwxr-xr-x  3 myuser myuser  4096 Nov 25 16:31 ..
drwx------  2 myuser myuser    40 Nov 28 04:05 .adobe
-rw-------  1 myuser myuser     8 Nov 28 08:17 .bash_history
-rw-r-----  1 myuser myuser    16 Oct 29  2009 .bash_profile
-rw-r-----  1 myuser myuser   470 Oct 19 10:54 .bashrc
drwxr-xr-x  2 myuser myuser  4096 Nov 25 16:33 .cache
drwxrwx--T  5 myuser myuser  4096 Nov 25 16:31 .config
-rw-------  1 myuser myuser    16 Dec  1  2009 .esd_auth
drwx------  2 myuser myuser  4096 Nov  9 10:09 .fontconfig
drwx------  3 myuser myuser  4096 Nov 25 16:33 .gnome2
drwx------  2 myuser myuser  4096 Nov 25 16:33 .gnome2_private
-rw-r-----  1 myuser myuser   155 Feb 15  2010 .gtkrc-2.0
drwx------  3 myuser myuser  4096 Jul 10 20:59 .java
drwx------  2 myuser myuser    40 Nov 28 04:05 .macromedia
drwx------  4 myuser myuser  4096 May  2  2010 .mozilla
-rw-------  1 myuser myuser   218 Nov 28 05:00 .recently-used.xbel
-rw-r-----  1 myuser myuser    57 Jun 19 08:34 .Xdefaults

$ exit
exit

<<< exit - you are myuser out of the sandbox >>>

That will allow you to see what Firefox has access to.  ugo permissions are not required as Firefox will be running with your normal user permissions inside the sandbox.

You can also issue a 'mount' command to see what mounts exist.  You should see one like:

$ mount | grep mozilla
...
/home/myuser/.mozilla on /mnt/sandfox/firefox/home/myuser/.mozilla type none (rw,nosuid,bind,noatime)

Last edited by IgnorantGuru (2010-11-28 15:35:05)

Offline

#30 2010-12-16 04:37:03

Gen2ly
Member
From: Sevierville, TN
Registered: 2009-03-06
Posts: 1,529
Website

Re: Sandfox - A Poor Man's Firefox Sandboxer

Thanks for the reply IgnorantGuru.  Got an .Xauthority file in my sandbox now and it runs good.  Thanks for the work you do on this good idea.


Setting Up a Scripting Environment | Proud donor to wikipedia - link

Offline

#31 2011-02-17 18:27:18

IgnorantGuru
Member
Registered: 2009-11-09
Posts: 640
Website

Re: Sandfox - A Poor Man's Firefox Sandboxer

Sandfox 1.0.8 is available.  This update corrects a problem which users with usernames longer than 8 characters may have encountered.  (It turns out ps reports a username as a userid if the username is longer than 8 characters, which was news to me.  That caused an erroneous 'Could not start daemon' error in Sandfox.)  It also corrects the mount count in --status for sandboxes with similar names, and if you explicitly specify a sandbox name with --sandbox, Sandfox will now know to create it if it doesn't exist.

Also, the default Skype profile should now work with video as well as audio.  And the Xauthority bind referenced above has been added to the default Firefox profile.

http://igurublog.wordpress.com/download … t-sandfox/
http://aur.archlinux.org/packages.php?ID=34261

Last edited by IgnorantGuru (2011-02-17 18:29:22)

Offline

#32 2011-06-09 18:40:08

Gen2ly
Member
From: Sevierville, TN
Registered: 2009-03-06
Posts: 1,529
Website

Re: Sandfox - A Poor Man's Firefox Sandboxer

IgnorantGuru,

I was wondering if I could get the script to symlink the home folder .adobe and .macromedia folders to /dev/null.  I discovered this exploit a bit back and we discussed it here:

https://bbs.archlinux.org/viewtopic.php?pid=572576

I tried altering the script to add it manually but am only getting the .macromedia folder to symlink:

# Required by flash player for persistent LSOs
# Hide will store the cookies in ram and destroy them on exit.  If you need
# LSOs to be permanent, use bind= instead.
# http://www.wired.com/epicenter/2009/08/you-deleted-your-cookies-think-again/
#hide=/home/\$user/.adobe     # creates a dummy folder
#hide=/home/\$user/.macromedia  # creates a dummy folder
ln -s /dev/null /home/\$user/.adobe 
ln -s /dev/null /home/\$user/.macromedia 

Probably something in the script to prevent this.  Lately I believe that not symlinking to /dev/null has possibly caused another exploit, any ideas?


Setting Up a Scripting Environment | Proud donor to wikipedia - link

Offline

#33 2011-06-10 12:50:19

IgnorantGuru
Member
Registered: 2009-11-09
Posts: 640
Website

Re: Sandfox - A Poor Man's Firefox Sandboxer

@Gen2ly
/dev/null is a file whereas ~/.macromedia and ~/.adobe are directories.  So if you create a symlink to /dev/null with those names, you (or Flash) won't be able to create or move files to it.  I doubt Flash will run well in such circumstances.  In cases where .macromedia and .adobe are made root-owned without user write permissions, Flash used to crash outright on some websites.

Also, Sandfox's profiles are config files, not scripts, so they only accept what Sandfox accepts on the command line - no commands like ln.  If you need to execute such commands after a sandbox is created, you can run your own script after sandfox and have it directly alter the contents of /mnt/sandfox/SANDBOXNAME.  However, doing so is not generally necessary and can introduce complications.

By default, Sandfox creates a ramfs for .macromedia and .adobe - folders which can hold data Flash wants to store there, but they are saved in ram only and are destroyed when the sandbox is closed.  This takes care of persistent LSOs.  This is usually sufficient, but if you are concerned about LSO's tracking your movement from one website to another in a single session, it won't help.  For that, you could occasionally delete the LSOs and restart Firefox, or you could use a Firefox plugin that handles them in real time.  You can also configure Flash to not store them (though I wouldn't trust it).  Also, the FlashBlock plugin will prevent LSOs from being created by websites, unless you explicitly click 'play' in the Flash content.  NoScript works similarly.  Personally, I think running Firefox in the sandbox with hide mounts on .adobe and .macromedia, and using both NoScript and FlashBlock, are sufficient to handle LSOs for most purposes.

If you want to stop Flash from writing anything to .macromedia and .adobe, Sandfox doesn't provide a mechanism to accomplish this directly, and as I said I think it will cause problems with Flash.  But you could run a script after sandbox creation which makes those folders read-only to the user.  eg:

#!/bin/bash
chown root:root /mnt/sandfox/firefox/home/user/.macromedia /mnt/sandfox/firefox/home/user/.adobe
chmod ugo-wx /mnt/sandfox/firefox/home/user/.macromedia /mnt/sandfox/firefox/home/user/.adobe

Or if you really want your /dev/null links:

#!/bin/bash
ln -s /dev/null /mnt/sandfox/firefox/home/user/.adobe 
ln -s /dev/null /mnt/sandfox/firefox/home/user/.macromedia

(In all of the above, you'll need to change "user" to your username, and "firefox" to the actual sandbox name.)

Of course, an exploit could conceivably delete and change permissions on the folders since the home folder is not root-owned, but it probably won't.  (This is true of any solution, even your links to /dev/null.)

Yet another solution would be to ensure ~/.adobe/ and ~/.macromedia/ are empty before you create the sandbox, then use bindro to bind mount them into the sandbox as read-only (instead of using hide).  This is more powerful as once they are bind mounted in this fashion, only root from outside the sandbox can alter them.

Last edited by IgnorantGuru (2011-06-10 13:24:33)

Offline
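
A way to check which of the hide / bind / bindro options discussed above is actually in effect for a sandbox, by classifying the lines of 'mount' output (an added example, not part of the original posts and not Sandfox code). The function names and the sample are hypothetical; the first sample line uses the format shown earlier in the thread, while the ramfs and ro lines are an assumed rendering of hide= and bindro= mounts.

```bash
#!/bin/bash
# Added example: classify the mounts of one Sandfox sandbox from `mount` output.

# Constructed sample. Line 1 follows the format quoted earlier in the thread;
# the remaining lines are assumptions about how other mounts would appear.
sample_mount() {
cat <<'EOF'
/home/myuser/.mozilla on /mnt/sandfox/firefox/home/myuser/.mozilla type none (rw,nosuid,bind,noatime)
/home/myuser/.Xauthority on /mnt/sandfox/firefox/home/myuser/.Xauthority type none (ro,nosuid,bind,noatime)
ramfs on /mnt/sandfox/firefox/home/myuser/.adobe type ramfs (rw,nosuid)
ramfs on /mnt/sandfox/firefox/home/myuser/.macromedia type ramfs (rw,nosuid)
/home/myuser/.macromedia on /mnt/sandfox/firefox-lso/home/myuser/.macromedia type none (rw,nosuid,bind,noatime)
/dev/sda1 on / type ext4 (rw,noatime)
EOF
}

# audit_sandbox_mounts SANDBOX   (reads `mount` output on stdin)
# Prints "<verdict> <path inside sandbox>" for every mount in that sandbox:
#   read-only         mounted ro
#   volatile          ramfs/tmpfs, contents are gone when the sandbox closes
#   persistent-write  writable and backed by the real filesystem
# Paths containing spaces are not handled.
audit_sandbox_mounts() {
    awk -v root="/mnt/sandfox/$1" '
        # root "/" keeps sandbox "firefox" from also matching "firefox-lso"
        $2 == "on" && $4 == "type" && index($3, root "/") == 1 {
            path = substr($3, length(root) + 1)
            opts = $6
            gsub(/[()]/, "", opts)
            if (("," opts ",") ~ /,ro,/)
                verdict = "read-only"
            else if ($5 == "ramfs" || $5 == "tmpfs")
                verdict = "volatile"
            else
                verdict = "persistent-write"
            print verdict, path
        }' | LC_ALL=C sort
}

# lso_dirs_persistent SANDBOX   (reads `mount` output on stdin)
# Succeeds, printing the offending paths, when a Flash LSO directory
# (.adobe or .macromedia) is writable and survives sandbox closure.
lso_dirs_persistent() {
    audit_sandbox_mounts "$1" | grep -E '^persistent-write .*/\.(adobe|macromedia)$'
}

# Demo on the constructed sample; on a live system use:
#   mount | audit_sandbox_mounts firefox
sample_mount | audit_sandbox_mounts firefox
```

Folders that are not separate mounts (for example after the chown/chmod script above) do not appear in 'mount' output, so this only covers what Sandfox mounted.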

#34 2011-06-19 10:28:51

whitethorn
Member
Registered: 2010-05-02
Posts: 153

Re: Sandfox - A Poor Man's Firefox Sandboxer

I can't seem to be able to close the default firefox sandboxes.

whitethorn@wt-bossa ~ $ sudo sandfox firefox
Password: 
There are no usable sandbox daemons running for whitethorn - make has been enabled
Loading profile "default"
Loading profile "firefox"
Creating new sandbox "firefox-7e79"
Starting firefox as whitethorn in sandbox "firefox-7e79"...
whitethorn@wt-bossa ~ $ sudo sandfox --closeall
sandfox: Error: Closure incomplete - mounts may still exist on
         /mnt/sandfox  Close programs running in
         the sandbox and try again.
whitethorn@wt-bossa ~ $ sudo sandfox firefox
There are no usable sandbox daemons running for whitethorn - make has been enabled
Loading profile "default"
Loading profile "firefox"
Creating new sandbox "firefox-9db7"
Starting firefox as whitethorn in sandbox "firefox-9db7"...
whitethorn@wt-bossa ~ $ sudo sandfox --closeall
sandfox: Error: Closure incomplete - mounts may still exist on
         /mnt/sandfox  Close programs running in
         the sandbox and try again.

All I had running was firefox and it's closed. I don't know if this helps, but here's some lsof output for the /mnt/sandfox folder.

ps -eF|grep fire
whitethorn    2978  2923  0  2508   972   3 12:25 pts/4    00:00:00 grep fire

sudo lsof |grep /mnt/sandfox/
lsof: WARNING: can't stat() fuse.gvfs-fuse-daemon file system /home/whitethorn/.gvfs
      Output information may be incomplete.
dbus-laun 2039      whitethorn  cwd       DIR               8,17     4096     804252 /mnt/sandfox/firefox-7e79
dbus-laun 2039      whitethorn  rtd       DIR               8,17     4096     804252 /mnt/sandfox/firefox-7e79
dbus-laun 2039      whitethorn  txt       REG               8,17    25624    3158434 /mnt/sandfox/firefox-7e79/usr/bin/dbus-launch
dbus-laun 2039      whitethorn  mem       REG               8,17    47600     138799 /mnt/sandfox/firefox-7e79/lib/libnss_files-2.13.so
dbus-laun 2039      whitethorn  mem       REG               8,17    20088    3159641 /mnt/sandfox/firefox-7e79/usr/lib/libXdmcp.so.6.0.0
dbus-laun 2039      whitethorn  mem       REG               8,17     9976    3159655 /mnt/sandfox/firefox-7e79/usr/lib/libXau.so.6.0.0
dbus-laun 2039      whitethorn  mem       REG               8,17    14688     130822 /mnt/sandfox/firefox-7e79/lib/libdl-2.13.so
dbus-laun 2039      whitethorn  mem       REG               8,17   111824    3159704 /mnt/sandfox/firefox-7e79/usr/lib/libxcb.so.1.1.0
dbus-laun 2039      whitethorn  mem       REG               8,17  1420688     131554 /mnt/sandfox/firefox-7e79/lib/libc-2.13.so
dbus-laun 2039      whitethorn  mem       REG               8,17   135917     130856 /mnt/sandfox/firefox-7e79/lib/libpthread-2.13.so
dbus-laun 2039      whitethorn  mem       REG               8,17  1305856    3162945 /mnt/sandfox/firefox-7e79/usr/lib/libX11.so.6.3.0
dbus-laun 2039      whitethorn  mem       REG               8,17   144927     138793 /mnt/sandfox/firefox-7e79/lib/ld-2.13.so
dbus-laun 2039      whitethorn    0r      CHR                1,3      0t0       3608 /mnt/sandfox/firefox-7e79/dev/null
dbus-laun 2039      whitethorn    1u      CHR                1,3      0t0       3608 /mnt/sandfox/firefox-7e79/dev/null
dbus-laun 2039      whitethorn    2u      CHR                1,3      0t0       3608 /mnt/sandfox/firefox-7e79/dev/null
dbus-laun 2039      whitethorn    4u      CHR                1,3      0t0       3608 /mnt/sandfox/firefox-7e79/dev/null
dbus-daem 2040      whitethorn  cwd       DIR               8,17     4096     804252 /mnt/sandfox/firefox-7e79
dbus-daem 2040      whitethorn  rtd       DIR               8,17     4096     804252 /mnt/sandfox/firefox-7e79
dbus-daem 2040      whitethorn  txt       REG               8,17   343120    3157110 /mnt/sandfox/firefox-7e79/usr/bin/dbus-daemon
dbus-daem 2040      whitethorn  mem       REG               8,17    47600     138799 /mnt/sandfox/firefox-7e79/lib/libnss_files-2.13.so
dbus-daem 2040      whitethorn  mem       REG               8,17  1420688     131554 /mnt/sandfox/firefox-7e79/lib/libc-2.13.so
dbus-daem 2040      whitethorn  mem       REG               8,17    31728     146120 /mnt/sandfox/firefox-7e79/lib/librt-2.13.so
dbus-daem 2040      whitethorn  mem       REG               8,17   135917     130856 /mnt/sandfox/firefox-7e79/lib/libpthread-2.13.so
dbus-daem 2040      whitethorn  mem       REG               8,17   168592    3156655 /mnt/sandfox/firefox-7e79/usr/lib/libexpat.so.1.5.2
dbus-daem 2040      whitethorn  mem       REG               8,17   144927     138793 /mnt/sandfox/firefox-7e79/lib/ld-2.13.so
dbus-daem 2040      whitethorn    0u      CHR                1,3      0t0       3608 /mnt/sandfox/firefox-7e79/dev/null
dbus-daem 2040      whitethorn    1u      CHR                1,3      0t0       3608 /mnt/sandfox/firefox-7e79/dev/null
dbus-daem 2040      whitethorn    2u      CHR                1,3      0t0       3608 /mnt/sandfox/firefox-7e79/dev/null
dbus-daem 2040      whitethorn    4u      CHR                1,3      0t0       3608 /mnt/sandfox/firefox-7e79/dev/null

Offline

#35 2011-06-19 13:54:35

IgnorantGuru
Member
Registered: 2009-11-09
Posts: 640
Website

Re: Sandfox - A Poor Man's Firefox Sandboxer

whitethorn wrote:

I can't seem to be able to close the default firefox sandboxes.

Those are the right steps - it looks like dbus is for some reason hanging onto several libraries in the sandboxes, but off-hand I can't tell you why that would be.  I haven't seen that behavior before.  I would try killing some processes to see what releases it, and that might give you a clue to the cause.  Also note any processes or apps that firefox or its plugins may be launching (try disabling your firefox plugins, flash, java, etc, one at a time).  As with any mount, the sandbox mounts can't be unmounted while the system reports they are in use or files are open in them.

You might also narrow down the specific umount which is failing by using 'sandfox --verbose --closeall', or manually umounting the relevant mounts shown remaining by 'mount'.

Last edited by IgnorantGuru (2011-06-19 13:57:08)

Offline

#36 2011-06-20 21:12:43

whitethorn
Member
Registered: 2010-05-02
Posts: 153

Re: Sandfox - A Poor Man's Firefox Sandboxer

Well gave it another try and looks like it has problems with certain folders. The following aren't unmounting properly.

/mnt/sandfox/firefox-1b67/tmp/
/mnt/sandfox/firefox-1b67/dev/null
/mnt/sandfox/firefox-1b67/usr
/mnt/sandfox/firefox-1b67/lib

For some reason even I wasn't able to unmount /dev/null with the force flag. Another odd thing, if I start sandfox firefox again then I get an error message from firefox. Looks like it can't use dbus anymore, closing the box works fine though.

Failed to contact configuration server; the most common cause is a missing or misconfigured D-Bus session bus daemon. See http://projects.gnome.org/gconf/ for information. (Details -  1: GetIOR failed: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.gnome.GConf was not provided by any .service files)

Complete output from umount

sudo sandfox --verbose --closeall
commandline: Option verbose
commandline: Option closeall
>>> rm -rf /tmp/sandfox-events/*
>>> umount "/mnt/sandfox/firefox-1b67/home/whitethorn/.macromedia"
>>> umount "/mnt/sandfox/firefox-1b67/home/whitethorn/.adobe"
>>> umount "/mnt/sandfox/firefox-1b67/var/lib/mlocate"
>>> umount "/mnt/sandfox/firefox-1b67/home/whitethorn/.gtkrc-2.0"
>>> umount "/mnt/sandfox/firefox-1b67/home/whitethorn/.config/gtk-2.0"
>>> umount "/mnt/sandfox/firefox-1b67/home/whitethorn/.java"
>>> umount "/mnt/sandfox/firefox-1b67/home/whitethorn/.esd_auth"
>>> umount "/mnt/sandfox/firefox-1b67/home/whitethorn/.mozilla"
>>> umount "/mnt/sandfox/firefox-1b67/var/run"
>>> umount "/mnt/sandfox/firefox-1b67/var/cache/fontconfig"
>>> umount "/mnt/sandfox/firefox-1b67/var/cache/cups"
>>> umount "/mnt/sandfox/firefox-1b67/tmp"
umount: /mnt/sandfox/firefox-1b67/tmp: device is busy.
        (In some cases useful info about processes that use
         the device is found by lsof(8) or fuser(1))
sandfox: Error: Closure incomplete - mounts may still exist on
         /mnt/sandfox  Close programs running in
         the sandbox and try again.
whitethorn@wt-bossa ~ $ sudo umount -f /mnt/sandfox/firefox-1b67/tmp/
whitethorn@wt-bossa ~ $ sudo sandfox --verbose --closeall
commandline: Option verbose
commandline: Option closeall
>>> rm -rf /tmp/sandfox-events/*
>>> umount "/mnt/sandfox/firefox-1b67/dev/random"
>>> umount "/mnt/sandfox/firefox-1b67/dev/urandom"
>>> umount "/mnt/sandfox/firefox-1b67/dev/null"
umount: /mnt/sandfox/firefox-1b67/dev/null: device is busy.
        (In some cases useful info about processes that use
         the device is found by lsof(8) or fuser(1))
sandfox: Error: Closure incomplete - mounts may still exist on
         /mnt/sandfox  Close programs running in
         the sandbox and try again.
whitethorn@wt-bossa ~ $ sudo umount -f /mnt/sandfox/firefox-1b67/dev/null 
umount2: Device or resource busy
umount: /mnt/sandfox/firefox-1b67/dev/null: device is busy.
        (In some cases useful info about processes that use
         the device is found by lsof(8) or fuser(1))
umount2: Device or resource busy
whitethorn@wt-bossa ~ $ sudo umount -fl /mnt/sandfox/firefox-1b67/dev/null 
whitethorn@wt-bossa ~ $ sudo sandfox --verbose --closeall
commandline: Option verbose
commandline: Option closeall
>>> rm -rf /tmp/sandfox-events/*
>>> umount "/mnt/sandfox/firefox-1b67/home/whitethorn/.Xauthority"
>>> umount "/mnt/sandfox/firefox-1b67/home/whitethorn/.Xdefaults"
>>> umount "/mnt/sandfox/firefox-1b67/home/whitethorn/.kde4/share/config/kdeglobals"
>>> umount "/mnt/sandfox/firefox-1b67/home/whitethorn/.fontconfig"
>>> umount "/mnt/sandfox/firefox-1b67/proc"
>>> umount "/mnt/sandfox/firefox-1b67/dev/snd"
>>> umount "/mnt/sandfox/firefox-1b67/var/lib"
>>> umount "/mnt/sandfox/firefox-1b67/usr"
umount: /mnt/sandfox/firefox-1b67/usr: device is busy.
        (In some cases useful info about processes that use
         the device is found by lsof(8) or fuser(1))
sandfox: Error: Closure incomplete - mounts may still exist on
         /mnt/sandfox  Close programs running in
         the sandbox and try again.
whitethorn@wt-bossa ~ $ sudo umount -fl /mnt/sandfox/firefox-1b67/usr/
whitethorn@wt-bossa ~ $ sudo sandfox --verbose --closeall
commandline: Option verbose
commandline: Option closeall
>>> rm -rf /tmp/sandfox-events/*
>>> umount "/mnt/sandfox/firefox-1b67/lib64"
>>> umount "/mnt/sandfox/firefox-1b67/lib"
umount: /mnt/sandfox/firefox-1b67/lib: device is busy.
        (In some cases useful info about processes that use
         the device is found by lsof(8) or fuser(1))
sandfox: Error: Closure incomplete - mounts may still exist on
         /mnt/sandfox  Close programs running in
         the sandbox and try again.
whitethorn@wt-bossa ~ $ sudo umount -fl /mnt/sandfox/firefox-1b67/lib
whitethorn@wt-bossa ~ $ sudo sandfox --verbose --closeall
commandline: Option verbose
commandline: Option closeall
>>> rm -rf /tmp/sandfox-events/*
>>> umount "/mnt/sandfox/firefox-1b67/etc"
>>> umount "/mnt/sandfox/firefox-1b67/bin"
Removing /mnt/sandfox
>>> find "/mnt/sandfox" -xdev | sort -r

Offline

#37 2011-06-20 21:46:53

IgnorantGuru
Member
Registered: 2009-11-09
Posts: 640
Website

Re: Sandfox - A Poor Man's Firefox Sandboxer

whitethorn wrote:

Well gave it another try and looks like it has problems with certain folders.

One possible theory - it looks like dbus is being launched within the sandbox (maybe triggered by firefox), and the dbus daemon keeps running in there even after firefox closes.  I would suggest starting dbus prior to running firefox, so it will be running outside the sandbox.  eg if you're running gnome from .xinitrc, you might put this in your .xinitrc:

exec dbus-launch --auto-syntax --exit-with-session gnome-session

Beyond that theory, personally I would explore whether the fuse or gvfs daemons are involved in some way.  Also, I assume you're not running selinux or apparmor - if so you may want to temporarily disable them to see if it changes anything.  In general, simplify what's running on the system to narrow down the cause.

If the above doesn't help, it looks like you could hack the sandfox script and add the -l option to sandfox's umount command.  (/dev/null probably refused to unmount for you because you used -f instead of -l.)

Offline

#38 2011-06-21 01:34:19

whitethorn
Member
Registered: 2010-05-02
Posts: 153

Re: Sandfox - A Poor Man's Firefox Sandboxer

I'm running Openbox as a standalone WM, I use slim which uses this command to start openbox.

ck-launch-session dbus-launch openbox-session

Oh well, I'll just hack the script. Not the prettiest solution. The odd thing is, I can reproduce this behavior on my PC and on my netbook.  They both have mostly the same packages and architecture although completely different hardware.

Edit: I just removed the dbus-launch from my .xinitrc launched a second xsession, and sandfox firefox worked fine. Gah annoying, when I remove dbus-launch thunar no longer automounts usb drives.

Looks like this problem is solved. Thx for your feedback and help.

Last edited by whitethorn (2011-06-21 01:45:10)

Offline

#39 2011-06-21 12:29:44

IgnorantGuru
Member
Registered: 2009-11-09
Posts: 640
Website

Re: Sandfox - A Poor Man's Firefox Sandboxer

whitethorn wrote:

Edit: I just removed the dbus-launch from my .xinitrc launched a second xsession, and sandfox firefox worked fine. Gah annoying, when I remove dbus-launch thunar no longer automounts usb drives.

I suggest adding dbus to your daemons array so it starts at boot, or otherwise insuring that it is already running when you start firefox.  From your lsof output it certainly looks like the dbus daemon is running inside the sandbox...

sudo lsof |grep /mnt/sandfox/
dbus-laun 2039      whitethorn  txt       REG               8,17    25624    3158434 /mnt/sandfox/firefox-7e79/usr/bin/dbus-launch
dbus-daem 2040      whitethorn  txt       REG               8,17   343120    3157110 /mnt/sandfox/firefox-7e79/usr/bin/dbus-daemon

Offline
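
The reading of the lsof output described above, as an added example that is not part of the original posts: it groups lsof lines by process and marks those whose root directory (the "rtd" entry) lies inside a sandbox, which is what distinguishes a process still running in the sandbox from one that merely has a file open there. The function names are hypothetical and the sample is constructed, modelled on the lines posted in this thread.

```bash
#!/bin/bash
# Added example: find what keeps a Sandfox sandbox busy, from lsof output.

# Constructed sample, modelled on the lsof lines posted in this thread.
# The "bash 3001" line is invented to show a holder that is not chrooted.
sample_lsof() {
cat <<'EOF'
dbus-laun 2039 whitethorn cwd DIR 8,17 4096 804252 /mnt/sandfox/firefox-7e79
dbus-laun 2039 whitethorn rtd DIR 8,17 4096 804252 /mnt/sandfox/firefox-7e79
dbus-laun 2039 whitethorn txt REG 8,17 25624 3158434 /mnt/sandfox/firefox-7e79/usr/bin/dbus-launch
dbus-daem 2040 whitethorn rtd DIR 8,17 4096 804252 /mnt/sandfox/firefox-7e79
dbus-daem 2040 whitethorn mem REG 8,17 1420688 131554 /mnt/sandfox/firefox-7e79/lib/libc-2.13.so
dbus-daem 2040 whitethorn 0u CHR 1,3 0t0 3608 /mnt/sandfox/firefox-7e79/dev/null
bash 3001 whitethorn cwd DIR 8,17 4096 804300 /mnt/sandfox/firefox-7e79/tmp
bash 2923 whitethorn rtd DIR 8,17 4096 2 /
bash 2923 whitethorn cwd DIR 8,17 4096 804100 /home/whitethorn
EOF
}

# sandbox_holders [BASE]   (reads lsof output on stdin, BASE defaults to /mnt/sandfox)
# Prints one line per process with entries under BASE:
#   PID COMMAND SANDBOX ENTRIES chrooted|open-files-only
# "chrooted" means the process has its root directory (FD column "rtd")
# inside the sandbox, so it was started in there and is still running.
# File names containing spaces are not handled.
sandbox_holders() {
    awk -v base="${1:-/mnt/sandfox}" '
        index($NF, base "/") == 1 {
            rest = substr($NF, length(base) + 2)
            split(rest, parts, "/")
            pid = $2
            cmd[pid] = $1
            box[pid] = parts[1]
            entries[pid]++
            if ($4 == "rtd")
                chroot[pid] = 1
        }
        END {
            for (pid in entries)
                printf "%s %s %s %d %s\n", pid, cmd[pid], box[pid], entries[pid],
                       ((pid in chroot) ? "chrooted" : "open-files-only")
        }' | sort -n
}

# Demo on the constructed sample; on a live system use:
#   sudo lsof | sandbox_holders
sample_lsof | sandbox_holders
```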

#40 2011-06-21 23:35:43

whitethorn
Member
Registered: 2010-05-02
Posts: 153

Re: Sandfox - A Poor Man's Firefox Sandboxer

IgnorantGuru wrote:

I suggest adding dbus to your daemons array so it starts at boot, or otherwise insuring that it is already running when you start firefox.  From your lsof output it certainly looks like the dbus daemon is running inside the sandbox...

I already have dbus starting at boot. Here my daemons line from rc.conf.

DAEMONS=(hwclock syslog-ng dbus hal @network @crond @fancontrol @sshd @sensors @alsa @mpd @vnstat @cpufreq)

Offline

#41 2011-08-06 16:27:03

IgnorantGuru
Member
Registered: 2009-11-09
Posts: 640
Website

Re: Sandfox - A Poor Man's Firefox Sandboxer

A fix for the dbus issue is included in Sandfox 1.1.0.

Offline

#42 2013-07-08 16:13:39

hasufell
Member
Registered: 2009-06-20
Posts: 38

Re: Sandfox - A Poor Man's Firefox Sandboxer

any1 got this to work with steam? It always crashes and gdb just tells me it doesn't find a directory (but not which one). Checked open files with lsof on non-chrooted steam and bind-mounted them all, did not help.

Offline

#43 2013-07-08 17:08:40

hasufell
Member
Registered: 2009-06-20
Posts: 38

Re: Sandfox - A Poor Man's Firefox Sandboxer

Also: is there any way to _exclude_ mounts (as in.. files from /usr)

e.g. I have:

bindro=/usr
hide=/usr/bin/perl

but that doesn't work and bails out:

sandfox: Error: bind mount failed on /mnt/sandfox/foo/usr/bin/perl

Offline

#44 2013-07-08 17:44:29

HalosGhost
Member
From: Twin Cities, MN
Registered: 2012-06-22
Posts: 1,485
Website

Re: Sandfox - A Poor Man's Firefox Sandboxer

hasufell wrote:

any1 got this to work with steam? It always crashes and gdb just tells me it doesn't find a directory (but not which one). Checked open files with lsof on non-chrooted steam and bind-mounted them all, did not help.

A few things here.

  1. You realize that this thread is old enough that the OP was last recommending people to add things to the daemons array?

  2. The whole thread is about sandboxing firefox—that's what the OP designed the script for—what led you to believe that this could be used for steam?

  3. We have an 'edit' function, there's no need to multi-post, when you can edit

All the best,

-HG

Last edited by HalosGhost (2013-07-08 17:46:03)


"All errors are ᴘᴇʙᴋᴀᴄ errors—It's just a matter of narrowing down which keyboard and chair." -Trilby

Offline

#45 2013-07-08 17:45:30

hasufell
Member
Registered: 2009-06-20
Posts: 38

Re: Sandfox - A Poor Man's Firefox Sandboxer

HalosGhost wrote:
hasufell wrote:

any1 got this to work with steam? It always crashes and gdb just tells me it doesn't find a directory (but not which one). Checked open files with lsof on non-chrooted steam and bind-mounted them all, did not help.

A few things here.

  1. You realize that this thread is old enough that the OP was last recommending people to add things to the daemons array?

  2. The whole thread is about sandboxing firefox—that's what the OP designed the script for—what led you to believe that this could be used for steam?

  3. We have an 'edit' function, there's no need to multi-post, when you can edit

All the best,

-HG

That does not answer any of my questions.

Offline
