Hi All!
I'm using FreeBSD 11.0 (now beta) on a laptop.
I would like to isolate applications that have access to the Internet in a separate jail.
Xorg is installed in the base system.
Jailed applications connect to Xorg via a unix socket in this way:
Code:
# expose the host's X11 socket directory inside the jail, then link the display socket where clients expect it
mount_nullfs /tmp/.X11-unix/ /usr/jails/jail1/mnt/
jexec -l jail1 ln -s /mnt/X0 /tmp/.X11-unix/X0
I do not know how correct this decision is.
As a browser I am using Chromium.
In addition to the devfs rules for the jail
Code:
[devfsrules_unhide_jail=8]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
I added, for GPU (Intel HD Graphics) rendering:
Code:
add path dri unhide
add path 'dri/card0' unhide
and for sound:
Code:
add path 'dsp*' unhide
Chromium is run only by the user with UID=1666, who is added to the group 'video'.
/etc/ipfw.conf follows the rule "All that is not permitted is forbidden"
(allow only outbound HTTP/HTTPS and DNS for the special user):
Code:
ipfw -q -f flush
pif="wlan0"
dns="192.168.1.1"
cmd="ipfw -q add"
ks="keep-state"
# match packets that belong to existing dynamic (stateful) rules first
$cmd 1100 check-state
# outbound HTTP/HTTPS/DNS only for uid 1666; replies come back through the dynamic rule
$cmd 1201 allow tcp from any to any 80 out via $pif setup $ks uid 1666
$cmd 1202 allow tcp from any to any 443 out via $pif setup $ks uid 1666
$cmd 1203 allow udp from any to $dns 53 out via $pif $ks uid 1666
# everything else is dropped
$cmd 1999 deny all from any to any
For this to work, I had to create a user with the same uid in the parent system:
Code:
cat /etc/master.passwd
...
wwwuser:*LOCKED**:1666:1666::0:0:User &:/nonexistent:/usr/sbin/nologin
I have a question.
Does all of the above make sense? Or is it imaginary security?
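One way to check that the ipfw policy described above really behaves as intended, as an added example that is not part of the original post: the POSIX sh script below connects out from inside the jail as the permitted user and as an unrelated user, and compares each result with what the ruleset should do. It assumes (these are assumptions, not facts from the post) that the jail is named jail1, that the host users wwwuser (uid 1666) and nobody exist with the same uids inside the jail, that nc(1) and drill(1) are available in the jail, that it is run as root on the host, and the target address is a constructed placeholder. It only exercises the network side: the X11 socket shared into the jail makes the jailed browser an ordinary client of the same display, and neither devfs nor ipfw rules restrict what an X client can do with that display.

```sh
#!/bin/sh
# check_jail_egress.sh -- added example, not from the original post.
# Verifies from inside the jail that only the permitted user can reach
# HTTP/HTTPS and DNS, and that other ports and other users are blocked.
# Assumptions (hypothetical names): jail "jail1", host users "wwwuser"
# (uid 1666) and "nobody" also present in the jail, nc(1) and drill(1)
# inside the jail. Must be run as root on the host (jexec needs it).

JAIL=${JAIL:-jail1}
ALLOWED_USER=${ALLOWED_USER:-wwwuser}
OTHER_USER=${OTHER_USER:-nobody}
TARGET=${TARGET:-203.0.113.10}     # constructed placeholder; use any reachable web host
DNS=${DNS:-192.168.1.1}            # the resolver permitted by rule 1203

# verdict EXPECT STATUS: EXPECT is "open" or "blocked", STATUS is the exit
# status of the probe (0 = connection succeeded). Prints PASS or FAIL.
# A "deny" rule drops packets, so a blocked probe ends in a timeout (non-zero).
verdict() {
    case "$1:$2" in
        open:0 | blocked:[1-9]*) echo PASS ;;
        *) echo FAIL ;;
    esac
}

# probe USER PROTO PORT: one connection attempt from inside the jail as USER.
# TCP uses nc -z with a 3 second timeout; udp/53 asks the resolver via drill(1).
probe() {
    case "$2" in
        udp) jexec -u "$1" "$JAIL" drill example.com "@$DNS" A >/dev/null 2>&1 ;;
        *)   jexec -u "$1" "$JAIL" nc -z -w 3 "$TARGET" "$3" >/dev/null 2>&1 ;;
    esac
}

# run_checks: walk a table of (user proto port expectation) and return the
# number of mismatches between the expectation and what the firewall did.
run_checks() {
    fails=0
    for spec in \
        "$ALLOWED_USER tcp 80 open" \
        "$ALLOWED_USER tcp 443 open" \
        "$ALLOWED_USER udp 53 open" \
        "$ALLOWED_USER tcp 22 blocked" \
        "$OTHER_USER tcp 443 blocked" \
        "$OTHER_USER udp 53 blocked"; do
        set -- $spec
        probe "$1" "$2" "$3"
        rc=$?
        v=$(verdict "$4" "$rc")
        printf '%s  %-8s %s/%-4s expected %s\n' "$v" "$1" "$2" "$3" "$4"
        [ "$v" = PASS ] || fails=$((fails + 1))
    done
    return $fails
}

# Run the checks only when executed directly, so the functions can also be
# sourced by other scripts without side effects.
case "$0" in *check_jail_egress.sh) run_checks ;; esac
```

Run it as root on the host (`sh check_jail_egress.sh`); a non-zero exit status means at least one probe did not match the policy. If the "blocked" rows for the second user show PASS only because nc is missing from the jail (exit 127), install it there first: the script treats any non-zero status as blocked, so a missing binary would hide a hole.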