[Desktop] Untrusted applications in jail

[lefink]

Hi All!

I'm using FreeBSD 11.0(now beta) on laptop.
I would like to isolate applications that have access to the Internet in a separate jail.
Xorg installed in base system.
Jailed applications connected to Xorg via unix socket in this way:

mount_nullfs /tmp/.X11-unix/ /usr/jails/jail1/mnt/
jexec -l jail1 ln -s /mnt/X0 /tmp/.X11-unix/X0

I do not know how much the correctly this decision.

Instead of browser I am using Chromium.

In addition to the devfs rules for jail

[devfsrules_unhide_jail=8]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login

I added for gpu (Intel HD Graphics) rendering:

add path dri unhide
add path 'dri/card0' unhide

and

add path 'dsp*' unhide

for sound

Chromium is running only by the user with UID=1666, added to the group 'video'

/etc/ipfw.conf guided by the rule "All that is not permitted is forbidden"
(allow only out HTTP/HTTPS, DNS for special user)

ipfw -q -f flush
pif="wlan0"
dns="192.168.1.1"
cmd="ipfw -q add"
ks="keep-state"
$cmd 1100 check-state
$cmd 1201 allow tcp from any to any 80 out via $pif setup $ks uid 1666
$cmd 1202 allow tcp from any to any 443 out via $pif setup $ks uid 1666
$cmd 1203 allow udp from any to $dns 53 out via $pif $ks uid 1666
$cmd 1999 deny all from any to any

To this work, I had to create a user with the same uid in the parent system:

cat /etc/master.passwd
...
wwwuser:*LOCKED**:1666:1666::0:0:User &:/nonexistent:/usr/sbin/nologin

I have a question.
Does the all of the above make sense? Or is it the imaginary security?

 

[SirDice]

Or is it the imaginary security?

This. As far as I know just X is already a major security headache. Then there's the issue with shared memory, access to devices, and a few more things that come to mind. In my opinion you're just adding a lot of complexity to gain little to no security benefits. And because it's complex there's a high likelyhood you're actually degrading your security instead of increasing it. In short, I wouldn't bother. Just make sure you're always using a 'regular' user account and keep your system up to date. That's pretty much all the security precautions you need to take.

 

[Oko]

Is tmp now encrypted by default on FreeBSD? I am guessing it is not because at least on my server installations there is a /root ZFS pool and /home (data) ZFS pool. In such a case running web browser is very dangerous because sniffing data from tmp is very easy. Setting good firewall would be the first step towards security not putting browser in the Jail.

 

[SirDice]

Is tmp now encrypted by default on FreeBSD?

Not that I know of. Even if it it was it won't help against sniffing data. The encryption will happen on disk level and when the OS is running the files are accessible. You can of course mount /tmp with noexec and/or nosuid set, that should stop some avenues of attack. As anything in /tmp is not expected to be 'permanent' you can also use tmpfs(5). And a lot of software respects/uses TMPDIR. You could point that to a directory within the user's home directory.

Come to think of it, a combination of everything is probably a good idea. Set TMPDIR to /home/${USER}/.tmp or something similar. And mount a tmpfs(5) on it with noexec,nosuid. If you're really paranoid, encrypt it. It probably doesn't have to be world writable, probably not even world or group readable. As the software will be running under the user's credentials, it can't create/edit files belonging to other users (including root) anyway.

Mount it when the user logs on, and unmount it (destroying its contents) when the user logs off.

 

[Oko]

Not that I know of. Even if it it was it won't help against sniffing data. The encryption will happen on disk level and when the OS is running the files are accessible. You can of course mount /tmp with noexec and/or nosuid set, that should stop some avenues of attack.

That is the default setup on OpenBSD which I use for a desktop. (Note this workstation at work runs Red Hat because I need MATLAB)

 

[Maxnix]

Hi All!

I'm using FreeBSD 11.0(now beta) on laptop.
I would like to isolate applications that have access to the Internet in a separate jail.
Xorg installed in base system.
Jailed applications connected to Xorg via unix socket in this way:

mount_nullfs /tmp/.X11-unix/ /usr/jails/jail1/mnt/
jexec -l jail1 ln -s /mnt/X0 /tmp/.X11-unix/X0

I do not know how much the correctly this decision.

Personally, I use the X11 forwarding capability of SSH for jailed graphical programs.
Making your X socket accessible from the jail seems a way to a let an hypothetical intruder to mess with the graphical programs of your host to me.
Also note that, since Xorg do not provide security between clients, you should run your browser in a nested server like x11-servers/xephyr or x11-servers/xnest.

Chromium is running only by the user with UID=1666, added to the group 'video'

/etc/ipfw.conf guided by the rule "All that is not permitted is forbidden"
(allow only out HTTP/HTTPS, DNS for special user)

ipfw -q -f flush
pif="wlan0"
dns="192.168.1.1"
cmd="ipfw -q add"
ks="keep-state"
$cmd 1100 check-state
$cmd 1201 allow tcp from any to any 80 out via $pif setup $ks uid 1666
$cmd 1202 allow tcp from any to any 443 out via $pif setup $ks uid 1666
$cmd 1203 allow udp from any to $dns 53 out via $pif $ks uid 1666
$cmd 1999 deny all from any to any

To this work, I had to create a user with the same uid in the parent system:

cat /etc/master.passwd
...
wwwuser:*LOCKED**:1666:1666::0:0:User &:/nonexistent:/usr/sbin/nologin

IMHO there are no reasons to use a different user from your regular one, since your corresponding jail user is already isolated.