danwalsh


Dan Walsh's Blog

Got SELinux?


Previous Entry Share Next Entry
How do I use sandbox -X
danwalsh
A couple of days ago I blogged about a cool new feature in Fedora 12 called sandbox -X.

Today I want to write about how I can use it within Firefox.

You should not trust any data that I download from the internet.  Even trustworthy sites have been hacked with acroread vulnerabilities.

How do you setup firefox to run sandbox -X evince on pdf files?

My first attempt failed.  Firefox does not allow you to specify a full command string to run downloaded content in, I needed to create a simple shell script.

cat ~/bin/sandboxevince
#!/bin/sh
/usr/bin/sandbox -X evince "$@"


When you create this, remember to

chmod +x ~/bin/sandboxevince

In Firefox:

  • Select the Edit->Preferences menu item, which brings up the "Firefox Preferences" dialog.

  • Select "Applications" and entered pdf into the search dialog.  This brought up evince as the default.

  • Select  the "use evince" menu and select other.

  • Select ~/bin/sandboxevince

  • Save


Now I go to my favorite site,  and select a presentation

sandbox -X evince runs great !!!

You can go back and change all your acroread settings to use sandboxevince.

You can do the same for OpenOffice

cat ~/bin/sandboxooffice
#!/bin/sh
/usr/bin/sandbox -X ooffice "$@"

chmod +x ~/bin/sandboxooffice


I searched for doc and changed that to use sandboxooffice

I did notice that some extensions were not in the list.  I had to go to a page with a odf file on it and tell firefox to  use sandboxooffice for this type for now on.

BTW,   Firefox leaks open file descriptors like a sieve, so I will need to add dontaudit policy to cover these up. Firefox developers know about the leaks but say "they can not do much about the leaks,  since plugins get added with leaks all the time."

Now I can feel a little safer as I browse the web.

It would be really great if firefox gave the ability to run all helper apps within a single command.

Now off to do the same with thunderbird.

Please explain how I would do this?

If you run xdg-open on a file it will open it with whatever the default app is (according to gconf). If you sandbox xdg-open you'll only have to do it once instead of for each file type.

(I think)

Well I don't want to sandbox every app. I want the user to be able to run firefox outside of the sandbox. I just want the content that it downloads to be run within the sandbox, so it can not get the "filter" programs to do evil.

BTW the content is till downloaded and available on the users disk to run with the filters external to the sandbox.

Now if you are saying that firefox running xdg_oben could some how be hacked to run helper apps with the sandbox, that might be interesting, same with Thunderbird or any other web browser or mail reader that launches helpers on downloaded data.

That's precisely the point

eraeee

2009-10-06 11:45 am (UTC)

That's precisely what he is saying. Instead of "sandbox acroread", "sandbox openoffice", "sandbox whatever" you create a single "sandbox xdg-open" script and it will run the (sandboxed) default application for the relevant content type.

Because of the way Firefox sets up these things, this is less attractive than it seems, because you will need to set up separate sandbox commands for many hard-coded (or at least default-installed) content types. Perhaps the list of "known" content types could be pruned so you only need one instance of the sandbox command.

See also http://portland.freedesktop.org/xdg-utils-1.0/xdg-open.html

xdg-open exits immediatly which causes the sandbox a problem

danwalsh

2009-10-06 08:07 pm (UTC)

Sandbox will exit when the app it is running exits.

Is there a way to get xdg-open to not exit but wait for the app that it is starting to exit?

You are viewing danwalsh