[tuto][security][browser] Here's how to properly operate the sandbox in chromium (and chromium based too)!

K-mik@Z
Posts: 17
Joined: Sat May 19, 2018 10:08 am

[tuto][security][browser] Here's how to properly operate the sandbox in chromium (and chromium based too)!

#1 Post by K-mik@Z »

(before >> after screenshots not preserved)
WARNING:

A trick is given everywhere on the web: set kernel.unprivileged_userns_clone = 1.
https://brave-browser.readthedocs.io/en ... html#linux
https://github.com/brave/brave-browser/ ... -permalink

DO NOT SET kernel.unprivileged_userns_clone = 1. NEVER.

Enabling unprivileged user namespaces opens up severe vulnerabilities in the Linux kernel. If you did not intend to enable it, you should ensure it is disabled. Numerous vulnerabilities that are found regularly are often only exploitable if unprivileged user namespaces are supported and enabled by the kernel.
It also BREAKS "Ptrace Protection with Yama LSM (Non-broker)" in chrome://sandbox.

Copy and paste this into your terminal:

Code:

cat /etc/sysctl.d/*.conf /etc/sysctl.conf | sudo sysctl -e -p -
If you see a line containing kernel.unprivileged_userns_clone = 1, please remove it, for security reasons.
(Search in those files: /etc/sysctl.d/*.conf, /etc/sysctl.conf)


THE BEST WAY:

Copy and paste this into your terminal:

Code:

sudo tee /etc/sysctl.d/10-securized-yama-scope.conf <<EOF
# resolve chrome://sandbox/ errors:
# sudo setcap cap_sys_ptrace=eip /usr/bin/chromium
kernel.yama.ptrace_scope = 1
EOF

Code:

sudo setcap cap_sys_ptrace=eip /usr/bin/chromium

Load configuration stored in specific file:

Code:

sudo sysctl --load /etc/sysctl.d/10-securized-yama-scope.conf
Or load the system-wide configuration:

Code:

sudo sysctl --system

NOW, WATCH THE MAGIC:

Close and re-open chromium.
Copy and paste (in the address bar):

Code:

chrome://sandbox
Tadam ! You are now adequately sandboxed. :wink:


INFO:
The Nouveau driver combined with the `--ignore-gpu-blacklist` command-line flag causes chrome://gpu to show "Sandboxed | false" in the "Driver Information" section.

READ:
https://linux-audit.com/protect-ptrace- ... ace_scope/
https://blog.sleeplessbeastie.eu/2019/0 ... iguration/
https://chromium.googlesource.com/chrom ... sandbox.md
https://www.andreasch.com/2018/01/13/capabilities/
Last edited by K-mik@Z on Tue Dec 24, 2019 6:33 am, edited 5 times in total.
My tutorials
Sorry by advance for my english, I'm french.
"They didn't know it was impossible, so they did it." - Mark Twain
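The check described in the post above (look through /etc/sysctl.d/*.conf and /etc/sysctl.conf for kernel.unprivileged_userns_clone = 1) is easy to get wrong by eye when several files set the same key, because the last assignment wins. The POSIX shell script below is an added example, not K-mik@Z's code: it parses the sysctl.conf format, reports the value that would actually take effect and the file that set it, and checks kernel.yama.ptrace_scope at the same time. It assumes the files are passed in the order sysctl --system applies them (lexical order of /etc/sysctl.d/*.conf, then /etc/sysctl.conf) and that file paths contain no spaces; the two config files built in main() are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): audit sysctl config files for the two
# knobs discussed above. Files are read in the order given, which should be
# the order sysctl --system applies them; a later assignment overrides an
# earlier one, exactly as the kernel would end up seeing it.

# Print "VALUE FILE" for the last assignment of KEY in the given files, or
# nothing if no file sets it. Handles "key = value" and "key=value", lines
# starting with '#' or ';' as comments, the optional leading '-' (the
# "ignore errors" marker) and the a/b/c spelling of a.b.c.
# Assumption: file paths contain no spaces.
effective_sysctl() {
    key="$1"; shift
    [ $# -gt 0 ] || return 0
    awk -v want="$key" '
        /^[ \t]*[#;]/ { next }                 # comment line
        /^[ \t]*$/    { next }                 # blank line
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            sub(/^-/, "", k)                   # "-key" means ignore errors
            gsub(/\//, ".", k)                 # sysctl accepts a/b as a.b
            if (k == want) { val = v; src = FILENAME }
        }
        END { if (src != "") print val, src }
    ' "$@"
}

# Value of KEY on the running kernel, or nothing if the knob is absent
# (kernel.unprivileged_userns_clone is a Debian/Ubuntu kernel patch and does
# not exist on mainline kernels).
live_sysctl() {
    f="/proc/sys/$(printf '%s' "$1" | tr . /)"
    [ -r "$f" ] && cat "$f"
    return 0
}

# Report on both settings. Returns 1 if the config would enable unprivileged
# user namespaces or set ptrace_scope to 0, else 0.
audit_sysctl_files() {
    rc=0
    out=$(effective_sysctl kernel.unprivileged_userns_clone "$@")
    case "${out%% *}" in
        "") echo "ok:   kernel.unprivileged_userns_clone not set in config" ;;
        1)  echo "WARN: kernel.unprivileged_userns_clone = 1 in ${out#* }"; rc=1 ;;
        *)  echo "ok:   kernel.unprivileged_userns_clone = ${out%% *} (${out#* })" ;;
    esac
    out=$(effective_sysctl kernel.yama.ptrace_scope "$@")
    case "${out%% *}" in
        "") echo "note: kernel.yama.ptrace_scope not set in config" ;;
        0)  echo "WARN: kernel.yama.ptrace_scope = 0 in ${out#* }"; rc=1 ;;
        *)  echo "ok:   kernel.yama.ptrace_scope = ${out%% *} (${out#* })" ;;
    esac
    return $rc
}

# On a real system:  audit_sysctl_files /etc/sysctl.d/*.conf /etc/sysctl.conf
# Here the script runs on two constructed files so it can be tried anywhere.
main() {
    d=$(mktemp -d)
    printf 'kernel.unprivileged_userns_clone = 1\n' > "$d/00-local-userns.conf"
    printf '# hardening\nkernel.yama.ptrace_scope = 1\n' > "$d/10-securized-yama-scope.conf"
    audit_sysctl_files "$d"/*.conf || echo "=> fix needed: remove the userns line from $d/00-local-userns.conf"
    echo "live: kernel.yama.ptrace_scope=$(live_sysctl kernel.yama.ptrace_scope)"
    rm -rf "$d"
}
main
```

Run it as root (or with read access to the config files) with the real paths to see which file set each value; the 00-local-userns.conf name used in the constructed sample is the one Buck Fankers reports later in this thread.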

andyprough
MX Packager
Posts: 918
Joined: Tue Jul 23, 2019 10:16 pm

Re: Here's how to properly operate the sandbox in chromium!

#2 Post by andyprough »

Couldn't you just

Code:

firejail chromium
??

Just wondering. This how-to looks intriguing, but I'd rather have the functionality of firejail to sandbox numerous apps.

Edit: Sorry, I forgot this is dealing with the whole problem of chromium not starting because of the sandbox issue. Never mind - this is not an issue for firejail I guess.
Primary Computer - Commodore 64: Processor - MOS 6510/8500, 1.023MHz; Memory - 64kb RAM, 20kB ROM - 8k BASIC V2, 8k Kernel, 4k Character ROM; Display output - 320x200, 16 colours; OS - BASIC V2.0; Weight: 1.8kg

K-mik@Z
Posts: 17
Joined: Sat May 19, 2018 10:08 am

Re: Here's how to properly operate the sandbox in chromium!

#3 Post by K-mik@Z »

andyprough wrote: Fri Dec 06, 2019 9:37 am Couldn't you just

Code:

firejail chromium
??

Just wondering. This how-to looks intriguing, but I'd rather have the functionality of firejail to sandbox numerous apps.

Edit: Sorry, I forgot this is dealing with the whole problem of chromium not starting because of the sandbox issue. Never mind - this is not an issue for firejail I guess.
Just to clarify a bit more: (from https://github.com/netblue30/firejail/i ... -303374786)

1- For the things that Chromium and friends sandbox, there is actually marginally better security than Firejail provides. This is because each renderer, plugin, and extension (the bits that matter) is in its own private sandbox. So, for example, some arbitrary extension X can't interfere with plugin Y unless explicit permission is granted for it to do so. This is done so that it's much harder to fully hijack a browser or effect phishing attacks.

2- For Chromium as a whole, the sandboxing is worse than what Firejail provides by default, since Firejail better isolates things from the rest of the system, as it doesn't sandbox certain components that can be used to access the rest of the system.


I'm using firejail too, this does not preclude good sandboxing.

Code:

BIN=chromium; firejail --dns=2606:4700:4700::1111 --dns=2606:4700:4700::1001 --dns=1.1.1.1 --dns=1.0.0.1 --profile=$BIN-browser --name=$BIN --join-or-start=$BIN chromium
Sorry for my English (I'm French).
I hope I am being clear in my remarks.
Last edited by K-mik@Z on Fri Dec 06, 2019 10:10 am, edited 1 time in total.

andyprough
MX Packager
Posts: 918
Joined: Tue Jul 23, 2019 10:16 pm

Re: Here's how to properly operate the sandbox in chromium!

#4 Post by andyprough »

Very interesting!! Thank you very much.

K-mik@Z
Posts: 17
Joined: Sat May 19, 2018 10:08 am

Re: Here's how to properly operate the sandbox in chromium!

#5 Post by K-mik@Z »

andyprough wrote: Fri Dec 06, 2019 9:37 am Edit: Sorry, I forgot this is dealing with the whole problem of chromium not starting because of the sandbox issue. Never mind - this is not an issue for firejail I guess.
In general, it's best to use the firejail profile as it is, because using -no-sandbox and adding seccomp to the firejail profile actually reduces the internal security of the browser.

andyprough
MX Packager
Posts: 918
Joined: Tue Jul 23, 2019 10:16 pm

Re: Here's how to properly operate the sandbox in chromium!

#6 Post by andyprough »

K-mik@Z wrote: Fri Dec 06, 2019 10:02 am I'm using firejail too, this does not preclude good sandboxing.

Code:

BIN=chromium; firejail --dns=2606:4700:4700::1111 --dns=2606:4700:4700::1001 --dns=1.1.1.1 --dns=1.0.0.1 --profile=$BIN-browser --name=$BIN --join-or-start=$BIN chromium
If you get time, and it's not too much trouble to do in English (or French is fine, I can use a translator) - could you give a description of what you are doing with this command? What are the four different dns servers that you are pointing to here? They look like they are all Cloudflare related. Is Cloudflare the safest dns servers? I'm not familiar with Cloudflare dns servers - what is your criteria for choosing these four?

K-mik@Z
Posts: 17
Joined: Sat May 19, 2018 10:08 am

Re: Here's how to properly operate the sandbox in chromium!

#7 Post by K-mik@Z »

andyprough wrote: Fri Dec 06, 2019 10:24 am If you get time, and it's not too much trouble to do in English (or French is fine, I can use a translator) - could you give a description of what you are doing with this command? What are the four different dns servers that you are pointing to here? They look like they are all Cloudflare related. Is Cloudflare the safest dns servers? I'm not familiar with Cloudflare dns servers
What is 1.1.1.1?
1.1.1.1 is a public DNS resolver that makes DNS queries faster and more secure.

My cmd `BIN=chromium; firejail --dns=2606:4700:4700::1111 --dns=2606:4700:4700::1001 --dns=1.1.1.1 --dns=1.0.0.1 --profile=$BIN-browser --name=$BIN --join-or-start=$BIN chromium` is for the temporary launch of chrome with the cloudflare DNS (bypassing those built into the browser).
andyprough wrote: Fri Dec 06, 2019 10:24 am what is your criteria for choosing these four?
It's for illustration.

You can choose other DNS resolvers here (ones that respect privacy and DNSSEC).
https://dnscrypt.info/public-servers/

And test here:
https://www.dnsleaktest.com


You could even install a local DNS server and encrypt (with DNSCrypt).

I'll try to do a tutorial on DNS if I find a moment.

DNS was not designed with security in mind, and there are many types of attacks created to exploit vulnerabilities in the DNS system.

Changing your DNS servers is always a good idea, as it:
  • Improves your Internet speed and page load-time
  • Stabilizes your connection
  • Provides greater online security and privacy
  • Removes geo-restrictions
READ:
https://securitytrails.com/blog/most-po ... ns-attacks

Stevo
Developer
Posts: 14452
Joined: Fri Dec 15, 2006 7:07 pm

Re: Here's how to properly operate the sandbox in chromium!

#8 Post by Stevo »

Seems to be OK on the Liquorix kernel without any tweaks necessary:

Code:

Sandbox Status
Layer 1 Sandbox	Namespace
PID namespaces	Yes
Network namespaces	Yes
Seccomp-BPF sandbox	Yes
Seccomp-BPF sandbox supports TSYNC	Yes
Ptrace Protection with Yama LSM (Broker)	Yes
Ptrace Protection with Yama LSM (Non-broker)	No
You are adequately sandboxed.

K-mik@Z
Posts: 17
Joined: Sat May 19, 2018 10:08 am

Re: Here's how to properly operate the sandbox in chromium!

#9 Post by K-mik@Z »

Stevo wrote: Fri Dec 06, 2019 4:09 pm Seems to be OK on the Liquorix kernel without any tweaks necessary:

Code:

Sandbox Status
Layer 1 Sandbox	Namespace
PID namespaces	Yes
Network namespaces	Yes
Seccomp-BPF sandbox	Yes
Seccomp-BPF sandbox supports TSYNC	Yes
Ptrace Protection with Yama LSM (Broker)	Yes
Ptrace Protection with Yama LSM (Non-broker)	No
You are adequately sandboxed.
Not for "Ptrace Protection with Yama LSM (Non-broker): No".

You can do:

Code:

sudo setcap cap_sys_ptrace=eip /usr/bin/chromium
EXPLANATION:

CAP_SYS_PTRACE - Allows tracing processes
There are 3 modes for Capabilities:
  • e: Effective - This indicates that the capability is "activated."
  • p: Permitted - This indicates that the capability can be used.
  • i: Inherited - This indicates that the capability is inherited by child elements/subprocesses and defines which capabilities stay permitted across an exec().
READ
https://www.andreasch.com/2018/01/13/capabilities/
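Two things in posts #8 and #9 are worth being able to check mechanically rather than by eye: which chrome://sandbox layers report "No", and exactly which of the e/p/i flags a file capability such as cap_sys_ptrace=eip really carries (getcap output can combine several clauses, and CAP_SYS_PTRACE is the capability that, under kernel.yama.ptrace_scope = 1, lets a process attach to processes that are not its descendants, so it deserves precise verification). The POSIX shell script below is an added example, not code from the thread or from libcap: cap_flags() implements the clause grammar of cap_from_text(3) ('=', '+', '-' and the "all" keyword) for one named capability, missing_sandbox_layers() parses the status table pasted above, and report_ptrace_setup() ties them to a real binary via getcap if it is installed. The status table fed to it in main() is a constructed sample copied from Stevo's paste; /usr/bin/chromium is assumed to be the browser path.

```shell
#!/bin/sh
# Added example (not from the thread): decode libcap capability text such as
# the cap_sys_ptrace=eip given to setcap above, and list the chrome://sandbox
# layers that report "No".

# Print the flags (in libcap's e,i,p output order) that CAPNAME ends up with
# after applying every clause of TEXT. Each whitespace-separated clause is a
# comma-separated name list followed by one or more of '=' (clear the named
# caps from all sets, then raise in the listed sets), '+' (raise) or '-'
# (lower), each followed by a subset of "eip". An empty name list or "all"
# matches every capability. Prints an empty line if no flag is set.
cap_flags() {
    printf '%s\n' "$1" | awk -v want="$2" '
    {
        n = split($0, clause, /[ \t]+/)
        for (c = 1; c <= n; c++) {
            if (clause[c] == "" || !match(clause[c], /[=+-]/)) continue
            names = substr(clause[c], 1, RSTART - 1)
            rest  = substr(clause[c], RSTART)
            hit = (names == "" || names == "all")
            m = split(names, list, ",")
            for (j = 1; j <= m && !hit; j++) if (list[j] == want) hit = 1
            if (!hit) continue
            op = "+"
            for (k = 1; k <= length(rest); k++) {
                ch = substr(rest, k, 1)
                if (ch == "=" || ch == "+" || ch == "-") {
                    op = ch
                    if (ch == "=") { e = 0; i = 0; p = 0 }
                } else if (ch == "e" || ch == "i" || ch == "p") {
                    v = (op == "-") ? 0 : 1
                    if (ch == "e") e = v; else if (ch == "i") i = v; else p = v
                }
            }
        }
    }
    END { printf "%s%s%s\n", (e ? "e" : ""), (i ? "i" : ""), (p ? "p" : "") }'
}

# Read a chrome://sandbox "Sandbox Status" table on stdin (one "layer <tab or
# spaces> Yes/No" per line) and print the names of layers reported "No".
# Returns 1 if any layer is missing, 0 otherwise.
missing_sandbox_layers() {
    awk 'NF >= 2 && $NF == "No" { sub(/[ \t]+No[ \t]*$/, ""); print; n++ }
         END { exit (n ? 1 : 0) }'
}

# Inspect a binary the way post #9 suggests: the cap_sys_ptrace flags of its
# file capability and the live Yama ptrace_scope. Accepts both getcap output
# styles ("path = caps" and "path caps"); assumes the path has no spaces.
report_ptrace_setup() {
    bin="$1"
    if command -v getcap >/dev/null 2>&1; then
        text=$(getcap "$bin" 2>/dev/null | sed 's/^[^ ]* *=* *//')
        flags=$(cap_flags "$text" cap_sys_ptrace)
        case "$flags" in
            "")  echo "$bin: no cap_sys_ptrace file capability" ;;
            eip) echo "$bin: cap_sys_ptrace=eip (effective, inheritable, permitted)" ;;
            *)   echo "$bin: cap_sys_ptrace flags: $flags" ;;
        esac
    else
        echo "getcap not installed; cannot read file capabilities of $bin"
    fi
    if [ -r /proc/sys/kernel/yama/ptrace_scope ]; then
        echo "kernel.yama.ptrace_scope = $(cat /proc/sys/kernel/yama/ptrace_scope)"
    else
        echo "Yama LSM not available on this kernel"
    fi
}

main() {
    echo "Layers reported No (constructed sample taken from the thread):"
    printf '%s\t%s\n' 'PID namespaces' Yes 'Network namespaces' Yes \
        'Seccomp-BPF sandbox' Yes 'Seccomp-BPF sandbox supports TSYNC' Yes \
        'Ptrace Protection with Yama LSM (Broker)' Yes \
        'Ptrace Protection with Yama LSM (Non-broker)' No \
        | missing_sandbox_layers || echo "=> at least one layer is missing"
    echo "cap_sys_ptrace=eip decodes to: $(cap_flags 'cap_sys_ptrace=eip' cap_sys_ptrace)"
    report_ptrace_setup /usr/bin/chromium   # assumed browser path
}
main
```

On a live system you can paste the chrome://sandbox table into missing_sandbox_layers on stdin; getcap comes from the libcap tools package on Debian-based systems such as MX.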

Buck Fankers
Posts: 767
Joined: Sat Mar 10, 2018 8:06 pm

Re: Here's how to properly operate the sandbox in chromium!

#10 Post by Buck Fankers »

K-mik@Z wrote: Fri Dec 06, 2019 9:19 am A trick is given everywhere on the web, set kernel.unprivileged_userns_clone = 1.

DO NOT SET kernel.unprivileged_userns_clone = 1. NEVER.

Copy and paste this into your terminal:

Code:

cat /etc/sysctl.d/*.conf /etc/sysctl.conf | sudo sysctl -e -p -
If you see a line contains kernel.unprivileged_userns_clone = 1, please remove it, for security reason.
( Search in those file /etc/sysctl.d/*.conf, /etc/sysctl.conf )
I had it, since I used that trick/fix once posted. I only had one entry in: /etc/sysctl.d/00-local-userns.conf
Thanks for sharing, I wouldn't have a clue where to look for it!
