[tuto][security][browser] Here's how to properly operate the sandbox in chromium (and chromium based too)!

Posted: Fri Dec 06, 2019 9:19 am
by K-mik@Z
WARNING:

A trick is given everywhere on the web: set kernel.unprivileged_userns_clone = 1.
https://brave-browser.readthedocs.io/en ... html#linux
https://github.com/brave/brave-browser/ ... -permalink

DO NOT SET kernel.unprivileged_userns_clone = 1. NEVER.

Enabling unprivileged user namespaces opens up severe vulnerabilities in the Linux kernel. If you did not intend to enable it, you should ensure it is disabled. Numerous vulnerabilities that are found regularly are often only exploitable if unprivileged user namespaces are supported and enabled by the kernel.
It also BREAKS "Ptrace Protection with Yama LSM (Non-broker)" in chrome://sandbox.

Copy and paste this into your terminal:

cat /etc/sysctl.d/*.conf /etc/sysctl.conf | sudo sysctl -e -p -

If you see a line containing kernel.unprivileged_userns_clone = 1, please remove it, for security reasons.
(Search in these files: /etc/sysctl.d/*.conf, /etc/sysctl.conf)


THE BEST WAY:

Copy and paste this into your terminal:

sudo tee /etc/sysctl.d/10-securized-yama-scope.conf <<EOF
# resolve chrome://sandbox/ errors:
# sudo setcap cap_sys_ptrace=eip /usr/bin/chromium
kernel.yama.ptrace_scope = 1
EOF

sudo setcap cap_sys_ptrace=eip /usr/bin/chromium

Load the configuration stored in a specific file:

sudo sysctl --load /etc/sysctl.d/10-securized-yama-scope.conf
Or load the system-wide configuration:

sudo sysctl --system

NOW, WATCH THE MAGIC:

Close and re-open chromium.
Copy and paste (in the address bar):

chrome://sandbox
Tadam! You are now adequately sandboxed. :wink:


INFO:
The Nouveau driver together with the `--ignore-gpu-blacklist` command-line flag causes chrome://gpu to show "Sandboxed | false" in the "Driver Information" section.

READ:
https://linux-audit.com/protect-ptrace- ... ace_scope/
https://blog.sleeplessbeastie.eu/2019/0 ... iguration/
https://chromium.googlesource.com/chrom ... sandbox.md
https://www.andreasch.com/2018/01/13/capabilities/
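
Added example (not from the original post or any of its participants): a small POSIX shell audit that parses /etc/sysctl.d/*.conf and /etc/sysctl.conf like the grep above does, but reports the effective value and the file that sets it, so a stray kernel.unprivileged_userns_clone = 1 is found even when it is written with slashes or overridden by a later file. It assumes the simplified load order "sysctl.d sorted by name, then sysctl.conf, last assignment wins", and the function names (effective_sysctl, audit_userns, make_sample_tree) and the sample tree are mine, constructed so the audit can be tried without touching the real files.

```shell
#!/bin/sh
# Added audit helper (not from the original post): report the effective value of a
# sysctl key across /etc/sysctl.d/*.conf (sorted by name) and then /etc/sysctl.conf,
# the last assignment winning. Simplification (assumption): the /run and /usr/lib
# sysctl.d directories are not consulted. A second argument selects another root.

effective_sysctl() {
    # $1 = key in dotted or slash form, $2 = alternative root directory (default: /)
    key=$(printf '%s' "$1" | tr '/' '.')
    root=${2:-}
    for f in "$root"/etc/sysctl.d/*.conf "$root"/etc/sysctl.conf; do
        [ -r "$f" ] || continue
        # drop comments (# or ;), normalise "key = value" to "key value", trim trailing blanks
        sed -e 's/[#;].*$//' -e 's/[[:space:]]*=[[:space:]]*/ /' -e 's/[[:space:]]*$//' "$f" |
        while read -r k v; do
            [ -n "$k" ] || continue
            if [ "$(printf '%s' "$k" | tr '/' '.')" = "$key" ]; then
                printf '%s\t%s\n' "$v" "$f"      # value <TAB> file that set it
            fi
        done
    done | tail -n 1
}

audit_userns() {
    # Return 1 and name the offending file when some config file leaves
    # kernel.unprivileged_userns_clone = 1 in effect; return 0 otherwise.
    hit=$(effective_sysctl kernel.unprivileged_userns_clone "$1")
    if [ "$(printf '%s' "$hit" | cut -f1)" = "1" ]; then
        printf 'kernel.unprivileged_userns_clone = 1 is set in %s, remove that line\n' \
            "$(printf '%s' "$hit" | cut -f2)" >&2
        return 1
    fi
    return 0
}

make_sample_tree() {
    # Constructed sample tree (not a real system) mimicking the files named in this thread.
    d=$(mktemp -d)
    mkdir -p "$d/etc/sysctl.d"
    printf 'kernel.unprivileged_userns_clone = 1\n' > "$d/etc/sysctl.d/00-local-userns.conf"
    printf '# resolve chrome://sandbox/ errors\nkernel.yama.ptrace_scope = 1\n' \
        > "$d/etc/sysctl.d/10-securized-yama-scope.conf"
    printf '# kernel.unprivileged_userns_clone = 1  (commented out, must be ignored)\n' \
        > "$d/etc/sysctl.conf"
    printf 'net.ipv4.ip_forward = 0\n' >> "$d/etc/sysctl.conf"
    printf '%s\n' "$d"
}
```

Run `audit_userns ""` to check the live /etc, or `audit_userns "$(make_sample_tree)"` to see it flag the constructed 00-local-userns.conf.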

Re: Here's how to properly operate the sandbox in chromium!

Posted: Fri Dec 06, 2019 9:37 am
by andyprough
Couldn't you just

firejail chromium
??

Just wondering. This how-to looks intriguing, but I'd rather have the functionality of firejail to sandbox numerous apps.

Edit: Sorry, I forgot this is dealing with the whole problem of chromium not starting because of the sandbox issue. Never mind - this is not an issue for firejail I guess.

Re: Here's how to properly operate the sandbox in chromium!

Posted: Fri Dec 06, 2019 10:02 am
by K-mik@Z
andyprough wrote: Fri Dec 06, 2019 9:37 am Couldn't you just

firejail chromium
??

Just wondering. This how-to looks intriguing, but I'd rather have the functionality of firejail to sandbox numerous apps.

Edit: Sorry, I forgot this is dealing with the whole problem of chromium not starting because of the sandbox issue. Never mind - this is not an issue for firejail I guess.
Just to clarify a bit more: (from https://github.com/netblue30/firejail/i ... -303374786)

1- For the things that Chromium and friends sandbox, there is actually marginally better security than Firejail provides. This is because each renderer, plugin, and extension (the bits that matter) is in its own private sandbox. So, for example, some arbitrary extension X can't interfere with plugin Y unless explicit permission is granted for it to do so. This is done so that it's much harder to fully hijack a browser or effect phishing attacks.

2- For Chromium as a whole, the sandboxing is worse than what Firejail provides by default, since Firejail better isolates things from the rest of the system, as it doesn't sandbox certain components that can be used to access the rest of the system.


I'm using firejail too; this does not preclude good sandboxing.

BIN=chromium; firejail --dns=2606:4700:4700::1111 --dns=2606:4700:4700::1001 --dns=1.1.1.1 --dns=1.0.0.1 --profile=$BIN-browser --name=$BIN --join-or-start=$BIN chromium
Sorry for my English (I'm French).
I hope my remarks are clear.

Re: Here's how to properly operate the sandbox in chromium!

Posted: Fri Dec 06, 2019 10:04 am
by andyprough
Very interesting!! Thank you very much.

Re: Here's how to properly operate the sandbox in chromium!

Posted: Fri Dec 06, 2019 10:05 am
by K-mik@Z
andyprough wrote: Fri Dec 06, 2019 9:37 am Edit: Sorry, I forgot this is dealing with the whole problem of chromium not starting because of the sandbox issue. Never mind - this is not an issue for firejail I guess.
In general, it's best to use the firejail profile as it is, because using --no-sandbox and adding seccomp to the firejail profile actually reduces the internal security of the browser.

Re: Here's how to properly operate the sandbox in chromium!

Posted: Fri Dec 06, 2019 10:24 am
by andyprough
K-mik@Z wrote: Fri Dec 06, 2019 10:02 am I'm using firejail too, this does not preclude good sandboxing.

BIN=chromium; firejail --dns=2606:4700:4700::1111 --dns=2606:4700:4700::1001 --dns=1.1.1.1 --dns=1.0.0.1 --profile=$BIN-browser --name=$BIN --join-or-start=$BIN chromium
If you get time, and it's not too much trouble to do in English (or French is fine, I can use a translator) - could you give a description of what you are doing with this command? What are the four different DNS servers that you are pointing to here? They look like they are all Cloudflare related. Are Cloudflare's the safest DNS servers? I'm not familiar with Cloudflare DNS servers - what are your criteria for choosing these four?

Re: Here's how to properly operate the sandbox in chromium!

Posted: Fri Dec 06, 2019 10:39 am
by K-mik@Z
andyprough wrote: Fri Dec 06, 2019 10:24 am If you get time, and it's not too much trouble to do in English (or French is fine, I can use a translator) - could you give a description of what you are doing with this command? What are the four different dns servers that you are pointing to here? They look like they are all Cloudflare related. Is Cloudflare the safest dns servers? I'm not familiar with Cloudflare dns servers
What is 1.1.1.1?
1.1.1.1 is a public DNS resolver that makes DNS queries faster and more secure.

My cmd `BIN=chromium; firejail --dns=2606:4700:4700::1111 --dns=2606:4700:4700::1001 --dns=1.1.1.1 --dns=1.0.0.1 --profile=$BIN-browser --name=$BIN --join-or-start=$BIN chromium` is for the temporary launch of chrome with the cloudflare DNS (bypassing those built into the browser).
andyprough wrote: Fri Dec 06, 2019 10:24 am what is your criteria for choosing these four?
It's for illustration.

You can choose other DNS resolvers here (ones that respect privacy and DNSSEC):
https://dnscrypt.info/public-servers/

And test here:
https://www.dnsleaktest.com


You can even install a local DNS server and encrypt queries (with DNSCrypt).

I will try to write a tutorial on DNS if I find a moment.

DNS was not designed with security in mind, and there are many types of attacks created to exploit vulnerabilities in the DNS system.

Changing your DNS servers is always a good idea, as it:
  • Improves your Internet speed and page load-time
  • Stabilizes your connection
  • Provides greater online security and privacy
  • Removes geo-restrictions
READ:
https://securitytrails.com/blog/most-po ... ns-attacks

Re: Here's how to properly operate the sandbox in chromium!

Posted: Fri Dec 06, 2019 4:09 pm
by Stevo
Seems to be OK on the Liquorix kernel without any tweaks necessary:

Sandbox Status
Layer 1 Sandbox	Namespace
PID namespaces	Yes
Network namespaces	Yes
Seccomp-BPF sandbox	Yes
Seccomp-BPF sandbox supports TSYNC	Yes
Ptrace Protection with Yama LSM (Broker)	Yes
Ptrace Protection with Yama LSM (Non-broker)	No
You are adequately sandboxed.

Re: Here's how to properly operate the sandbox in chromium!

Posted: Sat Dec 07, 2019 4:17 am
by K-mik@Z
Stevo wrote: Fri Dec 06, 2019 4:09 pm Seems to be OK on the Liquorix kernel without any tweaks necessary:

Sandbox Status
Layer 1 Sandbox	Namespace
PID namespaces	Yes
Network namespaces	Yes
Seccomp-BPF sandbox	Yes
Seccomp-BPF sandbox supports TSYNC	Yes
Ptrace Protection with Yama LSM (Broker)	Yes
Ptrace Protection with Yama LSM (Non-broker)	No
You are adequately sandboxed.
Not for "Ptrace Protection with Yama LSM (Non-broker)", which shows No.

You can do:

sudo setcap cap_sys_ptrace=eip /usr/bin/chromium
EXPLANATION:

CAP_SYS_PTRACE - Allows tracing processes
There are 3 modes for Capabilities:
  • e: Effective - This indicates that the capability is "activated."
  • p: Permitted - This indicates that the capability can be used.
  • i: Inherited - This indicates that the capability is inherited by child elements/subprocesses and defines which capabilities stay permitted across an exec().
READ
https://www.andreasch.com/2018/01/13/capabilities/

Re: Here's how to properly operate the sandbox in chromium!

Posted: Sat Dec 07, 2019 9:37 am
by Buck Fankers
K-mik@Z wrote: Fri Dec 06, 2019 9:19 am A trick is given everywhere on the web: set kernel.unprivileged_userns_clone = 1.

DO NOT SET kernel.unprivileged_userns_clone = 1. NEVER.

Copy and paste this into your terminal:

cat /etc/sysctl.d/*.conf /etc/sysctl.conf | sudo sysctl -e -p -

If you see a line containing kernel.unprivileged_userns_clone = 1, please remove it, for security reasons.
(Search in these files: /etc/sysctl.d/*.conf, /etc/sysctl.conf)
I had it, since I used that trick/fix that was once posted. I only had one entry, in /etc/sysctl.d/00-local-userns.conf
Thanks for sharing, I wouldn't have a clue where to look for it!

Re: Here's how to properly operate the sandbox in chromium!

Posted: Sat Dec 07, 2019 5:01 pm
by K-mik@Z
Buck Fankers wrote: Sat Dec 07, 2019 9:37 am Thanks for sharing, I wouldn't have a clue where to look for it!
Just for fun:

grep -H 'kernel.yama.ptrace_scope' /etc/sysctl.{c*,d/*}
returns:
/etc/sysctl.d/10-securized-yama-scope.conf:kernel.yama.ptrace_scope = 1

(complete file path + ":" + parameter = value)

then:

grep -H 'kernel.unprivileged_userns_clone' /etc/sysctl.{c*,d/*}
can give you the config file (/etc/sysctl.conf or one of /etc/sysctl.d/*.conf) and the parameters (if they exist).

Re: Here's how to properly operate the sandbox in chromium (and chromium based too)!

Posted: Sat Dec 07, 2019 5:03 pm
by K-mik@Z
oops, double post, bad handling, sorry

Re: Here's how to properly operate the sandbox in chromium!

Posted: Sat Dec 07, 2019 6:41 pm
by Buck Fankers
K-mik@Z wrote: Sat Dec 07, 2019 5:01 pm

grep -H 'kernel.unprivileged_userns_clone' /etc/sysctl.{c*,d/*}
can give you the config file (/etc/sysctl.conf or one of /etc/sysctl.d/*.conf) and the parameters (if they exist).
Nice!

I've been planning for a while to learn some basic bash/grep commands, and your example nicely demonstrates their power. Oh, and the syntax is simple too, even for me! It also reinforces the thought that I shouldn't delay this to-do task much longer :wink:
Thank you!