David McGuffey
2012-Dec-07 02:05 UTC
[CentOS] Advanced Persistent Threats; Why aren't we confining Firefox and Evolution?
Most of the advanced persistent threats (APT) are initiated via e-mail. Opening an attachment or clicking on a web link starts the process.

Why isn't Firefox and Evolution confined with SELinux policy in a way that APT can't damage the rest of the system? Why are we not sandboxing these two apps with SELinux?

I've discovered some guidance for sandboxing Firefox using the 'sandbox' command. Once I test it a bit, I'll post the results back here. Seems to me that if this works, it should be the default.

DaveM
Daniel J Walsh
2012-Dec-07 11:49 UTC
[CentOS] Advanced Persistent Threats; Why aren't we confining Firefox and Evolution?
On 12/06/2012 09:05 PM, David McGuffey wrote:
> Most of the advanced persistent threats (APT) are initiated via e-mail.
> Opening an attachment or clicking on a web link starts the process.
>
> Why isn't Firefox and Evolution confined with SELinux policy in a way that
> APT can't damage the rest of the system? Why are we not sandboxing these
> two apps with SELinux?
>
> I've discovered some guidance for sandboxing Firefox using the 'sandbox'
> command. Once I test it a bit, I'll post the results back here. Seems to
> me that if this works, it should be the default.
>
> DaveM
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos

Very difficult to sandbox thunderbird and firefox. But sandbox tool actually works well for sandboxing viewers of downloaded data. I sandbox all content that will be viewed by evince and libreoffice.
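The practice Dan Walsh describes above, opening downloaded documents in evince or libreoffice under the SELinux `sandbox` tool instead of directly, as an added example script that is not from this thread or from the policycoreutils project. The `sandbox -X`, `-t sandbox_x_t` and `-i` flags are documented in sandbox(8); the viewer table, the `SANDBOX_DRY_RUN` switch and the assumption that the file lives under `$HOME` are this script's own.

```shell
#!/bin/sh
# Added example: open a downloaded document inside an SELinux sandbox using the
# sandbox(8) tool from policycoreutils-sandbox, rather than handing it straight
# to the desktop's default viewer. The viewer table and SANDBOX_DRY_RUN are this
# script's own conventions, not part of the sandbox tool.

# Map a file to the one viewer allowed to render it; anything else is refused
# rather than passed to whatever application the desktop would pick.
viewer_for() {
    case "${1##*.}" in
        pdf|PDF|ps|djvu)                         echo evince ;;
        odt|ods|odp|doc|docx|xls|xlsx|ppt|pptx)  echo libreoffice ;;
        *) return 1 ;;
    esac
}

# Turn a possibly relative path into an absolute one (POSIX sh has no realpath).
abspath() {
    case "$1" in
        /*) printf '%s\n' "$1" ;;
        *)  printf '%s\n' "$PWD/$1" ;;
    esac
}

# Build the sandbox command line for one file.
#   -X              private X server (Xephyr) with a throw-away $HOME and /tmp
#   -t sandbox_x_t  sandbox type with X access but no network
#   -i FILE         copy FILE into the throw-away home, which is mounted over the
#                   real $HOME, so the same absolute path resolves inside
#                   (assumes FILE is somewhere under $HOME)
sandbox_cmd() {
    file=$(abspath "$1")
    viewer=$(viewer_for "$file") || { echo "refusing unknown file type: $file" >&2; return 1; }
    printf '%s\n' "sandbox -X -t sandbox_x_t -i $file $viewer $file"
}

# Run (or, with SANDBOX_DRY_RUN set, only print) the sandboxed viewer.
sandbox_open() {
    file=$(abspath "$1")
    viewer=$(viewer_for "$file") || return 1
    set -- sandbox -X -t sandbox_x_t -i "$file" "$viewer" "$file"
    if [ -n "$SANDBOX_DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}
```

Wiring `sandbox_open` in as the handler for downloaded PDFs and office documents keeps a malicious attachment confined to a throw-away home and X session rather than the user's real one.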
Rob Townley
2012-Dec-07 22:05 UTC
[CentOS] Advanced Persistent Threats; Why aren't we confining Firefox and Evolution?
Let us know how it goes. I thought I followed one of Daniel Walsh's blog posts to sandbox firefox and don't remember it being that bad, but that was well over a year ago. Since he maintained selinux for RedHat for a number of years, ... he probably knows what he is talking about. He was always on top of selinux reported bugs.

You may want to check out Qubes-OS. Qubes-OS is based on Fedora by the creator of bluepill guestOS to hypervisor code.

On Thu, Dec 6, 2012 at 8:05 PM, David McGuffey <davidmcguffey at verizon.net> wrote:
> Most of the advanced persistent threats (APT) are initiated via e-mail.
> Opening an attachment or clicking on a web link starts the process.
>
> Why isn't Firefox and Evolution confined with SELinux policy in a way
> that APT can't damage the rest of the system? Why are we not sandboxing
> these two apps with SELinux?
>
> I've discovered some guidance for sandboxing Firefox using the 'sandbox'
> command. Once I test it a bit, I'll post the results back here. Seems
> to me that if this works, it should be the default.
>
> DaveM
Gordon Messmer
2012-Dec-07 23:49 UTC
[CentOS] Advanced Persistent Threats; Why aren't we confining Firefox and Evolution?
On 12/06/2012 06:05 PM, David McGuffey wrote:
> Why isn't Firefox and Evolution confined with SELinux policy in a way
> that APT can't damage the rest of the system? Why are we not sandboxing
> these two apps with SELinux?

Probably mostly because when you sandbox an X11 application, you can't copy and paste in or out of the application. Most users want to do that.