Hi,
I was using firefox within sandboxes for a while without perm. home directory. To store bookmarks, addons and so on, I started to use perm. homedir (-H).
Because firefox does not allow multiple concurrent sessions (lock on .mozilla) it is not possible to open multiple websites when specifying the same sandbox homedir, hence I'm looking for a possibility to open new websites within a running sandbox from outside.
Without sandboxes everyone can open new websites in a running firefox instance using: firefox -remote "openurl(http://www.mozilla.org)"
sandbox scenario: 1. step: start firefox: sandbox -X -H homedir -T tempdir -t sandbox_web_t -l s0:c100,c100 firefox
2. step: sandbox -H homedir -T tempdir -t sandbox_web_t -l s0:c100,c100 firefox -remote "openurl(http://www.mozilla.org)"
My current attempts fail because I'm unable use the '-l' option (#632377) but would the policy allow the 'firefox -remote' command if type and security level matches with the already running sandbox?
kind regards, Christoph
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 09/12/2010 08:54 AM, Christoph A. wrote:
Hi,
I was using firefox within sandboxes for a while without perm. home directory. To store bookmarks, addons and so on, I started to use perm. homedir (-H).
Because firefox does not allow multiple concurrent sessions (lock on .mozilla) it is not possible to open multiple websites when specifying the same sandbox homedir, hence I'm looking for a possibility to open new websites within a running sandbox from outside.
Without sandboxes everyone can open new websites in a running firefox instance using: firefox -remote "openurl(http://www.mozilla.org)"
sandbox scenario:
- step:
start firefox: sandbox -X -H homedir -T tempdir -t sandbox_web_t -l s0:c100,c100 firefox
- step:
sandbox -H homedir -T tempdir -t sandbox_web_t -l s0:c100,c100 firefox -remote "openurl(http://www.mozilla.org)"
My current attempts fail because I'm unable use the '-l' option (#632377) but would the policy allow the 'firefox -remote' command if type and security level matches with the already running sandbox?
kind regards, Christoph
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
I have gotten this to work, but it is not pretty.
I created a file in homedir called firefox.sh
It looks like
cat homedir/firefox.sh #!/bin/sh DISPLAY=:1.0 /usr/bin/firefox -remote "openurl($1)"
Then
sandbox -H ~/sandbox/homedir -T ~/sandbox/tempdir -t sandbox_web_t -l s0:c100 /bin/sh ~/firefox.sh http://www.redhat.com
Seems to work.
The key thing is figuring out the DISPLAY.
A possible solution would be to change the /usr/share/sandbox/sandboxX.sh To the attached.
Which creates a ~/seremote application within homedir that looks like
#!/bin/sh -x DISPLAY=:1 $*
:1 will be different for each additional sandbox.
Then you could execute
sandbox -H ~/sandbox/homedir -T ~/sandbox/tempdir -t sandbox_web_t -l s0:c100 /bin/sh ~/seremote firefox -remote "openurl(http://www.redhat.com)"
And it will work.
I will have to make policy changes to allow
sandbox -H ~/sandbox/homedir -T ~/sandbox/tempdir -t sandbox_web_t -l s0:c100 ~/seremote firefox -remote "openurl(http://www.redhat.com)"
to work.
On 09/13/2010 06:54 PM, Daniel J Walsh wrote:
On 09/12/2010 08:54 AM, Christoph A. wrote:
Hi,
I was using firefox within sandboxes for a while without perm. home directory. To store bookmarks, addons and so on, I started to use perm. homedir (-H).
Because firefox does not allow multiple concurrent sessions (lock on .mozilla) it is not possible to open multiple websites when specifying the same sandbox homedir, hence I'm looking for a possibility to open new websites within a running sandbox from outside.
Without sandboxes everyone can open new websites in a running firefox instance using: firefox -remote "openurl(http://www.mozilla.org)"
sandbox scenario:
- step:
start firefox: sandbox -X -H homedir -T tempdir -t sandbox_web_t -l s0:c100,c100 firefox
- step:
sandbox -H homedir -T tempdir -t sandbox_web_t -l s0:c100,c100 firefox -remote "openurl(http://www.mozilla.org)"
My current attempts fail because I'm unable use the '-l' option (#632377) but would the policy allow the 'firefox -remote' command if type and security level matches with the already running sandbox?
kind regards, Christoph
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
I have gotten this to work, but it is not pretty.
I created a file in homedir called firefox.sh
It looks like
cat homedir/firefox.sh #!/bin/sh DISPLAY=:1.0 /usr/bin/firefox -remote "openurl($1)"
Then
sandbox -H ~/sandbox/homedir -T ~/sandbox/tempdir -t sandbox_web_t -l s0:c100 /bin/sh ~/firefox.sh http://www.redhat.com
Seems to work.
The key thing is figuring out the DISPLAY.
A possible solution would be to change the /usr/share/sandbox/sandboxX.sh To the attached.
Which creates a ~/seremote application within homedir that looks like
#!/bin/sh -x DISPLAY=:1 $*
:1 will be different for each additional sandbox.
Then you could execute
sandbox -H ~/sandbox/homedir -T ~/sandbox/tempdir -t sandbox_web_t -l s0:c100 /bin/sh ~/seremote firefox -remote "openurl(http://www.redhat.com)"
And it will work.
I will have to make policy changes to allow
sandbox -H ~/sandbox/homedir -T ~/sandbox/tempdir -t sandbox_web_t -l s0:c100 ~/seremote firefox -remote "openurl(http://www.redhat.com)"
to work.
Great! Let me know when these policy changes are available in FC13.
This hole method of opening new urls in an existing sandbox will absolutely kill the argument '..but opening websites in sandboxes takes way more time then without sandbox' :)
thanks, Christoph
On 09/12/2010 02:54 PM, Christoph A. wrote:
Hi,
I was using firefox within sandboxes for a while without perm. home directory. To store bookmarks, addons and so on, I started to use perm. homedir (-H).
Because firefox does not allow multiple concurrent sessions (lock on .mozilla) it is not possible to open multiple websites when specifying the same sandbox homedir, hence I'm looking for a possibility to open new websites within a running sandbox from outside.
Without sandboxes everyone can open new websites in a running firefox instance using: firefox -remote "openurl(http://www.mozilla.org)"
sandbox scenario:
- step:
start firefox: sandbox -X -H homedir -T tempdir -t sandbox_web_t -l s0:c100,c100 firefox
- step:
sandbox -H homedir -T tempdir -t sandbox_web_t -l s0:c100,c100 firefox -remote "openurl(http://www.mozilla.org)"
My current attempts fail because I'm unable use the '-l' option (#632377) but would the policy allow the 'firefox -remote' command if type and security level matches with the already running sandbox?
For the record:
Josh posted a while ago a simple method for opening a new tab in an existing sandbox: http://www.bress.net/blog/archives/195-Firefox-in-a-sandbox-with-Fedora.html
best regards, Christoph A. PS: nice to see someone else using ones submission (-w) :)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 04/15/2011 09:08 AM, Christoph A. wrote:
On 09/12/2010 02:54 PM, Christoph A. wrote:
Hi,
I was using firefox within sandboxes for a while without perm. home directory. To store bookmarks, addons and so on, I started to use perm. homedir (-H).
Because firefox does not allow multiple concurrent sessions (lock on .mozilla) it is not possible to open multiple websites when specifying the same sandbox homedir, hence I'm looking for a possibility to open new websites within a running sandbox from outside.
Without sandboxes everyone can open new websites in a running firefox instance using: firefox -remote "openurl(http://www.mozilla.org)"
sandbox scenario:
- step:
start firefox: sandbox -X -H homedir -T tempdir -t sandbox_web_t -l s0:c100,c100 firefox
- step:
sandbox -H homedir -T tempdir -t sandbox_web_t -l s0:c100,c100 firefox -remote "openurl(http://www.mozilla.org)"
My current attempts fail because I'm unable use the '-l' option (#632377) but would the policy allow the 'firefox -remote' command if type and security level matches with the already running sandbox?
For the record:
Josh posted a while ago a simple method for opening a new tab in an existing sandbox: http://www.bress.net/blog/archives/195-Firefox-in-a-sandbox-with-Fedora.html
best regards, Christoph A. PS: nice to see someone else using ones submission (-w) :)
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
I am trying to come up with a way to make this easier. Maybe allow an admin to specify a name of a sandbox, That would listen for connections.
There is a command seremote in the ~/ of each sandbox.
cat /tmp/.sandbox_home_DqoOT7/seremote #!/bin/sh DISPLAY=:2 "$@"
Then an external application can can seremote to have it connect to the local Xserver, governed by SELinux. This could be used for launching other tabs. Or other apps. I guess a better solution would be to change seremote to also launch the app with the correct label.
Maybe this should look like
cat /tmp/.sandbox_home_DqoOT7/seremote #!/bin/sh DISPLAY=:2 rucon SANDBOXCONTEXT -- "$@"
The ultimate solution would be to get it to use seunshare also so the launched app would run in the same environment that the sandbox is in.
Then we could enhance sandbox so you could have multiple sessions running and a controlling app could launch applications within any of the sandboxes.
I am fooling around with gui app that might be useful here.
selinux@lists.fedoraproject.org