Users can remove basic privileges from applications by using extended privilege policy. The policy prevents access to directories that the applications should not access.
This example illustrates how users can run the Firefox browser in a protected environment. In this configuration, the user's Documents directory is hidden from Firefox.
By using the following command, the user removes basic privileges from the /usr/bin/firefox command. The extended privilege arguments to the ppriv -r command limit the browser to reading and writing in only the directories that the user specifies. The –e option and its arguments open the browser with the extended privilege policy.
$ ppriv -r "\
{file_read}:/dev/*,\
{file_read}:/etc/*,\
{file_read}:/lib/*,\
{file_read}:/usr/*,\
{file_read}:/var/*,\
{file_read}:/proc,\
{file_read}:/proc/*,\
{file_read}:/system/volatile/*,\
{file_write}:$HOME,\
{file_read}:$HOME/.*,\
{file_read,file_write}:$HOME/.mozill*,\
{file_read,file_write}:$HOME/.gnome*,\
{file_read,file_write}:$HOME/Downloa*,\
{file_read,file_write}:/tmp,\
{file_read,file_write}:/tmp/*,\
{file_read,file_write}:/var/tmp,\
{file_read,file_write}:/var/tmp/*,\
{proc_exec}:/usr/*\
" -e /usr/bin/firefox file:///$HOME/Desktop
When the file_read and file_write privileges are used in an extended policy, you must grant explicit access to every file that should be read or written. The use of the wildcard character, *, is essential in such policies.
To handle automounted home directories, the user would add an explicit entry for the automount path, for example:
{file_read,file_write}:/export/home/$USER
If the site is not using the automount facility, the initial list of protected directories is sufficient.
Users can automate this command-line protected browser by creating a shell script. Then, to launch a browser, the user calls the script, not the /usr/bin/firefox command.
Example 40 Protecting Directories on Your System From Application ProcessesIn this example, a regular user creates a sandbox for applications by using a shell script wrapper. The first part of the script limits applications to certain directories. Exceptions, such as Firefox, are handled later in the script. Comments about parts of the script follow the script.
1 #!/bin/bash
2
3 # Using bash because ksh misinterprets extended policy syntax
4
5 PATH=/usr/bin:/usr/sbin:/usr/gnu/bin
6
7 DENY=file_read,file_write,proc_exec,proc_info
8
9 SANDBOX="\
10 {file_read}:/dev/*,\
11 {file_read}:/etc/*,\
12 {file_read}:/lib/*,\
13 {file_read,file_write}:/usr/*,\
14 {file_read}:/proc,\
15 {file_read,file_write}:/proc/*,\
16 {file_read}:/system/volatile/*,\
17 {file_read,file_write}:/tmp,\
18 {file_read,file_write}:/tmp/*,\
19 {file_read,file_write}:/var/*,\
20 {file_write}:$HOME,\
21 {file_read}:$HOME/.*,\
22 {file_read,file_write}:$PWD,\
23 {file_read,file_write}:$PWD/*,\
24 {proc_exec}:/usr/*\
25 "
26
27 # Default program is restricted bash shell
28
29 if [[ ! -n $1 ]]; then
30 program="/usr/bin/bash --login --noprofile
--restricted"
31 else
32 program="$@"
33 fi
34
35
36 # Firefox needs more file and network access
37 if [[ "$program" =~ firefox ]]; then
38 SANDBOX+=",\
39 {file_read,file_write}:$HOME/.gnome*,\
40 {file_read,file_write}:$HOME/.mozill*,\
41 {file_read,file_write}:$HOME/.dbu*,\
42 {file_read,file_write}:$HOME/.puls*\
43 "
44
45 else
46 DENY+=",net_access"
47 fi
48
49 echo Starting $program in sandbox
50 ppriv -s I-$DENY -r $SANDBOX -De $program
The policy can be adjusted to permit specific applications more or less access. One adjustment is in lines 38-42, where Firefox is granted write access to several dot files that maintain session information in the user's home directory. Also, Firefox is not subject to line 46, which removes network access. However, Firefox is still restricted from reading arbitrary files in the user's home directory, and can save files only in its current directory.
As an extra level of protection, the default program, at line 30, is a restricted Bash shell. A restricted shell cannot change its current directory or execute the user's dot files. Therefore, any commands that are started from this shell are similarly locked into the sandbox.
In the final line of the script the ppriv command is passed two privilege sets as shell variables, $DENY and $SANDBOX.
The first set, $DENY, prevents the process from reading or writing any file, executing any subprocess, observing other user's processes, and (conditionally) accessing the network. These restrictions are too severe, so in the second set, $SANDBOX, the policy is refined by enumerating the directories which are available for reading, writing, and executing.
Also, in line 50 the debug option, –D, is specified. Access failures display in the terminal window in real time and include the named object and the corresponding privilege that is required for success. This debugging information can help the user customize the policy for other applications.