Scheduled Maintenance: We are aware of an issue with Google, AOL, and Yahoo services as email providers which are blocking new registrations. We are trying to fix the issue and we have several internal and external support tickets in process to resolve the issue. Please see: viewtopic.php?t=158230
Sandboxing on Debian
Sandboxing on Debian
Hi.
I'm about to install Debian, after doing some research I saw it was the best.
But I still need to know one thing!
Is there a kind of technology which does sandboxing on Debian?
I want something like QubesOS, but with a smaller 'impact' on my system.
Example:
I have some documents who need to stay secret. But I also need to be able to use the internet.
So I want two sandboxes.
One to work on the project and that sandbox shouldn't have internet access; nor should other processes on my system be able to view or modifier them.
And a second sandbox to use Firefox. So that if my browser gets exploited or I download malware my system isn't compromised and my special docs in the other sandbox not for sure.
I already looked it up and found things like SELinux, but that's only for applications. Not for files.
Thanks!
I'm about to install Debian, after doing some research I saw it was the best.
But I still need to know one thing!
Is there a kind of technology which does sandboxing on Debian?
I want something like QubesOS, but with a smaller 'impact' on my system.
Example:
I have some documents who need to stay secret. But I also need to be able to use the internet.
So I want two sandboxes.
One to work on the project and that sandbox shouldn't have internet access; nor should other processes on my system be able to view or modifier them.
And a second sandbox to use Firefox. So that if my browser gets exploited or I download malware my system isn't compromised and my special docs in the other sandbox not for sure.
I already looked it up and found things like SELinux, but that's only for applications. Not for files.
Thanks!
- Head_on_a_Stick
- Posts: 14114
- Joined: 2014-06-01 17:46
- Location: London, England
- Has thanked: 81 times
- Been thanked: 133 times
Re: Sandboxing on Debian
For Firefox:
https://packages.debian.org/jessie-backports/firejail
For your "project" system, use an encrypted filesystem tree as a container.
https://packages.debian.org/jessie-backports/firejail
For your "project" system, use an encrypted filesystem tree as a container.
deadbang
Re: Sandboxing on Debian
Thanks for your reply.Head_on_a_Stick wrote:For Firefox:
https://packages.debian.org/jessie-backports/firejail
For your "project" system, use an encrypted filesystem tree as a container.
But when I decrypt that filesystem to edit the files myself,
would than malware or whatever not be able to read those files since they're decrypted?
Or when someone who controls my PC with malware can keylog the key for the encrypted files?
I'd actually need an encrypted sandbox filesystem.
Edit:
What about Mbox?
https://pdos.csail.mit.edu/archive/mbox/
Last edited by O'Niel on 2017-01-14 21:48, edited 1 time in total.
- Head_on_a_Stick
- Posts: 14114
- Joined: 2014-06-01 17:46
- Location: London, England
- Has thanked: 81 times
- Been thanked: 133 times
Re: Sandboxing on Debian
Only if the malware has the privileges needed to view the non-encrypted filesystem.O'Niel wrote:But when I decrypt that filesystem to edit the files myself,
would than malware or whatever not be able to read those files since they're decrypted?
Convention would place containers under /var/lib/machines and this is *not* readable by normal users
deadbang
Re: Sandboxing on Debian
Okay thanks a lot!
But that filesystem tree, should that really be a separated filesystem, or just another tree (directory) in Dolphin which I'll encrypt.
And is there a possibility to make Firefox run in Firejail by default?
But that filesystem tree, should that really be a separated filesystem, or just another tree (directory) in Dolphin which I'll encrypt.
And is there a possibility to make Firefox run in Firejail by default?
- Head_on_a_Stick
- Posts: 14114
- Joined: 2014-06-01 17:46
- Location: London, England
- Has thanked: 81 times
- Been thanked: 133 times
Re: Sandboxing on Debian
I'm not sure, to be honest, I was just floating some suggestions, that's allO'Niel wrote:But that filesystem tree, should that really be a separated filesystem, or just another tree (directory) in Dolphin which I'll encrypt.
I use https://forums.bunsenlabs.org/viewtopic ... 355#p42355is there a possibility to make Firefox run in Firejail by default?
deadbang
Re: Sandboxing on Debian
Your hypotheticals aren't nearly paranoid enough...O'Niel wrote:But when I decrypt that filesystem to edit the files myself,
would than malware or whatever not be able to read those files since they're decrypted?
Or when someone who controls my PC with malware can keylog the key for the encrypted files?
I'd actually need an encrypted sandbox filesystem.
"What if" your HDD is compromised at the firmware level?
"What if" your CPU is undetectably compromised?
"What if" your USB ports are rigged with a built-in keylogger?
None of these is fantasy. Every single one is an existing, credible threat.
Last edited by dasein on 2017-01-15 03:05, edited 1 time in total.
Re: Sandboxing on Debian
And thanks for the Firejail suggestion.
But is it really secure? I tried to keylog myself when using Firefox with Firejail and it worked.
But is it really secure? I tried to keylog myself when using Firefox with Firejail and it worked.
- Head_on_a_Stick
- Posts: 14114
- Joined: 2014-06-01 17:46
- Location: London, England
- Has thanked: 81 times
- Been thanked: 133 times
Re: Sandboxing on Debian
Not really, the X server itself is fundamentally insecure; as is Wayland.O'Niel wrote:But is it really secure?
Also, what dasein said
deadbang
- Head_on_a_Stick
- Posts: 14114
- Joined: 2014-06-01 17:46
- Location: London, England
- Has thanked: 81 times
- Been thanked: 133 times
Re: Sandboxing on Debian
Your question is far too vague
Perhaps spend some time reading through http://www.cvedetails.com/product/3264/ ... dor_id=452?
EDIT: and https://firejail.wordpress.com/
Perhaps spend some time reading through http://www.cvedetails.com/product/3264/ ... dor_id=452?
EDIT: and https://firejail.wordpress.com/
deadbang
- GarryRicketson
- Posts: 5644
- Joined: 2015-01-20 22:16
- Location: Durango, Mexico
Re: Sandboxing on Debian
The best way to avoid getting malware via your browser is to not visit the sites that
distribute the mal ware,... Do you need or want intructions on how to do that ?
There is a lot of information on that if you search,...most of them are known and listed.
Data that needs to be really secure, and is important to keep "secret" or secure, should not be kept on a cumputer that goes on line,....especially one being used to browse the sites that distribute malware.
I do not understand why you would want to download mal ware, and that kind of garbage, unless you are some kind of pervert , or running
some sort of "honey pot", and need to down load data to test it for mal-ware, etc.
You could still connect to interenet on the separate computer, if and when need be, just don't use it for downloading your porn, and garbage, mal-ware etc.
This is redicules, I don't know why I am even responding.. Good night,
distribute the mal ware,... Do you need or want intructions on how to do that ?
There is a lot of information on that if you search,...most of them are known and listed.
Data that needs to be really secure, and is important to keep "secret" or secure, should not be kept on a cumputer that goes on line,....especially one being used to browse the sites that distribute malware.
That is just plain foolish to use the same computer , to browse porn-sites and other crap sites known to distribute male -ware and garbage.Example:
I have some documents who need to stay secret.
I do not understand why you would want to download mal ware, and that kind of garbage, unless you are some kind of pervert , or running
some sort of "honey pot", and need to down load data to test it for mal-ware, etc.
You could still connect to interenet on the separate computer, if and when need be, just don't use it for downloading your porn, and garbage, mal-ware etc.
This is redicules, I don't know why I am even responding.. Good night,
Re: Sandboxing on Debian
Mdr you almost killed me.
It's not that I'll be downloading malware on purpose.
But advertisements, drive-by exploits, DNS-spoofing to malicious websites,... can all get you malware while you're browsing at MF google.com.
So 'not visiting websites who distribute malware' is not really a valid advice, because you can't know which do and which not.
I'm only asking for something like SELinux sandbox (on which I can't find anything), or Firejail, and something like that for a filesystem.
@HeadOnAStick:
Thanks for the links.
It's not that I'll be downloading malware on purpose.
But advertisements, drive-by exploits, DNS-spoofing to malicious websites,... can all get you malware while you're browsing at MF google.com.
So 'not visiting websites who distribute malware' is not really a valid advice, because you can't know which do and which not.
I'm only asking for something like SELinux sandbox (on which I can't find anything), or Firejail, and something like that for a filesystem.
@HeadOnAStick:
Thanks for the links.