Changes between Version 13 and Version 14 of doc/TorBrowser/SmartOS_Sandboxing


Timestamp:
Mar 16, 2016, 12:02:08 PM (3 years ago)
Author:
dawuud
Comment:

--

  • doc/TorBrowser/SmartOS_Sandboxing

    v13 v14  
    346346
    347347
    348 === onion vnc server ===
     348== onion vnc server ==
    349349
    350350This zone will run the noVNC http server which acts as a VNC client.
     
    445445}}}
    446446
     447Save this URL... we'll need it later after we've configured our VNC server.
     448
     449
     450== setup Tor zone that TBB will use ==
     451
     452create the tor zone
     453
     454lx-client-tor.json:
     455{{{
     456{
     457  "alias": "lx-client-tor",
     458  "brand": "lx",
     459  "kernel_version": "3.13.0",
     460  "max_physical_memory": 300,
     461  "quota": 10,
     462  "image_uuid": "445d04f4-cad6-11e5-a1a0-9f6c0ce02707",
     463  "resolvers": ["8.8.8.8","8.8.4.4"],
     464  "nics": [
     465    {
     466      "nic_tag": "switch0",
     467      "ip": "10.0.0.12",
     468      "netmask": "255.255.255.0",
     469      "gateway": "10.0.0.1"
     470    }
     471  ]
     472}
     473}}}
     474
     475{{{
     476vmadm create -f lx-client-tor.json
     477}}}
     478
     479login and install tor
     480
     481{{{
     482  zlogin <UUID>
     483  apt-get update; update upgrade;
     484  apt-get install tor
     485}}}
     486
     487configure tor to listen on our LAN IPv4 address.
     488list our interface addresses
     489{{{
     490  # ip a
     491  1: lo: <LOOPBACK,MULTICAST,UP> mtu 8232
     492    link/loopback 00:00:00:00:00:00
     493    inet 127.0.0.1/8 scope host dynamic
     494    inet6 ::1/128 scope host dynamic
     495  2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qlen 1
     496    link/ether f2:93:94:f4:a4:40
     497    inet 10.0.0.12/24 scope site dynamic
     498    inet6 fe80::f093:94ff:fef4:a440/10 scope link dynamic
     499}}}
     500
     501then add the following line to ``/etc/tor/torrc``
     502{{{
     503SocksPort 10.0.0.12:9050
     504}}}
     505
     506
     507
     508== setup Tor Browser zone ==
     509
     510Actually, this zone could be used to sandbox any Linux or Solaris binaries.
     511
     512In this zone we'll run vnc4server along with the tor browser.
     513This is so that tbb will simply be able to use the X server provided
     514locally by vnc4server via the '''DISPLAY''' environment variable.
     515
     516firstly we create the native linux zone, we login and upgrade
     517
     518lx-tbb-tor.json:
     519{{{
     520{
     521  "alias": "lx-tbb",
     522  "brand": "lx",
     523  "kernel_version": "3.13.0",
     524  "max_physical_memory": 1024,
     525  "quota": 10,
     526  "image_uuid": "445d04f4-cad6-11e5-a1a0-9f6c0ce02707",
     527  "resolvers": ["8.8.8.8","8.8.4.4"],
     528  "nics": [
     529    {
     530      "nic_tag": "switch0",
     531      "ip": "10.0.0.13",
     532      "netmask": "255.255.255.0",
     533      "gateway": "10.0.0.1"
     534    }
     535  ]
     536}
     537}}}
     538
     539{{{
     540  vmadm create -f lx-tbb-tor.json
     541  zlogin <UUID>
     542  apt-get update; apt-get upgrade;
     543}}}
     544
     545setup vnc4server. first we install some dependencies
     546{{{
     547  apt-get install binutils libasound-dev libgtk2.0-dev libgtk-3-dev vnc4server fluxbox xterm
     548}}}
     549
     550set a vnc password
     551{{{
     552  vnc4passwd
     553}}}
     554
     555start the vnc server
     556{{{
     557  vnc4server :1
     558}}}
     559
     560here's my netstat output
     561{{{
     562  human@lx-tbb:~/tor-browser_en-US$ netstat -tlpn
     563  (Not all processes could be identified, non-owned process info
     564   will not be shown, you would have to be root to see it all.)
     565  Active Internet connections (only servers)
     566  Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
     567  tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -               
     568  tcp        0      0 0.0.0.0:6001            0.0.0.0:*               LISTEN      16503/Xvnc4     
     569  tcp6       0      0 :::22                   :::*                    LISTEN      -               
     570  tcp6       0      0 :::5901                 :::*                    LISTEN      16503/Xvnc4     
     571}}}
     572
     573 
     574setup tor browser with dtrace.
     575using the above information, the tor Socks address and port we can now configure our
     576tbb to use that tor instead of the default launched tor.
     577
     578login to the tbb zone and start tbb!
     579{{{
     580  zlogin -l human <UUID>
     581  TOR_SOCKS_HOST=10.0.0.12 TOR_SOCKS_PORT=9050 TOR_SKIP_LAUNCH=1 DISPLAY=:1 LX_DTRACE=1 ./start-tor-browser.desktop
     582}}}
     583
     584
     585=== firewall the tor browser zone ===
     586
     587the tor browser zone should not be able to access the Internet directly.
     588it should only be able to access another zone's socks port where tor is running.
     589therefore we login to the firewall zone and add a firewall rule to block
     590the tbb zone's access to the Internet.
     591
     592add these lines to ``/etc/ipf/ipf.conf``
     593{{{
     594  block out from 10.0.0.13/32
     595  block in from 10.0.0.13/32
     596}}}
     597
     598then activate the rules like this
     599{{{
     600  ipf -Fa -f /etc/ipf/ipf.conf
     601}}}
     602
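Review bot: the ipf rules at new lines 594-595 are incomplete as written. ipf's rule grammar takes `from <src>` and `to <dst>` as a pair, so `block out from 10.0.0.13/32` and `block in from 10.0.0.13/32` should read `block in quick from 10.0.0.13/32 to any` and `block out quick from 10.0.0.13/32 to any`; `quick` matters because ipf applies the last matching rule, so without it any later `pass` rule in the same file silently overrides the block. The text at lines 587-590 should also say why these two rules meet the stated goal: they live in the gateway zone (10.0.0.1), so they only see packets the tbb zone routes towards the Internet, while traffic from 10.0.0.13 to the tor zone's `SocksPort 10.0.0.12:9050` (line 503) stays on switch0 and never reaches the firewall, which is exactly what keeps the SOCKS path open. Smaller points in the same hunk: line 483 has `apt-get update; update upgrade;` where `apt-get update; apt-get upgrade` is meant; the tbb zone at line 527 still carries `"resolvers": ["8.8.8.8","8.8.4.4"]`, which the block rules make unreachable rather than absent, so dropping that entry or pointing it at an unroutable address would state the intent (this zone resolves nothing outside Tor) instead of relying on the firewall; and the heading at line 574, `setup tor browser with dtrace`, is backed only by `LX_DTRACE=1` in the command at line 581, so either a sentence on what that variable does or a plainer heading would help the reader.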