
Version 4 (modified by dawuud, 20 months ago)

--

The Tor Browser SmartOS Sandboxing Guide

This page gives an overview of how to sandbox the Linux Tor Browser Bundle using the SmartOS hypervisor with the illumos kernel. We use native Solaris and Linux zones to isolate the components of the Tor Browser Bundle sandbox environment. A Linux zone on Solaris emulates Linux system calls, so x86 32-bit and 64-bit Linux binaries, including the Linux Tor Browser binary, run just fine in a Linux zone on Solaris/SmartOS.

Our sandbox environment has several components, each in its own zone. The Tor Browser runs against an X server created by vnc4server. A stealth authenticated onion service exposes an HTTP service via noVNC, which serves an HTML5 VNC client to the browser and connects to the zone running the Tor Browser vnc4server.

Five zones:

  • firewall, which performs filtering and NAT
  • tor for the Tor Browser Bundle (tbb)
  • tor for our onion service
  • Tor Browser Bundle (tbb) with vnc4server
  • the web server component of noVNC

Why SmartOS?

  • use of DTrace
  • use of ZFS to take snapshots and roll back to previous snapshots
  • better isolation than Linux containers
  • a remote code execution vulnerability is unlikely to lead to a kernel exploit, since we aren't running the Linux kernel

creation of zones

Read the SmartOS documentation on zone image management. We create Solaris and Linux zones using the latest SmartOS zone images available:

imgadm avail | grep debian-8 | grep lx-dataset | tail -n 1
445d04f4-cad6-11e5-a1a0-9f6c0ce02707  debian-8                20160204    linux    lx-dataset    2016-02-04

imgadm avail | grep base-64-lts | tail -n 1
96bcddda-beb7-11e5-af20-a3fb54c8ae29  base-64-lts             15.4.0      smartos  zone-dataset  2016-01-19

imgadm import 445d04f4-cad6-11e5-a1a0-9f6c0ce02707
imgadm import 96bcddda-beb7-11e5-af20-a3fb54c8ae29

These two image IDs will be specified in our zone manifests. Refer to creating zones with SmartOS for more information.

firewall zone

Create a firewall.json file, where the public IPv4 address is XXX.XXX.XXX.XXX and the gateway is YYY.YYY.YYY.YYY:

{
  "alias": "firewall",
  "hostname": "firewall",
  "brand": "joyent",
  "max_physical_memory": 500,
  "dataset_uuid": "96bcddda-beb7-11e5-af20-a3fb54c8ae29",
  "default_gateway": "YYY.YYY.YYY.YYY",
  "nics": [
    {
      "nic_tag": "admin",
      "ip": "XXX.XXX.XXX.XXX",
      "netmask": "255.255.254.0",
      "allow_ip_spoofing": "1",
      "gateway": "YYY.YYY.YYY.YYY",
      "primary": "1"
    },
    {
      "nic_tag": "switch0",
      "ip": "10.0.0.1",
      "netmask": "255.255.255.0",
      "allow_ip_spoofing": "1",
      "gateway": "10.0.0.1"
    }
  ]
}

Create the zone:

vmadm create -f firewall.json

Log in:

vmadm list
UUID                                  TYPE  RAM      STATE             ALIAS
5d9ab9da-8aae-4a48-b73a-b7ae574a5dd3  OS    500      running           firewall

zlogin 5d9ab9da-8aae-4a48-b73a-b7ae574a5dd3
[Connected to zone '5d9ab9da-8aae-4a48-b73a-b7ae574a5dd3' pts/13]
Last login: Fri Mar  4 10:33:05 on pts/13
   __        .                   .
 _|  |_      | .-. .  . .-. :--. |-
|_    _|     ;|   ||  |(.-' |  | |
  |__|   `--'  `-' `;-| `-' '  ' `-'
                   /  ; Instance (base-64-lts 15.4.0)
                   `-'  https://docs.joyent.com/images/smartos/base

[root@firewall ~]#
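The remaining four zones follow the same manifest pattern as the firewall, but with a single NIC on switch0 and the firewall as their gateway. The script below is an added example, not from this wiki page or from SmartOS, that generates those manifests and checks the topology invariant (only the firewall touches the admin NIC tag, spoofs addresses, or acts as a gateway); the Linux zones using brand "lx" with kernel_version "3.13.0", the internal addresses 10.0.0.2 to 10.0.0.5, and the two tor zones running in SmartOS (base-64-lts) zones are all assumptions.

```python
"""Generate and sanity-check vmadm manifests for the four zones behind the firewall.

Added example, not from the wiki page or from SmartOS. Assumptions: Linux zones use
brand "lx" with kernel_version "3.13.0"; internal addresses 10.0.0.2-10.0.0.5 are
constructed; the two tor zones run in SmartOS (base-64-lts) zones.
"""
import json

LX_IMAGE = "445d04f4-cad6-11e5-a1a0-9f6c0ce02707"       # debian-8 lx-dataset (from the page)
SMARTOS_IMAGE = "96bcddda-beb7-11e5-af20-a3fb54c8ae29"  # base-64-lts (from the page)
FIREWALL_IP = "10.0.0.1"                                # firewall's switch0 address (from the page)

def internal_nic(ip):
    # Every non-firewall zone gets exactly one NIC on the private switch0
    # network, with the firewall zone as its only default gateway.
    return {"nic_tag": "switch0", "ip": ip, "netmask": "255.255.255.0",
            "gateway": FIREWALL_IP, "primary": "1"}

def zone_manifest(alias, ip, linux):
    m = {"alias": alias, "hostname": alias, "max_physical_memory": 1024,
         "nics": [internal_nic(ip)]}
    if linux:   # kernel_version "3.13.0" is an assumed value for the lx brand
        m.update({"brand": "lx", "kernel_version": "3.13.0", "image_uuid": LX_IMAGE})
    else:
        m.update({"brand": "joyent", "image_uuid": SMARTOS_IMAGE})
    return m

# The four zones behind the firewall; addresses are constructed.
SANDBOX_ZONES = [
    zone_manifest("tor-tbb", "10.0.0.2", linux=False),
    zone_manifest("tor-onion", "10.0.0.3", linux=False),
    zone_manifest("tbb", "10.0.0.4", linux=True),
    zone_manifest("novnc", "10.0.0.5", linux=True),
]

def isolation_problems(manifests):
    """Return violations of the page's topology: only the firewall may sit on the
    'admin' (public) NIC tag, spoof IP addresses, or be anything but a switch0 client."""
    problems = []
    for m in manifests:
        if m["alias"] == "firewall":
            continue
        for nic in m["nics"]:
            if nic["nic_tag"] != "switch0":
                problems.append(f"{m['alias']}: NIC on {nic['nic_tag']} bypasses the firewall")
            if nic.get("allow_ip_spoofing") == "1":
                problems.append(f"{m['alias']}: allow_ip_spoofing set")
            if nic.get("gateway") != FIREWALL_IP:
                problems.append(f"{m['alias']}: gateway is not the firewall")
    return problems

if __name__ == "__main__":
    for m in SANDBOX_ZONES:   # one manifest per zone, ready for `vmadm create -f`
        print(json.dumps(m, indent=2))
    print(isolation_problems(SANDBOX_ZONES) or "topology OK")
```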