Enable ptrace protection for browser sandbox
Only allow ptrace from a parent process to its children or via
CAP_SYS_PTRACE.

To verify sandbox status for Brave, Chrome, Firefox see
brave://sandbox, chrome://sandbox, about:support, respectively.

Also describe disadvantages of enabling unprivileged user namespaces.
Distributions like Debian currently disable unprivileged user namespaces
by default to decrease the kernel attack surface for local privilege
escalation. See Debian bug #898446. If kept disabled, Brave 1.2+ and
Chrome will still enforce namespace sandboxing via their setuid-root
helper executable. See brave/brave-browser#3420 and
brave/brave-browser#6247. Firefox does not include a setuid-root binary,
however, so unprivileged user namespaces are useful to have for
defence-in-depth, but not critical. See
<https://www.morbo.org/2018/05/linux-sandboxing-improvements-in_10.html>.
daradib committed Jul 14, 2020
1 parent 3f82d9e commit a53c04b
Showing 5 changed files with 26 additions and 11 deletions.
22 changes: 22 additions & 0 deletions modules/ocf/manifests/browser_sandbox.pp
@@ -0,0 +1,22 @@
class ocf::browser_sandbox {
# Change kernel settings for the sandbox used by Brave, Chrome, and Firefox.
# Verify sandbox status at brave://sandbox, chrome://sandbox, about:support,
# respectively.
sysctl {
# Distributions like Debian currently disable unprivileged user namespaces
# by default to decrease the kernel attack surface for local privilege
# escalation. See Debian bug #898446. If kept disabled, Brave 1.2+ and
# Chrome will still enforce namespace sandboxing via their setuid-root
# helper executable. See brave/brave-browser#3420 and
# brave/brave-browser#6247. Firefox does not include a setuid-root binary,
# however, so unprivileged user namespaces are useful to have for
# defense in depth, but not critical. See
# <https://www.morbo.org/2018/05/linux-sandboxing-improvements-in_10.html>.
'kernel.unprivileged_userns_clone':
value => '1';
# Enable ptrace protection. Only allow ptrace from a parent process to its
# children or via CAP_SYS_PTRACE.
'kernel.yama.ptrace_scope':
value => '1';
}
}
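Review bot: `kernel.yama.ptrace_scope` (the second resource in this hunk) is a host-wide setting, not a browser one: with value `1`, every unprivileged process on the machine loses the ability to attach to a non-descendant, so `gdb -p`, `strace -p` and similar tools need the parent relationship or CAP_SYS_PTRACE for every user of the host. The class name `ocf::browser_sandbox` and the comment `# Enable ptrace protection.` do not say that; please add a line to the comment stating that this restricts debugging tools for all users, not just the browsers. Both keys are also kernel-dependent: `kernel.unprivileged_userns_clone` exists only on kernels carrying the Debian-style patch and `kernel.yama.ptrace_scope` only when the Yama LSM is built in and active, so the `sysctl` resources will fail to apply on a host lacking them; noting that assumption in the comment would save a confusing catalog failure later. Finally, the long comment explains why Debian keeps unprivileged user namespaces disabled but not why this manifest turns them back on with `value => '1'`; one sentence stating the decision taken (the Firefox defence-in-depth argument from the commit message) would make the trade-off explicit for the next reader.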
2 changes: 1 addition & 1 deletion modules/ocf/manifests/packages/brave.pp
@@ -1,5 +1,5 @@
class ocf::packages::brave {
include ocf::userns
include ocf::browser_sandbox

$browser_homepage = lookup('browser_homepage')

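Review bot: Because `modules/ocf/manifests/userns.pp` is deleted in this same commit, any `include ocf::userns` left elsewhere in the repository (other manifests, Hiera class lists) will now fail at catalog compilation with an unknown class; please grep for `ocf::userns` before merging. The replacement `include ocf::browser_sandbox` here is fine, but confirm that the deleted class set `kernel.unprivileged_userns_clone` to the same value the new class does, so the sysctl does not flip on the next Puppet run.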
2 changes: 1 addition & 1 deletion modules/ocf/manifests/packages/chrome.pp
@@ -1,5 +1,5 @@
class ocf::packages::chrome {
include ocf::userns
include ocf::browser_sandbox

$browser_homepage = lookup('browser_homepage')

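Review bot: Per the commit message, Chrome falls back to its setuid-root helper when unprivileged user namespaces are disabled, so for this class the include matters mainly for `kernel.yama.ptrace_scope`, not for `kernel.unprivileged_userns_clone`. A one-line comment above `include ocf::browser_sandbox` saying which of the two sysctls Chrome actually depends on would stop a future reader from dropping the include as redundant; the same comment would fit brave.pp, whose hunk is identical.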
2 changes: 2 additions & 0 deletions modules/ocf/manifests/packages/firefox.pp
@@ -1,4 +1,6 @@
class ocf::packages::firefox {
include ocf::browser_sandbox

$browser_homepage = lookup('browser_homepage')

package { 'firefox-esr':; }
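Review bot: firefox.pp did not previously include `ocf::userns`, so this is the first time a Firefox-only host gets both `kernel.unprivileged_userns_clone = 1` and `kernel.yama.ptrace_scope = 1`. The commit message says Firefox is the one browser here without a setuid-root helper, which justifies the include, but please mention the verification step (`about:support`, as in the commit message) in a comment here so whoever provisions a Firefox host checks the content sandbox level after the change. Minor style point: `package { 'firefox-esr':; }` is valid Puppet, but the bare `:;` is unusual; `package { 'firefox-esr': }` reads more clearly.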
9 changes: 0 additions & 9 deletions modules/ocf/manifests/userns.pp

This file was deleted.

0 comments on commit a53c04b