#!/bin/sh | |
# | |
# A demo of Linux namespace to sandbox firefox | |
# | |
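set -e
echo "[+] Check dependencies"
# Fail before touching the system if a tool is missing: an abort half-way
# through leaves the namespace, veth pair and NAT rules for the EXIT trap
# to unwind.  xauth/mcookie are needed for the Xnest cookie and unshare
# for the sandbox itself, so they are checked alongside the original three.
for tool in twm firefox Xnest xauth mcookie unshare sudo ip iptables; do
  command -v "${tool}" || { echo "[!] missing dependency: ${tool}" >&2; exit 1; }
done
# Interface carrying the default route; sandbox traffic is NATed out of it.
# Take the token after "dev" instead of a fixed column: "ip route get" omits
# "via" when 8.8.8.8 is directly reachable, which shifts the fields.
ext_if=$(ip route get 8.8.8.8 | awk '{ for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }')
# An empty interface would make every iptables rule below fail; say so clearly.
[ -n "${ext_if}" ] || { echo "[!] could not determine the external interface" >&2; exit 1; }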
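# Undo everything the setup below creates.  Runs from the EXIT trap, so it
# also fires when "set -e" aborts half-way; each step tolerates failure
# (the resource may never have been created) so the later ones still run.
# POSIX function syntax: the shebang is /bin/sh, where "function" is invalid.
finish() {
  echo "[+] Cleaning..."
  # Deleting the namespace also destroys the veth pair (firefox1 lives in it).
  sudo ip netns delete firefox || true
  sudo iptables -D POSTROUTING -t nat -s 192.168.50.2/32 -o "${ext_if}" -j MASQUERADE || true
  sudo iptables -D FORWARD -i firefox0 -o "${ext_if}" -j ACCEPT || true
  sudo iptables -D FORWARD -i "${ext_if}" -o firefox0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT || true
  # Restore ip_forward to the value recorded before the setup enabled it;
  # leaving it on silently keeps the host acting as a router.
  if [ -n "${ip_forward_prev:-}" ]; then
    echo "${ip_forward_prev}" | sudo tee /proc/sys/net/ipv4/ip_forward >/dev/null || true
  fi
  # If a launcher stored the nested server's PID in xnest_pid, stop just that
  # process; otherwise fall back to killall, which also takes down any
  # unrelated Xnest the user may be running.
  if [ -n "${xnest_pid:-}" ]; then
    kill "${xnest_pid}" 2>/dev/null || true
  else
    killall Xnest || true
  fi
}
trap finish EXIT
echo "[+] Network namespace"
# Fresh namespace: the sandbox sees only its own loopback and the veth leg.
sudo ip netns add firefox
# loopback inside the namespace
sudo ip netns exec firefox ip addr add 127.0.0.1/8 dev lo
sudo ip netns exec firefox ip link set lo up
# veth pair: firefox0 stays on the host, firefox1 moves into the namespace
sudo ip link add firefox0 type veth peer name firefox1
sudo ip link set firefox0 up
sudo ip link set firefox1 netns firefox up
sudo ip addr add 192.168.50.1/24 dev firefox0
sudo ip netns exec firefox ip addr add 192.168.50.2/24 dev firefox1
sudo ip netns exec firefox ip route add default via 192.168.50.1 dev firefox1
# Dedicated resolver: "ip netns exec" mounts /etc/netns/<name>/* over /etc,
# so the sandbox uses this server rather than the host's resolv.conf.
[ -d "/etc/netns/firefox" ] || sudo mkdir -p /etc/netns/firefox
echo nameserver 8.8.8.8 | sudo tee /etc/netns/firefox/resolv.conf
# Remember the current forwarding state so finish() can put it back.
ip_forward_prev=$(cat /proc/sys/net/ipv4/ip_forward)
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
# NAT the sandbox out of the external interface.  Outbound is open; inbound
# is limited to replies to sandbox-initiated connections.  What this does
# NOT restrict: the sandbox can still reach the host itself on 192.168.50.1
# (INPUT is untouched) and, through forwarding, any LAN host behind ext_if.
# Tighten FORWARD/INPUT if that matters for your threat model.
sudo iptables -A POSTROUTING -t nat -s 192.168.50.2/32 -o "${ext_if}" -j MASQUERADE
sudo iptables -A FORWARD -i firefox0 -o "${ext_if}" -j ACCEPT
sudo iptables -A FORWARD -i "${ext_if}" -o firefox0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT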
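echo "[+] Filesystem preps"
# Per-user home that replaces /home inside the sandbox (bind-mounted later).
# Owned by the invoking user and private to it; the real home stays hidden.
if [ ! -d "/home/sandbox/${USER}" ]; then
  sudo mkdir -p "/home/sandbox/${USER}"
  sudo chown "${USER}" "/home/sandbox/${USER}"
  chmod 0700 "/home/sandbox/${USER}"
fi
# Scratch /tmp for the sandbox.  The path is predictable and sits in the
# world-writable /tmp, so refuse a symlink planted there by another local
# user; an existing directory is accepted (it is meant to be 1777, shared
# like /tmp itself, so do not keep anything sensitive in it).
if [ -L /tmp/sandbox ]; then
  echo "[!] /tmp/sandbox is a symlink, refusing to use it" >&2
  exit 1
fi
[ -d /tmp/sandbox ] || mkdir -m 01777 /tmp/sandbox
# Mount points for the X socket shuffle done inside the sandbox.  Created
# independently of /tmp/sandbox so a cleaned /var/tmp cannot leave the
# later bind mount without a target.
mkdir -p /tmp/sandbox/.X11-unix /var/tmp/.X11-unix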
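echo "[+] Xnest"
# Xnest cannot take over a display that already has a server; bail early.
if [ -e /tmp/.X11-unix/X4 ]; then
  echo "[!] display :4 is already in use" >&2
  exit 1
fi
# Fresh cookie file holding only the nested display's cookie (never the host
# :0 one).  Created 0600 via umask, and truncated with ":" rather than
# "echo -n", which /bin/sh may print literally.
(umask 077; : > "/home/sandbox/${USER}/.Xauthority")
xauth -f "/home/sandbox/${USER}/.Xauthority" add :4 . "$(mcookie)"
# Nested X server on :4 protected by that cookie.  -nolisten tcp keeps it
# off the network; the PID is recorded so cleanup can target this process.
Xnest -nolisten tcp -auth "/home/sandbox/${USER}/.Xauthority" :4 &
xnest_pid=$!
# Wait for the server socket instead of a fixed sleep; give up after ~5s.
tries=0
while [ ! -S /tmp/.X11-unix/X4 ]; do
  tries=$((tries + 1))
  if [ "${tries}" -ge 50 ]; then
    echo "[!] Xnest did not come up on :4" >&2
    exit 1
  fi
  sleep 0.1
done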
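# Account firefox runs as inside the sandbox.  SUDO_USER is only set when
# this script itself is run under sudo; here sudo wraps single commands, so
# the outer shell (which expands the double-quoted script below) sees it
# empty, and "su -l" with no name would drop into a ROOT shell.  Fall back
# to the invoking user.
sandbox_user=${SUDO_USER:-${USER}}
# New mount, UTS, IPC and PID namespaces; the network namespace comes from
# "ip netns exec".  There is no user namespace: the shell below is real root,
# the root filesystem is still the host's (no pivot_root/chroot) and only the
# paths shadowed below differ, so isolation rests on dropping to the
# unprivileged user at the end plus the network separation.
sudo ip netns exec firefox unshare -m -u -i -p --mount-proc=/proc -f bash -c "
  # Keep the mounts below from propagating back to the host when / is a
  # shared mount (the systemd default); older unshare does not do this.
  mount --make-rprivate /
  echo '[-] /dev'
  mount -t tmpfs -o mode=0755 none /dev
  # /dev/shm must be writable by the unprivileged user (firefox uses it);
  # a plain mkdir would inherit the umask of root and be unwritable.
  mkdir -m 1777 /dev/shm
  mknod -m 0622 /dev/console c 5 1
  mknod -m 0666 /dev/null c 1 3
  mknod -m 0666 /dev/zero c 1 5
  mknod -m 0444 /dev/random c 1 8
  mknod -m 0444 /dev/urandom c 1 9
  ln -s /proc/self/fd /dev/fd
  ln -s /proc/self/fd/0 /dev/stdin
  ln -s /proc/self/fd/1 /dev/stdout
  ln -s /proc/self/fd/2 /dev/stderr
  echo '[-] /home'
  # Only the per-user sandbox homes are visible; the real /home is hidden.
  mount -o bind /home/sandbox /home
  echo '[-] /tmp'
  # Stash the host X sockets aside, replace /tmp with the scratch dir, then
  # bring the sockets back so :4 is reachable.  Note this also exposes the
  # host :0 socket; it is protected only by its cookie, which is not in the
  # sandbox XAUTHORITY file.
  mount -o bind /tmp/.X11-unix /var/tmp/.X11-unix
  mount -o bind /tmp/sandbox /tmp
  mount -o bind /var/tmp/.X11-unix /tmp/.X11-unix
  echo '[-] /var/log'
  mount -t tmpfs none /var/log
  echo '[-] /sys'
  mount -t tmpfs none /sys
  echo '[-] test shell'
  echo 'use DISPLAY=:4 XAUTHORITY=${HOME}/.Xauthority xeyes'
  # Interactive shell as the sandbox user for poking around; firefox starts
  # once it exits.  HOME here is the host value, expanded by the outer
  # shell; inside the sandbox it resolves under the /home/sandbox bind.
  env - su -l ${sandbox_user} -s /bin/sh
  echo '[-] init...'
  exec env - su -l ${sandbox_user} -s /bin/sh -c 'export DISPLAY=:4; export XAUTHORITY=${HOME}/.Xauthority; twm & firefox'
"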