Chrooting proxy services

Today there are many process isolation techniques. Most of them are based on virtualization or containers. Some are focused on security, which is what we want for this.

Kernel options
To create a hardened jail we need hardened-sources to be installed (it is wise to use one of the hardened profiles). So emerge it:

Then set the necessary hardened chroot options:

Chroot
As an example of building chroot services, let's take a look at a home proxy server. A home proxy can look something like:

                 +-------------------------------------------------------------+
                 | Chrooted sockd or torsocks <-> Other Internet applications  |
                 |      ^                                                      |
                 |      |                                                      |
                 |                                Chrooted          HTTP*      |
+----------+     |  Chrooted  <->  Chrooted  <->    HAVP    <->    Internet    |
| Internet | <-> | <-> Tor         Privoxy           +           applications  |
+----------+     |                    ^           libClamAV                    |
                 |                    |                                        |
                 |                                                             |
                 |                 Chrooted                                    |
                 |                FreshClam                                    |
                 +-------------------------------------------------------------+

From a user's perspective the best way would be to write an ebuild to build the chroot of the service! So generally for a chrooted tor service the Gentoo user wants to run:

and that is all... Except developers don't want to support such a complicated ebuild. Therefore, here we will show examples of chrooted init scripts for all services shown above and examples of bash scripts to build the chroots (these should be hooked into the pkg_config function of the respective ebuilds).

First build and install binary packages for the services ClamAV, tor, Dante, HAVP and privoxy:

Then configure all of them, which is beyond the scope of this how-to. However, for this setup to work we need USE=clamav on HAVP.

The next scripts build chrooted services even when all file-systems with executables are mounted readonly and all writeable file-systems are mounted with noexec. Make sure you have write-access to the and  partitions when you execute these!

You must manually run the chroot build scripts any time you update or reconfigure the service or update this library!
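
As an added illustration of what such a build script has to do (this is not one of the page's original scripts), the following POSIX shell functions copy one service binary and the shared libraries that ldd reports into a chroot tree, and list the copies that no longer match the host, which is the condition that calls for a rebuild after an update. The chroot path and binary path in the usage comment are assumptions; configuration files, device nodes and user databases are not handled here.

```shell
#!/bin/sh
# Added example, not the original wiki script.
# Usage (paths are hypothetical): sh mkchroot.sh /chroot/tor /usr/bin/tor

# Print the absolute paths of the shared objects a dynamically linked binary loads.
# ldd can execute code from the file it inspects, so use it only on binaries
# installed from trusted packages. Libraries opened at run time with dlopen()
# (NSS modules, plugins) are not listed and have to be added by hand.
list_deps() {
    ldd "$1" 2>/dev/null | awk '
        $2 == "=>" && $3 ~ /^\// { print $3 }  # libfoo.so => /lib/libfoo.so (0x..)
        $2 != "=>" && $1 ~ /^\// { print $1 }  # /lib64/ld-linux-x86-64.so.2 (0x..)
    ' | sort -u
}

# Copy <absolute-path> to the same location under <chroot>. Symlinks are
# dereferenced so the jail holds regular files, and write bits are cleared.
install_into() {
    mkdir -p "$1$(dirname "$2")" &&
    cp -fL "$2" "$1$2" &&
    chmod a-w "$1$2"
}

# build_chroot <chroot> <binary>: install the binary and every library it needs.
# Assumes library paths contain no whitespace.
build_chroot() {
    install_into "$1" "$2" || return 1
    for lib in $(list_deps "$2"); do
        install_into "$1" "$lib" || return 1
    done
}

# stale_files <chroot> <binary>: print each file whose copy in the chroot is
# missing or differs from the host. Any output means the chroot must be rebuilt.
stale_files() {
    for f in "$2" $(list_deps "$2"); do
        cmp -s "$f" "$1$f" || echo "$f"
    done
}

if [ "$#" -eq 2 ]; then
    build_chroot "$1" "$2" && stale_files "$1" "$2"
fi
```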

Post install tasks

 * properly configure, so only service can output packets to the internet;
 * properly set up proxy variables for all your internet applications and torify them;
 * install and properly configure some privacy addons for your browser.