Chrooting proxy services

Today there are many process isolation techniques. Most of them are based on virtualization or containers, and fewer of them are focused on security. Here we will use a hardened chroot to isolate Internet services.

Kernel options
To create a hardened jail we need hardened-sources to be installed (it is wise to use one of the hardened profiles). So emerge it: Then set the necessary hardened chroot kernel options:

Chroot
As an example of building chrooted services, let's take a look at a home proxy server. A home proxy can look something like this (the original page shows it as an ASCII diagram):
 * Internet <-> chrooted Tor <-> chrooted Privoxy <-> chrooted HAVP + libClamAV <-> HTTP* Internet applications;
 * chrooted sockd or torsocks <-> other Internet applications, which reach the Internet through the chrooted Tor;
 * chrooted FreshClam, which keeps the ClamAV signature database used by HAVP's libClamAV up to date.
The best way is to write an ebuild that builds the chroot of the service! So generally, for a chrooted tor service, the Gentoo user wants to run:

and that is all... But developers don't want to support such a complicated ebuild. ;) So here we will show an example of a bash script that builds a chroot (it should be hooked into the pkg_config function of the ebuild) and examples of chrooted init scripts for all the services shown above.

First of all, install the services and build binary packages for them:

Then configure all of them; configuration is not part of this how-to... ;)

The following scripts build chrooted services even when all file systems with executables are mounted read-only and all writable file systems are mounted with noexec. Make sure you have write access to the / and /usr partitions when you execute them!

You must manually re-run the build-chroot scripts any time you update or reconfigure the service or update a library it uses!

Chrooted HAVP + libClamAV
{{FileBox|filename=havp-chroot.sh|title=Build chrooted havp|1=
#!/bin/bash
# 20150922  havp-chroot.sh
# GPL-3
PKGDIR="/usr/portage/packages"
CATEGORY="net-proxy"
PN="havp"
CHROOT="/usr/chroot/${PN}"
WORKD=`pwd`

# Cleaning chroot directory.
umount "${CHROOT}"/var/lib/clamav "${CHROOT}/var/log/${PN}" "${CHROOT}"/var/run "${CHROOT}"/var/tmp "${CHROOT}"/dev 1>/dev/null 2>&1
rm -rf "${CHROOT}"
# Make common directories and symlinks.
mkdir -p "${CHROOT}"/{dev,etc}
if [ -d /lib64 ]; then
    mkdir -p "${CHROOT}"/{lib64,usr/lib64}
    cd "${CHROOT}" && ln -s lib64 lib
    cd "${CHROOT}/usr" && ln -s lib64 lib
else
    mkdir -p "${CHROOT}"/{lib,usr/lib}
fi
mkdir -p /var/log/"${PN}" "/var/tmp/${PN}" "${CHROOT}"/var/lib/clamav "${CHROOT}/var/log/${PN}" "${CHROOT}"/var/tmp/ "${CHROOT}"/var/run
chown -R ${PN}:${PN} /var/log/${PN} /var/tmp/${PN} "${CHROOT}/var/log/${PN}"
chmod -R o-rwx /var/log/${PN} /var/tmp/${PN} "${CHROOT}/var/log/${PN}"
chmod -R g-rwx /var/log/${PN} "${CHROOT}"/var/log/${PN}

# Extract package (the newest havp binary package).
tar -xjphf `ls ${PKGDIR}/${CATEGORY}/${PN}* {{!}} tail -n 1` -C "${CHROOT}"
# Copy the necessary libraries: the dynamic loader, then everything ldd resolves for havp and libclamav.
cp -pRPd /lib/ld-* "${CHROOT}/lib"
cp `ldd "${CHROOT}/usr/sbin/${PN}" {{!}} awk '{print $3}' {{!}} grep "^/lib"` "${CHROOT}/lib"
cp `ldd "${CHROOT}/usr/sbin/${PN}" {{!}} awk '{print $3}' {{!}} grep "^/usr/lib"` "${CHROOT}/usr/lib"
cp -pRPd /usr/lib/libclam* "${CHROOT}/usr/lib"
cp `ldd "${CHROOT}/usr/lib/libclamav.so" {{!}} awk '{print $3}' {{!}} grep "^/lib"` "${CHROOT}/lib"
cp `ldd "${CHROOT}/usr/lib/libclamav.so" {{!}} awk '{print $3}' {{!}} grep "^/usr/lib"` "${CHROOT}/usr/lib"
cp `ldd "${CHROOT}/usr/lib/libclamunrar_iface.so" {{!}} awk '{print $3}' {{!}} grep "^/lib"` "${CHROOT}/lib"
cp `ldd "${CHROOT}/usr/lib/libclamunrar_iface.so" {{!}} awk '{print $3}' {{!}} grep "^/usr/lib"` "${CHROOT}/usr/lib"
cp `ldd "${CHROOT}/usr/lib/libclamunrar.so" {{!}} awk '{print $3}' {{!}} grep "^/lib"` "${CHROOT}/lib"
# Copy user information and the libraries (NSS, resolver) needed to read it.
cp -pRPd /lib/libnss* /lib/libnsl* /lib/libresolv* "${CHROOT}/lib"
cp /usr/lib/libnss3.so "${CHROOT}/usr/lib"
grep "^${PN}" "/etc/passwd" > "${CHROOT}/etc/passwd"
grep "^${PN}" "/etc/group" > "${CHROOT}/etc/group"

# fstab stuff: append the bind and tmpfs mounts only once; the marker comment below is the guard.
if ! grep -q "HAVP chroot stuff." /etc/fstab; then
cat >> /etc/fstab << EOF
# HAVP chroot stuff.
/var/lib/clamav  ${CHROOT}/var/lib/clamav  none   bind,nodev,noexec,nosuid,rw  0 0
/var/log/${PN}   ${CHROOT}/var/log/${PN}   none   bind,nodev,noexec,nosuid,rw  0 0
/var/tmp/${PN}   ${CHROOT}/var/tmp         none   bind,nodev,noexec,nosuid,rw  0 0
none             ${CHROOT}/var/run         tmpfs  rw,nodev,noexec,nosuid,relatime,size=1024k,mode=755  0 0
none             ${CHROOT}/dev             tmpfs  rw,noexec,nosuid,relatime,size=1024k,nr_inodes=384443,mode=755  0 0
EOF
fi
mount -a
# Configuration: copy the havp config and the chrooted init script (named havp, in the working directory).
cp -fpRPd /etc/${PN}/* ${CHROOT}/etc/${PN}/
cd ${WORKD} && cp -f ${PN} /etc/init.d/
cp -f ${PN} ${CHROOT}/etc/init.d/
exit 0
}}
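A post-build check, added here as an example and not one of the page's own scripts: it reports which libraries ldd lists for a binary are absent under the jail (following the lib -> lib64 symlink the build script creates) and which mounts below the chroot lack nodev, noexec or nosuid, treating /dev as the fstab above does (noexec,nosuid only). The chroot and binary paths are placeholders and the mount table it is run against is an assumption.

```shell
#!/bin/bash
# Added example, not from the original page: sanity-check a freshly built jail.
# Check 1: every library ldd(1) lists for the binary exists under the chroot.
# Check 2: every mount below the chroot carries nodev, noexec and nosuid
#          (the page's fstab mounts /dev with only noexec,nosuid, so nodev is
#          not required there). CHROOT and binary paths are placeholders.

# Keep only absolute paths from ldd output read on stdin, i.e. from lines like
# "libc.so.6 => /lib/libc.so.6 (0x...)" and "/lib64/ld-linux-x86-64.so.2 (0x...)".
ldd_paths() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }'
}

# Print each library from the ldd output in $2 that is absent under chroot $1.
# Returns 1 if anything is missing, 0 otherwise.
missing_libs() {
    local chroot="$1" lib rc=0
    for lib in $(printf '%s\n' "$2" | ldd_paths); do
        # -e follows the jail's lib -> lib64 symlink, as the loader would.
        if [ ! -e "${chroot}${lib}" ]; then
            echo "$lib"
            rc=1
        fi
    done
    return $rc
}

# Wrapper for a real binary, e.g. missing_libs_for /usr/chroot/havp /usr/sbin/havp
missing_libs_for() {
    local out
    out=$(ldd "$2" 2>/dev/null) || return 2   # static binary or no ldd: undecidable
    missing_libs "$1" "$out"
}

# Given a /proc/mounts-style table in $2 (e.g. "$(cat /proc/mounts)"), report
# each mount below chroot $1 that lacks a hardening option. Returns 1 if any does.
weak_mounts() {
    local chroot="$1" rc=0 dev mnt fstype opts rest want
    while read -r dev mnt fstype opts rest; do
        case "$mnt" in "${chroot}"/*) ;; *) continue ;; esac
        for want in nodev noexec nosuid; do
            # /dev must hold device nodes, so nodev is not expected there.
            if [ "$mnt" = "${chroot}/dev" ] && [ "$want" = nodev ]; then continue; fi
            case ",$opts," in *",$want,"*) ;; *) echo "$mnt lacks $want"; rc=1 ;; esac
        done
    done <<EOF
$2
EOF
    return $rc
}
```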

Reminder
Also you must:
 * properly configure iptables, so that only the tor service can send packets to the Internet;
 * properly set the proxy variables for all your Internet applications and torify them;
 * install and properly configure some privacy add-ons in your browser.