Chrooting proxy services

Today there are many process isolation techniques. Most of them are based on virtualization or containers, and fewer of them are focused on security... Here we use a hardened chroot to isolate Internet-facing services.

Kernel options
To create a hardened jail, hardened-sources needs to be installed (it is wise to use one of the hardened profiles). So emerge it:

Then set the necessary hardened chroot options in the kernel configuration:

Chroot
As an example of building chrooted services, take a look at a home proxy server. A usual home proxy looks like this:

<pre>
+------------------------------------------------------------------------------+
|      Chrooted sockd or torsocks  <->  Other Internet applications            |
|                 ^                                                            |
|                 |                                                            |
|                                           Chrooted         HTTP*             |
+----------+  Chrooted  <->  Chrooted  <->  HAVP    <->   Internet           |
| Internet |<->  Tor          Privoxy          +          applications         |
+----------+                     ^         libClamAV                           |
|                                |                                             |
|                            Chrooted                                          |
|                            FreshClam                                         |
+------------------------------------------------------------------------------+
</pre>

The best way is to write an ebuild that builds the chroot of the service! So, generally, to chroot the tor service a Gentoo user would want to run:

and that is all... But developers don't want to support such a complicated ebuild. ;) So here we show an example of a bash script that builds the chroot (it should live in the pkg_config function of the ebuild) and examples of chrooted init scripts for all of the services shown above.

First of all, install the services and build binary packages for them:

Then configure all of them; configuration is not part of this how-to... ;)

The following scripts build chrooted services even when every executable filesystem is mounted read-only and every writable filesystem is mounted noexec. But you must allow writes to the / and /usr filesystems while you execute them!

You must manually re-run the build-chroot scripts whenever you update or reconfigure the service or update its libraries!
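The reason the build scripts must be re-run is that the jail holds private copies of the service's shared libraries, which silently fall behind the host's after an update. The following check is an added example, not one of the page's scripts: it resolves a jailed binary's dependencies with ldd the same way havp-chroot.sh does and reports any library that is missing from the jail or that no longer matches the host copy, so a forgotten rebuild shows up as STALE. The function names and the /usr/chroot/havp paths in the usage line are my own assumptions, following the layout the build script produces.

```shell
#!/bin/bash
# Jail library-consistency check (added example; not part of the wiki page).
# Assumes the layout produced by havp-chroot.sh: a host library is copied to
# the same path below the jail root, e.g. /lib/libz.so.1 -> <jail>/lib/libz.so.1.

# Absolute library paths that ldd resolves for a binary or shared object: the
# third column of ldd output, the same selection havp-chroot.sh copies.
# The dynamic loader itself has no "=>" in ldd output and is therefore not
# listed; havp-chroot.sh copies /lib/ld-* separately for that reason.
needed_libs() {
    ldd "$1" 2>/dev/null | awk '$3 ~ /^\// {print $3}'
}

# check_chroot_copies <jail root> <host library path>...
# Require an identical copy of each host library at the same path under the
# jail. Prints one line per problem and returns 1 if anything is wrong.
check_chroot_copies() {
    local jail="$1" status=0 lib
    shift
    for lib in "$@"; do
        if [ ! -e "${jail}${lib}" ]; then
            echo "MISSING ${jail}${lib}"
            status=1
        elif ! cmp -s "${lib}" "${jail}${lib}"; then
            echo "STALE   ${jail}${lib} (differs from host ${lib}; rebuild the jail)"
            status=1
        fi
    done
    return "$status"
}

# check_chroot_binary <jail root> <binary inside the jail>
# ldd is run on the jailed binary, exactly as havp-chroot.sh does, so the
# resolved paths are host paths that must also exist below the jail root.
check_chroot_binary() {
    check_chroot_copies "$1" $(needed_libs "$2")
}

# Usage (paths are assumptions):
#   check_chroot_binary /usr/chroot/havp /usr/chroot/havp/usr/sbin/havp
if [ "$#" -eq 2 ]; then
    check_chroot_binary "$1" "$2"
fi
```

Run it after every emerge that touches the service or its libraries; a non-zero exit with a STALE line means the jail still runs the old code and the build script has to be executed again.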

Chrooted HAVP + libClamAV
{{FileBox|filename=havp-chroot.sh|title=Build chrooted havp|1=
#!/bin/bash
# 20150922  havp-chroot.sh
# GPL-3

PKGDIR="/usr/portage/packages"
CATEGORY="net-proxy"
PN="havp"
CHROOT="/usr/chroot/${PN}"
WORKD=`pwd`
# Cleaning chroot directory.
umount "${CHROOT}"/var/lib/clamav "${CHROOT}/var/log/${PN}" "${CHROOT}"/var/run "${CHROOT}"/var/tmp "${CHROOT}"/dev 1>/dev/null 2>&1
rm -rf "${CHROOT}"
# Make common directories and symlinks.
mkdir -p "${CHROOT}"/{dev,etc}
if [ -d /lib64 ]; then
    mkdir -p "${CHROOT}"/{lib64,usr/lib64}
    cd "${CHROOT}" && ln -s lib64 lib
    cd "${CHROOT}/usr" && ln -s lib64 lib
else
    mkdir -p "${CHROOT}"/{lib,usr/lib}
fi
mkdir -p /var/log/"${PN}" "/var/tmp/${PN}" "${CHROOT}"/var/lib/clamav "${CHROOT}/var/log/${PN}" "${CHROOT}"/var/tmp/ "${CHROOT}"/var/run
chown -R ${PN}:${PN} /var/log/${PN} /var/tmp/${PN} "${CHROOT}/var/log/${PN}"
chmod -R o-rwx /var/log/${PN} /var/tmp/${PN} "${CHROOT}/var/log/${PN}"
chmod -R g-rwx /var/log/${PN} "${CHROOT}"/var/log/${PN}
# Extract package.
tar -xjphf `ls ${PKGDIR}/${CATEGORY}/${PN}* | tail -n 1` -C "${CHROOT}"
# Copy necessary libraries.
cp -pRPd /lib/ld-* "${CHROOT}/lib"
cp `ldd "${CHROOT}/usr/sbin/${PN}" | awk '{print $3}' | grep "^/lib"` "${CHROOT}/lib"
cp `ldd "${CHROOT}/usr/sbin/${PN}" | awk '{print $3}' | grep "^/usr/lib"` "${CHROOT}/usr/lib"
cp -pRPd /usr/lib/libclam* "${CHROOT}/usr/lib"
cp `ldd "${CHROOT}/usr/lib/libclamav.so" | awk '{print $3}' | grep "^/lib"` "${CHROOT}/lib"
cp `ldd "${CHROOT}/usr/lib/libclamav.so" | awk '{print $3}' | grep "^/usr/lib"` "${CHROOT}/usr/lib"
cp `ldd "${CHROOT}/usr/lib/libclamunrar_iface.so" | awk '{print $3}' | grep "^/lib"` "${CHROOT}/lib"
cp `ldd "${CHROOT}/usr/lib/libclamunrar_iface.so" | awk '{print $3}' | grep "^/usr/lib"` "${CHROOT}/usr/lib"
cp `ldd "${CHROOT}/usr/lib/libclamunrar.so" | awk '{print $3}' | grep "^/lib"` "${CHROOT}/lib"
# Copy user information and the libraries needed for it.
cp -pRPd /lib/libnss* /lib/libnsl* /lib/libresolv* "${CHROOT}/lib"
cp /usr/lib/libnss3.so "${CHROOT}/usr/lib"
grep "^${PN}" "/etc/passwd" > "${CHROOT}/etc/passwd"
grep "^${PN}" "/etc/group" > "${CHROOT}/etc/group"
# fstab stuff (the marker comment is what the grep below looks for).
if ! grep -q "HAVP chroot stuff." /etc/fstab; then
cat >> /etc/fstab << EOF
# HAVP chroot stuff.
/var/lib/clamav  ${CHROOT}/var/lib/clamav  none   bind,nodev,noexec,nosuid,rw                                               0 0
/var/log/${PN}   ${CHROOT}/var/log/${PN}   none   bind,nodev,noexec,nosuid,rw                                               0 0
/var/tmp/${PN}   ${CHROOT}/var/tmp         none   bind,nodev,noexec,nosuid,rw                                               0 0
none             ${CHROOT}/var/run         tmpfs  rw,nodev,noexec,nosuid,relatime,size=1024k,mode=755                       0 0
none             ${CHROOT}/dev             tmpfs  rw,noexec,nosuid,relatime,size=1024k,nr_inodes=384443,mode=755            0 0
EOF
fi
mount -a
# Configuration.
cp -fpRPd /etc/${PN}/* ${CHROOT}/etc/${PN}/
cd ${WORKD}
cp -f ${PN} /etc/init.d/
cp -f ${PN} ${CHROOT}/etc/init.d/

exit 0
}}
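The fstab entries in the script are what actually contain a compromised havp inside the jail: every writable path is bind-mounted nodev,noexec,nosuid, and only the jail's /dev keeps device nodes. Mount options can drift later (a remount, an edited fstab), so the following audit is worth keeping next to the build script. It is an added example, not part of the wiki page: it reads mount-table lines in the /proc/self/mounts format and reports any mount below the jail root that lacks a required option, treating the jail's /dev as the one path allowed to carry device nodes. The function names and the /usr/chroot/havp path in the usage comment are assumptions.

```shell
#!/bin/bash
# Mount-option audit for a chroot jail (added example; not part of the page).
# Input lines use the /proc/self/mounts format:
#   <source> <mountpoint> <fstype> <options> <dump> <pass>

# has_opt "<comma-separated options>" "<option>" -> 0 if the option is present
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# audit_jail_mounts <jail root>   (mount table on stdin)
# Every mount below the jail root must carry nodev,noexec,nosuid. The jail's
# /dev is the one exception: it needs device nodes, so it must still be
# noexec,nosuid but not nodev (matching the tmpfs line in the fstab fragment).
# Prints "<mountpoint> missing <opt>" per violation; returns 1 if any was found.
audit_jail_mounts() {
    local jail="$1" status=0 src mnt fstype opts rest want opt
    while read -r src mnt fstype opts rest; do
        case "$mnt" in
            "$jail"/*) ;;          # only mounts inside the jail are audited
            *) continue ;;
        esac
        case "$mnt" in
            "$jail"/dev) want="noexec nosuid" ;;
            *)           want="nodev noexec nosuid" ;;
        esac
        for opt in $want; do
            if ! has_opt "$opts" "$opt"; then
                echo "$mnt missing $opt"
                status=1
            fi
        done
    done
    return "$status"
}

# Live use on a running system (jail path is an assumption):
#   audit_jail_mounts /usr/chroot/havp < /proc/self/mounts
```

Feeding it /proc/self/mounts rather than /etc/fstab checks what the kernel actually enforces right now, which is what matters after someone has remounted a path by hand.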

Reminder
Also you must:
 * properly configure iptables, so that only the tor service can send packets to the Internet;
 * properly set up proxy variables for all your Internet applications and torify them;
 * install and properly configure some privacy add-ons in your browser.