Multi-bridge Oz-daemon and Clearnet Sandboxed Chromium


This is a guide to configuring a clearnet browser using the newest multi-bridge support in Oz-daemon.

We haven't yet packaged this for users, so there are a number of steps one needs to do. This may leave your system in a state where apt later complains about local changes, so be wary of this.

If you are reading these instructions in Subgraph OS, Tor Browser will go away at some point because the Oz daemon is restarted. We recommend you keep the instructions available on another device such as another computer or mobile browser.

Packages that perform all of the below automatically will be deployed to users in the very near future.

Getting started

The commands in this guide will need to be run as root. To escalate to root, type the following:

$ sudo -i

Or you can open the "Root Terminal" from the applications list. The root prompt will be a hash: #, rather than a $.

System update

First you will need to update and upgrade your Subgraph OS system:

# apt-get update

# apt-get upgrade

Local system changes

You need to turn off caching in ferm (our firewall rule manager). Use your favorite editor to to modify the file /etc/default/ferm. The line:

CACHE=yes

Should be changed to:

CACHE=no

Downloads

You then need to download some files from us. In the near future we will be delivering all of this as a system update, but for now it is a manual process:

# cd ~

# wget https://support.subgraph.com/multibridge-test/ferm-multibridge.tgz

# wget https://support.subgraph.com/multibridge-test/oz-daemon_0.2.0-1_amd64.deb

# wget https://support.subgraph.com/multibridge-test/chromium.json

# wget https://support.subgraph.com/multibridge-test/10-hinting-slight.conf

Setup new firewall rules to support bridges in Oz

Uncompress ferm-multibridge.tgz:

# tar xvfz ferm-multibridge.tgz

As root, enter this directory:

# cd /etc/ferm/

# cp ferm.conf ferm.old

# cp ~/ferm/ferm.conf .

# cp ~/ferm/ferm.d/30-oz-bridges.conf ferm.d/

You should have only two files in ferm.d/

# ls ferm.d/

-rw-r--r-- 1 root adm   345 Jan 21  2016 20-fw-daemon.conf
-rw-r--r-- 1 root root  910 Feb  6 19:15 30-oz-bridges.conf

If you have a 30-clear-bridge.conf, remove it, as this version supersedes it.

Install the Chromium clearnet Oz profile:

# cp ~/chromium.json /var/lib/oz/cells.d/chromium.json

Return to home directory:

# cd ~

Fix the ugly font situation

Note that this change will only take effect after you start a new session:

# cp ~/10-hinting-slight.conf /etc/fonts/conf.d/

Add support for extensions

Debian Chromium disables extensions by default. To change this, create the file /etc/chromium.d/allow_extensions with contents:

export CHROMIUM_FLAGS="$CHROMIUM_FLAGS --enable-remote-extensions"

Warning: Upgrading oz-daemon here is a fragile step

Installing a new oz-daemon this way does not run paxrat, which is needed to set a required PaX exception on its executables. Paxrat will need to be run manually immediately after the package is installed, and the oz-daemon service will need to be restarted.

If you are reading these instructions in Tor Browser in Subgraph OS, Tor Browser will go away. Before it can come back you will need to restart oz-daemon, which will require the PaX exception. Here are all three commands on the same line that must be run:

# dpkg -i ~/oz-daemon_0.2.0-1_amd64.deb; paxrat; systemctl restart oz-daemon

Restart ferm:

# systemctl restart ferm

Install Chromium:

# apt-get install chromium

Important

Don't run 'chromium' as root. Close your root terminal, or drop privileges back to regular user. Then, to start Chromium, type the following:

$ chromium
ok received

Alternatively, you can select Chromium from Subgraph OS list of applications (click "Activities", then search for Chromium).

Chromium should now be your clearnet browser.

Notes

  • Chromium is configured here to persist Chromium state (though it is started in incognito mode). If you do not want this, and want a "stateless" Chromium (excl. Downloads), edit and remove the following line (as root) from the profile /var/lib/oz/cells.d/chromium.json:


`, {"path": "${HOME}/.config/chromium", "can_create": true}`

  • Then save it, and either send a HUP signal to the oz-daemon process or just restart it via:

    # systemctl restart oz-daemon.service
  • Chromium in Oz has Oz seccomp-bpf disabled. Chromium has its own seccomp-bpf restricted rendering sandbox. We could add supplementary filters for the whole process tree, and may, we just haven't looked into that yet.

  • Downloads should be saved in Downloads/Chromium inside the sandbox if you want to retrieve them from the outside filesystem.

  • Chromium has a new flag in its profile: reject_user_args. This means that it cannot be invoked to automatically open a specific website at the command-line. For example, chromium https://somesite/got-u shouldn't cause a browser to open and access that site over clearnet. Chromium when run in the sandbox (i.e. over clearnet) should always open to the static page on your filesytem that is defined in the profile.