Multi-bridge Oz-daemon and Clearnet Sandboxed Chromium
This is a guide to configuring a clearnet browser using the newest multi-bridge support in Oz-daemon.
We haven't yet packaged this for users, so there are a number of steps one needs to do. This may leave your system in a state where apt later complains about local changes, so be wary of this.
If you are reading these instructions in Subgraph OS, Tor Browser will go away at some point because the Oz daemon is restarted. We recommend you keep the instructions available on another device such as another computer or mobile browser.
Packages that perform all of the below automatically will be deployed to users in the very near future.
Getting started
The commands in this guide will need to be run as root. To escalate to root, type the following:
$ sudo -i
Or you can open the "Root Terminal" from the applications list. The root prompt will be a hash: #
, rather than a $
.
System update
First you will need to update and upgrade your Subgraph OS system:
# apt-get update
# apt-get upgrade
Local system changes
You need to turn off caching in ferm (our firewall rule manager). Use your favorite editor to to modify the file /etc/default/ferm
. The line:
CACHE=yes
Should be changed to:
CACHE=no
Downloads
You then need to download some files from us. In the near future we will be delivering all of this as a system update, but for now it is a manual process:
# cd ~
# wget https://support.subgraph.com/multibridge-test/ferm-multibridge.tgz
# wget https://support.subgraph.com/multibridge-test/oz-daemon_0.2.0-1_amd64.deb
# wget https://support.subgraph.com/multibridge-test/chromium.json
# wget https://support.subgraph.com/multibridge-test/10-hinting-slight.conf
Setup new firewall rules to support bridges in Oz
Uncompress ferm-multibridge.tgz:
# tar xvfz ferm-multibridge.tgz
As root, enter this directory:
# cd /etc/ferm/
# cp ferm.conf ferm.old
# cp ~/ferm/ferm.conf .
# cp ~/ferm/ferm.d/30-oz-bridges.conf ferm.d/
You should have only two files in ferm.d/
# ls ferm.d/
-rw-r--r-- 1 root adm 345 Jan 21 2016 20-fw-daemon.conf
-rw-r--r-- 1 root root 910 Feb 6 19:15 30-oz-bridges.conf
If you have a 30-clear-bridge.conf
, remove it, as this version supersedes it.
Install the Chromium clearnet Oz profile:
# cp ~/chromium.json /var/lib/oz/cells.d/chromium.json
Return to home directory:
# cd ~
Fix the ugly font situation
Note that this change will only take effect after you start a new session:
# cp ~/10-hinting-slight.conf /etc/fonts/conf.d/
Add support for extensions
Debian Chromium disables extensions by default. To change this, create the file /etc/chromium.d/allow_extensions
with contents:
export CHROMIUM_FLAGS="$CHROMIUM_FLAGS --enable-remote-extensions"
Warning: Upgrading oz-daemon here is a fragile step
Installing a new oz-daemon this way does not run paxrat
, which is needed to set a required PaX exception on its executables. Paxrat will need to be run manually immediately after the package is installed, and the oz-daemon service will need to be restarted.
If you are reading these instructions in Tor Browser in Subgraph OS, Tor Browser will go away. Before it can come back you will need to restart oz-daemon, which will require the PaX exception. Here are all three commands on the same line that must be run:
# dpkg -i ~/oz-daemon_0.2.0-1_amd64.deb; paxrat; systemctl restart oz-daemon
Restart ferm:
# systemctl restart ferm
Install Chromium:
# apt-get install chromium
Important
Don't run 'chromium' as root. Close your root terminal, or drop privileges back to regular user. Then, to start Chromium, type the following:
$ chromium
ok received
Alternatively, you can select Chromium from Subgraph OS list of applications (click "Activities", then search for Chromium).
Chromium should now be your clearnet browser.
Notes
- Chromium is configured here to persist Chromium state (though it is started in incognito mode). If you do not want this,
and want a "stateless" Chromium (excl. Downloads), edit and remove the following line (as root) from the profile
/var/lib/oz/cells.d/chromium.json
:
`, {"path": "${HOME}/.config/chromium", "can_create": true}`
- Then save it, and either send a HUP signal to the oz-daemon process or just restart it via:
# systemctl restart oz-daemon.service
Chromium in Oz has Oz seccomp-bpf disabled. Chromium has its own seccomp-bpf restricted rendering sandbox. We could add supplementary filters for the whole process tree, and may, we just haven't looked into that yet.
Downloads should be saved in
Downloads/Chromium
inside the sandbox if you want to retrieve them from the outside filesystem.Chromium has a new flag in its profile:
reject_user_args
. This means that it cannot be invoked to automatically open a specific website at the command-line. For example,chromium https://somesite/got-u
shouldn't cause a browser to open and access that site over clearnet. Chromium when run in the sandbox (i.e. over clearnet) should always open to the static page on your filesytem that is defined in the profile.