├── live-build
    └── config
    │   ├── archives
    │       ├── experimental.list.chroot
    │       └── experimental.pref.chroot
    │   ├── hooks
    │       └── 0510-root-password.hook.chroot
    │   ├── includes.chroot
    │       ├── etc
    │       │   ├── firejail
    │       │   │   ├── firefox.profile
    │       │   │   └── blacklist-dev.inc
    │       │   ├── rc.local
    │       │   └── iceweasel
    │       │   │   └── profile
    │       │   │       ├── searchplugins
    │       │   │           ├── startpage-ssl.xml
    │       │   │           └── wikipedia-ssl.xml
    │       │   │       └── prefs.js
    │       └── lib
    │       │   └── live
    │       │       └── config
    │       │           └── 1200-setattr
    │   └── package-lists
    │       └── my.list.chroot
├── README.md
└── GUIDE.md


/live-build/config/archives/experimental.list.chroot:
--------------------------------------------------------------------------------
1 | deb http://ftp.debian.org/debian unstable main
2 | deb http://ftp.debian.org/debian experimental main
3 | 


--------------------------------------------------------------------------------
/live-build/config/hooks/0510-root-password.hook.chroot:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | 
3 | set -e
4 | 
5 | usermod -p '$5$GxpbCxvGOmtudd$uL90C.ZOMY6WxI4.x32kTCv38dGiXYUlfWGzCQuHmr3' root
6 | 
7 | 


--------------------------------------------------------------------------------
/live-build/config/archives/experimental.pref.chroot:
--------------------------------------------------------------------------------
1 | Package: iceweasel
2 | Pin: release a=experimental
3 | Pin-Priority: 995
4 | 
5 | Package: *
6 | Pin: release a=unstable
7 | Pin-Priority: 1
8 | 


--------------------------------------------------------------------------------
/live-build/config/includes.chroot/etc/firejail/firefox.profile:
--------------------------------------------------------------------------------
1 | # Firejail profile for Mozilla Firefox (Iceweasel in Debian)
2 | include /etc/firejail/disable-mgmt.inc
3 | include /etc/firejail/disable-secret.inc
4 | include /etc/firejail/blacklist-dev.inc
5 | blacklist ${HOME}/.adobe
6 | blacklist ${HOME}/.macromedia
7 | caps
8 | seccomp
9 | 


--------------------------------------------------------------------------------
/live-build/config/includes.chroot/etc/rc.local:
--------------------------------------------------------------------------------
 1 | #!/bin/sh -e
 2 | #
 3 | # rc.local
 4 | #
 5 | # This script is executed at the end of each multiuser runlevel.
 6 | # Make sure that the script will "exit 0" on success or any other
 7 | # value on error.
 8 | #
 9 | # In order to enable or disable this script just change the execution
10 | # bits.
11 | #
12 | # By default this script does nothing.
13 | 
14 | 


--------------------------------------------------------------------------------
/live-build/config/package-lists/my.list.chroot:
--------------------------------------------------------------------------------
1 | task-english pm-utils alsa-utils unzip screen curl iceweasel spice-vdagent fluxbox attr xserver-xorg-video-modesetting xserver-xorg-video-qxl xserver-xorg-input-evdev xinit x11-apps x11-utils x11-xserver-utils rxvt-unicode iceweasel-noscript iceweasel-perspectives iceweasel-refcontrol iceweasel-requestpolicy iceweasel-openinbrowser iceweasel-https-everywhere
2 | 


--------------------------------------------------------------------------------
/live-build/config/includes.chroot/lib/live/config/1200-setattr:
--------------------------------------------------------------------------------
 1 | #!/bin/sh
 2 | 
 3 | Init ()
 4 | {
 5 | 	echo -n " setattr"
 6 | }
 7 | 
 8 | Config ()
 9 | {
10 | 	if [ -f /usr/bin/iceweasel -a -f /usr/bin/setfattr ]; then
11 | 		setfattr -n user.pax.flags -v m /usr/bin/iceweasel
12 | 		setfattr -n user.pax.flags -v m /usr/lib/iceweasel/plugin-container
13 | 	fi
14 | 
15 | 	# Creating state file
16 | 	touch /var/lib/live/config/setattr
17 | }
18 | 
19 | Init
20 | Config
21 | 


--------------------------------------------------------------------------------
/live-build/config/includes.chroot/etc/firejail/blacklist-dev.inc:
--------------------------------------------------------------------------------
 1 | seccomp mknod
 2 | 
 3 | blacklist /dev/autofs
 4 | blacklist /dev/block
 5 | blacklist /dev/btrfs-control
 6 | blacklist /dev/bus
 7 | blacklist /dev/char
 8 | blacklist /dev/console
 9 | blacklist /dev/cpu
10 | blacklist /dev/cpu_dma_latency
11 | blacklist /dev/disk
12 | blacklist /dev/dri
13 | blacklist /dev/fb0
14 | blacklist /dev/fd
15 | blacklist /dev/full
16 | blacklist /dev/fuse
17 | blacklist /dev/grsec
18 | blacklist /dev/hpet
19 | blacklist /dev/hugepages
20 | blacklist /dev/initctl
21 | blacklist /dev/input
22 | blacklist /dev/kmsg
23 | blacklist /dev/log
24 | blacklist /dev/loop*
25 | blacklist /dev/mapper
26 | blacklist /dev/mcelog
27 | blacklist /dev/mem
28 | blacklist /dev/memory_bandwidth
29 | blacklist /dev/mqueue
30 | blacklist /dev/psaux
31 | blacklist /dev/ptmx
32 | blacklist /dev/pts
33 | blacklist /dev/rtc
34 | blacklist /dev/rtc0
35 | blacklist /dev/shm
36 | blacklist /dev/tty*
37 | blacklist /dev/uinput
38 | blacklist /dev/vcs*
39 | blacklist /dev/vda*
40 | blacklist /dev/vga_arbiter
41 | blacklist /dev/vhost-net
42 | blacklist /dev/virtio*
43 | blacklist /dev/vport*
44 | blacklist /dev/xconsole
45 | 


--------------------------------------------------------------------------------
/live-build/config/includes.chroot/etc/iceweasel/profile/searchplugins/startpage-ssl.xml:
--------------------------------------------------------------------------------
 1 | <SearchPlugin xmlns="http://www.mozilla.org/2006/browser/search/" xmlns:os="http://a9.com/-/spec/opensearch/1.1/">
 2 | <os:ShortName>Startpage (SSL)</os:ShortName>
 3 | <os:Description>Startpage is a search engine that does not collect or share personally identifiable information. This search bar extension utilizes SSL to protect transmissions between You and Startpage.</os:Description>
 4 | <os:InputEncoding>UTF-8</os:InputEncoding>
 5 | <os:Image width="16" height="16">data:image/x-icon;base64,AAABAAEAEBAAAAEAIABoBAAAFgAAACgAAAAQAAAAIAAAAAEAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD2jkj+9YtD/vWLQ/71i0P+9otD/vaLRP72i0T+9YtE/vWLRP72i0T+9otD/vaNRP72jUT+9otF/vaLRf73kkv+9Yc///WJP//1iT//9Yk///rAmf/94Mz/+sCa//aRTv/1iUH/9ok///aJP//2i0H/9otB//aJQv/2iUL/9otC//aNRP/2jUT/9o1E//aNRP/6wpv////////////96dr/95dQ//aNRP/2kET/9pBG//aQRv/2kEb/9pBG//aRR//3lEz/95BH//mueP/7xJ3/959g//efYf/4p23//vDm//3p2//3kEr/95FJ//aRSf/niFH/95FK//aRSv/2mE//95hS/vq4iP/////////////////81bj/95xZ//q4iP//////+bF+//eZT//njFT/PSqi/2xGjv/2mVD/951V/vedVv783cX///////vQrf/++PP///////748//+8uj///////m3gf/olFr/PSuj/w8Pt/9sSJD/951V//eeWf73oVv++8ul///////5sXf/+KRi//vRsf////////////3r3v/olF//Piyk/w8Pt/9sSJH/+J5Z//ieWv/3oV/++KZf/vihXP/97N7//vn0//zTs//6wJP/+bBy//q6iP/onW//Piyl/w8Pt/8fGbH/m2iB/+icY//4pGD/96hl/viqZf74pmD/+Kxr//3iy/////////n1//ivbP/onGj/Pi2m/w8Pt/8uJKz/fFeQ/x8Zsf8+Lqb/6J9r//ivbP74rm3++Klm//mpZv/5q2f/+bR9//m0e//poW7/Pi6n/w8Pt/9sTZj/+Ktp//ira/+rd4P/Dw+3/4xijv/5snH++LN1/vmvbf/5r23/+a5t//mvb//4r2//TTuk/w8Pt/8fGrL/6ah1//ivcP/4r3P/q3yI/w8Pt/+MZpP/+bN5/vm4ev75t3X/+bV1//m1df/5t3X/+Ld3/8qUhP98XZn/Hxqz/+mse//5t3f/2p+B/x8as/8PD7f/u4qK//m7fv76u4D++bl7//m3fP/5uXz/+bl8//m5fP/5t3z/+bl//x8as/9NPKf/fWCb/x8as/8PD7f/bVOh//q5f//6v4X++sGI/vm9g//5voX/+b6F//m9hf/6vYX/+r6F//nCh/+bepr/Hxu0/w8Pt/8PD7f/fWOh//q+hf/6wof/+saN/vrGjf75xIv/+ceL//nEi//5xIv/+sSL//rHi//6x43/+ceN/+m7kP+7lpj/6ruQ//rHkP/6x43/+seQ//rLlf76ypT++seR//rJkf/6yZH/+seR//rJkf/6yZH/+8mR//vJlP/7yZT/+smU//rJlP/6yZT/+8yV//rJlf/6zpn+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==</os:Image>
 6 | <SearchForm>https://startpage.com/</SearchForm>
 7 | <os:Url type="text/html" method="POST" template="https://startpage.com/do/metasearch.pl" resultDomain="startpage.com">
 8 |   <os:Param name="query" value="{searchTerms}"/>
 9 |   <os:Param name="cat" value="web"/>
10 |   <os:Param name="language" value="english"/>
11 | </os:Url>
12 | </SearchPlugin>


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # Live-Armor
 2 | 
 3 | This repository contains the
 4 | [Live-Armor Guide](https://fatemachine.github.io/live-armor/), a guide
 5 | to building custom Linux
 6 | [live images](https://en.wikipedia.org/wiki/Live_CD) for security
 7 | sandboxing using tools from the [Debian](https://www.debian.org)
 8 | [Live Systems](http://www.live-systems.org/) project and
 9 | [Grsecurity](https://www.grsecurity.net/).
10 | 
11 | The `live-build` directory contains an example configuration for Debian
12 | [live-build](http://live-systems.org/manual/current/html/live-manual/installation.en.html#118)
13 | that can be used as a starting point for building a custom live image.
14 | This configuration is based on the one covered in the Guide.
15 | 
16 | ## Quick Start
17 | 
18 | 1. Install [live-build
19 | 5.0](https://packages.debian.org/experimental/live-build).
20 | 
21 | 1. Create an empty directory that will contain your live image
22 |    configuration and build data.
23 | 
24 | 1. Change to your live image directory and run: `lb config`
25 | 
26 | 1. Copy the `live-build/config` tree of this repository into the
27 |    `config` subdirectory that `lb config` just created, for example by
28 |    using `cp -r`.
29 | 
30 | 1. Edit `config/binary` and add the `union=overlay` and optionally
31 |    `live-config.noroot` kernel boot parameters to the
32 |    `LB_BOOTAPPEND_LIVE` and `LB_BOOTAPPEND_LIVE_FAILSAFE` variables.
33 | 
34 |    If you added `live-config.noroot` to disable sudo, choose your root
35 |    password by running `mkpasswd` (part of the
36 |    [whois](https://packages.debian.org/whois) package) and replace the
37 |    argument to `usermod -p` in
38 |    `config/hooks/0510-root-password.hook.chroot` with the output of
39 |    `mkpasswd`.
40 | 
41 |    If you did not add `live-config.noroot` and are therefore using the
42 |    default unprotected sudo access method, delete
43 |    `config/hooks/0510-root-password.hook.chroot`.
44 | 
45 |    Note: The default login credentials are username `user` and password
46 |    `live`.
47 | 
48 | 1. Edit `config/chroot` and change `LB_UNION_FILESYSTEM="aufs"` to
49 |    `LB_UNION_FILESYSTEM="overlay"`.
50 | 
51 | 1. Inspect the list of custom packages in
52 |    `config/package-lists/my.list.chroot` and make any desired changes.
53 | 
54 | 1. Add `.deb` package files to the `config/packages.chroot` directory:
55 | 
56 |    * Your custom live system kernel package, with a name that begins
57 |      with `linux-image`.  See the Guide for instructions on configuring
58 |      and building a custom kernel.
59 |    * `live-boot` and `live-boot-initramfs-tools` packages patched for
60 |      OverlayFS support.  See the Guide for instructions.
61 |    * `live-config` and `live-config-systemd` package versions that match
62 |      the `live-boot` version, for example from Debian `experimental`.
63 | 
64 | 1. Re-run `lb config`.
65 | 
66 | 1. Build your live image: `lb build 2>&1 | tee build.log`
67 | 
68 | This configuration has been tested with the following software versions:
69 | 
70 | - Debian [jessie](https://www.debian.org/releases/jessie/)
71 | - Linux [kernel](https://www.kernel.org/) version 3.18.x
72 | - [live-build](https://packages.debian.org/live-build) 5.0a3
73 | - [live-boot](https://packages.debian.org/live-boot) and
74 |   [live-config](https://packages.debian.org/live-config) 5.0a1, with
75 |   live-boot patched for OverlayFS support
76 | - [QEMU](https://packages.debian.org/qemu-system-x86) 2.1
77 | 


--------------------------------------------------------------------------------
/live-build/config/includes.chroot/etc/iceweasel/profile/searchplugins/wikipedia-ssl.xml:
--------------------------------------------------------------------------------
 1 | <SearchPlugin xmlns="http://www.mozilla.org/2006/browser/search/" xmlns:os="http://a9.com/-/spec/opensearch/1.1/">
 2 | <os:ShortName>Wikipedia (SSL)</os:ShortName>
 3 | <os:Description>Wikipedia is an openly-editable, free content internet encyclopedia. This search bar add-on utilizes SSL to protect searches between You and Wikipedia.</os:Description>
 4 | <os:InputEncoding>UTF-8</os:InputEncoding>
 5 | <os:Image width="16" height="16">data:image/x-icon;base64,AAABAAMAMDAQAAEABABoBgAANgAAACAgEAABAAQA6AIAAJ4GAAAQEBAAAQAEACgBAACGCQAAKAAAADAAAABgAAAAAQAEAAAAAAAABgAAAAAAAAAAAAAQAAAAAAAAAAEBAQAXFxcAMDAwAEdHRwBYWFgAZ2dnAHZ2dgCHh4cAlZWVAKmpqQC3t7cAx8fHANfX1wDo6OgA/v7+AAAAAAD////+7u7u7u7u7u7u7u7u7u7u7u///////+7u7u7u7u7u7u7u7u7u7u7u7u7u/////u7u7u7u7u7u7u7u7u7u7u7u7u7u7///7u7u7u7u7u7u7u7u7u7u7u7u7u7u7v/+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u/+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u/+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u/u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7sa+7u7u7u1b7u7u7u7u7u7u7u7u7u7u7p9u7u7u7ugG7u7u7u7u7u7u7u7u7u7u7TAa7u7u7tQBzu7u7u7u7u7u7u7u7u7u6wAF7u7u7pAAju7u7u7u7u7u7u7u7u7u1AAAru7u7U//Le7u7u7u7u7u7u7u7u7uz/8RPe7u6gAB+e7u7u7u7u7u7u7u7u7ubw94Ce7u1QAIIu7u7u7u7u7u7u7u7u7tH/G+Mt7usAAtcL7u7u7u7u7u7u7u7u7n8ATun47uQACO0T7u7u7u7u7u7u7u7u7hDxnu4x3sAPLO5Qzu7u7u7u7u7u7u7u6P/z7u6wXk/wfu7ATu7u7u7u7u7u7u7u4QAY7u7kCQADzu7kDO7u7u7u7u7u7u7uoA8u7u7sAAAG7u7r9e7u7u7u7u7u7u7uIPB+7u7uUAAs7u7uMd7u7u7u7u7u7u7rEAHe7u7uQABu7u7un37u7u7u7u7u7u7kAAXu7u7sAPHe7u7u4S3u7u7u7u7u7u7BAA3u7u7k8AHO7u7u6Aju7u7u7u7u7u5g/07u7u7B8BBe7u7u7RLu7u7u7u7u7u0v/87u7u5QAGQa7u7u7nCe7u7u7u7u7ugAA+7u7uwQ8dsE7u7u7rBO7u7u7u7u7tP/++7u7uYAB+5Qnu7u7tQa7u7u7u7u7pH/Lu7u7sLwHe6xPe7u7ur27u7u7u7u7V//ru7u7mAAju7n+e7u7u0yvu7u7u7u6h8C3u7u6yAB3u7rEs7u7u6Pfu7u7u7u1AAE7u7u5g/27u7tQG3u7u6QHO7u7u7tbwAB3u7ukfAH7u7sIAju7u5wA97u7utiAAAAF76lAA/wWeyDAA84zqUAABfO7uMiNERDIm4iNERDIrkiNEQybiI0RDJO7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u/+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u/+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u//7u7u7u7u7u7u7u7u7u7u7u7u7u7u7v///u7u7u7u7u7u7u7u7u7u7u7u7u7u7////+7u7u7u7u7u7u7u7u7u7u7u7u7u///////+7u7u7u7u7u7u7u7u7u7u7u/////+AAAAAH8AAPAAAAAADwAA4AAAAAAHAADAAAAAAAMAAIAAAAAAAQAAgAAAAAABAACAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAAABAACAAAAAAAEAAIAAAAAAAQAAwAAAAAADAADgAAAAAAcAAPAAAAAADwAA/gAAAAB/AAAoAAAAIAAAAEAAAAABAAQAAAAAAIACAAAAAAAAAAAAABAAAAAAAAAAAQEBABYWFgAnJycANTU1AEdHRwBZWVkAZWVlAHh4eACIiIgAmZmZAK6urgDMzMwA19fXAOnp6QD+/v4AAAAAAP//7u7u7u7u7u7u7u7u////7u7u7u7u7u7u7u7u7u7//u7u7u7u7u7u7u7u7u7u7/7u7u7u7u7u7u7u7u7u7u/u7u7u7u7u7u7u7u7u7u7u7u7u7u7X3u7u7I7u7u7u7u7u7u7uYF7u7uIK7u7u7u7u7u7u7QAM7u6vBO7u7u7u7u7u7ucABe7uMA/O7u7u7u7u7u7R8q/O6gCEbu7u7u7u7u7ukAnibuTx6g3u7u7u7u7u7hAe6gzP+O4Y7u7u7u7u7urwju4mXx7uge7u7u7u7u7jAd7uoACO7tCe7u7u7u7uoPfu7uEB3u7mPu7u7u7u7k8N7u7QBu7u6wru7u7u7uwAXu7ufwbu7u407u7u7u7lAM7u7RBQzu7ur87u7u7u0ATu7ucA0l7u7uFu7u7u7n/67u7RB+oL7u7nHe7u7u0fPu7ucA3uJO7u7Qju7u7o/67u7Q9u7q+u7u5R3u7u0Q/e7ub/vu7PLO7uX13u4w//Be4v/xnoH/+ekv//Xu7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7+7u7u7u7u7u7u7u7u7u7v/u7u7u7u7u7u7u7u7u7u7//u7u7u7u7u7u7u7u7u7v///+7u7u7u7u7u7u7u7v//8AAAD8AAAAOAAAABgAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAGAAAABwAAAA/AAAA8oAAAAEAAAACAAAAABAAQAAAAAAMAAAAAAAAAAAAAAABAAAAAAAAAAAQEBABcXFwAnJycAOzs7AElJSQBpaWkAeXl5AIaGhgCVlZUApqamALOzswDMzMwA2dnZAObm5gD+/v4AAAAAAP/u7u7u7u7//u7u7u7u7u/u7uzu7t7u7u7u4Y7lTu7u7u6QTtA77u7u7iaoctXu7u7qDOQZ5d7u7uRO5R7rbu7uv77iLu5O7u5D7pGn7pju7QrtKOTe4+6z+OT40z2RTO7u7u7u7u7u7u7u7u7u7u7+7u7u7u7u7//u7u7u7u7/wAMAD4ABAA8AAAAPAAAADwAAAA8AAAAPAAAADwAAAA8AAAAPAAAADwAAAA8AAAAPAAAADwAAAA+AAQAPwAMADw==</os:Image>
 6 | <SearchForm>https://en.wikipedia.org/wiki/Special:Search</SearchForm>
 7 | <os:Url type="text/html" method="GET" template="https://en.wikipedia.org/wiki/Special:Search" resultDomain="en.wikipedia.org">
 8 |   <os:Param name="search" value="{searchTerms}"/>
 9 | </os:Url><os:Url type="application/x-suggestions+json" method="GET" template="https://en.wikipedia.org/w/api.php" resultDomain="en.wikipedia.org">
10 |   <os:Param name="action" value="opensearch"/>
11 |   <os:Param name="search" value="{searchTerms}"/>
12 | </os:Url>
13 | </SearchPlugin>


--------------------------------------------------------------------------------
/live-build/config/includes.chroot/etc/iceweasel/profile/prefs.js:
--------------------------------------------------------------------------------
  1 | # Mozilla User Preferences
  2 | 
  3 | /* Don't start finding text when any input is typed */
  4 | user_pref("accessibility.typeaheadfind.autostart", false);
  5 | 
  6 | /* Start with a simple blank page */
  7 | user_pref("browser.startup.page", 1);
  8 | user_pref("browser.startup.homepage", "about:about");
  9 | 
 10 | /* Don't send every URL we visit to Google */
 11 | user_pref("browser.safebrowsing.enabled", false);
 12 | user_pref("browser.safebrowsing.malware.enabled", false);
 13 | 
 14 | /* Don't save information entered in web forms and search bars */
 15 | user_pref("browser.formfill.enable", false);
 16 | 
 17 | /* Backspace goes back one page in history */
 18 | user_pref("browser.backspace_action", 0);
 19 | 
 20 | /* Ask where to save downloads */
 21 | user_pref("browser.download.useDownloadDir", false);
 22 | 
 23 | /* When JavaScript wants to open a new window, open a tab instead */
 24 | user_pref("browser.link.open_newwindow.restriction", 0);
 25 | 
 26 | /* Always use Private Browsing Mode */
 27 | user_pref("browser.privatebrowsing.autostart", true);
 28 | 
 29 | /* Disable search suggestions */
 30 | user_pref("browser.search.suggest.enabled", false);
 31 | 
 32 | /* Limit state information saved between sessions */
 33 | user_pref("browser.sessionstore.max_tabs_undo", 5);
 34 | user_pref("browser.sessionstore.resume_from_crash", false);
 35 | 
 36 | /* Turn off tab animations */
 37 | user_pref("browser.tabs.animate", false);
 38 | 
 39 | /* Turn off URL bar funny business */
 40 | user_pref("browser.urlbar.autocomplete.enabled", false);
 41 | user_pref("browser.urlbar.trimURLs", false);
 42 | 
 43 | /* Disallow JavaScript access to potentially dangerous APIs */
 44 | user_pref("dom.event.clipboardevents.enabled", false);
 45 | user_pref("dom.battery.enabled", false);
 46 | user_pref("dom.disable_window_open_feature.menubar", true);
 47 | user_pref("dom.disable_window_open_feature.personalbar", true);
 48 | user_pref("dom.disable_window_open_feature.scrollbars", true);
 49 | user_pref("dom.disable_window_open_feature.toolbar", true);
 50 | user_pref("dom.popup_maximum", 10);
 51 | user_pref("dom.storage.default_quota", 0);
 52 | 
 53 | /* Override User-Agent data to mitigate browser fingerprinting.
 54 |  * See https://panopticlick.eff.org/
 55 |  */
 56 | user_pref("general.appname.override", "Netscape");
 57 | user_pref("general.appversion.override", "5.0 (Windows)");
 58 | user_pref("general.buildID.override", 0);
 59 | user_pref("general.oscpu.override", "Windows NT 6.2");
 60 | user_pref("general.platform.override", "Win32");
 61 | user_pref("general.productSub.override", "20100101");
 62 | user_pref("general.useragent.override", "Mozilla/5.0 (Windows NT 6.2; rv:36.0) Gecko/20100101 Firefox/36.0");
 63 | user_pref("general.useragent.vendor", "");
 64 | user_pref("general.useragent.vendorSub", "");
 65 | user_pref("general.warnOnAboutConfig", false);
 66 | user_pref("intl.accept_languages", "en-us,en;q=0.5");
 67 | 
 68 | /* Turn off "location aware browsing" */
 69 | user_pref("geo.enabled", false);
 70 | 
 71 | /* Turn off sending non-URL words entered in the URL bar to Google */
 72 | user_pref("keyword.enabled", false);
 73 | 
 74 | /* Turn off spell-checking */
 75 | user_pref("layout.spellcheckDefault", 0);
 76 | 
 77 | /* Disable cookies by default. Use an extension for site-specific
 78 |  * whitelisting.
 79 |  */
 80 | user_pref("network.cookie.cookieBehavior", 2);
 81 | user_pref("network.cookie.thirdparty.sessionOnly", true);
 82 | 
 83 | /* Disable IPv6 unless you want to use it. */
 84 | user_pref("network.dns.disableIPv6", true);
 85 | 
 86 | /* Don't "proactively" perform DNS resolution */
 87 | user_pref("network.dns.disablePrefetch", true);
 88 | 
 89 | /* Unneeded unless we're using v6 */
 90 | user_pref("network.http.fast-fallback-to-IPv4", false);
 91 | 
 92 | /* Enable pipelining for better performance */
 93 | user_pref("network.http.pipelining", true);
 94 | user_pref("network.http.pipelining.maxrequests", 15);
 95 | user_pref("network.http.pipelining.ssl", true);
 96 | user_pref("network.http.proxy.pipelining", true);
 97 | user_pref("network.http.redirection-limit", 5);
 98 | 
 99 | /* Don't "proactively" fetch pages that haven't been requested */
100 | user_pref("network.prefetch-next", false);
101 | 
102 | /* Disable Websockets by default */
103 | user_pref("network.websocket.enabled", false);
104 | 
105 | /* Enable the Do-Not-Track header in HTTP requests */
106 | user_pref("privacy.donottrackheader.enabled", true);
107 | 
108 | /* Clear Private Data when closing the browser */
109 | user_pref("privacy.sanitize.sanitizeOnShutdown", true);
110 | 
111 | /* Disable unsafe RC4 ciphers */
112 | user_pref("security.ssl3.ecdhe_ecdsa_rc4_128_sha", false);
113 | user_pref("security.ssl3.ecdhe_rsa_rc4_128_sha", false);
114 | user_pref("security.ssl3.rsa_rc4_128_md5", false);
115 | user_pref("security.ssl3.rsa_rc4_128_sha", false);
116 | 
117 | /* Disable WebGL by default */
118 | user_pref("webgl.disabled", true);
119 | 


--------------------------------------------------------------------------------
/GUIDE.md:
--------------------------------------------------------------------------------
   1 | # The Live-Armor Guide
   2 | ## Building Custom Live Images with Debian and Grsecurity
   3 | 
   4 | This guide explains how to build custom live system images for security
   5 | sandboxing using tools from the [Debian](https://www.debian.org)
   6 | [Live Systems](http://www.live-systems.org/) project and
   7 | [Grsecurity](https://www.grsecurity.net).
   8 | 
   9 | For concreteness we will focus on building a custom live image for
  10 | sandboxing the Firefox web browser (also known as Iceweasel in the Debian
  11 | world).  However, the same tools and procedures will allow you to build any
  12 | kind of Debian-based live image you want.
  13 | 
  14 | - [Motivation](#motivation)
  15 | - [Prerequisites](#prerequisites)
  16 | - [Limitations and Alternatives](#limitations-and-alternatives)
  17 | - [Architecture](#architecture)
  18 | - [Layer 1: The Host System](#layer-1-the-host-system)
  19 | - [Layer 2: The Guest Image](#layer-2-the-guest-image)
  20 | - [Layer 3: Firejail](#layer-3-firejail)
  21 | - [Layer 4: Firefox/Iceweasel Customization](#layer-4-firefoxiceweasel-customization)
  22 | 
  23 | ## Motivation
  24 | 
  25 | ### The browser problem
  26 | 
  27 | If you're alive and technically aware in 2015, you know that Internet,
  28 | operating system, and applications software are security disaster areas.
  29 | End-user systems such as workstations and laptops are especially hard to
  30 | protect against the growing tide of malware, most of it delivered via the
  31 | Internet.
  32 | 
  33 | After basic security measures have been taken, such as disabling unnecessary
  34 | operating system services and firewalling network access, the largest attack
  35 | surface on a typical end-user system today is the web browser.  Popular
  36 | browsers are large and complex pieces of software, invariably written in
  37 | [unsafe](https://en.wikipedia.org/wiki/Memory_safety) languages for
  38 | performance (although this may slowly be
  39 | [changing](https://github.com/servo/servo)).
  40 | [Critical](https://www.mozilla.org/en-US/security/advisories/)
  41 | [vulnerabilities](http://www.cvedetails.com/vulnerability-list/vendor_id-1224/product_id-15031/opec-1/Google-Chrome.html)
  42 | are discovered in popular browsers every month, any one of which can allow a
  43 | remote attacker to take complete control over the computer running the
  44 | browser.  While this problem is now well known and recognized by browser
  45 | vendors and efforts are being made to improve the status quo, building a
  46 | secure browser has turned out to be a long and difficult road.  Meanwhile,
  47 | users are left adrift and vulnerable, and even the technically skilled have
  48 | few good options for securing web browser installations.
  49 | 
  50 | ### Live images
  51 | 
  52 | A *live image* is a complete operating system image file (usually in
  53 | [ISO format](https://en.wikipedia.org/wiki/ISO_image)) that can be loaded at
  54 | system boot time from CD/DVD/USB media and that runs completely from RAM.
  55 | No hard disk or any other form of persistent media is required.  Changes can
  56 | be made normally to the running system, but all changes are lost when the
  57 | system is powered down or reset. (Some live images support an optional
  58 | persistence partition that allows the user to store data that persists
  59 | across restarts.)
  60 | 
  61 | Live images are a powerful tool for
  62 | [sandboxing](https://en.wikipedia.org/wiki/Sandbox_(computer_security)).
  63 | Even if the live operating system or applications are compromised during
  64 | runtime, the next reboot will restore the system to its original clean
  65 | state.  Simply using a live system is no guarantee of security, but it can
  66 | make long-term compromise of a system significantly more difficult,
  67 | especially when combined with other countermeasures as part of a
  68 | top-to-bottom architecture that takes into account each layer from the
  69 | lowest (physical setting) through the highest (user applications).
  70 | 
  71 | ## Prerequisites
  72 | 
  73 | This guide assumes you are an experienced systems administrator who is
  74 | comfortable with Debian and with configuring and building the
  75 | [Linux kernel](https://www.kernel.org/).
  76 | 
  77 | ## Limitations and Alternatives
  78 | 
  79 | The live image method is a relatively heavyweight approach to browser
  80 | security.  Configuring and building a custom live image takes time and
  81 | skill, and using one is harder than using a browser directly.  All
  82 | browser customization must be done as part of live system configuration,
  83 | which means that making even simple persistent changes to the browser
  84 | requires updating the live configuration and rebuilding the live image.
  85 | This is more work than most users are willing to put up with.
  86 | 
  87 | There are a few alternatives:
  88 | 
  89 | - Use a pre-built live system.  This obviates the need to configure and
  90 |   build the live image yourself, and is ideal if you can find such an image
  91 |   that you trust and that closely matches your needs.  Unfortunately, few
  92 |   such images seem to be available today that are built with security in
  93 |   mind.  An exception is [Tails](https://tails.boum.org/), but it may not be
  94 |   suitable unless you want to route all data through Tor.
  95 | 
  96 | - Use a [chroot](https://en.wikipedia.org/wiki/Chroot) jail.  Setting up a
  97 |   secure chroot environment is a difficult task, and should only be
  98 |   attempted if you are fully aware of the security weaknesses of vanilla
  99 |   chroot environments and employ kernel hardening measures to guard against
 100 |   them, such as the chroot restrictions available in
 101 |   [Grsecurity](https://www.grsecurity.net/) kernels.  A chroot jail provides
 102 |   a relatively thin barrier between the guest and host environments and does
 103 |   not in itself provide the "clean boot" property of a live image.
 104 | 
 105 | - Use a [namespace/cgroups](https://en.wikipedia.org/wiki/Cgroups) jail.
 106 |   Newer Linux kernels provide a range of other features that can be used to
 107 |   create container or jail environments.  As with chroot, such environments
 108 |   are difficult to configure securely, although tools such as
 109 |   [Firejail](https://l3net.wordpress.com/projects/firejail/) can make this
 110 |   easier.  And as with chroot jails, programs running in a namespace jail
 111 |   can still make system calls directly into the host kernel, and thus are in
 112 |   a position to exploit kernel-level security flaws.
 113 | 
 114 | - Use a kernel security framework like
 115 |   [AppArmor](https://en.wikipedia.org/wiki/AppArmor),
 116 |   [SELinux](https://en.wikipedia.org/wiki/SELinux), or Grsecurity
 117 |   [RBAC](https://en.wikibooks.org/wiki/Grsecurity/The_RBAC_System) to
 118 |   restrict the areas of the system that the application can access.  These
 119 |   frameworks serve mainly to prevent a compromised program from affecting
 120 |   the rest of the system.  They are best used along with other exploit
 121 |   prevention and sandboxing measures.
 122 | 
 123 | ## Architecture
 124 | 
 125 | In this guide we will assume a four-layer architecture that comprises:
 126 | 
 127 | 1. A host system, such as a workstation or laptop
 128 | 1. A guest live system, running as a virtual machine on the host system
 129 | 1. A container jail environment, running inside the guest system
 130 | 1. A Firefox/Iceweasel browser, running inside the jail
 131 | 
 132 | We could consider variations, such as booting and running the live image on
 133 | bare metal.  In fact, most of this guide concerns setting up the live image
 134 | and applies equally well regardless of how and where the live system is run.
 135 | One of the advantages of a live image is that it can be carried around on
 136 | bootable read-only media and run from any system you happen to have access
 137 | to, provided the image was built with the drivers needed to drive the host
 138 | hardware.
 139 | 
 140 | A word on virtual machines.  A virtual machine can never be more secure than
 141 | the host it's running on.  Even if your guest operating system and
 142 | applications are completely secure, all is lost if the host has been
 143 | compromised.  The purpose of building a live image sandbox is to protect the
 144 | host from the guest and its applications.  There is no way to protect the
 145 | guest from the host.
 146 | 
 147 | Running applications like web browsers within a virtual machine provides a
 148 | relatively high degree of isolation between them and the host.  If the
 149 | application is compromised, the attacker may gain control over the guest
 150 | system, but attacking the host from the guest is a difficult task as long as
 151 | basic host security precautions have been taken.  Although guest-to-host
 152 | exploits that attack the hypervisor interface are
 153 | [possible](https://lwn.net/Articles/619376/), such hypervisor flaws are rare
 154 | compared to browser flaws and the hypervisor attack surface is much smaller.
 155 | The risk can be mitigated further through
 156 | [kernel hardening](https://en.wikipedia.org/wiki/PaX) on both the host and
 157 | guest systems, and by using a kernel security framework on the host to
 158 | restrict the access of hypervisor processes.
 159 | 
 160 | The architecture described in this guide is an example of the principle of
 161 | [defense in depth](https://en.wikipedia.org/wiki/Defense_in_depth_(computing)).
 162 | Multiple independent security layers are employed simultaneously, each
 163 | providing a qualitatively different containment barrier around the
 164 | vulnerable application.  These security layers are:
 165 | 
 166 | 1. A host system with a kernel hardened using PaX/Grsecurity, and
 167 |    restriction of hypervisor processes using Grsecurity Role Based Access
 168 |    Control (RBAC)
 169 | 1. A guest system built as a read-only live image with a PaX kernel
 170 | 1. A container jail environment inside the guest, created with
 171 |    [Firejail](https://l3net.wordpress.com/projects/firejail/)
 172 | 1. Security-oriented application-level configuration of a Firefox browser,
 173 |    including default settings and extensions
 174 | 
 175 | ## Layer 1: The Host System
 176 | 
 177 | For our purposes, the only role of the host system is to provide an
 178 | environment for building and running a live image.  We will assume that the
 179 | host is a Linux system and that [KVM](http://linux-kvm.org/) will be used to
 180 | run the live image.
 181 | 
 182 | ### Step 1.1: Configure PaX/Grsecurity
 183 | 
 184 | This step is optional, but recommended.  Running a Linux kernel patched with
 185 | PaX/Grsecurity on the host provides a significantly better security baseline
 186 | than vanilla Linux.  The Grsecurity RBAC system also provides a way to
 187 | restrict the access privileges of hypervisor (QEMU/KVM) processes and other
 188 | programs running on the host.
 189 | 
 190 | Setting up Grsecurity requires downloading the Linux kernel
 191 | [source](https://www.kernel.org/), applying the
 192 | [Grsecurity patch](https://www.grsecurity.net/) that matches the kernel
 193 | version, configuring the kernel (including PaX/Grsecurity parameters),
 194 | building the kernel, and finally installing and booting it.  Assuming
 195 | you have downloaded the kernel source as a file with a name like
 196 | `linux-x.y.z.tar.xz` and the corresponding Grsecurity
 197 | [patch](https://www.grsecurity.net/download.php) as `grsecurity.patch`
 198 | (the actual patch filename contains version and date information), the
 199 | basic steps are:
 200 | 
 201 | ```
 202 | $ tar axf linux-x.y.z.tar.xz
 203 | $ cd linux-x.y.z
 204 | $ patch -p1 < ../grsecurity.patch
 205 | $ make nconfig
 206 | [edit and save kernel configuration]
 207 | $ make deb-pkg
 208 | ```
 209 | 
 210 | If all goes well, this will produce a `linux-image` Debian package file
 211 | along with related package files for kernel headers, firmware,
 212 | etc. according to Debian kernel-packaging conventions.  These `.deb`
 213 | files can be installed directly with `dpkg -i`. Another way to build
 214 | Debian packages from kernel source is to use
 215 | [kernel-package](https://packages.debian.org/kernel-package).
 216 | 
 217 | Refer to the
 218 | [Grsecurity documentation](https://en.wikibooks.org/wiki/Grsecurity) for
 219 | instructions on applying the Grsecurity patch and configuring the
 220 | PaX/Grsecurity kernel settings.  When configuring the kernel, try to
 221 | eliminate any drivers and features that you don't need on the host system,
 222 | and enable other important security options such as
 223 | [module signing](https://www.kernel.org/doc/Documentation/module-signing.txt),
 224 | [stack protection](https://lwn.net/Articles/584225/), and
 225 | [seccomp](https://wiki.mozilla.org/Security/Sandbox/Seccomp).  Consult the
 226 | Ubuntu
 227 | [Kernel Hardening](https://wiki.ubuntu.com/Security/Features#Kernel_Hardening)
 228 | feature checklist for other important kernel security features and
 229 | parameters.
 230 | 
 231 | ### Step 1.2: Configure the hypervisor
 232 | 
 233 | Ensure QEMU/KVM is installed on the host:
 234 | 
 235 | ```
 236 | # apt-get install qemu-kvm
 237 | ```
 238 | 
 239 | For QEMU/KVM, hypervisor configuration takes the form of passing a set of
 240 | command-line options to `kvm` (which itself is just a wrapper around
 241 | `qemu-system-x86_64`).  Here is an example script that can be used to boot
 242 | an image with some useful QEMU options:
 243 | 
 244 | ```shell
 245 | #!/bin/sh
 246 | 
 247 | export QEMU_AUDIO_DRV=alsa
 248 | 
 249 | exec /usr/bin/kvm -cpu host -m 2048 -drive file=$1,if=virtio,media=cdrom \
 250 |     -balloon virtio \
 251 |     -usbdevice tablet \
 252 |     -soundhw hda \
 253 |     -vga std \
 254 |     -netdev user,id=network0 -device virtio-net,netdev=network0 \
 255 |     -virtfs local,path=/tmp/guest_share,mount_tag=share,security_model=mapped-xattr
 256 | ```
 257 | 
 258 | To use this script, pass the image you wish to boot as an argument.
 259 | 
 260 | * `-cpu host` tells QEMU to emulate the precise CPU that the host uses,
 261 |   rather than some different or more generic CPU.  This provides the best
 262 |   performance.
 263 | * `-m 2048` allocates 2GB of RAM to the guest (the default is 128MB).
 264 | * `-drive file=$1,if=virtio,media=cdrom` says to use the filename passed as
 265 |   the argument `$1` as the virtual boot drive, to treat it as CDROM media,
 266 |   and to represent it as a [Virtio](http://www.linux-kvm.org/page/Virtio)
 267 |   device rather than emulating some form of disk hardware.  This requires
 268 |   Virtio driver support in the guest kernel.  Use Virtio interfaces and
 269 |   drivers whenever possible for best performance and feature support.
 270 | * `-balloon virtio` enables
 271 |   [balloon](http://www.linux-kvm.org/page/Projects/auto-ballooning) support,
 272 |   allowing the guest to dynamically grow and release memory back to the
 273 |   host.  This requires memory balloon support in the guest kernel.
 274 | * `-usbdevice tablet` is necessary to prevent mismatched host/guest mouse
 275 |   pointers when using VNC.
 276 | * `-soundhw hda` instructs QEMU to emulate HDA PCI sound hardware.  Combined
 277 |   with the `export QEMU_AUDIO_DRV=alsa` line, this should provide working
 278 |   guest-to-host sound.  If you don't need sound, you can remove these two
 279 |   lines.  This requires HDA sound driver support in the guest kernel.
 280 | * `-vga std` enables high-resolution video mode support.
 281 | * `-netdev user,id=network0 -device virtio-net,netdev=network0` enables
 282 |   basic networking support, placing the guest on a private virtual network
 283 |   that can access the Internet via the host.
 284 | * `-virtfs local,path=/tmp/guest_share,mount_tag=share,security_model=mapped-xattr`
 285 |   sets up a shared directory between the host and the guest so that files
 286 |   can easily be moved back and forth.  The directory `/tmp/guest_share` on
 287 |   the host is made accessible to the guest using
 288 |   [9p](http://www.linux-kvm.org/page/9p_virtio).  This requires 9p Virtio
 289 |   support in the guest kernel.
 290 | 
 291 | You should verify that you can use a script like the above to boot a vanilla
 292 | live ISO image on the host.  Standard Debian
 293 | [live images](http://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/)
 294 | are available from the [Live Systems project](http://live-systems.org/).
 295 | 
 296 | To use a VNC display rather than QEMU's default SDL display, you can add an
 297 | option like `-vnc 127.0.0.1:0` and use a VNC client to connect to QEMU on
 298 | port 5900.
 299 | 
 300 | There is a newer display technology for QEMU called
 301 | [SPICE/QXL](http://www.linux-kvm.org/page/SPICE).  In theory, this should
 302 | provide better graphics capabilities and performance, and also provides a
 303 | mechanism for copy/paste clipboard transfer between the guest and host.  In
 304 | testing on a Linux 3.18 host/guest with QEMU 2.1, however, using QXL led to
 305 | guest hangs with the QEMU host process consuming 100% CPU when doing even
 306 | basic browsing.  To enable SPICE/QXL you can use options like:
 307 | 
 308 | ```
 309 | -vga qxl \
 310 | -spice addr=127.0.0.1,port=5910,disable-ticketing,image-compression=off
 311 | ```
 312 | 
 313 | You will need a [SPICE client](https://packages.debian.org/spice-client) on
 314 | the host to connect to the guest display.  You will also need to enable QXL
 315 | in the guest kernel and install the
 316 | [QXL Xorg driver](https://packages.debian.org/xserver-xorg-video-qxl) in the
 317 | guest.  For copy/paste clipboard support, you will also need the
 318 | [spice-vdagent](https://packages.debian.org/spice-vdagent) package in the
 319 | guest.  See the SPICE documentation for details.
 320 | 
 321 | Another option to consider is `-sandbox on`.  This enables
 322 | [seccomp](https://wiki.mozilla.org/Security/Sandbox/Seccomp) sandboxing of
 323 | the QEMU process.  Unfortunately, in testing with Linux 3.18 and QEMU 2.1
 324 | this led to instability of QEMU, so use this option with care.
 325 | 
 326 | ### Step 1.3: Secure the Hypervisor
 327 | 
 328 | The purpose of this step is to lock down the access that the hypervisor
 329 | process has to the rest of the system.  Apart from read/write access to
 330 | `/dev/kvm`, QEMU has no special access requirements and can safely be
 331 | prevented from reading, writing, or executing most filesystem paths.
 332 | Its network access can also be restricted to whatever is required for
 333 | the applications you run within the VM.
 334 | 
 335 | The procedure for enforcing access control depends on the security
 336 | framework you're using on the host.  Most frameworks have a *learning
 337 | mode* that allows you to run an application and exercise its
 338 | functionality, and that then generates a whitelist policy that permits
 339 | access to only those resources actually used by the application during
 340 | the learning process.  Usually some degree of manual review and tuning
 341 | of the generated access policy is needed.  Arriving at a good policy
 342 | usually requires several tweaks and iterations.
 343 | 
 344 | For example, if you're using the Grsecurity RBAC system and QEMU-x86_64,
 345 | you can start with a stub entry in your policy file under the
 346 | appropriate user role that looks like this:
 347 | 
 348 | ```
 349 | subject /usr/bin/qemu-system-x86_64 lo {
 350 | 	/
 351 | }
 352 | ```
 353 | 
 354 | The `l` flag places the policy for this program in learning mode.  You
 355 | can then use `gradm` as usual to enable RBAC in learning mode, exercise
 356 | the program, and then generate an initial policy.  See the
 357 | [RBAC documentation](https://en.wikibooks.org/wiki/Grsecurity/The_RBAC_System)
 358 | for details.
 359 | 
 360 | Although Grsecurity RBAC is powerful, it uses a whole-system whitelist
 361 | model, meaning that using it requires having a policy that covers all
 362 | users and programs on the system.  In spite of its 'full system
 363 | learning' mode, generating a working full-system poilcy is a difficult
 364 | and time-consuming exercise, especially for desktop-oriented systems and
 365 | those that depend on invasive multi-function services such as systemd.
 366 | A far simpler, though less comprehensive, alternative is
 367 | [AppArmor](https://en.wikipedia.org/wiki/AppArmor), which only restricts
 368 | programs that have policies defined and has no concept of users or
 369 | roles.
 370 | 
 371 | ## Layer 2: The Guest Image
 372 | 
 373 | Now that the host system has been prepared and QEMU is working, we are
 374 | ready to configure and build the live image.
 375 | 
 376 | ### Step 2.1: Configuring and Building the Guest Kernel
 377 | 
 378 | Follow the same procedure used to configure and build the
 379 | [host kernel](#step-11-configure-paxgrsecurity).  When configuring the
 380 | guest kernel, note the following points:
 381 | 
 382 | - Remove all hardware drivers except for devices that QEMU can emulate
 383 |   and that you require.  For example, if you want sound support in the
 384 |   VM, configure the guest kernel to support Intel PCI HDAudio and start
 385 |   QEMU with the sound options given above.  You do not need
 386 |   hardware-specific drivers for disk, network, or graphics as these will
 387 |   be handled by Virtio &mdash; see below.
 388 | - Enable basic virtualization options such as:
 389 |   * `CONFIG_PARAVIRT`
 390 |   * `CONFIG_HYPERVISOR_GUEST`
 391 |   * `CONFIG_KVM_GUEST`
 392 | - Many core devices such as block and network devices have optimized
 393 |   *Virtio* drivers designed specifically for virtual machines.  Whenever
 394 |   possible, use a Virtio driver instead of a hardware driver for a
 395 |   device that QEMU will have to emulate.  Ensure the following options
 396 |   are enabled:
 397 |   * `CONFIG_VIRTIO_PCI`
 398 |   * `CONFIG_VIRTIO_BLK`
 399 |   * `CONFIG_VIRTIO_NET`
 400 |   * `CONFIG_HW_RANDOM_VIRTIO`
 401 |   * `CONFIG_VIRTIO_BALLOON`
 402 | - Enable virtualized graphics options:
 403 |   * `CONFIG_DRM_CIRRUS_QEMU`
 404 |   * `CONFIG_DRM_QXL`
 405 |   * `CONFIG_DRM_BOCHS`
 406 | - Enable OverlayFS support.  This is **required** for a working live
 407 |   image:
 408 |   * `CONFIG_OVERLAY_FS`
 409 | - If you want to be able to share host directories with the guest to
 410 |   easily move files back and forth, enable 9p support:
 411 |   * `CONFIG_NET_9P`
 412 |   * `CONFIG_NET_9P_VIRTIO`
 413 |   * `CONFIG_9P_FS`
 414 | 
 415 | ### Step 2.2: Installing the Live-Build Tools on the Host
 416 | 
 417 | The only package you need to build live images is
 418 | [live-build](https://packages.debian.org/live-build).  Several other
 419 | packages such as [live-boot](https://packages.debian.org/live-boot) and
 420 | [live-config](https://packages.debian.org/live-config) will be installed
 421 | automatically into the live image during the build process.  Full
 422 | documentation on these packages is available from the
 423 | [Live Systems project](http://live-systems.org/).
 424 | 
 425 | To get started with `live-build`, create a directory that will be used
 426 | to store your live image configuration and build data (it should have at
 427 | least 1 GB of free space available), and then run `lb config` to create
 428 | a default live image configuration:
 429 | 
 430 | ```
 431 | $ mkdir my_live_image
 432 | $ cd my_live_image
 433 | $ lb config
 434 | [2015-03-02 14:41:16] lb config 
 435 | P: Creating config tree for a debian/jessie/amd64 system
 436 | P: Symlinking hooks...
 437 | ```
 438 | 
 439 | This creates a configuration directory tree that live-build uses to
 440 | determine how to build the live image.  If you don't make any changes to
 441 | this tree, you will end up with a default Debian Live image.  You should
 442 | try to build this default image now to ensure your system is set up
 443 | correctly:
 444 | 
 445 | ```
 446 | # lb build 2>&1 | tee build.log
 447 | ```
 448 | 
 449 | This command will run for some time and generate a lot of output as it
 450 | downloads packages, builds the system in a chroot environment, and
 451 | finally freezes the chroot tree as a
 452 | [squashfs](https://en.wikipedia.org/wiki/SquashFS) image and combines it
 453 | with a bootloader and kernel into a bootable binary `.iso` image file.
 454 | This final file will be placed in the directory where you ran `lb
 455 | build`.
 456 | 
 457 | Note: `lb build` expects to be run as root.  If the build system is
 458 | running a Grsecurity kernel, you will also have to temporarily
 459 | deactivate some Grsecurity chroot restrictions for the build to succeed,
 460 | e.g. with
 461 | 
 462 | ```
 463 | # echo 0 > /proc/sys/kernel/grsecurity/chroot_caps
 464 | # echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chmod
 465 | # echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount
 466 | # echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mknod
 467 | ```
 468 | 
 469 | #### OverlayFS Support
 470 | 
 471 | Live images require some form of
 472 | [Union filesystem](https://en.wikipedia.org/wiki/Union_filesystem)
 473 | support in the guest kernel.  Traditionally the Debian Live System tools
 474 | have used [AuFS](http://aufs.sourceforge.net/) for this.  Unfortunately,
 475 | AuFS is an out-of-tree kernel patch that does not play nicely with
 476 | Grsecurity.  There is now an in-tree alternative called OverlayFS,
 477 | enabled with the `CONFIG_OVERLAY_FS` option in the guest kernel.
 478 | However, at the time of writing, the Debian `live-boot` package does not
 479 | properly support OverlayFS.  Debian
 480 | [bug 773881](https://bugs.debian.org/773881) has been opened for this.
 481 | In the bug comments, a link is provided to a Git repository and branch
 482 | that contains a patched version of live-boot 5.0a1.  Until the official
 483 | live-boot package is updated, a working live-boot that supports
 484 | OverlayFS can be built from this branch using `dpkg-buildpackage -b`.
 485 | This will produce the files `live-boot_5.0~a1-1_all.deb` and
 486 | `live-boot-initramfs-tools_5.0~a1-1_all.deb`.  These packages should be
 487 | placed in the `config/packages.chroot` directory when configuring the
 488 | live image (see next step) along with version 5.0a1 of live-config,
 489 | overriding the default live-boot and live-config packages that would
 490 | otherwise be installed when building the live image.
 491 | 
 492 | ### Step 2.3: Customizing the Live Image
 493 | 
 494 | You have now used `lb build` to successfully build a default Debian Live
 495 | ISO image.  This image should be bootable and functional on virtual
 496 | machines or real hardware.  This step covers how to customize the live
 497 | image.
 498 | 
 499 | The general procedure for making changes to your live image is to modify
 500 | some files in your live configuration tree (the directory where you ran
 501 | `lb config`) and then rebuild the live image by running the following
 502 | sequence of commands:
 503 | 
 504 | ```
 505 | # lb clean
 506 | # lb config
 507 | # lb build
 508 | ```
 509 | 
 510 | The `lb clean` command cleans up data from the last build, the `lb
 511 | config` command updates the live image configuration based on your
 512 | changes, and the `lb build` command actually builds the new image.
 513 | 
 514 | From now on, we will assume that you are in your live-build root
 515 | directory (the directory where you ran `lb config`).  Unless otherwise
 516 | noted, path names will be given relative to this directory.  Most files
 517 | and directories used for customization live under the `config/`
 518 | subdirectory.
 519 | 
 520 | #### Overview of Live Image Configuration
 521 | 
 522 | See the
 523 | [Managing a configuration](http://live-systems.org/manual/current/html/live-manual/managing-a-configuration.en.html)
 524 | section of the Live Systems manual for an overview of live image
 525 | configuration.  Briefly, many basic options, like the target Debian
 526 | distribution and architecture, can be specified as options to `lb
 527 | config` &mdash; see `lb config --help` and `man lb_config` for details.
 528 | Passing options to `lb config` results in modifications to one or more
 529 | config files located in the `config` subdirectory of your build root.
 530 | 
 531 | Although the manual recommends using auto scripts to manage a live image
 532 | configuration, and for good reason, for simplicity we will make changes
 533 | by editing configuration files directly.  These changes will be
 534 | preserved on subsequent runs of `lb config`.  Be aware of the caveats of
 535 | this approach as described in the manual and consider using auto scripts
 536 | instead where possible.
 537 | 
 538 | #### Choosing Packages to Install
 539 | 
 540 | There are two ways to add packages of your choice to your live image.
 541 | 
 542 | ##### Adding standard Debian packages
 543 | 
 544 | For standard Debian packages, create a file with a name ending in
 545 | `.list.chroot` in the `config/package-lists` directory.  This file may
 546 | contain a space-separated list of Debian package names.  The named
 547 | packages will be retrieved and installed in the chroot during the
 548 | build/bootstrap process.
 549 | 
 550 | Here is an example package list for a Firefox/Iceweasel image:
 551 | 
 552 | ```
 553 | $ cat config/package-lists/my.list.chroot
 554 | task-english pm-utils alsa-utils unzip screen curl iceweasel
 555 | spice-vdagent fluxbox attr xserver-xorg-video-modesetting
 556 | xserver-xorg-video-qxl xserver-xorg-input-evdev xserver-xorg-input-mouse
 557 | xinit x11-apps x11-utils x11-xserver-utils rxvt-unicode
 558 | iceweasel-noscript iceweasel-perspectives iceweasel-refcontrol
 559 | iceweasel-requestpolicy iceweasel-openinbrowser
 560 | iceweasel-https-everywhere
 561 | ```
 562 | 
 563 | Remarks on some of these packages:
 564 | 
 565 | - `attr` is required to set PaX flags on executables, assuming the
 566 |   `CONFIG_PAX_XATTR_PAX_FLAGS` kernel option was chosen (recommended).
 567 | - `pm-utils` is included for `pm-suspend` which can be used to put the
 568 |    system to sleep temporarily.  Sometimes suspending the VM is
 569 |    necessary before suspending the host to avoid a frozen VM when the
 570 |    host resumes.
 571 | - `alsa-utils` is included for basic sound utilities such as
 572 |   `alsamixer`.
 573 | - `spice-vdagent` is required for copy/paste support via QEMU SPICE,
 574 |   discussed earlier.
 575 | - `fluxbox` is a lightweight window manager for X.  You can choose any
 576 |   other window manager or desktop environment you like.
 577 | - The `xserver-xorg` packages select X drivers important for QEMU,
 578 |   corresponding to the kernel drivers selected earlier.
 579 | - The `iceweasel-*` packages select some useful Firefox extensions that
 580 |   happen to be packaged for Debian.  We will look at other ways to
 581 |   customize extensions later.
 582 | 
 583 | ##### Adding custom packages (including the guest kernel)
 584 | 
 585 | For packages in the form of `.deb` files that are not part of your
 586 | chosen Debian distribution (or that you want to override those in the
 587 | distribution), simply place the files in the `config/packages.chroot`
 588 | directory.  This is how we provide the guest kernel package we built
 589 | earlier.  For example:
 590 | 
 591 | ```
 592 | $ ls config/packages.chroot
 593 | firejail_0.9.22_1_amd64.deb
 594 | linux-image-3.19.1-grsec1_3.19.1-grsec1-1_amd64.deb
 595 | live-boot_5.0~a1-1_all.deb
 596 | live-boot-initramfs-tools_5.0~a1-1_all.deb
 597 | live-config_5.0~a1-1_all.deb
 598 | live-config-systemd_5.0~a1-1_all.deb
 599 | ```
 600 | 
 601 | - A [Firejail](https://l3net.wordpress.com/projects/firejail/) package
 602 |   is included since it is not yet part of Debian.
 603 | - The `linux-image` package is the guest kernel built earlier.
 604 | - The `live-boot` packages are included here if they were custom-built
 605 |   for OverlayFS support as discussed earlier.
 606 | - The `live-config` packages are included here from `experimental` so
 607 |   that they match the `live-boot` package versions.
 608 | 
 609 | #### Enabling OverlayFS
 610 | 
 611 | In order to use OverlayFS, you must edit the file `config/chroot` and
 612 | change
 613 | 
 614 | ```
 615 | LB_UNION_FILESYSTEM="aufs"
 616 | ```
 617 | 
 618 | to
 619 | 
 620 | ```
 621 | LB_UNION_FILESYSTEM="overlay"
 622 | ```
 623 | 
 624 | You must also pass a boot parameter to the kernel; see below.
 625 | 
 626 | #### Customizing Kernel Boot Parameters
 627 | 
 628 | In some cases it is necessary to modify the boot parameters passed to
 629 | the live image kernel.  This is done by modifying the
 630 | `LB_BOOTAPPEND_LIVE` option in `config/binary`, which defaults to:
 631 | 
 632 | ```
 633 | LB_BOOTAPPEND_LIVE="boot=live components quiet splash"
 634 | ```
 635 | 
 636 | Adding `union=overlay` is **required** for OverlayFS to work:
 637 | 
 638 | ```
 639 | LB_BOOTAPPEND_LIVE="boot=live components quiet splash union=overlay"
 640 | ```
 641 | 
 642 | Many runtime live image configuration options can also be passed in the
 643 | form of kernel options; see
 644 | [man live-config](http://live-systems.org/manpages/4.x/en/html/live-config.7.html)
 645 | for details.
 646 | 
 647 | #### Custom Build Hooks
 648 | 
 649 | Executable scripts can be placed in the `config/hooks` directory.  Their
 650 | filenames should end with `.hook.chroot`.  These scripts will be run
 651 | inside the chroot at the end of the build process, and can be used to
 652 | make changes to the live system before it is frozen into the final
 653 | image.
 654 | 
 655 | For example, this mechanism can be used to set a root password.  Create
 656 | an executable file called `config/hooks/0500-root-password.hook.chroot`
 657 | containing:
 658 | 
 659 | ```shell
 660 | #!/bin/sh
 661 | usermod -p '$5$GxpbCxvGOmtudd$uL90C.ZOMY6WxI4.x32kTCv38dGiXYUlfWGzCQuHmr3' root
 662 | ```
 663 | 
 664 | Replace the argument to the `-p` option with the output of `mkpasswd`
 665 | (available as part of the [whois](https://packages.debian.org/whois)
 666 | package).  See `man mkpasswd`.
 667 | 
 668 | #### Customizing Live Image Contents
 669 | 
 670 | The directory `config/includes.chroot` represents the `/` directory of
 671 | the live image filesystem.  Files placed here will be added directly to
 672 | the final live image, replacing existing ones if necessary.
 673 | 
 674 | For example, to add some custom 'dotfiles' to the live user's home
 675 | directory, put them in `config/includes.chroot/etc/skel`.  They will
 676 | then end up in `/etc/skel` on the live system and will be copied to the
 677 | live user's home directory when it is created during system startup.
 678 | 
 679 | #### Custom Runtime Hooks
 680 | 
 681 | Whereas build hooks are run during the live image build process, runtime
 682 | hooks are run inside the live system during boot.  These hooks are
 683 | processed by `live-config`.  To add a runtime hook, place an executable
 684 | script in `config/includes.chroot/lib/live/config`.  You should examine
 685 | the default hooks (found in `chroot/lib/live/config` after an `lb
 686 | build`) or the live-config examples in
 687 | `/usr/share/doc/live-config/examples/hooks`.
 688 | 
 689 | ### Step 2.4: Specific Customizations
 690 | 
 691 | #### Root Access
 692 | 
 693 | By default, the live system has one user named `user` with password
 694 | `live`.  This user can execute commands as root with `sudo` without
 695 | specifying a password.  A better configuration is to disable sudo and
 696 | set a root password.  We saw how to set a root password with a
 697 | [Custom Build Hook](#custom-build-hooks) above.  To disable sudo, add
 698 | `live-config.noroot` to the kernel boot parameters list
 699 | (`LB_BOOTAPPEND_LIVE` in `config/binary`).
 700 | 
 701 | #### PaX Flags and Iceweasel
 702 | 
 703 | If your guest kernel is configured for PaX and the process memory
 704 | protection feature (`CONFIG_PAX_MPROTECT`) is enabled by default
 705 | (recommended), then you will not be able to run Iceweasel without
 706 | disabling memory protection on the `iceweasel` and `plugin-container`
 707 | binaries in `/usr/lib/iceweasel`. (This suboptimal situation arises
 708 | because Firefox uses JIT compilation for performance, which by its
 709 | nature depends on memory regions that are both writable and executable.
 710 | It is possible to compile Firefox without JIT, but this is not done for
 711 | the standard Debian packages.)  This can be done with a
 712 | [runtime hook](#custom-runtime-hooks).  For example, you can place an
 713 | executable script like the following in
 714 | `config/includes.chroot/lib/live/config/1200-setattr`:
 715 | 
 716 | ```shell
 717 | #!/bin/sh
 718 | 
 719 | Init ()
 720 | {
 721 | 	echo -n " setattr"
 722 | }
 723 | 
 724 | Config ()
 725 | {
 726 | 	if [ -f /usr/bin/iceweasel -a -f /usr/bin/setfattr ]; then
 727 | 		setfattr -n user.pax.flags -v m /usr/bin/iceweasel
 728 | 		setfattr -n user.pax.flags -v m /usr/lib/iceweasel/plugin-container
 729 | 	fi
 730 | 
 731 | 	# Creating state file
 732 | 	touch /var/lib/live/config/setattr
 733 | }
 734 | 
 735 | Init
 736 | Config
 737 | ```
 738 | 
 739 | The `setfattr` method only applies if you selected the
 740 | `CONFIG_PAX_XATTR_PAX_FLAGS` option when configuring the guest kernel
 741 | (recommended).
 742 | 
 743 | #### Default X Resolution
 744 | 
 745 | The X resolution can be changed at runtime with `xrandr`.  To change the
 746 | default resolution, add a
 747 | [kernel boot parameter](#customizing-kernel-boot-parameters) like
 748 | `live-config.xorg-resolution=1600x1200`.  See
 749 | [man live-config](http://live-systems.org/manpages/4.x/en/html/live-config.7.html)
 750 | for details and other options.
 751 | 
 752 | #### Mount a Host Directory with [9p](https://www.kernel.org/doc/Documentation/filesystems/9p.txt)
 753 | 
 754 | If you configured QEMU to share a host directory via 9p and you included
 755 | 9p support in your guest kernel, you may want to mount the share
 756 | automatically at boot.  There are many ways to do this, but a quick hack
 757 | that works is to create `config/includes.chroot/etc/rc.local` as an
 758 | executable shell script and add a line like:
 759 | 
 760 | ```
 761 | mount -t 9p -o trans=virtio,version=9p2000.L share /mnt
 762 | ```
 763 | 
 764 | Here `share` is a tag that must match the tag you passed to QEMU via the
 765 | `-virtfs` option.
 766 | 
 767 | Be warned that 9p support can exhibit some instabilities.  In testing
 768 | with Linux 3.18 and QEMU 2.1, passing `-sandbox on` caused writes to
 769 | files over 9p to hang the writing process unrecoverably.  Even without
 770 | `-sandbox on`, creation of files over 9p fails with 'Operation not
 771 | supported' (but writing to existing files works).  This can be worked
 772 | around by creating the file on the host before trying to write to it
 773 | from the guest.
 774 | 
 775 | Unrecoverable hangs on the guest may also arise with 9p following
 776 | suspend/resume.  To work around this, unload the 9p kernel modules
 777 | (`9p`, `9pnet`, `9pnet_virtio`) using `modprobe -r` before suspend.
 778 | 
 779 | ## Layer 3: Firejail
 780 | 
 781 | [Firejail](https://l3net.wordpress.com/projects/firejail/) can
 782 | optionally be used to provide another sandbox layer inside the live
 783 | system.  Firejail runs a program inside a 'container' environment that
 784 | provides kernel namespace and filesystem isolation, as well as
 785 | [seccomp](https://wiki.mozilla.org/Security/Sandbox/Seccomp) system call
 786 | restriction.  It is easy to use, supports a number of useful features
 787 | and options, and can be used to sandbox any program.
 788 | 
 789 | To install Firejail, simply download the `.deb` file from the Firejail
 790 | project page (it is not yet available in the Debian repositories) and
 791 | place it in `config/packages.chroot`.
 792 | 
 793 | To run Firefox/Iceweasel with Firejail, run a command like:
 794 | 
 795 | ```
 796 | $ firejail --debug iceweasel
 797 | ```
 798 | 
 799 | The `--debug` option causes Firejail to produce verbose messages about
 800 | what it's doing.  Another useful mode is:
 801 | 
 802 | ```
 803 | $ mkdir ~/sandbox
 804 | $ firejail --debug --private=$HOME/sandbox iceweasel
 805 | ```
 806 | 
 807 | The `--private` option starts the program in a clean home directory,
 808 | preventing access to the user's real home directory.  This is a good way
 809 | to start a 'known clean' browser instance.
 810 | 
 811 | ### Restricting Filesystem Access
 812 | 
 813 | Firejail uses a blacklist method for restricting access to parts of
 814 | filesystem.  It achieves this by remounting system directories like
 815 | `/etc`, `/lib`, and `/usr` as read-only within the container by default,
 816 | and fully blocking access to some files and directories by mounting an
 817 | empty tmpfs filesystem on top of them.  (Seccomp filtering prevents
 818 | these mounts from being changed within the container with calls to
 819 | mount(2).)
 820 | 
 821 | One omission in the defaults is that they leave the `/dev` directory
 822 | accessible.  This can be fixed by, for example, creating a file called
 823 | `/etc/firejail/blacklist-dev.inc` with contents like:
 824 | ```
 825 | seccomp mknod
 826 | 
 827 | blacklist /dev/autofs
 828 | blacklist /dev/block
 829 | ...
 830 | ```
 831 | 
 832 | The `seccomp mknod` line instructs Firejail to prevent the use of
 833 | mknod(2) within the container so that new device files can't be created
 834 | (the default in recent versions).  To prevent access to the pre-existing
 835 | device files in `/dev`, each file or subdirectory of `/dev` must be
 836 | listed on a separate `blacklist` line.  It is safe (and recommended) to
 837 | blacklist nearly all device files (other than e.g. `/dev/null` and
 838 | `/dev/urandom`) when running Firefox/Iceweasel.
 839 | 
 840 | To use this file, add a line like
 841 | 
 842 | ```
 843 | include /etc/firejail/blacklist-dev.inc
 844 | ```
 845 | 
 846 | to `/etc/firejail/firefox.profile` or any other profile in `/etc/firejail`.
 847 | 
 848 | ## Layer 4: Firefox/Iceweasel Customization
 849 | 
 850 | If you are building a Firefox live image, you will want to customize
 851 | things like the browser version, preferences, and extensions.
 852 | 
 853 | ### Customizing the Browser Version
 854 | 
 855 | If you want to install a version of Iceweasel other than the one in your
 856 | target live image distribution, you will most likely have to resort to
 857 | [APT pinning](https://wiki.debian.org/AptPreferences).  For instance,
 858 | you may want to install the latest Firefox release version, which is
 859 | usually available in Debian `experimental`.  You can do this by placing
 860 | a couple of files in the `config/archives` directory.
 861 | 
 862 | The `experimental.list.chroot` file:
 863 | 
 864 | ```
 865 | deb http://ftp.debian.org/debian unstable main
 866 | deb http://ftp.debian.org/debian experimental main
 867 | ```
 868 | 
 869 | The `experimental.pref.chroot` file:
 870 | 
 871 | ```
 872 | Package: iceweasel
 873 | Pin: release a=experimental
 874 | Pin-Priority: 995
 875 | 
 876 | Package: *
 877 | Pin: release a=unstable
 878 | Pin-Priority: 1
 879 | ```
 880 | 
 881 | This configuration directs APT to install the `iceweasel` package from
 882 | `experimental` and to meet dependencies from `unstable` when they cannot
 883 | be met from the target distribution.
 884 | 
 885 | ### Customizing Preferences
 886 | 
 887 | Most preferences are customized by placing files in
 888 | `config/includes.chroot/etc/iceweasel/profile`.  When a user first
 889 | launches Iceweasel, it creates a profile directory in
 890 | `~/.mozilla/firefox` based on the contents of `/etc/iceweasel/profile`.
 891 | 
 892 | Some files and directories that are useful for customization:
 893 | 
 894 | - `prefs.js` is the main browser settings and preferences file.
 895 | - `bookmarks.html` is the default bookmarks list.
 896 | - `extension-data` is a directory that some extensions use to store
 897 |   local data.
 898 | - `searchplugins` is the directory where different search engines are
 899 |   defined.  Each has a single `.xml` file in this directory.
 900 | - `search-metadata.json` contains user preferences related to search
 901 |   engines.
 902 | 
 903 | You can easily customize your live image browser by copying files like
 904 | those above from the profile directory of an already-customized Firefox
 905 | installation into `config/includes.chroot/etc/iceweasel/profile`.
 906 | 
 907 | ### Default Preferences for Security and Privacy
 908 | 
 909 | Many of the default Firefox settings are suboptimal for security and
 910 | privacy.  By way of example, this section provides a better set of
 911 | defaults that can be included in your `prefs.js` file.  You should
 912 | understand what each setting does before using it &mdash; see the
 913 | Mozilla [documentation](http://kb.mozillazine.org/About:config_entries)
 914 | for details.
 915 | 
 916 | ```javascript
 917 | /* Don't start finding text when any input is typed */
 918 | user_pref("accessibility.typeaheadfind.autostart", false);
 919 | 
 920 | /* Start with a simple blank page */
 921 | user_pref("browser.startup.page", 1);
 922 | user_pref("browser.startup.homepage", "about:about");
 923 | 
 924 | /* Don't send every URL we visit to Google */
 925 | user_pref("browser.safebrowsing.enabled", false);
 926 | user_pref("browser.safebrowsing.malware.enabled", false);
 927 | 
 928 | /* Don't save information entered in web forms and search bars */
 929 | user_pref("browser.formfill.enable", false);
 930 | 
 931 | /* Backspace goes back one page in history */
 932 | user_pref("browser.backspace_action", 0);
 933 | 
 934 | /* Ask where to save downloads */
 935 | user_pref("browser.download.useDownloadDir", false);
 936 | 
 937 | /* When JavaScript wants to open a new window, open a tab instead */
 938 | user_pref("browser.link.open_newwindow.restriction", 0);
 939 | 
 940 | /* Always use Private Browsing Mode */
 941 | user_pref("browser.privatebrowsing.autostart", true);
 942 | 
 943 | /* Disable search suggestions */
 944 | user_pref("browser.search.suggest.enabled", false);
 945 | 
 946 | /* Limit state information saved between sessions */
 947 | user_pref("browser.sessionstore.max_tabs_undo", 5);
 948 | user_pref("browser.sessionstore.resume_from_crash", false);
 949 | 
 950 | /* Turn off tab animations */
 951 | user_pref("browser.tabs.animate", false);
 952 | 
 953 | /* Turn off URL bar funny business */
 954 | user_pref("browser.urlbar.autocomplete.enabled", false);
 955 | user_pref("browser.urlbar.trimURLs", false);
 956 | 
 957 | /* Disallow JavaScript access to potentially dangerous APIs */
 958 | user_pref("dom.event.clipboardevents.enabled", false);
 959 | user_pref("dom.battery.enabled", false);
 960 | user_pref("dom.disable_window_open_feature.menubar", true);
 961 | user_pref("dom.disable_window_open_feature.personalbar", true);
 962 | user_pref("dom.disable_window_open_feature.scrollbars", true);
 963 | user_pref("dom.disable_window_open_feature.toolbar", true);
 964 | user_pref("dom.popup_maximum", 10);
 965 | user_pref("dom.storage.default_quota", 0);
 966 | 
 967 | /* Override User-Agent data to mitigate browser fingerprinting.
 968 |  * See https://panopticlick.eff.org/
 969 |  */
 970 | user_pref("general.appname.override", "Netscape");
 971 | user_pref("general.appversion.override", "5.0 (Windows)");
 972 | user_pref("general.buildID.override", 0);
 973 | user_pref("general.oscpu.override", "Windows NT 6.2");
 974 | user_pref("general.platform.override", "Win32");
 975 | user_pref("general.productSub.override", "20100101");
 976 | user_pref("general.useragent.override", "Mozilla/5.0 (Windows NT 6.2; rv:36.0) Gecko/20100101 Firefox/36.0");
 977 | user_pref("general.useragent.vendor", "");
 978 | user_pref("general.useragent.vendorSub", "");
 979 | user_pref("general.warnOnAboutConfig", false);
 980 | user_pref("intl.accept_languages", "en-us,en;q=0.5");
 981 | 
 982 | /* Turn off "location aware browsing" */
 983 | user_pref("geo.enabled", false);
 984 | 
 985 | /* Turn off sending non-URL words entered in the URL bar to Google */
 986 | user_pref("keyword.enabled", false);
 987 | 
 988 | /* Turn off spell-checking */
 989 | user_pref("layout.spellcheckDefault", 0);
 990 | 
 991 | /* Disable cookies by default. Use an extension for site-specific
 992 |  * whitelisting.
 993 |  */
 994 | user_pref("network.cookie.cookieBehavior", 2);
 995 | user_pref("network.cookie.thirdparty.sessionOnly", true);
 996 | 
 997 | /* Disable IPv6 unless you want to use it. */
 998 | user_pref("network.dns.disableIPv6", true);
 999 | 
1000 | /* Don't "proactively" perform DNS resolution */
1001 | user_pref("network.dns.disablePrefetch", true);
1002 | 
1003 | /* Unneeded unless we're using v6 */
1004 | user_pref("network.http.fast-fallback-to-IPv4", false);
1005 | 
1006 | /* Enable pipelining for better performance */
1007 | user_pref("network.http.pipelining", true);
1008 | user_pref("network.http.pipelining.maxrequests", 15);
1009 | user_pref("network.http.pipelining.ssl", true);
1010 | user_pref("network.http.proxy.pipelining", true);
1011 | user_pref("network.http.redirection-limit", 5);
1012 | 
1013 | /* Don't "proactively" fetch pages that haven't been requested */
1014 | user_pref("network.prefetch-next", false);
1015 | 
1016 | /* Disable Websockets by default */
1017 | user_pref("network.websocket.enabled", false);
1018 | 
1019 | /* Enable the Do-Not-Track header in HTTP requests */
1020 | user_pref("privacy.donottrackheader.enabled", true);
1021 | 
1022 | /* Clear Private Data when closing the browser */
1023 | user_pref("privacy.sanitize.sanitizeOnShutdown", true);
1024 | 
1025 | /* Disable unsafe RC4 ciphers */
1026 | user_pref("security.ssl3.ecdhe_ecdsa_rc4_128_sha", false);
1027 | user_pref("security.ssl3.ecdhe_rsa_rc4_128_sha", false);
1028 | user_pref("security.ssl3.rsa_rc4_128_md5", false);
1029 | user_pref("security.ssl3.rsa_rc4_128_sha", false);
1030 | 
1031 | /* Disable WebGL by default */
1032 | user_pref("webgl.disabled", true);
1033 | ```
1034 | 
1035 | ### Customizing Extensions
1036 | 
1037 | If the extension you want to add to your live image is already packaged
1038 | for Debian (for example, `iceweasel-noscript`), you can install it as
1039 | you would any other package by including its name in a file in
1040 | `config/package-lists`.
1041 | 
1042 | Otherwise, you will have to place either the packed or unpacked
1043 | extension in the following directory:
1044 | 
1045 | ```
1046 | config/includes.chroot/usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
1047 | ```
1048 | 
1049 | However, the packed extension (`.xpi`) file or unpacked directory must
1050 | have a specific name.  To find this name, unpack the `install.rdf` file
1051 | and inspect it:
1052 | 
1053 | ```
1054 | $ unzip extension.xpi install.rdf
1055 | ```
1056 | 
1057 | Near the top of this file there will be an `<id>` or `<em:id>` tag that
1058 | looks similar to
1059 | 
1060 | ```
1061 | <id>{2b10c1c8-a11f-4bad-fe9c-1c11e82cac42}</id>
1062 | ```
1063 | 
1064 | or
1065 | 
1066 | ```
1067 | <em:id>https-everywhere@eff.org</em:id>
1068 | ```
1069 | 
1070 | To install an extension as a packed file, place it in the above
1071 | directory with the name `${XID}.xpi`, where `${XID}` is the content of
1072 | the `<id>` or `<em:id>` tag in the extension's `install.rdf` file.
1073 | 
1074 | To install an extension as an unpacked directory, create a subdirectory
1075 | in the above directory whose name is `${XID}`, then place the unzipped
1076 | contents of the `.xpi` file in that directory.
1077 | 
1078 | 


--------------------------------------------------------------------------------