system_ky.go:154 cannot determine cgroup version
thanks in advance for the help…
oh, and it needs 3 files to run it
sudo apt install xnest
sudo apt install twm
sudo apt install iptables
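#!/bin/sh
# A demo of Linux namespaces to sandbox firefox.
#
# Intended to be run as an unprivileged user; the individual privileged
# steps are escalated with sudo. The script needs twm, firefox and Xnest
# on the user's PATH (checked below), plus xauth and mcookie for the
# nested display's cookie, and ip/iptables/unshare/killall via sudo.
set -e

echo "[+] Check dependencies"
# `command -v` is the POSIX way to test for a program; `which` is not
# standardised and its exit status is not reliable everywhere. Under
# `set -e` a failed lookup already aborts, but a named error is clearer
# than a bare non-zero exit.
for dep in twm firefox Xnest xauth mcookie; do
  if ! command -v "${dep}" >/dev/null 2>&1; then
    echo "[!] missing dependency: ${dep}" >&2
    exit 1
  fi
done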
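# Interface carrying the default route; the NAT and FORWARD rules below
# reference it. `ip route get` prints "... dev <ifname> ..." but the column
# of <ifname> varies (a directly attached destination has no "via X"), so
# pick the token after "dev" rather than assuming field 5.
ext_if=$(ip route get 8.8.8.8 | awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }')
# An empty interface name would turn "-o ${ext_if}" into a malformed
# iptables invocation; fail here, before any state is created.
if [ -z "${ext_if}" ]; then
  echo "[!] cannot determine the external interface" >&2
  exit 1
fi

#######################################
# Tear down everything the script creates. Registered as the EXIT trap,
# so it also runs after a failure part-way through setup.
# Globals:   ext_if (read)
# Outputs:   progress line to stdout
# Returns:   always continues through every step; individual failures
#            (e.g. a namespace that was never created) are ignored
#######################################
finish() {
  # Under `set -e` the first failing step would abort the trap handler
  # and skip the remaining cleanup, so disable it for this function.
  set +e
  echo "[+] Cleaning…"
  sudo ip netns delete firefox
  sudo iptables -D POSTROUTING -t nat -s 192.168.50.2/32 -o "${ext_if}" -j MASQUERADE
  sudo iptables -D FORWARD -i firefox0 -o "${ext_if}" -j ACCEPT
  sudo iptables -D FORWARD -i "${ext_if}" -o firefox0 -j ACCEPT
  # Kills every Xnest owned by this user, not only the one started here.
  killall Xnest
}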
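trap finish EXIT

echo "[+] Network namespace"
# create a new namespace
sudo ip netns add firefox
# configure loopback
sudo ip netns exec firefox ip addr add 127.0.0.1/8 dev lo
sudo ip netns exec firefox ip link set lo up
# create a veth device pair: firefox0 stays on the host, firefox1 moves
# into the namespace
sudo ip link add firefox0 type veth peer name firefox1
# initiate the host side
sudo ip link set firefox0 up
# initiate the container side
sudo ip link set firefox1 netns firefox up
sudo ip addr add 192.168.50.1/24 dev firefox0
sudo ip netns exec firefox ip addr add 192.168.50.2/24 dev firefox1
sudo ip netns exec firefox ip route add default via 192.168.50.1 dev firefox1
# configure dedicated resolv.conf: `ip netns exec` bind-mounts the files
# under /etc/netns/<name>/ over /etc for processes in that namespace.
# This file is persistent and is not removed by the cleanup trap.
[ -d "/etc/netns/firefox" ] || sudo mkdir -p /etc/netns/firefox
echo nameserver 8.8.8.8 | sudo tee /etc/netns/firefox/resolv.conf
# enable routing. NOTE: ip_forward is left at 1 after exit; the cleanup
# trap does not restore the previous value.
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
sudo iptables -A POSTROUTING -t nat -s 192.168.50.2/32 -o "${ext_if}" -j MASQUERADE
sudo iptables -A FORWARD -i firefox0 -o "${ext_if}" -j ACCEPT
# Return path. This accepts any traffic from the external interface toward
# the sandbox, not only replies; a conntrack ESTABLISHED,RELATED match
# would be tighter.
sudo iptables -A FORWARD -i "${ext_if}" -o firefox0 -j ACCEPT

echo "[+] Filesystem preps"
# Per-user directory that is later bind-mounted over /home inside the
# sandbox, so the real home directory is never visible to it.
if [ ! -d "/home/sandbox/${USER}" ]; then
  sudo mkdir -p "/home/sandbox/${USER}"
  sudo chown "${USER}" "/home/sandbox/${USER}"
  chmod 0700 "/home/sandbox/${USER}"
fi
# Private /tmp for the sandbox plus the directories used to stage the X11
# socket. mkdir is used without -p on purpose: both parents are
# world-writable, so a pre-existing entry there is treated as an error
# rather than silently reused. If /var/tmp/.X11-unix survives a reboot
# that cleared /tmp, remove it by hand before re-running.
if [ ! -d "/tmp/sandbox" ]; then
  mkdir -m 01777 /tmp/sandbox
  mkdir /tmp/sandbox/.X11-unix /var/tmp/.X11-unix
fi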
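echo "[+] Xnest"
# Account the sandboxed session drops to. The script is expected to be
# run as a normal user (it calls sudo itself), in which case SUDO_USER is
# unset in this shell; `su -l` with no user name switches to root, so the
# original `su -l ${SUDO_USER}` would have run Firefox as root. Fall back
# to USER so the session is always unprivileged.
sandbox_user=${SUDO_USER:-$USER}
xauth_file="/home/sandbox/${USER}/.Xauthority"
# Fresh cookie for display :4. The file lives in the sandbox home, which
# is what ${HOME}/.Xauthority resolves to once /home is bind-mounted.
: > "${xauth_file}"
xauth -f "${xauth_file}" add :4 . "$(mcookie)"
# -nolisten tcp: the sandbox reaches Xnest through the bind-mounted unix
# socket, so there is no reason to also expose the nested display on TCP
# (already the default on recent X servers; harmless where it is).
Xnest -nolisten tcp -auth "${xauth_file}" :4 &
# No readiness check; this just gives Xnest time to create its socket.
sleep 1

# Everything below runs as root inside fresh mount/UTS/IPC/PID namespaces,
# within the "firefox" network namespace. The script body is a
# double-quoted string, so ${HOME} and ${sandbox_user} are expanded by
# THIS shell on the host before the inner bash ever sees them; the single
# quotes inside are passed through literally for the inner bash.
sudo ip netns exec firefox unshare -m -u -i -p --mount-proc=/proc -f bash -c "
echo '[-] /dev'
mount -t tmpfs -o mode=0755 none /dev
mkdir /dev/shm
mknod -m 0622 /dev/console c 5 1
mknod -m 0666 /dev/null c 1 3
mknod -m 0666 /dev/zero c 1 5
mknod -m 0444 /dev/random c 1 8
mknod -m 0444 /dev/urandom c 1 9
ln -s /proc/self/fd /dev/fd
ln -s /proc/self/fd/0 /dev/stdin
ln -s /proc/self/fd/1 /dev/stdout
ln -s /proc/self/fd/2 /dev/stderr
echo '[-] /home'
mount -o bind /home/sandbox /home
echo '[-] /tmp'
# The host X11 socket directory is staged via /var/tmp because /tmp itself
# is replaced by the private /tmp/sandbox on the next line.
mount -o bind /tmp/.X11-unix /var/tmp/.X11-unix
mount -o bind /tmp/sandbox /tmp
mount -o bind /var/tmp/.X11-unix /tmp/.X11-unix
echo '[-] /var/log'
mount -t tmpfs none /var/log
echo '[-] /sys'
mount -t tmpfs none /sys
echo '[-] test shell'
echo 'use DISPLAY=:4 XAUTHORITY=${HOME}/.Xauthority xeyes'
env - su -l ${sandbox_user} -s /bin/sh
echo '[-] init…'
exec env - su -l ${sandbox_user} -s /bin/sh -c 'export DISPLAY=:4; export XAUTHORITY=${HOME}/.Xauthority; twm & firefox'
"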