10.1 Customizing the live user 10.2 Customizing locale and language 10.3 Persistence 10.3.1 The persistence.conf file 10.3.2 Using more than one persistence store 10.4 Using persistence with encryption Customizing the binary image 11. Customizing the binary image 11.1 Bootloaders 11.2 ISO metadata Customizing Debian Installer 12. The Debian GNU/Linux FAQ Chapter 11 - Customizing your Debian GNU/Linux system. For details, see the manual page papersize(5). 11.2 How can I provide access to hardware peripherals, without compromising security? Many device files in the /dev directory belong to some predefined groups.
- Debian Live Manual Section 10.1 Customizing The Live User Review
- Debian Live Manual Section 10.1 Customizing The Live User Portal
- Debian Live Manual Section 10.1 Customizing The Live User List
- Debian Live Manual Section 10.1 Customizing The Live User Page
![The The](https://dflinux.frama.io/thebeginnershandbook/img/deb9-isntall-en-03.png)
Downloading and creating boot media:
There are 4 file formats available at the download site:.
1) 'iso-hybrid': .iso format, 'hybrid' means that you can use the same .iso file either to burn to dvd or to dd to USB flash drive.
2) 'usb-hdd': .img format, dd to flash media
3) 'web': initrd, vmlinuz, and squashfs as separately downloadable files, no bootloader, no boot codes
4) 'net': .tar.gz format, for network (pxe) booting
You can also create your own distros in any of these formats, with whatever software packages you choose, using an online tool found on the debian-live home page (http://live.debian.net/) under 'web images builder.'
If you don't have a working Linux handy, there is a dd for Windows (http://www.chrysocome.net/dd). The dd in Cygwin is slow but can be used.
Persistence:
For this I found the debian-live manual suitable even for a beginner (http://live.debian.net/manual).
Wireless connection:
Wireless is easier than one would think from the debian wiki. The simplest explanation I found was in the aptosid online manual (http://manual.aptosid.com/).
You must often obtain and install 'nonfree' drivers and firmware, but there are debian packages for this so you don't have to start with the files from the hardware vendor. For my Intel chipset, all it took was
'dpkg -i firmware-linux-free_2.6.32-21_all.deb'
which led me through a brief Windows-style EULA (navigate with tab key). After rebooting, everything worked. To find the right .deb, I thought the aptosid manual was easier to use than the debian wiki (http://wiki.debian.org/WiFi;http://wiki.debian.org/Firmware).
For the GUI versions of debian-live, installing the wireless firmware as described above was all that was required. For the debian-live rescue disk (no GUI), I had to install wpasupplicant (now installed by default, I think) and then connect as follows (replace eth1 with the appropriate device name):
wpa_passphrase $ESSID $PASSWORD >> /etc/wpa_supplicant.conf
iwconfig ieth1 up
wpa_supplicant -B -Dwext -c/etc/wpa_supplicant.conf -ieth1
dhclient eth1
The debian-live 'rescue' disk is really neat. It will look like a complete full-featured unix system, compilers and all, to anyone who has ever used unix from a dumb terminal.
![Debian live manual section 10.1 customizing the live user list Debian live manual section 10.1 customizing the live user list](https://averagelinuxuser.com/assets/images/posts/2019-08-23-debian-10-install/7-computer-name-domain.jpg)
Addenda:
Entering boot parameters manually: to append bootcode, e.g. 'persistent', mark menu option (e.g. 'debian-live') and then hit tab (not enter!) to edit the parameter list.
Reclaiming unused space on bootable thumb drive: http://lists.debian.org/debian-live/201 .. 00000.html
Booting from USB without BIOS support: http://lists.debian.org/debian-live/201 .. 00050.html
Relevant man pages: live-initramfs.7, live-snapshot.1
Building Custom Live Images with Debian and Grsecurity
This guide explains how to build custom live system images for securitysandboxing using tools from the DebianLive Systems project andGrsecurity.
For concreteness we will focus on building a custom live image forsandboxing the Firefox web browser (also known as Iceweasel in the Debianworld). However, the same tools and procedures will allow you to build anykind of Debian-based live image you want.
Motivation
The browser problem
If you're alive and technically aware in 2015, you know that Internet,operating system, and applications software are security disaster areas.End-user systems such as workstations and laptops are especially hard toprotect against the growing tide of malware, most of it delivered via theInternet.
After basic security measures have been taken, such as disabling unnecessaryoperating system services and firewalling network access, the largest attacksurface on a typical end-user system today is the web browser. Popularbrowsers are large and complex pieces of software, invariably written inunsafe languages forperformance (although this may slowly bechanging).Criticalvulnerabilitiesare discovered in popular browsers every month, any one of which can allow aremote attacker to take complete control over the computer running thebrowser. While this problem is now well known and recognized by browservendors and efforts are being made to improve the status quo, building asecure browser has turned out to be a long and difficult road. Meanwhile,users are left adrift and vulnerable, and even the technically skilled havefew good options for securing web browser installations.
Live images
A live image is a complete operating system image file (usually inISO format) that can be loaded atsystem boot time from CD/DVD/USB media and that runs completely from RAM.No hard disk or any other form of persistent media is required. Changes canbe made normally to the running system, but all changes are lost when thesystem is powered down or reset. (Some live images support an optionalpersistence partition that allows the user to store data that persistsacross restarts.)
Live images are a powerful tool forsandboxing.Even if the live operating system or applications are compromised duringruntime, the next reboot will restore the system to its original cleanstate. Simply using a live system is no guarantee of security, but it canmake long-term compromise of a system significantly more difficult,especially when combined with other countermeasures as part of atop-to-bottom architecture that takes into account each layer from thelowest (physical setting) through the highest (user applications).
Prerequisites
This guide assumes you are an experienced systems administrator who iscomfortable with Debian and with configuring and building theLinux kernel.
Limitations and Alternatives
The live image method is a relatively heavyweight approach to browsersecurity. Configuring and building a custom live image takes time andskill, and using one is harder than using a browser directly. All browsercustomization must be done as part of live system configuration, which meansthat making even simple persistent changes to the browser requires updatingthe live configuration and rebuilding the live image. This is more workthan most users are willing to put up with.
There are a few alternatives:
- Use a pre-built live system. This obviates the need to configure andbuild the live image yourself, and is ideal if you can find such an imagethat you trust and that closely matches your needs. Unfortunately, fewsuch images seem to be available today that are built with security inmind. An exception is Tails, but it may not besuitable unless you want to route all data through Tor.
- Use a chroot jail. Setting up asecure chroot environment is a difficult task, and should only beattempted if you are fully aware of the security weaknesses of vanillachroot environments and employ kernel hardening measures to guard againstthem, such as the chroot restrictions available inGrsecurity kernels. A chroot jail providesa relatively thin barrier between the guest and host environments and doesnot in itself provide the 'clean boot' property of a live image.
- Use a namespace/cgroups jail.Newer Linux kernels provide a range of other features that can be used tocreate container or jail environments. As with chroot, such environmentsare difficult to configure securely, although tools such asFirejail can make thiseasier. And as with chroot jails, programs running in a namespace jailcan still make system calls directly into the host kernel, and thus are ina position to exploit kernel-level security flaws.
- Use a kernel security framework likeAppArmor,SELinux, or GrsecurityRBAC torestrict the areas of the system that the application can access. Theseframeworks serve mainly to prevent a compromised program from affectingthe rest of the system. They are best used along with other exploitprevention and sandboxing measures.
Architecture
In this guide we will assume a four-layer architecture that comprises:
- A host system, such as a workstation or laptop
- A guest live system, running as a virtual machine on the host system
- A container jail environment, running inside the guest system
- A Firefox/Iceweasel browser, running inside the jail
We could consider variations, such as booting and running the live image onbare metal. In fact, most of this guide concerns setting up the live imageand applies equally well regardless of how and where the live system is run.One of the advantages of a live image is that it can be carried around onbootable read-only media and run from any system you happen to have accessto, provided the image was built with the drivers needed to drive the hosthardware.
A word on virtual machines. A virtual machine can never be more secure thanthe host it's running on. Even if your guest operating system andapplications are completely secure, all is lost if the host has beencompromised. The purpose of building a live image sandbox is to protect thehost from the guest and its applications. There is no way to protect theguest from the host.
Running applications like web browsers within a virtual machine provides arelatively high degree of isolation between them and the host. If theapplication is compromised, the attacker may gain control over the guestsystem, but attacking the host from the guest is a difficult task as long asbasic host security precautions have been taken. Although guest-to-hostexploits that attack the hypervisor interface arepossible, such hypervisor flaws are rarecompared to browser flaws and the hypervisor attack surface is much smaller.The risk can be mitigated further throughkernel hardening on both the host andguest systems, and by using a kernel security framework on the host torestrict the access of hypervisor processes.
The architecture described in this guide is an example of the principle ofdefense in depth.Multiple independent security layers are employed simultaneously, eachproviding a qualitatively different containment barrier around thevulnerable application. These security layers are:
- A host system with a kernel hardened using PaX/Grsecurity, andrestriction of hypervisor processes using Grsecurity Role Based AccessControl (RBAC)
- A guest system built as a read-only live image with a PaX kernel
- A container jail environment inside the guest, created withFirejail
- Security-oriented application-level configuration of a Firefox browser,including default settings and extensions
Layer 1: The Host System
For our purposes, the only role of the host system is to provide anenvironment for building and running a live image. We will assume that thehost is a Linux system and that KVM will be used torun the live image.
Step 1.1: Configure PaX/Grsecurity
This step is optional, but recommended. Running a Linux kernel patched withPaX/Grsecurity on the host provides a significantly better security baselinethan vanilla Linux. The Grsecurity RBAC system also provides a way torestrict the access privileges of hypervisor (QEMU/KVM) processes and otherprograms running on the host.
Setting up Grsecurity requires downloading the Linux kernelsource, applying theGrsecurity patch that matches the kernelversion, configuring the kernel (including PaX/Grsecurity parameters),building the kernel, and finally installing and booting it. Assumingyou have downloaded the kernel source as a file with a name like
linux-x.y.z.tar.xz
and the corresponding Grsecuritypatch as grsecurity.patch
(the actual patch filename contains version and date information), thebasic steps are:If all goes well, this will produce a
linux-image
Debian package filealong with related package files for kernel headers, firmware,etc. according to Debian kernel-packaging conventions. These .deb
files can be installed directly with dpkg -i
. Another way to buildDebian packages from kernel source is to usekernel-package.Refer to theGrsecurity documentation forinstructions on applying the Grsecurity patch and configuring thePaX/Grsecurity kernel settings. When configuring the kernel, try toeliminate any drivers and features that you don't need on the host system,and enable other important security options such asmodule signing,stack protection, andseccomp. Consult theUbuntuKernel Hardeningfeature checklist for other important kernel security features andparameters.
Step 1.2: Configure the hypervisor
Ensure QEMU/KVM is installed on the host:
For QEMU/KVM, hypervisor configuration takes the form of passing a set ofcommand-line options to
kvm
(which itself is just a wrapper aroundqemu-system-x86_64
). Here is an example script that can be used to bootan image with some useful QEMU options:To use this script, pass the image you wish to boot as an argument.
-cpu host
tells QEMU to emulate the precise CPU that the host uses,rather than some different or more generic CPU. This provides the bestperformance.-m 2048
allocates 2GB of RAM to the guest (the default is 128MB).-drive file=$1,if=virtio,media=cdrom
says to use the filename passed asthe argument$1
as the virtual boot drive, to treat it as CDROM media,and to represent it as a Virtiodevice rather than emulating some form of disk hardware. This requiresVirtio driver support in the guest kernel. Use Virtio interfaces anddrivers whenever possible for best performance and feature support.-balloon virtio
enablesballoon support,allowing the guest to dynamically grow and release memory back to thehost. This requires memory balloon support in the guest kernel.-usbdevice tablet
is necessary to prevent mismatched host/guest mousepointers when using VNC.-soundhw hda
instructs QEMU to emulate HDA PCI sound hardware. Combinedwith theexport QEMU_AUDIO_DRV=alsa
line, this should provide workingguest-to-host sound. If you don't need sound, you can remove these twolines. This requires HDA sound driver support in the guest kernel.-vga std
enables high-resolution video mode support.-netdev user,id=network0 -device virtio-net,netdev=network0
enablesbasic networking support, placing the guest on a private virtual networkthat can access the Internet via the host.-virtfs local,path=/tmp/guest_share,mount_tag=share,security_model=mapped-xattr
sets up a shared directory between the host and the guest so that filescan easily be moved back and forth. The directory/tmp/guest_share
onthe host is made accessible to the guest using9p. This requires 9p Virtiosupport in the guest kernel.
You should verify that you can use a script like the above to boot a vanillalive ISO image on the host. Standard Debianlive imagesare available from the Live Systems project.
To use a VNC display rather than QEMU's default SDL display, you can add anoption like
-vnc 127.0.0.1:0
and use a VNC client to connect to QEMU onport 5900.There is a newer display technology for QEMU calledSPICE/QXL. In theory, this shouldprovide better graphics capabilities and performance, and also provides amechanism for copy/paste clipboard transfer between the guest and host. Intesting on a Linux 3.18 host/guest with QEMU 2.1, however, using QXL led toguest hangs with the QEMU host process consuming 100% CPU when doing evenbasic browsing. To enable SPICE/QXL you can use options like:
You will need a SPICE client onthe host to connect to the guest display. You will also need to enable QXLin the guest kernel and install theQXL Xorg driver in theguest. For copy/paste clipboard support, you will also need thespice-vdagent package in theguest. See the SPICE documentation for details.
Another option to consider is
-sandbox on
. This enablesseccomp sandboxing ofthe QEMU process. Unfortunately, in testing with Linux 3.18 and QEMU 2.1this led to instability of QEMU, so use this option with care.Step 1.3: Secure the Hypervisor
The purpose of this step is to lock down the access that the hypervisorprocess has to the rest of the system. Apart from read/write access to
/dev/kvm
, QEMU has no special access requirements and can safely beprevented from reading, writing, or executing most filesystem paths.Its network access can also be restricted to whatever is required forthe applications you run within the VM.The procedure for enforcing access control depends on the securityframework you're using on the host. Most frameworks have a learningmode that allows you to run an application and exercise itsfunctionality, and that then generates a whitelist policy that permitsaccess to only those resources actually used by the application duringthe learning process. Usually some degree of manual review and tuningof the generated access policy is needed. Arriving at a good policyusually requires several tweaks and iterations.
For example, if you're using the Grsecurity RBAC system and QEMU-x86_64,you can start with a stub entry in your policy file under theappropriate user role that looks like this:
The
l
flag places the policy for this program in learning mode. Youcan then use gradm
as usual to enable RBAC in learning mode, exercisethe program, and then generate an initial policy. See theRBAC documentationfor details.Although Grsecurity RBAC is powerful, it uses a whole-system whitelistmodel, meaning that using it requires having a policy that covers allusers and programs on the system. In spite of its 'full systemlearning' mode, generating a working full-system poilcy is a difficultand time-consuming exercise, especially for desktop-oriented systems andthose that depend on invasive multi-function services such as systemd.A far simpler, though less comprehensive, alternative isAppArmor, which only restrictsprograms that have policies defined and has no concept of users orroles.
Layer 2: The Guest Image
Now that the host system has been prepared and QEMU is working, we areready to configure and build the live image.
Step 2.1: Configuring and Building the Guest Kernel
Follow the same procedure used to configure and build thehost kernel. When configuring theguest kernel, note the following points:
- Remove all hardware drivers except for devices that QEMU can emulateand that you require. For example, if you want sound support in theVM, configure the guest kernel to support Intel PCI HDAudio and startQEMU with the sound options given above. You do not needhardware-specific drivers for disk, network, or graphics as these willbe handled by Virtio — see below.
- Enable basic virtualization options such as:
CONFIG_PARAVIRT
CONFIG_HYPERVISOR_GUEST
CONFIG_KVM_GUEST
- Many core devices such as block and network devices have optimizedVirtio drivers designed specifically for virtual machines. Wheneverpossible, use a Virtio driver instead of a hardware driver for adevice that QEMU will have to emulate. Ensure the following optionsare enabled:
CONFIG_VIRTIO_PCI
CONFIG_VIRTIO_BLK
CONFIG_VIRTIO_NET
CONFIG_HW_RANDOM_VIRTIO
CONFIG_VIRTIO_BALLOON
- Enable virtualized graphics options:
CONFIG_DRM_CIRRUS_QEMU
CONFIG_DRM_QXL
CONFIG_DRM_BOCHS
- Enable OverlayFS support. This is required for a working liveimage:
CONFIG_OVERLAY_FS
- If you want to be able to share host directories with the guest toeasily move files back and forth, enable 9p support:
CONFIG_NET_9P
CONFIG_NET_9P_VIRTIO
CONFIG_9P_FS
Step 2.2: Installing the Live-Build Tools on the Host
The only package you need to build live images islive-build. Several otherpackages such as live-boot andlive-config will be installedautomatically into the live image during the build process. Fulldocumentation on these packages is available from theLive Systems project.
To get started with
live-build
, create a directory that will be usedto store your live image configuration and build data (it should have atleast 1 GB of free space available), and then run lb config
to createa default live image configuration:This creates a configuration directory tree that live-build uses todetermine how to build the live image. If you don't make any changes tothis tree, you will end up with a default Debian Live image. You shouldtry to build this default image now to ensure your system is set upcorrectly:
This command will run for some time and generate a lot of output as itdownloads packages, builds the system in a chroot environment, andfinally freezes the chroot tree as asquashfs image and combines itwith a bootloader and kernel into a bootable binary
.iso
image file.This final file will be placed in the directory where you ran lbbuild
.Note:
lb build
expects to be run as root. If the build system isrunning a Grsecurity kernel, you will also have to temporarilydeactivate some Grsecurity chroot restrictions for the build to succeed,e.g. withOverlayFS Support
Live images require some form ofUnion filesystemsupport in the guest kernel. Traditionally the Debian Live System toolshave used AuFS for this. Unfortunately,AuFS is an out-of-tree kernel patch that does not play nicely withGrsecurity. There is now an in-tree alternative called OverlayFS,enabled with the
CONFIG_OVERLAY_FS
option in the guest kernel.However, at the time of writing, the Debian live-boot
package does notproperly support OverlayFS. Debianbug 773881 has been opened for this.In the bug comments, a link is provided to a Git repository and branchthat contains a patched version of live-boot 5.0a1. Until the officiallive-boot package is updated, a working live-boot that supportsOverlayFS can be built from this branch using dpkg-buildpackage -b
.This will produce the files live-boot_5.0~a1-1_all.deb
andlive-boot-initramfs-tools_5.0~a1-1_all.deb
. These packages should beplaced in the config/packages.chroot
directory when configuring thelive image (see next step) along with version 5.0a1 of live-config,overriding the default live-boot and live-config packages that wouldotherwise be installed when building the live image.Step 2.3: Customizing the Live Image
You have now used
lb build
to successfully build a default Debian LiveISO image. This image should be bootable and functional on virtualmachines or real hardware. This step covers how to customize the liveimage.The general procedure for making changes to your live image is to modifysome files in your live configuration tree (the directory where you ran
lb config
) and then rebuild the live image by running the followingsequence of commands:The
lb clean
command cleans up data from the last build, the lbconfig
command updates the live image configuration based on yourchanges, and the lb build
command actually builds the new image.From now on, we will assume that you are in your live-build rootdirectory (the directory where you ran
lb config
). Unless otherwisenoted, path names will be given relative to this directory. Most filesand directories used for customization live under the config/
subdirectory.Overview of Live Image Configuration
See theManaging a configurationsection of the Live Systems manual for an overview of live imageconfiguration. Briefly, many basic options, like the target Debiandistribution and architecture, can be specified as options to
lbconfig
— see lb config --help
and man lb_config
for details.Passing options to lb config
results in modifications to one or moreconfig files located in the config
subdirectory of your build root.Although the manual recommends using auto scripts to manage a live imageconfiguration, and for good reason, for simplicity we will make changesby editing configuration files directly. These changes will bepreserved on subsequent runs of
lb config
. Be aware of the caveats ofthis approach as described in the manual and consider using auto scriptsinstead where possible.Choosing Packages to Install
There are two ways to add packages of your choice to your live image.
Adding standard Debian packages
For standard Debian packages, create a file with a name ending in
.list.chroot
in the config/package-lists
directory. This file maycontain a space-separated list of Debian package names. The namedpackages will be retrieved and installed in the chroot during thebuild/bootstrap process.Here is an example package list for a Firefox/Iceweasel image:
Remarks on some of these packages:
attr
is required to set PaX flags on executables, assuming theCONFIG_PAX_XATTR_PAX_FLAGS
kernel option was chosen (recommended).pm-utils
is included forpm-suspend
which can be used to put thesystem to sleep temporarily. Sometimes suspending the VM isnecessary before suspending the host to avoid a frozen VM when thehost resumes.alsa-utils
is included for basic sound utilities such asalsamixer
.spice-vdagent
is required for copy/paste support via QEMU SPICE,discussed earlier.fluxbox
is a lightweight window manager for X. You can choose anyother window manager or desktop environment you like.- The
xserver-xorg
packages select X drivers important for QEMU,corresponding to the kernel drivers selected earlier. - The
iceweasel-*
packages select some useful Firefox extensions thathappen to be packaged for Debian. We will look at other ways tocustomize extensions later.
Adding custom packages (including the guest kernel)
For packages in the form of
.deb
files that are not part of yourchosen Debian distribution (or that you want to override those in thedistribution), simply place the files in the config/packages.chroot
directory. This is how we provide the guest kernel package we builtearlier. For example:- A Firejail packageis included since it is not yet part of Debian.
- The
linux-image
package is the guest kernel built earlier. - The
live-boot
packages are included here if they were custom-builtfor OverlayFS support as discussed earlier. - The
live-config
packages are included here fromexperimental
sothat they match thelive-boot
package versions.
Enabling OverlayFS
In order to use OverlayFS, you must edit the file
config/chroot
andchangeto
You must also pass a boot parameter to the kernel; see below.
Customizing Kernel Boot Parameters
In some cases it is necessary to modify the boot parameters passed tothe live image kernel. This is done by modifying the
LB_BOOTAPPEND_LIVE
option in config/binary
, which defaults to:Adding
union=overlay
is required for OverlayFS to work:Many runtime live image configuration options can also be passed in theform of kernel options; seeman live-configfor details.
Custom Build Hooks
Executable scripts can be placed in the
config/hooks
directory. Theirfilenames should end with .hook.chroot
. These scripts will be runinside the chroot at the end of the build process, and can be used tomake changes to the live system before it is frozen into the finalimage.For example, this mechanism can be used to set a root password. Createan executable file called
config/hooks/0500-root-password.hook.chroot
containing:Replace the argument to the
-p
option with the output of mkpasswd
(available as part of the whoispackage). See man mkpasswd
.Customizing Live Image Contents
The directory
config/includes.chroot
represents the /
directory ofthe live image filesystem. Files placed here will be added directly tothe final live image, replacing existing ones if necessary.For example, to add some custom 'dotfiles' to the live user's homedirectory, put them in
config/includes.chroot/etc/skel
. They willthen end up in /etc/skel
on the live system and will be copied to thelive user's home directory when it is created during system startup.Custom Runtime Hooks
Whereas build hooks are run during the live image build process, runtimehooks are run inside the live system during boot. These hooks areprocessed by
live-config
. To add a runtime hook, place an executablescript in config/includes.chroot/lib/live/config
. You should examinethe default hooks (found in chroot/lib/live/config
after an lbbuild
) or the live-config examples in/usr/share/doc/live-config/examples/hooks
.Step 2.4: Specific Customizations
Root Access
By default, the live system has one user named
user
with passwordlive
. This user can execute commands as root with sudo
withoutspecifying a password. A better configuration is to disable sudo andset a root password. We saw how to set a root password with aCustom Build Hook above. To disable sudo, addlive-config.noroot
to the kernel boot parameters list(LB_BOOTAPPEND_LIVE
in config/binary
).PaX Flags and Iceweasel
Debian Live Manual Section 10.1 Customizing The Live User Review
If your guest kernel is configured for PaX and the process memoryprotection feature (
CONFIG_PAX_MPROTECT
) is enabled by default(recommended), then you will not be able to run Iceweasel withoutdisabling memory protection on the iceweasel
and plugin-container
binaries in /usr/lib/iceweasel
. (This suboptimal situation arisesbecause Firefox uses JIT compilation for performance, which by itsnature depends on memory regions that are both writable and executable.It is possible to compile Firefox without JIT, but this is not done forthe standard Debian packages.) This can be done with aruntime hook. For example, you can place anexecutable script like the following inconfig/includes.chroot/lib/live/config/1200-setattr
:The
setfattr
method only applies if you selected theCONFIG_PAX_XATTR_PAX_FLAGS
option when configuring the guest kernel(recommended).Default X Resolution
The X resolution can be changed at runtime with
xrandr
. To change thedefault resolution, add akernel boot parameter likelive-config.xorg-resolution=1600x1200
. Seeman live-configfor details and other options.Mount a Host Directory with 9p
If you configured QEMU to share a host directory via 9p and you included9p support in your guest kernel, you may want to mount the shareautomatically at boot. There are many ways to do this, but a quick hackthat works is to create
config/includes.chroot/etc/rc.local
as anexecutable shell script and add a line like:Here
share
is a tag that must match the tag you passed to QEMU via the-virtfs
option.Be warned that 9p support can exhibit some instabilities. In testingwith Linux 3.18 and QEMU 2.1, passing
-sandbox on
caused writes tofiles over 9p to hang the writing process unrecoverably. Even without-sandbox on
, creation of files over 9p fails with 'Operation notsupported' (but writing to existing files works). This can be workedaround by creating the file on the host before trying to write to itfrom the guest.Unrecoverable hangs on the guest may also arise with 9p followingsuspend/resume. To work around this, unload the 9p kernel modules(
9p
, 9pnet
, 9pnet_virtio
) using modprobe -r
before suspend.Layer 3: Firejail
Firejail canoptionally be used to provide another sandbox layer inside the livesystem. Firejail runs a program inside a 'container' environment thatprovides kernel namespace and filesystem isolation, as well asseccomp system callrestriction. It is easy to use, supports a number of useful featuresand options, and can be used to sandbox any program.
To install Firejail, simply download the
.deb
file from the Firejailproject page (it is not yet available in the Debian repositories) andplace it in config/packages.chroot
.To run Firefox/Iceweasel with Firejail, run a command like:
The
--debug
option causes Firejail to produce verbose messages aboutwhat it's doing. Another useful mode is:The
--private
option starts the program in a clean home directory,preventing access to the user's real home directory. This is a good wayto start a 'known clean' browser instance.Restricting Filesystem Access
Firejail uses a blacklist method for restricting access to parts offilesystem. It achieves this by remounting system directories like
/etc
, /lib
, and /usr
as read-only within the container by default,and fully blocking access to some files and directories by mounting anempty tmpfs filesystem on top of them. (Seccomp filtering preventsthese mounts from being changed within the container with calls tomount(2).)One omission in the defaults is that they leave the
/dev
directoryaccessible. This can be fixed by, for example, creating a file called/etc/firejail/blacklist-dev.inc
with contents like:The
seccomp mknod
line instructs Firejail to prevent the use ofmknod(2) within the container so that new device files can't be created(the default in recent versions). To prevent access to the pre-existingdevice files in /dev
, each file or subdirectory of /dev
must belisted on a separate blacklist
line. It is safe (and recommended) toblacklist nearly all device files (other than e.g. /dev/null
and/dev/urandom
) when running Firefox/Iceweasel.To use this file, add a line like
to
/etc/firejail/firefox.profile
or any other profile in /etc/firejail
.Layer 4: Firefox/Iceweasel Customization
If you are building a Firefox live image, you will want to customizethings like the browser version, preferences, and extensions.
Customizing the Browser Version
If you want to install a version of Iceweasel other than the one in yourtarget live image distribution, you will most likely have to resort toAPT pinning. For instance,you may want to install the latest Firefox release version, which isusually available in Debian
experimental
. You can do this by placinga couple of files in the config/archives
directory.The
experimental.list.chroot
file:The
experimental.pref.chroot
file:This configuration directs APT to install the
iceweasel
package fromexperimental
and to meet dependencies from unstable
when they cannotbe met from the target distribution.Customizing Preferences
Most preferences are customized by placing files in
config/includes.chroot/etc/iceweasel/profile
. When a user firstlaunches Iceweasel, it creates a profile directory in~/.mozilla/firefox
based on the contents of /etc/iceweasel/profile
.Some files and directories that are useful for customization:
prefs.js
is the main browser settings and preferences file.bookmarks.html
is the default bookmarks list.extension-data
is a directory that some extensions use to storelocal data.searchplugins
is the directory where different search engines aredefined. Each has a single.xml
file in this directory.search-metadata.json
contains user preferences related to searchengines.
You can easily customize your live image browser by copying files likethose above from the profile directory of an already-customized Firefoxinstallation into
config/includes.chroot/etc/iceweasel/profile
.Default Preferences for Security and Privacy
Debian Live Manual Section 10.1 Customizing The Live User Portal
Many of the default Firefox settings are suboptimal for security andprivacy. By way of example, this section provides a better set ofdefaults that can be included in your
prefs.js
file. You shouldunderstand what each setting does before using it — see theMozilla documentationfor details.Customizing Extensions
If the extension you want to add to your live image is already packagedfor Debian (for example,
iceweasel-noscript
), you can install it asyou would any other package by including its name in a file inconfig/package-lists
.Otherwise, you will have to place either the packed or unpackedextension in the following directory:
However, the packed extension (
.xpi
) file or unpacked directory musthave a specific name. To find this name, unpack the install.rdf
fileand inspect it:Near the top of this file there will be an
<id>
or <em:id>
tag thatlooks similar toDebian Live Manual Section 10.1 Customizing The Live User List
or
To install an extension as a packed file, place it in the abovedirectory with the name
${XID}.xpi
, where ${XID}
is the content ofthe <id>
or <em:id>
tag in the extension's install.rdf
file.Debian Live Manual Section 10.1 Customizing The Live User Page
To install an extension as an unpacked directory, create a subdirectoryin the above directory whose name is
${XID}
, then place the unzippedcontents of the .xpi
file in that directory.