Unveil your browser

Browsers pose a rather large attack vector, a full compromise would allow an adversary full access to all your data, from ssh keys to e-mail. Luckily, OpenBSD comes to the rescue! With unveil() you can mitigate such a disaster from happening. Time to put your browser behind bars and put on your tinfoil hat.

Using unveil() allows to set the paths an application has access to. For example, you'll probably want to give Chromium access to your ~/Downloads folder, but preventing it from accessing ~/.ssh. It's actually peanuts to do so, limiting the risk and impact of a browser compromise. As with every security technique, you should always be cautious trusting sole methods.

Chromium

Thanks to Robert Nagy and other OpenBSD developers, Chromium has support for unveil(). Like Roman Zolotarev jokingly notes, the basic job can be achieved by invoking a really simple command:

chrome --enable-unveil

For me, this command threw an error and Chromium refused to launch:

[53518:247704160:1101/210432.436058:ERROR:process_metrics_openbsd.cc(126)] Not implemented reached in bool base::GetSystemMemoryInfo(base::SystemMemoryInfoKB *)
couldn't lock 16384 bytes of memory (secret_value): Function not implemented
gcrypt-Message: 21:04:32.980: no entropy gathering module detected

Abort trap 

I don't know what application or library causes this error, but it's easy to solve by granting read access to a entropy gathering module. Using unveil.main, you can set the paths Chromium is allowed to access.

$ cat /etc/chromium/unveil.main
[...]
# entropy gathering
/dev/urandom r

If you want to set the --enable-unveil as the default Chromium, this is achieved by editing the default launch script:

$ doas vi /usr/local/bin/chrome

Edit the last line to include the argument:

LANG=${_l} exec "/usr/local/chrome/chrome" "--enable-unveil" "${@}"

Iridium

Since Iridium shares the Chromium codebase (although an older version, as the Iridium project has been inactive for quite some months), unveiling Iridium works in exactly the same way as Chromium does. Just replace chrome with iridium in the commands given earlier.

Firefox

Firefox gained support for pledge() recently, though unveil() isn't supported just yet. Chromium is superiour with the security aspect, but comes with a major downside: it is developed by an advertising company.

Errata

It should be noted that the unveil profile of Chromium allows access to, amongst others, ~/.local and ~/.config, where other applications tend to store data as well. You might want to check whether your other applications store sensitive data within these directories, and if so: how to change the storage location, out of reach for your browser.