danwalsh


Dan Walsh's Blog

Got SELinux?


Previous Entry Share Next Entry
Confining User Space
danwalsh
My SELinux goal in Fedora 9 is to begin confining user space.  Confinement of user space has to be optional, to make sure SELinux does not get a Black Eye for breaking some random application.

Confining the Web Browser:

 People interested in SELinux usually have a goal of making the desktop more secure.   "How do we prevent the types of attacks that Microsoft suffers from?"  These types of questions usually come down to securing the Web Browser, since the web browser reads untrusted data all the time, and tends to run random software.

Policy writers have tried to use SELinux to secure the web browser over the years, with little success.  A modern desktop has too many communications paths,  trying to prevent a determined hacker taking advantage of a Web Browser vulnerability is difficult.

Some problems with confining the Browser:

 - If I prevent the browser from uploading files or downloading files, the user has a hard time understanding why?
 - The browser launches  helper apps OpenOffice, Evince, Acroread to look at documents.  If these apps are not able to read/write directories, because of Browser policy, users will get confused and upset.  As an example, if I said Firefox can not write to your home directory, except the .mozilla directory.  Then I open a OpenOffice document in Firefox, OpenOffice would not be allowed to write to the homedir.  But if the user uses the running OpenOffice to edit a different file, it will not work, he will not be able to save this document either. 
 - Finally there is the issue of people downloading software to be run inside of the browser.  Users have been trained over the last few years to download and run apps off of web servers.  What  14 year old boy, when prompted if he wants to see Dancing Bikinis, will not answer YES.  Sadly my 14 year old boys, have moved onto worse then Bikinis.

At the First SELinux Summit a few years ago Colin Walters, did a talk about confining the Firefox Plugins rather then the App.  He said, if we could confining the millions of lines of code, that people download off the WEB, we might be able to protect the web browser without ruining the user experience.   He was talking about things like FlashPlayer, mplayer, sound codec, video codec, other assorted media plugins.  But alas the libraries we integrated directly into a single process, until now.
 
Gwenole Beauchesne developed the nsplugin wrapper.

http://gwenole.beauchesne.info/projects/nspluginwrapper/

"nspluginwrapper is an Open Source compatibility plugin for Netscape 4 (NPAPI) plugins. That is, it enables you to use plugins on platforms they were not built for. For example, you can use the Adobe Flash plugin on Linux/x86_64, NetBSD and FreeBSD platforms."

Fedora has been shipping this for a couple of releases, and I have added policy for it.

When you run Firefox and go to a site that requires a plugin, the npviewer.bin application application starts and communicates back to firefox.

I have added confinement this process.

# ps -eZ | grep nsplugin
staff_u:staff_r:nsplugin_t:s0   30628 ?        00:00:01 npviewer.bin

While Firefox continues to run as unconfined_t.

I have also added a boolean, allow_unconfined_nsplugin_transition (Default off),  that allows you to specify whether you want this confinement when running as the unconfined user.   I have been running with confined plugins for the past couple of weeks.  You might need to fix the labeling on your homedir to make this work.  restorecon -R -v ~/  Should fix it.

The policy for nsplugin allows it to only connect to HTTP ports, macromedia port and ldap ports.  It can only write to the .mozilla, .adobe, .macromedia homedir directories.  It can read some files in /etc and /usr, but not files like /etc/shadow.

You can try this out by updating to the latest Fedora 9 code, and

# setsebool -P allow_unconfined_nsplugin_transition 1

I would like to know of any problems this causes.

Type your cut contents here.

Confining firefox

(Anonymous)

2008-02-04 09:07 pm (UTC)

Dan, is this stuff in rawhide tree only? I am seeing the following on F8 machine (firefox-2.0.0.10-3.fc8, nspluginwrapper-0.9.91.5-15.fc8, selinux-policy-3.0.8-73.fc8):

--------
Summary:

SELinux is preventing /usr/lib/firefox-2.0.0.10/firefox-bin from creating a file with a context of unlabeled_t on a filesystem.
---------------------------------------------------

AVC raw message:

avc: denied { associate } for comm=firefox-bin egid=500 euid=500 exe=/usr/lib/firefox-2.0.0.10/firefox-bin exit=41 fsgid=500 fsuid=500 gid=500 items=0 name=D94F22FEd01 pid=2818 scontext=system_u:object_r:unlabeled_t:s0 sgid=500 subj=system_u:system_r:unconfined_t:s0 suid=500 tclass=filesystem tcontext=system_u:object_r:fs_t:s0 tty=(none) uid=500
----------------------------------------------------------------------

I just did the suggested fix on my ~/ to see how this affects the confinement. I suppose bz is not needed?

Regards, Vladimir

Re: Confining firefox

danwalsh

2008-02-05 01:05 pm (UTC)

Rawhide only.

What kind of filesystem do you have? Open a bugzilla if this continues. Might be a file system that SELinux does not know about.

Is this on the F9 feature list?

(Anonymous)

2008-02-05 02:26 pm (UTC)

Nice work.

I looked, but couldn't see this on the F9 feature list here:
http://fedoraproject.org/wiki/Releases/9/FeatureList

Would be nice to add, to help with the marketing team, getting in the release notes etc etc. Talk to poelstra IIRC

Confining the browser

(Anonymous)

2008-02-17 05:26 pm (UTC)

I ran restorecon -R -v ~/ and earlier set the boolean via the SELinux Administration GUI. There are a lot of error messages in the troubleshooter logged. I would rather have undesirable items blocked than have vulnerabilities which could potentially invade my privacy or set me up as some proxy for distributing unknowingly some other bad content around the website. I do want my grandkids to not feel that nothing works in Linux and be compelled to use Windows where their kid oriented websites fail though. I think that the efforts to start securing the desktop are very important. Thanks for the work on getting this to be a reality.
Recently using Windows, one website about took down the system when going to a technically related information website found by a web search engine. The AV programs caught this but should have not allowed such a potential compromise from being possible. I hope SELinux prevents such potential infiltration within the Linux environment.

There is a policy for running mozilla under a different domain. But it really is not as much of a confinement as you might think.


The only domain that is currently using it is xguest_u. This is the only way the xguest user account can use the network. If the xguest user tries to connect out anyother way, it will be denied.

Writing policy to confine mozilla/firefox is very difficult since almost everyone wants it to be able to do everything. People want it to be able to download to any directory and upload from any directory. They want it to be able to execute helper apps like evince and openoffice.

If I confined firefox (firefox_t) to not be able to write to anywhere except ~/Download and only able to read from ~/Upload, that might be a step forward,except when it comes to running openoffice. If I download a file from firefox_t executes openoffice it would stay running in the context of firefox_t

Well if a user went to edit a different file in openoffice he would be supprised when it could not be read or saved in other directories. If he killed openoffice and restarted it from the panel it would run under unconfiened_t or user_t and would be able to do what he wants. Very confusing.

Currently in F9 and F10 we have the ability to confine nsplugin as described in the blog, and this at least allows you to confine random download executables running in firefox.

Hello Dan,

There is no way that I can write a policy confining Firefox to read or rather write to a specific directory. For eg. allowing user to list/read files in the home dir rather than giving him full privileges:

Minimal priviliges:

allow firefox_t admin_home_t:dir { search };
allow firefox_t admin_home_t:file { read };

Full Privileges:

allow firefox_t admin_home_t:dir { write remove_name getattr read add_name };
allow firefox_t admin_home_t:file { rename lock create getattr write ioctl unlink append };

Please clarify.

--Anil

Yes you can, although it looks like you are writing policy for the /root directory? Not a good idea to run firefox as root.

But you can label particular directories like .mozilla as being firefox_home_t and have a rule like

manage_dirs_pattern(firefox_t, firefox_home_t, firefox_home_t)
manage_files_pattern(firefox_t, firefox_home_t, firefox_home_t)

list_dirs_pattern(firefox_t, user_home_dir_t, user_home_dir_t)
list_dirs_pattern(firefox_t, user_home_t, user_home_t)
read_files_pattern(firefox_t, user_home_t, user_home_t)



You are viewing danwalsh