Dan Walsh's Blog

Got SELinux?


Fedora 17 New Security Feature part VII - thumbnail protection.
danwalsh

John Leyden wrote an interesting article, Linux vulnerable to Windows-style autorun exploits, about how security researchers had discovered that Linux is potentially vulnerable to a user sticking a USB device or CD-ROM into a locked machine. The basic idea was that "Nautilus" would execute thumbnail driver code to display thumbnail icons in the file browser based on the content of the removable media, even if the machine was locked. If the thumbnail executables were vulnerable, a cracker could use the code that processes the thumbnail images to kill the screensaver/lock.

Never mind the locked-screen case: just plugging in a USB stick while you are logged in could allow a cracker to take over your machine.

At that time, I wrote policy for all thumbnail drivers to be locked down with SELinux, but I only turned it on for confined users. I and other users have been running this confinement throughout Fedora 16.

In Fedora 17 I have turned this on for the unconfined user. 

We are confining the following applications.

/usr/bin/evince-thumbnailer
/usr/bin/ffmpegthumbnailer
/usr/bin/gnome-exe-thumbnailer.sh
/usr/bin/gnome-nds-thumbnailer
/usr/bin/gnome-xcf-thumbnailer
/usr/bin/gsf-office-thumbnailer
/usr/bin/raw-thumbnailer
/usr/bin/shotwell-video-thumbnailer
/usr/bin/totem-video-thumbnailer
/usr/bin/whaaw-thumbnailer
/usr/lib(64)?/tumbler-1/tumblerd
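
The protection described above only holds if each thumbnailer binary actually carries the thumb_exec_t type, so that it transitions into the confined domain when the file manager launches it. The script below is an added example (my code, not part of Dan Walsh's post or of the Fedora policy package): it reads `ls -lZ` output, extracts the SELinux type from the file context, and reports any thumbnailer that is not labeled thumb_exec_t. The sample output embedded in it is constructed for the example, and the ffmpegthumbnailer entry has been deliberately given the generic bin_t type to show what a mislabel looks like; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post: audit thumbnailer labels.
# Reads `ls -lZ` output on stdin and reports any file whose SELinux type is
# not thumb_exec_t. Exit status 0 means every file is labeled, 1 means at
# least one is not.

# Constructed sample of `ls -lZ /usr/bin/*thumb*` output (Fedora 17 format).
# The bin_t entry is deliberately mislabeled for demonstration.
SAMPLE_LS_OUTPUT='-rwxr-xr-x. root root system_u:object_r:thumb_exec_t:s0 /usr/bin/evince-thumbnailer
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/ffmpegthumbnailer
-rwxr-xr-x. root root system_u:object_r:thumb_exec_t:s0 /usr/bin/totem-video-thumbnailer'

# check_thumb_labels: read ls -lZ lines on stdin, print "<path> <type>" for
# each file not labeled thumb_exec_t, return 1 if any were found.
# The context field is located by its ":object_r:" role rather than by
# position, so both the old 5-field and the newer ls -lZ layouts work.
# A "?" context (SELinux disabled or unlabeled file) is reported as
# "no-context" because an unlabeled thumbnailer is not confined either.
check_thumb_labels() {
    awk '
        $1 ~ /^[-l]/ {
            ctx = ""
            for (i = 2; i < NF; i++) if ($i ~ /:object_r:/) { ctx = $i; break }
            if (ctx == "") {
                type = "no-context"
            } else {
                split(ctx, parts, ":")
                type = parts[3]
            }
            if (type != "thumb_exec_t") { print $NF, type; bad = 1 }
        }
        END { if (bad) exit 1; exit 0 }
    '
}

# audit_live: run the check against the real binaries. Only meaningful on a
# system with SELinux enabled and the Fedora thumbnailer policy installed.
audit_live() {
    ls -lZ /usr/bin/*thumb* 2>/dev/null | check_thumb_labels
}

# When executed directly, run the check over the constructed sample.
if [ "${1:-}" = "--live" ]; then
    audit_live || echo "mislabeled thumbnailers found"
else
    printf '%s\n' "$SAMPLE_LS_OUTPUT" | check_thumb_labels \
        || echo "mislabeled thumbnailers found"
fi
```

A file that is reported here should be relabeled with `restorecon -v <path>`; if restorecon leaves it as bin_t, the policy's file context entry for that thumbnailer is missing and the reply below, which lists the same labels, is the comparison point. To confirm what the confined domain may do once the label is right, `sesearch -A -s thumb_t -c process -p execstack` (setools) lists whether the thumb_t domain is allowed the execstack permission the post mentions.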


I have seen these applications try to "execstack" when running the mplayer executable to generate thumbnails, which is kind of scary.

If you know of other applications that get launched as thumbnailers, please tell me.


Should all the thumbnailers be "thumb_exec_t"?

Yes, although I am not sure all of the updates have made it to release yet.

Here is what I have:

ls -lZ /usr/bin/*thumb*
-rwxr-xr-x. root root system_u:object_r:thumb_exec_t:s0 /usr/bin/evince-thumbnailer
-rwxr-xr-x. root root system_u:object_r:thumb_exec_t:s0 /usr/bin/ffmpegthumbnailer
-rwxr-xr-x. root root system_u:object_r:thumb_exec_t:s0 /usr/bin/gnome-exe-thumbnailer.sh
-rwxr-xr-x. root root system_u:object_r:thumb_exec_t:s0 /usr/bin/gnome-nds-thumbnailer
-rwxr-xr-x. root root system_u:object_r:thumb_exec_t:s0 /usr/bin/gnome-xcf-thumbnailer
-rwxr-xr-x. root root system_u:object_r:thumb_exec_t:s0 /usr/bin/gsf-office-thumbnailer
-rwxr-xr-x. root root system_u:object_r:thumb_exec_t:s0 /usr/bin/raw-thumbnailer
-rwxr-xr-x. root root system_u:object_r:thumb_exec_t:s0 /usr/bin/shotwell-video-thumbnailer
-rwxr-xr-x. root root system_u:object_r:thumb_exec_t:s0 /usr/bin/totem-video-thumbnailer
-rwxr-xr-x. root root system_u:object_r:thumb_exec_t:s0 /usr/bin/whaaw-thumbnailer

rpm -q selinux-policy
selinux-policy-3.10.0-99.fc17.noarch