Why don't we confine Firefox with SELinux?
That is one of the most often asked questions, especially after a new CVE like CVE-2015-4495, shows up. This vulnerability in firefox allows a remote session to grab any files in your home directory. If you can read the file then firefox can read it and send it back to the website that infected your browser.
The big problem with confining desktop applications is the way the desktop has been designed.
I wrote about confining the desktop several years ago.
As I explained then the problem is applications are allowed to communicate with each other in lots of different ways. Here are just a few.
* X Windows. All apps need full access to the X Server. I tried several years ago to block applications access to the keyboard settings, in order to block keystroke logging, (google xspy). I was able to get it to work but a lot of applications started to break. Other access that you would want to block in X would be screen capture, access to the cut/paste buffer. But blocking
these would cause too much breakage on the system. XAce was an attempt to add MAC controls to X and is used in MLS environments but I believe it causes to much breakage.
* File system access. Users expect firefox to be able to upload and download files anywhere they want on the desktop. If I was czar of the OS, I could state that upload files must go into ~/Upload and Download files go into ~/Download, but then users would want to upload photos from ~/Photos. Or to create their own random directories. Blocking access to any particular directory including .ssh would be difficult, since someone probably has a web based ssh session or some other tool that can use ssh public key to authenticate. (This is the biggest weakness in described in CVE-2015-4495
* Dbus communications as well as gnome shell, shared memory, Kernel Keyring, Access to the camera, and microphone ...
Every one expects all of these to just work, so blocking these with MAC tools and SELinux is most likely to lead to "setenforce 0" then actually adding a lot of security.
One of the biggest problems with confining a browser, is helper applications. Lets imagine I ran firefox with SELinux type firefox_t. The user clicks on a .odf file or a .doc file, the browser downloads the file and launches LibreOffice so the user
can view the file. Should LibreOffice run as LibreOffice_t or firefox_t? If it runs as LibreOffice_t then if the LibreOffice_t app was looking at a different document, the content might be able to subvert the process. If I run the LibreOffice as firefox_t, what happens when the user launched a document off of his desktop, it will not launch a new LibreOffice it will just communicate with the running LibreOffice and launch the document, making it accessible to firefox_t.
For several years now we have been confining plugins with SELinux in Firefox and Chrome. This prevents tools like flashplugin
from having much access to the desktop. But we have had to add booleans to turn off the confinement, since certain plugins, end up wanting more access.
mozilla_plugin_bind_unreserved_ports --> off
mozilla_plugin_can_network_connect --> off
mozilla_plugin_use_bluejeans --> off
mozilla_plugin_use_gps --> off
mozilla_plugin_use_spice --> off
unconfined_mozilla_plugin_transition --> on
I did introduce the SELinux Sandbox a few years ago.
The SELinux sandbox would allow you to confine desktop applications using container technologies including SELinux. You could run firefox, LibreOffice, evince ... in their own isolated desktops. It is quite popular, but users must choose to use it. It does not work by default, and it can cause unexpected breakage, for example you are not allowed to cut and paste from one window to another.
Hope on the way.
Alex Larsson is working on a new project to change the way desktop applications run, called Sandboxed Applications.
Alex explains that their are two main goals of his project.
* We want to make it possible for 3rd parties to create and distribute applications that works on multiple distributions.
* We want to run the applications with as little access as possible to the host. (For example user files or network access)
The second goal might allow us to really lock down firefox and friends in a way similar to what Android is able to do on your cell phone (SELinux/SEAndroid blocks lots of access on the web browser.)
Imagine that when a user says he wants upload a file he talks to the desktop rather then directly to firefox, and the desktop
hands the file to firefox. Firefox could then be prevented from touching anything in the homedir. Also if a user wanted to
save a file, firefox would ask the desktop to launch the file browser, which would run in the desktop context. When the user
selected where to save the file, the browser would give a descriptor to firefox to write the file.
Similar controls could isolate firefox from the camera microphone etc.
Wayland which will eventually replace X Windows, also provides for better isolation of applications.
Needless to say, I am anxiously waiting to see what Alex and friends come up with.
The combination of Container Techonolgy including Namespaces and SELinux gives us a chance at controling the desktop
Dan Walsh's Blog
- 'CVE-2015-4495 and SELinux', Or why doesn't SELinux confine Firefox?