SELinux and Chrome
danwalsh
After reading the Google Chrome announcement/comic book, I got to thinking

How could SELinux and Chrome work together?

The comic book says that Chrome can run each tab in a different process, isolating the tabs from each other.  If a tab's process crashes because of a bug, it only brings down that tab, not the entire web browser.  We have something like this in Fedora 9, where most plug-ins run in a separate process from Firefox, nsplugin.  If a plug-in causes the process to crash, the nsplugin program crashes, not Firefox.  You can use SELinux to lock down the nsplugin process to prevent it from attacking the rest of the system.  The nice thing from an SELinux point of view is that we did not need to change Firefox to make this happen.  Since Firefox executes nsplugin (npviewer.bin), we can write policy that says when a process running in the user's domain (unconfined_t) execs an executable labeled nsplugin_exec_t, SELinux transitions the new process into the nsplugin_t domain.

With Chrome we might be able to take this further.  Imagine Chrome could differentiate between external and internal web sites; the main Chrome process could then create the two tabs under different SELinux contexts, say chrome_trusted_t and chrome_untrusted_t.  You could isolate these processes from each other, and maybe allow chrome_trusted_t to read and write anywhere on the file system while chrome_untrusted_t could only read/write the ~/untrusted directory, labeled untrusted_content_home_t.  With labeled networking you could set up a proxy server that would only accept connections from processes labeled chrome_untrusted_t.  If a user is reading a Company Confidential web site in one tab and is connected to www.espn.com in another, SELinux would prevent the untrusted tab from reading the trusted tab's content.

This would require changes to Chrome code, but the SELinux code to do this is fairly simple. 

Pseudo Code

Depending on how Chrome works.  Both sketches use libselinux (link with -lselinux) and assume Fedora's targeted policy, which has MCS enabled, so the context carries a level (":s0"); drop the level on a policy without MLS/MCS.

#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>
#include <selinux/selinux.h>

User enters an external web site:

If Chrome just forks a new process it would:

pid_t child = fork();
if (child == 0) {                       /* fork() returns 0 in the child */
        if (is_selinux_enabled() > 0) {
                /* Dynamic transition.  Policy must allow
                   unconfined_t -> chrome_untrusted_t:process dyntransition.
                   A freshly forked child is single-threaded, which setcon() requires. */
                if (setcon("user_u:user_r:chrome_untrusted_t:s0") < 0) {
                        perror("setcon");
                        _exit(1);       /* never render untrusted content unconfined */
                }
        }
        ... /* Run the tab process */
        exit(0);
}

or

if Chrome forks and execs a new process:

pid_t child = fork();
if (child == 0) {
        if (is_selinux_enabled() > 0) {
                /* Label the next exec(); the kernel verifies the transition */
                if (setexeccon("user_u:user_r:chrome_untrusted_t:s0") < 0) {
                        perror("setexeccon");
                        _exit(1);
                }
        }
        execv(tab_path, tab_argv);      /* exec the tab process; returns only on failure */
        setexeccon(NULL);               /* exec failed: restore default behaviour so a later exec is not mislabeled */
        perror("execv");
        _exit(1);
}

Policy would have to be written to allow the transition from unconfined_t to chrome_untrusted_t, since the kernel verifies every transition: for the exec path that is a domain transition on the labeled tab binary (domain_auto_trans, or just process transition when Chrome uses setexeccon), and for the fork-only path a process dyntransition, which setcon() needs.
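
A minimal policy module for that transition, written here as an added example; it is not from the original post and is not Chrome's or Fedora's policy.  It uses the domain and type names from the paragraphs above (chrome_untrusted_t, untrusted_content_home_t), adds a hypothetical chrome_untrusted_exec_t for the labeled tab binary, and assumes reference-policy interfaces (domain_type, domain_entry_file, domain_auto_trans, manage_*_pattern), refpolicy's user_home_t for home-directory content, and that the main browser process runs as unconfined_r:unconfined_t as on Fedora's targeted policy.  The labeled-networking proxy from the earlier paragraph is not covered.

```selinux
policy_module(chrome_untrusted, 0.1)

########################################
# Declarations

# Domain for tabs rendering external (untrusted) web sites.
# domain_type() also grants self:process { fork sigchld }, so the tab can spawn helpers.
type chrome_untrusted_t;
domain_type(chrome_untrusted_t)

# Hypothetical label for the tab binary; only the fork()+exec() path uses it.
type chrome_untrusted_exec_t;
files_type(chrome_untrusted_exec_t)
domain_entry_file(chrome_untrusted_t, chrome_untrusted_exec_t)

# The only place an untrusted tab may write: ~/untrusted
type untrusted_content_home_t;
files_type(untrusted_content_home_t)

########################################
# Local policy

# Basic runtime needs of a dynamically linked process
libs_use_ld_so(chrome_untrusted_t)
libs_use_shared_libs(chrome_untrusted_t)
miscfiles_read_localization(chrome_untrusted_t)
dev_read_urand(chrome_untrusted_t)

# Read/write only the untrusted content directory (files and subdirectories)
manage_dirs_pattern(chrome_untrusted_t, untrusted_content_home_t, untrusted_content_home_t)
manage_files_pattern(chrome_untrusted_t, untrusted_content_home_t, untrusted_content_home_t)

########################################
# Transitions from the unconfined main browser process; the kernel checks each one

gen_require(`
	type unconfined_t;
	type user_home_t;
	role unconfined_r;
')

# Assumption: the browser runs as unconfined_r; the role must be authorized for the new type
role unconfined_r types chrome_untrusted_t;

# fork()+exec() path: automatic transition on the labeled binary, which also
# grants unconfined_t chrome_untrusted_t:process transition for setexeccon()
domain_auto_trans(unconfined_t, chrome_untrusted_exec_t, chrome_untrusted_t)

# fork()-only path: setcon() is a dynamic transition
allow unconfined_t chrome_untrusted_t:process dyntransition;

# The caller must be allowed to write /proc/self/attr/{current,exec};
# redundant on most unconfined policies, harmless if so
allow unconfined_t self:process { setcurrent setexec };

# Assertion that no other rule, now or later, lets an untrusted tab touch ordinary
# home content; checked at link time when expand-check is enabled in semanage.conf
neverallow chrome_untrusted_t user_home_t:file { read write };
```

Build it with the selinux-policy-devel Makefile (`make -f /usr/share/selinux/devel/Makefile chrome_untrusted.pp`), load it with `semodule -i chrome_untrusted.pp`, then label the directory (`chcon -t untrusted_content_home_t ~/untrusted`) and, for the exec path, the tab binary with chrome_untrusted_exec_t.  `sesearch --allow -s unconfined_t -t chrome_untrusted_t -c process` should then list both transition and dyntransition; if the tab ends up in unconfined_t instead, the missing role authorization or a failed setcon()/setexeccon() return value is the first thing to check.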

Any enterprising grad students looking for a project?

I could imagine similar changes could be done in Apache (mod_*), sshd, Samba.

 



For starters, there needs to be a working linux port of Chrome. Currently that does not exist. See this post for more info:
http://googlemac.blogspot.com/2008/09/platforms-and-priorities.html

Yes, I know there is no port currently; I expect there to be one sooner than later.

Yes, the things you could do with SELinux and a browser architecture like Chrome would be phenomenal.

Soldiers abroad would love to have NIPRNET and SIPRNET on the same machine. In different tabs using the same browser would be even better.

selinux failed to block , fork

This is the program (myproc.c) in which I am trying to block fork()
using SELinux.

#include <stdio.h>
#include <unistd.h>

int main(void)
{
    pid_t pid = fork();
    if (pid == 0) {
        printf("child\n");
    } else if (pid == -1) {
        perror("fork");          /* a denied fork() returns -1 here */
        printf("error\n");
    } else {
        printf("parent\n");
    }
    return 0;
}

# selinux module (myproc.te)

policy_module(myproc, 1.0)

type myproc_t;
domain_type(myproc_t)

# Access to shared libraries
libs_use_ld_so(myproc_t)
libs_use_shared_libs(myproc_t)

miscfiles_read_localization(myproc_t)

dev_read_urand(myproc_t)


# Type for the executable
type myproc_exec_t;
files_type(myproc_exec_t)
domain_entry_file(myproc_t, myproc_exec_t)

gen_require(`
type unconfined_t;
')
domain_auto_trans(unconfined_t, myproc_exec_t, myproc_t)


I have defined a separate domain for my program, and I also verified that myproc runs in myproc_t.
I have not allowed myproc_t self:process fork;
Moreover, I added
neverallow myport_t self : process fork;

Though SELinux is still not blocking fork.

Please tell me how to block fork().

Thanks in advance

Re: selinux failed to block , fork

The problem is fork is allowed for all domains.

The interface
domain_type(myproc_t)

Adds allow myproc_t self:process { fork sigchld };

If you remove domain_type(myproc_t)

You should see this fail. Although you might have to add other allow rules.

Re: selinux failed to block , fork

Thanks a lot. I realized it later. I did a search in the SELinux policy analyser; it shows the same line: allow myproc_t self:process { fork sigchld };


Thank you
