danwalsh (danwalsh) wrote,
danwalsh
danwalsh

SELinux and Chrome

After reading the Google Chrome announcement/comic book, I got to thinking

How could SELinux and Chrome work together?

The comic book says that Chrome can run each tab in a different processes, allowing you to isolate processes from each other.  If a tab processes crashes because of a bug it will only bring down that tab, not the entire web browser.  We have this in Fedora 9, in that we can run most of the plug-ins in a separate processes from Firefox, nsplugin.  If a plug-in causes the process to crash, the nsplugin program crashes not Firefox.  You can use SELinux to lock down the nsplugin process to prevent it from attacking our system.  The nice thing from an SELinux point of view is that we did not need to change Firefox to make this happen.  Since Firefox executed nsplugin (npviewer.bin), we can write policy that says when a user (unconfined_t) execs an executable labeled nsplugin_exec_t, SELinux will transition to process labeled nsplugin_t.

With Chrome we might be able to take this further.  Imagine Chrome could differentiate between external and internal web sites, then the main Chrome processes could create two tabs running under different SELinux contexts.  Say chrome_trusted_t and chrome_untrusted_t,  You could isolate these processes from each other and maybe allow chrome_trusted_t to read and write anywhere on the file system while chrome_untrusted_t could only read/write the ~/untrusted directory, labeled untrusted_content_home_t.   With labeled networking you could set up a proxy server that would only accept connections from processes labeled chrome_untrusted_t.  If a user is reading a Company Confidential web site in one tab, and connected to www.espn.com on another tab, SELinux would prevent the untrusted tab from reading the trusted tabs content.

This would require changes to Chrome code, but the SELinux code to do this is fairly simple. 

Pseudo Code

Depending on how Chrome works.

User enters an external web site:

If chrome just forks a new process it would:

child = fork();
if (Child) {
            if (selinux_is_enabled()) {
                      setcontext("user_u:user_r:chrome_untrusted_t");
                      ... /* Run the tab process */
                      exit()
            }
}

or

if chrome forks and execs a new process.

child = fork();
if (Child) {
            if (selinux_is_enabled()) {
                      setexeccon("user_u:user_r:chrome_untrusted_t");
                      exec()  /* exec the tab process */

                      setexeccon(NULL);  /* This sets that system back to default behaviour, if exec failed */
            }
}

Policy would have to be written to allow a transition from unconfined_t to chrome_untrusted_t, since the kernel will verify all transitions.

Any enterprising grad students looking for a project?

I could imagine similar changes could be done in Apache (mod_*), sshd, Samba.

 


Subscribe
  • Post a new comment

    Error

    Anonymous comments are disabled in this journal

    default userpic

    Your reply will be screened

  • 6 comments