2016-12-11 15:22:45

by guido

Subject: [refpolicy] [PATCH] userdomain: do not execute temporary files

Executing temporary files is unsafe and dangerous and it is
also unneeded on normal systems, therefore this patch
removes such permission from the user_t domain.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/system/userdomain.if | 1 -
1 file changed, 1 deletion(-)

--- refpolicy-git-07122016-orig/policy/modules/system/userdomain.if 2016-12-07 13:39:08.672449330 +0100
+++ refpolicy-git-07122016/policy/modules/system/userdomain.if 2016-12-11 16:12:19.548933309 +0100
@@ -812,7 +812,6 @@ template(`userdom_login_user_template',
userdom_manage_tmp_role($1_r, $1_t)
userdom_manage_tmpfs_role($1_r, $1_t)

- userdom_exec_user_tmp_files($1_t)
userdom_exec_user_home_content_files($1_t)

userdom_change_password_template($1)
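Review bot: the commit message says the permission is removed "from the user_t domain", but this hunk sits inside template(`userdom_login_user_template'), so every domain instantiated through that template loses execute on its own tmp files, not only user_t; either narrow the change to the unprivileged user template or state the wider effect in the message. Deleting the call outright also leaves no way for sites that do run scripts or build artefacts out of /tmp to opt back in; consider keeping `userdom_exec_user_tmp_files($1_t)` inside a tunable_policy() block so the behaviour can be toggled with a boolean instead. The retained `userdom_manage_tmp_role($1_r, $1_t)` on the line above means the user can still create and write user_tmp_t files, which is consistent with the stated intent of only dropping execution.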


2016-12-11 20:12:56

by Chris PeBenito

Subject: [refpolicy] [PATCH] userdomain: do not execute temporary files

On 12/11/16 10:22, Guido Trentalancia via refpolicy wrote:
> Executing temporary files is unsafe and dangerous and it is
> also unneeded on normal systems, therefore this patch
> removes such permission from the user_t domain.
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/system/userdomain.if | 1 -
> 1 file changed, 1 deletion(-)
>
> --- refpolicy-git-07122016-orig/policy/modules/system/userdomain.if 2016-12-07 13:39:08.672449330 +0100
> +++ refpolicy-git-07122016/policy/modules/system/userdomain.if 2016-12-11 16:12:19.548933309 +0100
> @@ -812,7 +812,6 @@ template(`userdom_login_user_template',
> userdom_manage_tmp_role($1_r, $1_t)
> userdom_manage_tmpfs_role($1_r, $1_t)
>
> - userdom_exec_user_tmp_files($1_t)
> userdom_exec_user_home_content_files($1_t)
>
> userdom_change_password_template($1)

NAK. While there is some truth to this, this permission is limited to
only files created by the user domain itself (as long as you have UBAC
too). This wouldn't save someone from downloading, e.g. a trojan and
executing it out of their home dir since they couldn't execute it out of
/tmp.

--
Chris PeBenito

2016-12-11 20:25:53

by guido

Subject: [refpolicy] [PATCH] userdomain: do not execute temporary files

On Sun, 11/12/2016 at 15.12 -0500, Chris PeBenito wrote:
> On 12/11/16 10:22, Guido Trentalancia via refpolicy wrote:
> >
> > Executing temporary files is unsafe and dangerous and it is
> > also unneeded on normal systems, therefore this patch
> > removes such permission from the user_t domain.
> >
> > Signed-off-by: Guido Trentalancia <[email protected]>
> > ---
> > policy/modules/system/userdomain.if | 1 -
> > 1 file changed, 1 deletion(-)
> >
> > --- refpolicy-git-07122016-orig/policy/modules/system/userdomain.if
> > 2016-12-07 13:39:08.672449330 +0100
> > +++ refpolicy-git-07122016/policy/modules/system/userdomain.if
> > 2016-12-11 16:12:19.548933309 +0100
> > @@ -812,7 +812,6 @@ template(`userdom_login_user_template',
> > ? userdom_manage_tmp_role($1_r, $1_t)
> > ? userdom_manage_tmpfs_role($1_r, $1_t)
> >
> > - userdom_exec_user_tmp_files($1_t)
> > ? userdom_exec_user_home_content_files($1_t)
> >
> > ? userdom_change_password_template($1)
>
> NAK. While there is some truth to this, this permission is limited
> to only files created by the user domain itself (as long as you have
> UBAC too). This wouldn't save someone from downloading, e.g. a trojan
> and executing it out of their home dir since they couldn't execute it
> out of /tmp.

Of course, it does not prevent intentional execution of a file.

However, it prevents execution of files that have been installed in
/tmp by a malicious process that has no permission to write in the user
home directory. The malicious binary can be executed through techniques
such as, for example, the exploitation of a buffer overflow.

Regards,

Guido

2016-12-11 20:42:44

by Chris PeBenito

Subject: [refpolicy] [PATCH] userdomain: do not execute temporary files

On 12/11/16 15:25, Guido Trentalancia via refpolicy wrote:
> On Sun, 11/12/2016 at 15.12 -0500, Chris PeBenito wrote:
>> On 12/11/16 10:22, Guido Trentalancia via refpolicy wrote:
>>>
>>> Executing temporary files is unsafe and dangerous and it is
>>> also unneeded on normal systems, therefore this patch
>>> removes such permission from the user_t domain.
>>>
>>> Signed-off-by: Guido Trentalancia <[email protected]>
>>> ---
>>> policy/modules/system/userdomain.if | 1 -
>>> 1 file changed, 1 deletion(-)
>>>
>>> --- refpolicy-git-07122016-orig/policy/modules/system/userdomain.if
>>> 2016-12-07 13:39:08.672449330 +0100
>>> +++ refpolicy-git-07122016/policy/modules/system/userdomain.if
>>> 2016-12-11 16:12:19.548933309 +0100
>>> @@ -812,7 +812,6 @@ template(`userdom_login_user_template',
>>> userdom_manage_tmp_role($1_r, $1_t)
>>> userdom_manage_tmpfs_role($1_r, $1_t)
>>>
>>> - userdom_exec_user_tmp_files($1_t)
>>> userdom_exec_user_home_content_files($1_t)
>>>
>>> userdom_change_password_template($1)
>>
>> NAK. While there is some truth to this, this permission is limited
>> to only files created by the user domain itself (as long as you have
>> UBAC too). This wouldn't save someone from downloading, e.g. a trojan
>> and executing it out of their home dir since they couldn't execute it
>> out of /tmp.
>
> Of course, it does not prevent intentional execution of a file.
>
> However, it prevents execution of files that have been installed in
> /tmp by a malicious process that has no permission to write in the user
> home directory. The malicious binary can be executed through techniques
> such as, for example, the exploitation of a buffer overflow.

Yes, but which domains can create or relabel to user_tmp_t other than
user domains? I'd rather eliminate any that don't make any sense, like
mozilla and thunderbird for example:

allow mozilla_plugin_t user_tmp_t:file { append create getattr ioctl link lock open read rename setattr unlink write };

allow mozilla_t user_tmp_t:file { append create getattr ioctl link lock open read rename setattr unlink write };

allow thunderbird_t user_tmp_t:file { append create getattr ioctl link lock open read rename setattr unlink write };

--
Chris PeBenito
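One way to answer the question Chris raises (which domains other than the user domains can create, write or relabel files to user_tmp_t, and which domains can execute such files), as an added example that is not part of the thread or of refpolicy: it parses allow rules in the one-rule-per-line format that setools' sesearch prints and reports the domains of interest. The three mozilla/thunderbird rules are the ones from Chris's message; the user_t and staff_t rules, the sesearch command line in live_rules(), and the set of permissions treated as "can plant a file" are assumptions made for the example.

```python
"""Audit which SELinux domains can plant or execute user_tmp_t files.

Added example, not code from the refpolicy thread or project. Input is a
list of allow rules as printed by setools' sesearch, one rule per line,
e.g. from (assumed command line):

    sesearch -A -t user_tmp_t -c file

The constructed SAMPLE_RULES below reuse the three rules quoted in the
thread; the user_t and staff_t rules are invented for the example.
"""
import re
import shutil
import subprocess

# allow <src> <tgt>:<class> { perm perm ... };   or   allow a b:c perm;
# Trailing text such as a conditional "[ bool ]:True" is tolerated.
ALLOW_RE = re.compile(
    r"^allow\s+(?P<src>\S+)\s+(?P<tgt>\S+):(?P<cls>\S+)\s+"
    r"(?:\{\s*(?P<perms>[^}]*)\}|(?P<perm>[^\s;]+))"
)

# Permissions that let a domain put its own content into a user_tmp_t file
# (assumption for the example: create/write/append a file, or relabel one to it).
WRITE_PERMS = {"create", "write", "append", "relabelto"}
EXEC_PERMS = {"execute", "execute_no_trans"}

# Constructed sample input: three rules from the thread plus assumed rules.
SAMPLE_RULES = """\
allow mozilla_plugin_t user_tmp_t:file { append create getattr ioctl link lock open read rename setattr unlink write };
allow mozilla_t user_tmp_t:file { append create getattr ioctl link lock open read rename setattr unlink write };
allow thunderbird_t user_tmp_t:file { append create getattr ioctl link lock open read rename setattr unlink write };
allow user_t user_tmp_t:file { append create execute execute_no_trans getattr ioctl link lock open read rename setattr unlink write };
allow user_t user_tmp_t:dir { add_name create read write };
allow staff_t user_tmp_t:file { getattr open read };
""".splitlines()


def parse_allow(line):
    """Return (source, target, class, perms) for an allow rule, else None."""
    m = ALLOW_RE.match(line.strip())
    if not m:
        return None
    perms = m.group("perms")
    permset = set(perms.split()) if perms is not None else {m.group("perm")}
    return m.group("src"), m.group("tgt"), m.group("cls"), permset


def domains_with(rules, target, cls, wanted):
    """Map source domain -> subset of `wanted` it holds on target:cls."""
    found = {}
    for line in rules:
        parsed = parse_allow(line)
        if parsed is None:
            continue
        src, tgt, c, perms = parsed
        if tgt != target or c != cls:
            continue
        hit = perms & wanted
        if hit:
            found.setdefault(src, set()).update(hit)
    return found


def audit_user_tmp(rules, user_domains):
    """Report non-user domains that can write user_tmp_t files, and executors.

    `user_domains` is the set of login-user domains whose own writes are
    expected (the case UBAC already scopes to the same user).
    """
    writers = domains_with(rules, "user_tmp_t", "file", WRITE_PERMS)
    executors = domains_with(rules, "user_tmp_t", "file", EXEC_PERMS)
    foreign = {d: p for d, p in writers.items() if d not in user_domains}
    return {"foreign_writers": foreign, "executors": executors}


def live_rules(target="user_tmp_t"):
    """Fetch allow rules from the loaded policy if sesearch is installed, else []."""
    if shutil.which("sesearch") is None:
        return []
    cmd = ["sesearch", "-A", "-t", target, "-c", "file"]  # assumed setools 4 syntax
    proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    return proc.stdout.splitlines()


if __name__ == "__main__":
    rules = live_rules() or SAMPLE_RULES
    report = audit_user_tmp(rules, {"user_t", "staff_t"})
    for dom, perms in sorted(report["foreign_writers"].items()):
        print(f"non-user domain can plant user_tmp_t files: {dom} {sorted(perms)}")
    for dom, perms in sorted(report["executors"].items()):
        print(f"can execute user_tmp_t files: {dom} {sorted(perms)}")
```

The output pairs the two halves of the argument in the thread: every domain in foreign_writers is a process that could drop a payload into a user_tmp_t file without touching the home directory, and every domain in executors is one that the patch would stop from running it. sesearch shows type-enforcement rules only; the UBAC constraint Chris mentions is a separate constrain statement, so a domain listed here may still be blocked by it from touching files owned by a different user.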