2012-10-14 19:51:56

by debian

Subject: [refpolicy] [PATCH] Label ~/\.adobe(/.*)? as mozilla_home_t for flash

From: Russel Coker <[email protected]>

---
mozilla.fc | 1 +
1 file changed, 1 insertion(+)

diff --git a/mozilla.fc b/mozilla.fc
index 3a73e74..271928b 100644
--- a/mozilla.fc
+++ b/mozilla.fc
@@ -1,3 +1,4 @@
+HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
HOME_DIR/\.config/chromium(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
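Review bot: the new `HOME_DIR/\.adobe(/.*)?` entry puts flash's per-user state under the same type as the browser profile, so every domain that must reach ~/.adobe for flash (a second browser such as chromium, or a non-browser flash host) automatically gets the same read and write access to mozilla_home_t, where the browser keeps stored passwords. A dedicated type for flash home content keeps the two apart; if mozilla_home_t is kept on purpose, the commit message should say why that coupling is acceptable.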
--
1.7.10.4


2012-10-14 20:17:35

by dominick.grift

Subject: [refpolicy] [PATCH] Label ~/\.adobe(/.*)? as mozilla_home_t for flash


I actually revisited the mozilla plugin and I am thinking about how to
deal with plugins like flash and their userdom user home content.

I am not yet sure if mozilla_home_t is the optimal type for this and if
it is worth having a private type for it.

mozilla home type files are sensitive in a sense. Consider your
password stored in mozilla etc.

I am not sure whether flash home content justifies having a private type
and if so whether it is a good idea to label it mozilla home t.

If we label it mozilla home t and some app needs access to flash then it
automatically has access to mozilla content and I am not sure if this is
desired.

We now have the named file transition functionality so we can allow
mozilla access to generic user home content without problem and still
have its sensitive content protected with the mozilla home type.

I would like the opinion of others on this issue.

Is it worth labeling flash content in home? And if so, what would be the
better idea: 1. to classify it as mozilla home content, or 2. to classify it
as something else?

On Sun, 2012-10-14 at 21:51 +0200, Mika Pflüger wrote:
> From: Russel Coker <[email protected]>
>
> ---
> mozilla.fc | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/mozilla.fc b/mozilla.fc
> index 3a73e74..271928b 100644
> --- a/mozilla.fc
> +++ b/mozilla.fc
> @@ -1,3 +1,4 @@
> +HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
> HOME_DIR/\.config/chromium(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
> HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
> HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)

2012-10-14 20:33:45

by dominick.grift

Subject: [refpolicy] [PATCH] Label ~/\.adobe(/.*)? as mozilla_home_t for flash



On Sun, 2012-10-14 at 22:17 +0200, Dominick Grift wrote:
> I actually revisited the mozilla plugin and I am thinking about how to
> deal with plugins like flash and their userdom user home content.
>
> I am not yet sure if mozilla_home_t is the optimal type for this and if
> it is worth having a private type for it.
>
> mozilla home type files are sensitive in a sense. Consider your
> password stored in mozilla etc.
>
> I am not sure whether flash home content justifies having a private type
> and if so whether it is a good idea to label it mozilla home t.
>
> If we label it mozilla home t and some app needs access to flash then it
> automatically has access to mozilla content and I am not sure if this is
> desired.
>
> We now have the named file transition functionality so we can allow
> mozilla access to generic user home content without problem and still
> have its sensitive content protected with the mozilla home type.
>
> I would like the opinion of others on this issue.
>
> Is it worth labeling flash content in home? And if so, what would be the
> better idea: 1. to classify it as mozilla home content, or 2. to classify it
> as something else?

Also consider the following: one has two browsers, for example firefox and
chromium; both use flash and both have their content in home with their
own private type.

The flash content in home is labeled as per your suggestion
mozilla_home_t; now chromium needs access to mozilla_home_t and as a
consequence can now also edit mozilla content.

This seems like a bad idea to me.

> On Sun, 2012-10-14 at 21:51 +0200, Mika Pflüger wrote:
> > From: Russel Coker <[email protected]>
> >
> > ---
> > mozilla.fc | 1 +
> > 1 file changed, 1 insertion(+)
> >
> > diff --git a/mozilla.fc b/mozilla.fc
> > index 3a73e74..271928b 100644
> > --- a/mozilla.fc
> > +++ b/mozilla.fc
> > @@ -1,3 +1,4 @@
> > +HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
> > HOME_DIR/\.config/chromium(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
> > HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
> > HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
>
>

2012-10-14 20:44:43

by dominick.grift

Subject: [refpolicy] [PATCH] Label ~/\.adobe(/.*)? as mozilla_home_t for flash



On Sun, 2012-10-14 at 22:33 +0200, Dominick Grift wrote:
>
> On Sun, 2012-10-14 at 22:17 +0200, Dominick Grift wrote:
> > I actually revisited the mozilla plugin and I am thinking about how to
> > deal with plugins like flash and their userdom user home content.
> >
> > I am not yet sure if mozilla_home_t is the optimal type for this and if
> > it is worth having a private type for it.
> >
> > mozilla home type files are sensitive in a sense. Consider your
> > password stored in mozilla etc.
> >
> > I am not sure whether flash home content justifies having a private type
> > and if so whether it is a good idea to label it mozilla home t.
> >
> > If we label it mozilla home t and some app needs access to flash then it
> > automatically has access to mozilla content and I am not sure if this is
> > desired.
> >
> > We now have the named file transition functionality so we can allow
> > mozilla access to generic user home content without problem and still
> > have its sensitive content protected with the mozilla home type.
> >
> > I would like the opinion of others on this issue.
> >
> > Is it worth labeling flash content in home? And if so, what would be the
> > better idea: 1. to classify it as mozilla home content, or 2. to classify it
> > as something else?
>
> Also consider the following: one has two browsers, for example firefox and
> chromium; both use flash and both have their content in home with their
> own private type.
>
> The flash content in home is labeled as per your suggestion
> mozilla_home_t; now chromium needs access to mozilla_home_t and as a
> consequence can now also edit mozilla content.
>
> This seems like a bad idea to me.

What people need to understand is that now that we have named file
transitions the whole selinux in the desktop environment issue has
changed.

Previously we desperately tried to avoid giving confined user agents
access to generic home content. This was because we had little
flexibility with file type transitions in /home.

This caused issues that basically made us lose focus on the core issue:

protect what needs to be protected without losing functionality if
possible.

Now we need to go back to focus on what is important.

A browser can have access to and create generic user content. That's ok,
as long as content worth protecting gets a private type.

And as long as confined agents only get the access they need.

And that is now possible.

Now we can confine the user space in a proper way without pissing off
users (or at least not pissing them off more than strictly required).

Protect what makes sense to protect and leave anything else generic.

> > On Sun, 2012-10-14 at 21:51 +0200, Mika Pflüger wrote:
> > > From: Russel Coker <[email protected]>
> > >
> > > ---
> > > mozilla.fc | 1 +
> > > 1 file changed, 1 insertion(+)
> > >
> > > diff --git a/mozilla.fc b/mozilla.fc
> > > index 3a73e74..271928b 100644
> > > --- a/mozilla.fc
> > > +++ b/mozilla.fc
> > > @@ -1,3 +1,4 @@
> > > +HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
> > > HOME_DIR/\.config/chromium(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
> > > HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
> > > HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
> >
> >
>
>

2012-10-15 09:43:23

by sven.vermeulen

Subject: [refpolicy] [PATCH] Label ~/\.adobe(/.*)? as mozilla_home_t for flash

In gentoo I am using flash_home_t as there are even non-browser apps using
flash. And I don't trust flash.
On Oct 14, 2012 10:44 PM, "Dominick Grift" <[email protected]> wrote:

>
>
> On Sun, 2012-10-14 at 22:33 +0200, Dominick Grift wrote:
> >
> > On Sun, 2012-10-14 at 22:17 +0200, Dominick Grift wrote:
> > > I actually revisited the mozilla plugin and I am thinking about how to
> > > deal with plugins like flash and their userdom user home content.
> > >
> > > I am not yet sure if mozilla_home_t is the optimal type for this and if
> > > it is worth having a private type for it.
> > >
> > > mozilla home type files are sensitive in a sense. Consider your
> > > password stored in mozilla etc.
> > >
> > > I am not sure whether flash home content justifies having a private
> > > type and if so whether it is a good idea to label it mozilla home t.
> > >
> > > If we label it mozilla home t and some app needs access to flash then
> > > it automatically has access to mozilla content and I am not sure if
> > > this is desired.
> > >
> > > We now have the named file transition functionality so we can allow
> > > mozilla access to generic user home content without problem and still
> > > have its sensitive content protected with the mozilla home type.
> > >
> > > I would like the opinion of others on this issue.
> > >
> > > Is it worth labeling flash content in home? And if so, what would be the
> > > better idea: 1. to classify it as mozilla home content, or 2. to classify
> > > it as something else?
> >
> > Also consider the following: one has two browsers, for example firefox and
> > chromium; both use flash and both have their content in home with their
> > own private type.
> >
> > The flash content in home is labeled as per your suggestion
> > mozilla_home_t; now chromium needs access to mozilla_home_t and as a
> > consequence can now also edit mozilla content.
> >
> > This seems like a bad idea to me.
>
> What people need to understand is that now that we have named file
> transitions the whole selinux in the desktop environment issue has
> changed.
>
> Previously we desperately tried to avoid giving confined user agents
> access to generic home content. This was because we had little
> flexibility with file type transitions in /home.
>
> This caused issues that basically made us lose focus on the core issue:
>
> protect what needs to be protected without losing functionality if
> possible.
>
> Now we need to go back to focus on what is important.
>
> A browser can have access to and create generic user content. That's ok,
> as long as content worth protecting gets a private type.
>
> And as long as confined agents only get the access they need.
>
> And that is now possible.
>
> Now we can confine the user space in a proper way without pissing off
> users (or at least not pissing them off more than strictly required).
>
> Protect what makes sense to protect and leave anything else generic.
>
> > > On Sun, 2012-10-14 at 21:51 +0200, Mika Pflüger wrote:
> > > > From: Russel Coker <[email protected]>
> > > >
> > > > ---
> > > > mozilla.fc | 1 +
> > > > 1 file changed, 1 insertion(+)
> > > >
> > > > diff --git a/mozilla.fc b/mozilla.fc
> > > > index 3a73e74..271928b 100644
> > > > --- a/mozilla.fc
> > > > +++ b/mozilla.fc
> > > > @@ -1,3 +1,4 @@
> > > > +HOME_DIR/\.adobe(/.*)?
> gen_context(system_u:object_r:mozilla_home_t,s0)
> > > > HOME_DIR/\.config/chromium(/.*)?
> gen_context(system_u:object_r:mozilla_home_t,s0)
> > > > HOME_DIR/\.galeon(/.*)?
> gen_context(system_u:object_r:mozilla_home_t,s0)
> > > > HOME_DIR/\.java(/.*)?
> gen_context(system_u:object_r:mozilla_home_t,s0)
> > >
> > >
> >
> >
>
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>
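As an added illustration of the dedicated-type approach Sven describes, combined with the named file transition Dominick relies on, the fragments below (not code from the thread or from refpolicy itself) give flash's ~/.adobe state its own type, so that a second plugin host such as chromium can be granted flash state without ever being granted mozilla_home_t. The module name `flash`, the interface name and the exact permissions are assumptions; `flash_home_t` is the type name Sven mentions.

```selinux
# flash.fc (added example): applied by setfiles/restorecon to files that already exist
HOME_DIR/\.adobe(/.*)?	gen_context(system_u:object_r:flash_home_t,s0)

# flash.te (added example): declare the private user home content type
policy_module(flash, 1.0.0)

type flash_home_t;
userdom_user_home_content(flash_home_t)

# flash.if (added example): the only way other modules get at flash state
########################################
## <summary>
##	Manage flash user home content and create ~/.adobe with the
##	private type. Deliberately grants nothing on mozilla_home_t.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`flash_manage_user_home_content',`
	gen_require(`
		type flash_home_t;
	')

	# search through the user home dir to reach ~/.adobe
	userdom_search_user_home_dirs($1)

	manage_dirs_pattern($1, flash_home_t, flash_home_t)
	manage_files_pattern($1, flash_home_t, flash_home_t)
	manage_lnk_files_pattern($1, flash_home_t, flash_home_t)

	# Named file transition: a directory literally called ".adobe" that $1
	# creates directly in the user home dir is labeled flash_home_t at
	# creation time instead of the generic user home type. Any other
	# directory $1 creates there keeps the generic type, so the domain
	# can use generic home content freely while flash state stays private.
	userdom_user_home_dir_filetrans($1, flash_home_t, dir, ".adobe")
')

# Callers (added example, e.g. in mozilla.te and in a chromium module): each
# plugin host gets flash state, but chromium still cannot touch mozilla_home_t.
optional_policy(`
	flash_manage_user_home_content(mozilla_plugin_t)
')
```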

2012-10-15 14:06:05

by Daniel Walsh

Subject: [refpolicy] [PATCH] Label ~/\.adobe(/.*)? as mozilla_home_t for flash

On 10/15/2012 05:43 AM, Sven Vermeulen wrote:
> In gentoo I am using flash_home_t as there are even non-browser apps using
> flash. And I don't trust flash.
>
> On Oct 14, 2012 10:44 PM, "Dominick Grift" <[email protected]
> <mailto:[email protected]>> wrote:
>
>
>
> On Sun, 2012-10-14 at 22:33 +0200, Dominick Grift wrote:
>>
>> On Sun, 2012-10-14 at 22:17 +0200, Dominick Grift wrote:
>>> I actually revisited the mozilla plugin and I am thinking about how to
>>> deal with plugins like flash and their userdom user home content.
>>>
>>> I am not yet sure if mozilla_home_t is the optimal type for this and
>>> if it is worth having a private type for it.
>>>
>>> mozilla home type files are sensitive in a sense. Consider your
>>> password stored in mozilla etc.
>>>
>>> I am not sure whether flash home content justifies having a private
>>> type and if so whether it is a good idea to label it mozilla home t.
>>>
>>> If we label it mozilla home t and some app needs access to flash then
>>> it automatically has access to mozilla content and I am not sure if
>>> this is desired.
>>>
>>> We now have the named file transition functionality so we can allow
>>> mozilla access to generic user home content without problem and still
>>> have its sensitive content protected with the mozilla home type.
>>>
>>> I would like the opinion of others on this issue.
>>>
>>> Is it worth labeling flash content in home? And if so, what would be the
>>> better idea: 1. to classify it as mozilla home content, or 2. to classify
>>> it as something else?
>>
>> Also consider the following: one has two browsers, for example firefox and
>> chromium; both use flash and both have their content in home with their
>> own private type.
>>
>> The flash content in home is labeled as per your suggestion
>> mozilla_home_t; now chromium needs access to mozilla_home_t and as a
>> consequence can now also edit mozilla content.
>>
>> This seems like a bad idea to me.
>
> What people need to understand is that now that we have named file
> transitions the whole selinux in the desktop environment issue has changed.
>
> Previously we desperately tried to avoid giving confined user agents access
> to generic home content. This was because we had little flexibility with
> file type transitions in /home.
>
> This caused issues that basically made us lose focus on the core issue:
>
> protect what needs to be protected without losing functionality if
> possible.
>
> Now we need to go back to focus on what is important.
>
> A browser can have access to and create generic user content. That's ok,
> as long as content worth protecting gets a private type.
>
> And as long as confined agents only get the access they need.
>
> And that is now possible.
>
> Now we can confine the user space in a proper way without pissing off users
> (or at least not pissing them off more than strictly required).
>
> Protect what makes sense to protect and leave anything else generic.
>
>>> On Sun, 2012-10-14 at 21:51 +0200, Mika Pflüger wrote:
>>>> From: Russel Coker <[email protected]
>>>> <mailto:[email protected]>>
>>>>
>>>> --- mozilla.fc | 1 + 1 file changed, 1 insertion(+)
>>>>
>>>> diff --git a/mozilla.fc b/mozilla.fc index 3a73e74..271928b 100644
>>>> --- a/mozilla.fc +++ b/mozilla.fc @@ -1,3 +1,4 @@
>>>> +HOME_DIR/\.adobe(/.*)?
> gen_context(system_u:object_r:mozilla_home_t,s0)
>>>> HOME_DIR/\.config/chromium(/.*)?
> gen_context(system_u:object_r:mozilla_home_t,s0)
>>>> HOME_DIR/\.galeon(/.*)?
> gen_context(system_u:object_r:mozilla_home_t,s0)
>>>> HOME_DIR/\.java(/.*)?
> gen_context(system_u:object_r:mozilla_home_t,s0)
>>>
>>>
>>
>>
>
>

I agree we should start to be moving to more types in homedir for better
separation. I would love to try to remove mozilla_plugin_t from full access
to mozilla_home_t also.

2012-10-15 14:24:03

by dominick.grift

Subject: [refpolicy] [PATCH] Label ~/\.adobe(/.*)? as mozilla_home_t for flash


>
> I agree we should start to be moving to more types in homedir for better
> separation. I would love to try to remove mozilla_plugin_t from full access
> to mozilla_home_t also.

Yes, if we can somehow prevent plugin access to passwords that would
already be a win.

Another thing that comes to mind is

.mozilla/plugins

If we give that a private type of, let's say, mozilla_plugin_home_t then we
can allow mozilla_t/mozilla_plugin (whatever mmaps flash) mmap access to
only content in there (libflashplayer.so etc).

Not very important but might be nice to have so that users can download
and run plugins at their own discretion and still have some level of
mandatory protection.


2012-10-15 14:52:41

by dominick.grift

Subject: [refpolicy] [PATCH] Label ~/\.adobe(/.*)? as mozilla_home_t for flash



On Mon, 2012-10-15 at 16:24 +0200, Dominick Grift wrote:
> >
> > I agree we should start to be moving to more types in homedir for better
> > separation. I would love to try to remove mozilla_plugin_t from full access
> > to mozilla_home_t also.
>
> Yes, if we can somehow prevent plugin access to passwords that would
> already be a win.
>
> Another thing that comes to mind is
>
> .mozilla/plugins
>
> If we give that a private type of, let's say, mozilla_plugin_home_t then we
> can allow mozilla_t/mozilla_plugin (whatever mmaps flash) mmap access to
> only content in there (libflashplayer.so etc).
>
> Not very important but might be nice to have so that users can download
> and run plugins at their own discretion and still have some level of
> mandatory protection.

Concept:


> From 3bf2ef145b28d4ad3429fcde0847e8bfc7438b4c Mon, 15 Oct 2012 16:51:08 +0200
> From: Dominick Grift <[email protected]>
> Date: Mon, 15 Oct 2012 16:50:02 +0200
> Subject: [PATCH] Changes to the mozilla policy module
>
>
> Implement mozilla_plugin userdom user home content type for
> ~/.mozilla/plugins so that mozilla domains no longer have to be able to
> execute mozilla userdom user home content files
>
> Signed-off-by: Dominick Grift <[email protected]>
> diff --git a/mozilla.fc b/mozilla.fc
> index e9bd2d6..841b4ce 100644
> --- a/mozilla.fc
> +++ b/mozilla.fc
> @@ -1,5 +1,6 @@
> HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
> HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
> +HOME_DIR/\.mozilla/plugins(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
> HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
> HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
>
> diff --git a/mozilla.if b/mozilla.if
> index 12d2481..f5fca86 100644
> --- a/mozilla.if
> +++ b/mozilla.if
> @@ -19,7 +19,7 @@
> gen_require(`
> type mozilla_t, mozilla_exec_t, mozilla_home_t;
> type mozilla_tmp_t, mozilla_tmpfs_t, mozilla_plugin_tmp_t;
> - type mozilla_plugin_tmpfs_t;
> + type mozilla_plugin_tmpfs_t, mozilla_plugin_home_t;
> attribute_role mozilla_roles;
> ')
>
> @@ -48,13 +48,15 @@
>
> stream_connect_pattern($2, mozilla_tmpfs_t, mozilla_tmpfs_t, mozilla_t)
>
> - allow $2 mozilla_home_t:dir { manage_dir_perms relabel_dir_perms };
> - allow $2 mozilla_home_t:file { manage_file_perms relabel_file_perms };
> + allow $2 { mozilla_home_t mozilla_plugin_home_t }:dir { manage_dir_perms relabel_dir_perms };
> + allow $2 { mozilla_home_t mozilla_plugin_home_t }:file { manage_file_perms relabel_file_perms };
> allow $2 mozilla_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
> userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".galeon")
> userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".mozilla")
> userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".netscape")
> userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".phoenix")
> +
> + filetrans_pattern($2, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins")
>
> allow $2 { mozilla_tmp_t mozilla_plugin_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
> allow $2 { mozilla_tmp_t mozilla_plugin_tmp_t }:file { manage_file_perms relabel_file_perms };
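Review bot: the dir and file rules in this hunk are widened to `{ mozilla_home_t mozilla_plugin_home_t }`, but the unchanged `allow $2 mozilla_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };` line is not, so the user role can create and relabel directories and files under ~/.mozilla/plugins but no symlinks there. The same asymmetry recurs in the mozilla.te hunks below; if it is deliberate, a one-line comment saying so would stop the next reader from "fixing" it, otherwise extend the lnk_file rule to both types.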
> @@ -219,7 +221,7 @@
>
> ########################################
> ## <summary>
> -## Execute mozilla home directory files.
> +## Execute mozilla home directory files. (Deprecated)
> ## </summary>
> ## <param name="domain">
> ## <summary>
> @@ -228,12 +230,27 @@
> ## </param>
> #
> interface(`mozilla_exec_user_home_files',`
> + refpolicywarn(`$0($*) has been deprecated, use mozilla_exec_user_plugin_home_files() instead.')
> + mozilla_exec_user_plugin_home_files($1)
> +')
> +
> +########################################
> +## <summary>
> +## Execute mozilla plugin home directory files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`mozilla_exec_user_plugin_home_files',`
> gen_require(`
> - type mozilla_home_t;
> + type mozilla_home_t, mozilla_plugin_home_t;
> ')
>
> userdom_search_user_home_dirs($1)
> - can_exec($1, mozilla_home_t)
> + exec_files_pattern($1, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
> ')
>
> ########################################
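Review bot: the deprecated wrapper changes behaviour, not just a name. Callers of mozilla_exec_user_home_files() previously got execute on every mozilla_home_t file; after `mozilla_exec_user_plugin_home_files($1)` they only get it on mozilla_plugin_home_t (the two-type dir argument of `exec_files_pattern` just lets them search through mozilla_home_t directories on the way). That narrowing is the point of the patch, but a refpolicywarn() deprecation is normally a pure rename, so the commit message should state that the old interface now grants less than it did.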
> @@ -248,11 +265,27 @@
> ## </param>
> #
> interface(`mozilla_execmod_user_home_files',`
> + refpolicywarn(`$0($*) has been deprecated, use mozilla_execmod_user_plugin_home_files() instead.')
> + mozilla_execmod_user_plugin_home_files($1)
> +')
> +
> +########################################
> +## <summary>
> +## Mozilla plugin home directory file
> +## text relocation.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`mozilla_execmod_user_plugin_home_files',`
> gen_require(`
> - type mozilla_home_t;
> + type mozilla_plugin_home_t;
> ')
>
> - allow $1 mozilla_home_t:file execmod;
> + allow $1 mozilla_plugin_home_t:file execmod;
> ')
>
> ########################################
> diff --git a/mozilla.te b/mozilla.te
> index 43236ef..05073e3 100644
> --- a/mozilla.te
> +++ b/mozilla.te
> @@ -1,4 +1,4 @@
> -policy_module(mozilla, 2.6.6)
> +policy_module(mozilla, 2.6.7)
>
> ########################################
> #
> @@ -33,6 +33,9 @@
> type mozilla_plugin_exec_t;
> userdom_user_application_domain(mozilla_plugin_t, mozilla_plugin_exec_t)
> role mozilla_plugin_roles types mozilla_plugin_t;
> +
> +type mozilla_plugin_home_t;
> +userdom_user_home_content(mozilla_plugin_home_t)
>
> type mozilla_plugin_tmp_t;
> userdom_user_tmp_file(mozilla_plugin_tmp_t)
> @@ -72,13 +75,15 @@
> allow mozilla_t mozilla_plugin_t:unix_stream_socket rw_socket_perms;
> allow mozilla_t mozilla_plugin_t:fd use;
>
> -manage_dirs_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
> -manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
> -manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
> +allow mozilla_t { mozilla_home_t mozilla_plugin_home_t }:dir manage_dir_perms;
> +allow mozilla_t { mozilla_home_t mozilla_plugin_home_t }:file manage_file_perms;
> +allow mozilla_t mozilla_home_t:lnk_file manage_lnk_file_perms;
> userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".galeon")
> userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".mozilla")
> userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".netscape")
> userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".phoenix")
> +
> +filetrans_pattern(mozilla_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins")
>
> manage_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
> manage_dirs_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
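Review bot: `filetrans_pattern(mozilla_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins")` keys on the parent type, not the path: any directory named "plugins" that mozilla_t creates inside any mozilla_home_t directory (~/.galeon, ~/.netscape and ~/.phoenix are mozilla_home_t per the .fc hunk above) comes out as mozilla_plugin_home_t, while the .fc entry only covers ~/.mozilla/plugins, so runtime labeling and restorecon disagree for the other profile directories. Probably acceptable, but worth a comment; the identical rules added for mozilla_plugin_t and mozilla_plugin_config_t below behave the same way.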
> @@ -96,7 +101,7 @@
>
> stream_connect_pattern(mozilla_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_plugin_t)
>
> -can_exec(mozilla_t, { mozilla_exec_t mozilla_plugin_rw_t })
> +can_exec(mozilla_t, { mozilla_exec_t mozilla_plugin_rw_t mozilla_plugin_home_t })
>
> kernel_read_kernel_sysctls(mozilla_t)
> kernel_read_network_state(mozilla_t)
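Review bot: this hunk extends can_exec for mozilla_t itself to mozilla_plugin_home_t, although the commit message frames the change as mozilla domains no longer needing to execute home content. If the plugin library is only ever mapped by mozilla_plugin_t, the browser may need just read access on ~/.mozilla/plugins to enumerate plugins and execute could stay limited to mozilla_plugin_t; worth confirming against actual denials before granting it to the browser domain.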
> @@ -306,13 +311,15 @@
> allow mozilla_plugin_t mozilla_t:shm { rw_shm_perms destroy };
> allow mozilla_plugin_t mozilla_t:sem create_sem_perms;
>
> -manage_dirs_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
> -manage_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
> -manage_lnk_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
> +allow mozilla_plugin_t { mozilla_home_t mozilla_plugin_home_t }:dir manage_dir_perms;
> +allow mozilla_plugin_t { mozilla_home_t mozilla_plugin_home_t }:file manage_file_perms;
> +allow mozilla_plugin_t mozilla_home_t:lnk_file manage_lnk_file_perms;
> userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, ".galeon")
> userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, ".mozilla")
> userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, ".netscape")
> userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, ".phoenix")
> +
> +filetrans_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins")
>
> manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
> manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
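Review bot: the `+` lines here still give mozilla_plugin_t `manage_dir_perms` and `manage_file_perms` on mozilla_home_t, so the separation the thread is after (plugins kept away from the profile's stored passwords) is not achieved by this hunk; the message below says that is deliberate for now. It would be clearer either to reduce mozilla_home_t to search/read for mozilla_plugin_t in the same series, or to record the remaining access as a TODO in the commit message.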
> @@ -327,13 +334,13 @@
> fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
>
> allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms;
> -read_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
> -read_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
> +allow mozilla_plugin_t mozilla_plugin_rw_t:file read_file_perms;
> +allow mozilla_plugin_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms;
>
> dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
> stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
>
> -can_exec(mozilla_plugin_t, { mozilla_exec_t mozilla_home_t mozilla_plugin_tmp_t })
> +can_exec(mozilla_plugin_t, { mozilla_exec_t mozilla_plugin_home_t mozilla_plugin_tmp_t })
>
> kernel_read_all_sysctls(mozilla_plugin_t)
> kernel_read_system_state(mozilla_plugin_t)
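Review bot: `can_exec(mozilla_plugin_t, { mozilla_exec_t mozilla_plugin_home_t mozilla_plugin_tmp_t })` is the line that actually drops execute on mozilla_home_t. Check that any execmod rule mozilla_plugin_t has on mozilla_home_t elsewhere in mozilla.te (not in this diff) is moved to mozilla_plugin_home_t as well, as the .if hunk does for the execmod interface; otherwise a plugin library in ~/.mozilla/plugins would execute but its text relocation would be denied. The two `read_*_pattern` replacements are equivalent to the originals given the `list_dir_perms` rule above them.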
> @@ -561,19 +568,22 @@
> allow mozilla_plugin_config_t self:fifo_file rw_fifo_file_perms;
> allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms;
>
> -manage_dirs_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
> -manage_files_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
> -manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
> +allow mozilla_plugin_config_t mozilla_plugin_rw_t:dir manage_dir_perms;
> +allow mozilla_plugin_config_t mozilla_plugin_rw_t:file manage_file_perms;
> +allow mozilla_plugin_config_t mozilla_plugin_rw_t:lnk_file manage_lnk_file_perms;
>
> -manage_dirs_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
> -manage_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
> -manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
> +allow mozilla_plugin_config_t { mozilla_home_t mozilla_plugin_home_t }:dir manage_dir_perms;
> +allow mozilla_plugin_config_t { mozilla_home_t mozilla_plugin_home_t }:file manage_file_perms;
> +allow mozilla_plugin_config_t mozilla_home_t:lnk_file manage_lnk_file_perms;
> +
> userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".galeon")
> userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".mozilla")
> userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".netscape")
> userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".phoenix")
>
> -can_exec(mozilla_plugin_config_t, mozilla_plugin_rw_t)
> +filetrans_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins")
> +
> +can_exec(mozilla_plugin_config_t, { mozilla_plugin_rw_t mozilla_plugin_home_t })
>
> kernel_read_system_state(mozilla_plugin_config_t)
> kernel_request_load_module(mozilla_plugin_config_t)
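Review bot: mozilla_plugin_config_t, which only configures plugins, also keeps full manage on mozilla_home_t in the `+` lines of this hunk; it is the easiest domain on which to try dropping mozilla_home_t first, since it has the least reason to touch profile data. Minor style point: the added blank `+` line after the lnk_file rule introduces a blank line the original did not have between the manage rules and the filetrans calls.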

Now mozilla_plugin_t and mozilla_plugin_config_t *may* no longer need
full access to type mozilla_home_t.

I still allowed them full access in the patch above but I guess we could try
and remove it and see where that gets us.


2012-10-15 17:34:18

by Daniel Walsh

Subject: [refpolicy] [PATCH] Label ~/\.adobe(/.*)? as mozilla_home_t for flash

On 10/15/2012 10:52 AM, Dominick Grift wrote:
>
>
> On Mon, 2012-10-15 at 16:24 +0200, Dominick Grift wrote:
>>>
>>> I agree we should start to be moving to more types in homedir for
>>> better separation. I would love to try to remove mozilla_plugin_t from
>>> full access to mozilla_home_t also.
>>
>> Yes, if we can somehow prevent plugin access to passwords that would
>> already be a win.
>>
>> Another thing that comes to mind is
>>
>> .mozilla/plugins
>>
>> If we give that a private type of, let's say, mozilla_plugin_home_t then we
>> can allow mozilla_t/mozilla_plugin (whatever mmaps flash) mmap access to
>> only content in there (libflashplayer.so etc).
>>
>> Not very important but might be nice to have so that users can download
>> and run plugins at their own discretion and still have some level of
>> mandatory protection.
>
> Concept:
>
>
>> From 3bf2ef145b28d4ad3429fcde0847e8bfc7438b4c Mon, 15 Oct 2012 16:51:08
>> +0200 From: Dominick Grift <[email protected]> Date: Mon, 15 Oct
>> 2012 16:50:02 +0200 Subject: [PATCH] Changes to the mozilla policy
>> module
>>
>>
>> Implement mozilla_plugin userdom user home content type for
>> ~/.mozilla/plugins so that mozilla domains no longer have to be able to
>> execute mozilla userdom user home content files
>>
>> Signed-off-by: Dominick Grift <[email protected]> diff --git
>> a/mozilla.fc b/mozilla.fc index e9bd2d6..841b4ce 100644 --- a/mozilla.fc
>> +++ b/mozilla.fc @@ -1,5 +1,6 @@ HOME_DIR/\.galeon(/.*)?
>> gen_context(system_u:object_r:mozilla_home_t,s0) HOME_DIR/\.mozilla(/.*)?
>> gen_context(system_u:object_r:mozilla_home_t,s0)
>> +HOME_DIR/\.mozilla/plugins(/.*)?
>> gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
>> HOME_DIR/\.netscape(/.*)?
>> gen_context(system_u:object_r:mozilla_home_t,s0) HOME_DIR/\.phoenix(/.*)?
>> gen_context(system_u:object_r:mozilla_home_t,s0)
>>
>> diff --git a/mozilla.if b/mozilla.if index 12d2481..f5fca86 100644 ---
>> a/mozilla.if +++ b/mozilla.if @@ -19,7 +19,7 @@ gen_require(` type
>> mozilla_t, mozilla_exec_t, mozilla_home_t; type mozilla_tmp_t,
>> mozilla_tmpfs_t, mozilla_plugin_tmp_t; - type mozilla_plugin_tmpfs_t; +
>> type mozilla_plugin_tmpfs_t, mozilla_plugin_home_t; attribute_role
>> mozilla_roles; ')
>>
>> @@ -48,13 +48,15 @@
>>
>> stream_connect_pattern($2, mozilla_tmpfs_t, mozilla_tmpfs_t, mozilla_t)
>>
>> - allow $2 mozilla_home_t:dir { manage_dir_perms relabel_dir_perms }; -
>> allow $2 mozilla_home_t:file { manage_file_perms relabel_file_perms }; +
>> allow $2 { mozilla_home_t mozilla_plugin_home_t }:dir { manage_dir_perms
>> relabel_dir_perms }; + allow $2 { mozilla_home_t mozilla_plugin_home_t
>> }:file { manage_file_perms relabel_file_perms }; allow $2
>> mozilla_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms
>> }; userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".galeon")
>> userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".mozilla")
>> userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".netscape")
>> userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".phoenix") + +
>> filetrans_pattern($2, mozilla_home_t, mozilla_plugin_home_t, dir,
>> "plugins")
>>
>> allow $2 { mozilla_tmp_t mozilla_plugin_tmp_t }:dir { manage_dir_perms
>> relabel_dir_perms }; allow $2 { mozilla_tmp_t mozilla_plugin_tmp_t }:file
>> { manage_file_perms relabel_file_perms }; @@ -219,7 +221,7 @@
>>
>> ######################################## ## <summary> -## Execute mozilla
>> home directory files. +## Execute mozilla home directory files.
>> (Deprecated) ## </summary> ## <param name="domain"> ## <summary> @@
>> -228,12 +230,27 @@ ## </param> #
>> interface(`mozilla_exec_user_home_files',` + refpolicywarn(`$0($*) has
>> been deprecated, use mozilla_exec_user_plugin_home_files() instead.') +
>> mozilla_exec_user_plugin_home_files($1) +') +
>> +######################################## +## <summary> +## Execute
>> mozilla plugin home directory files. +## </summary> +## <param
>> name="domain"> +## <summary> +## Domain allowed access. +## </summary>
>> +## </param> +# +interface(`mozilla_exec_user_plugin_home_files',`
>> gen_require(` - type mozilla_home_t; + type mozilla_home_t,
>> mozilla_plugin_home_t; ')
>>
>> userdom_search_user_home_dirs($1) - can_exec($1, mozilla_home_t) +
>> exec_files_pattern($1, { mozilla_home_t mozilla_plugin_home_t },
>> mozilla_plugin_home_t) ')
>>
>> ######################################## @@ -248,11 +265,27 @@ ##
>> </param> # interface(`mozilla_execmod_user_home_files',` +
>> refpolicywarn(`$0($*) has been deprecated, use
>> mozilla_execmod_user_plugin_home_files() instead.') +
>> mozilla_execmod_user_plugin_home_files($1) +') +
>> +######################################## +## <summary> +## Mozilla
>> plugin home directory file +## text relocation. +## </summary> +## <param
>> name="domain"> +## <summary> +## Domain allowed access. +## </summary>
>> +## </param> +# +interface(`mozilla_execmod_user_plugin_home_files',`
>> gen_require(` - type mozilla_home_t; + type mozilla_plugin_home_t; ')
>>
>> - allow $1 mozilla_home_t:file execmod; + allow $1
>> mozilla_plugin_home_t:file execmod; ')
>>
>> ######################################## diff --git a/mozilla.te
>> b/mozilla.te index 43236ef..05073e3 100644 --- a/mozilla.te +++
>> b/mozilla.te @@ -1,4 +1,4 @@ -policy_module(mozilla, 2.6.6)
>> +policy_module(mozilla, 2.6.7)
>>
>> ######################################## # @@ -33,6 +33,9 @@ type
>> mozilla_plugin_exec_t; userdom_user_application_domain(mozilla_plugin_t,
>> mozilla_plugin_exec_t) role mozilla_plugin_roles types mozilla_plugin_t;
>> + +type mozilla_plugin_home_t;
>> +userdom_user_home_content(mozilla_plugin_home_t)
>>
>> type mozilla_plugin_tmp_t; userdom_user_tmp_file(mozilla_plugin_tmp_t) @@
>> -72,13 +75,15 @@ allow mozilla_t mozilla_plugin_t:unix_stream_socket
>> rw_socket_perms; allow mozilla_t mozilla_plugin_t:fd use;
>>
>> -manage_dirs_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
>> -manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
>> -manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
>> +allow mozilla_t { mozilla_home_t mozilla_plugin_home_t }:dir
>> manage_dir_perms; +allow mozilla_t { mozilla_home_t mozilla_plugin_home_t
>> }:file manage_file_perms; +allow mozilla_t mozilla_home_t:lnk_file
>> manage_lnk_file_perms; userdom_user_home_dir_filetrans(mozilla_t,
>> mozilla_home_t, dir, ".galeon")
>> userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir,
>> ".mozilla") userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t,
>> dir, ".netscape") userdom_user_home_dir_filetrans(mozilla_t,
>> mozilla_home_t, dir, ".phoenix") + +filetrans_pattern(mozilla_t,
>> mozilla_home_t, mozilla_plugin_home_t, dir, "plugins")
>>
>> manage_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
>> manage_dirs_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t) @@ -96,7
>> +101,7 @@
>>
>> stream_connect_pattern(mozilla_t, mozilla_plugin_tmpfs_t,
>> mozilla_plugin_tmpfs_t, mozilla_plugin_t)
>>
>> -can_exec(mozilla_t, { mozilla_exec_t mozilla_plugin_rw_t })
>> +can_exec(mozilla_t, { mozilla_exec_t mozilla_plugin_rw_t
>> mozilla_plugin_home_t })
>>
>> kernel_read_kernel_sysctls(mozilla_t)
>> kernel_read_network_state(mozilla_t) @@ -306,13 +311,15 @@ allow
>> mozilla_plugin_t mozilla_t:shm { rw_shm_perms destroy }; allow
>> mozilla_plugin_t mozilla_t:sem create_sem_perms;
>>
>> -manage_dirs_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
>> -manage_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
>> -manage_lnk_files_pattern(mozilla_plugin_t, mozilla_home_t,
>> mozilla_home_t) +allow mozilla_plugin_t { mozilla_home_t
>> mozilla_plugin_home_t }:dir manage_dir_perms; +allow mozilla_plugin_t {
>> mozilla_home_t mozilla_plugin_home_t }:file manage_file_perms; +allow
>> mozilla_plugin_t mozilla_home_t:lnk_file manage_lnk_file_perms;
>> userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir,
>> ".galeon") userdom_user_home_dir_filetrans(mozilla_plugin_t,
>> mozilla_home_t, dir, ".mozilla")
>> userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir,
>> ".netscape") userdom_user_home_dir_filetrans(mozilla_plugin_t,
>> mozilla_home_t, dir, ".phoenix") + +filetrans_pattern(mozilla_plugin_t,
>> mozilla_home_t, mozilla_plugin_home_t, dir, "plugins")
>>
>> manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t,
>> mozilla_plugin_tmp_t) manage_files_pattern(mozilla_plugin_t,
>> mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) @@ -327,13 +334,13 @@
>> fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file
>> lnk_file sock_file fifo_file })
>>
>> allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms;
>> -read_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t,
>> mozilla_plugin_rw_t) -read_lnk_files_pattern(mozilla_plugin_t,
>> mozilla_plugin_rw_t, mozilla_plugin_rw_t) +allow mozilla_plugin_t
>> mozilla_plugin_rw_t:file read_file_perms; +allow mozilla_plugin_t
>> mozilla_plugin_rw_t:lnk_file read_lnk_file_perms;
>>
>> dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t,
>> mozilla_plugin_tmpfs_t, mozilla_t)
>> stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t,
>> mozilla_plugin_tmpfs_t, mozilla_t)
>>
>> -can_exec(mozilla_plugin_t, { mozilla_exec_t mozilla_home_t
>> mozilla_plugin_tmp_t }) +can_exec(mozilla_plugin_t, { mozilla_exec_t
>> mozilla_plugin_home_t mozilla_plugin_tmp_t })
>>
>> kernel_read_all_sysctls(mozilla_plugin_t)
>> kernel_read_system_state(mozilla_plugin_t) @@ -561,19 +568,22 @@ allow
>> mozilla_plugin_config_t self:fifo_file rw_fifo_file_perms; allow
>> mozilla_plugin_config_t self:unix_stream_socket
>> create_stream_socket_perms;
>>
>> -manage_dirs_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t,
>> mozilla_plugin_rw_t) -manage_files_pattern(mozilla_plugin_config_t,
>> mozilla_plugin_rw_t, mozilla_plugin_rw_t)
>> -manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t,
>> mozilla_plugin_rw_t) +allow mozilla_plugin_config_t
>> mozilla_plugin_rw_t:dir manage_dir_perms; +allow mozilla_plugin_config_t
>> mozilla_plugin_rw_t:file manage_file_perms; +allow
>> mozilla_plugin_config_t mozilla_plugin_rw_t:lnk_file
>> manage_lnk_file_perms;
>>
>> -manage_dirs_pattern(mozilla_plugin_config_t, mozilla_home_t,
>> mozilla_home_t) -manage_files_pattern(mozilla_plugin_config_t,
>> mozilla_home_t, mozilla_home_t)
>> -manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_home_t,
>> mozilla_home_t) +allow mozilla_plugin_config_t { mozilla_home_t
>> mozilla_plugin_home_t }:dir manage_dir_perms; +allow
>> mozilla_plugin_config_t { mozilla_home_t mozilla_plugin_home_t }:file
>> manage_file_perms; +allow mozilla_plugin_config_t mozilla_home_t:lnk_file
>> manage_lnk_file_perms; +
>> userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t,
>> dir, ".galeon") userdom_user_home_dir_filetrans(mozilla_plugin_config_t,
>> mozilla_home_t, dir, ".mozilla")
>> userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t,
>> dir, ".netscape")
>> userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t,
>> dir, ".phoenix")
>>
>> -can_exec(mozilla_plugin_config_t, mozilla_plugin_rw_t)
>> +filetrans_pattern(mozilla_plugin_config_t, mozilla_home_t,
>> mozilla_plugin_home_t, dir, "plugins") +
>> +can_exec(mozilla_plugin_config_t, { mozilla_plugin_rw_t
>> mozilla_plugin_home_t })
>>
>> kernel_read_system_state(mozilla_plugin_config_t)
>> kernel_request_load_module(mozilla_plugin_config_t)
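Review bot: in the mozilla.fc hunk the new `HOME_DIR/\.mozilla/plugins(/.*)?` entry is fully covered by the existing `HOME_DIR/\.mozilla(/.*)?` entry directly above it, so it depends on the more specific pattern winning in the compiled file_contexts; a `matchpathcon ~/.mozilla/plugins` after installing the policy confirms the result. Also, the `filetrans_pattern(..., dir, "plugins")` rules only label a `plugins` directory at creation time, so plugin files already present on upgraded systems stay `mozilla_home_t` until `restorecon -R ~/.mozilla` is run; the commit message should say so.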
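Review bot: in the `@@ -48,13 +48,15 @@` hunk of mozilla.if only the `:dir` and `:file` rules are extended to `mozilla_plugin_home_t`; `allow $2 mozilla_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };` is left as is, so the user role cannot create, relabel or even read a symlink under ~/.mozilla/plugins, which is a common way to point a per-user plugin at a library installed elsewhere. Suggest `allow $2 { mozilla_home_t mozilla_plugin_home_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };`, and the same `lnk_file` gap exists for `mozilla_t`, `mozilla_plugin_t` and `mozilla_plugin_config_t` in the corresponding mozilla.te hunks, where those domains will get a `lnk_file read` denial when following such a link.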
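Review bot: in the `@@ -228,12 +230,27 @@` hunk of mozilla.if the deprecated `mozilla_exec_user_home_files()` now forwards to `mozilla_exec_user_plugin_home_files()`, which grants execute on `mozilla_plugin_home_t` only, so every existing caller silently loses execute on the rest of `mozilla_home_t` with nothing but a build-time `refpolicywarn`. That is the intended hardening, but it is a behaviour change hidden behind a rename, so the commit message should state that callers of the old interface are narrowed rather than merely renamed; the `exec_files_pattern($1, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)` form itself is correct (search on both directory types, execute on plugin files only).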
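Review bot: in the `@@ -96,7 +101,7 @@` hunk of mozilla.te `can_exec(mozilla_t, { mozilla_exec_t mozilla_plugin_rw_t mozilla_plugin_home_t })` gives the browser process itself execute on plugin home content, which covers the in-process loading case, but the execmod interface moved in mozilla.if (`allow $1 mozilla_home_t:file execmod;` becoming `mozilla_plugin_home_t`) shows that text relocation for plugins was tied to `mozilla_home_t`. Any execmod rule on `mozilla_home_t` that mozilla.te grants to `mozilla_t` outside this hunk (for instance under a tunable) needs the same move to `mozilla_plugin_home_t`, otherwise a plugin with text relocations still fails once its files are relabelled.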
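Review bot: in the `@@ -306,13 +311,15 @@` hunk of mozilla.te the `can_exec(mozilla_plugin_t, { mozilla_exec_t mozilla_plugin_home_t mozilla_plugin_tmp_t })` change is the actual hardening (the plugin process can no longer execute arbitrary ~/.mozilla content), yet the new `allow mozilla_plugin_t { mozilla_home_t mozilla_plugin_home_t }:dir manage_dir_perms;` and `:file manage_file_perms;` lines keep full read/write access to the profile data the cover letter calls sensitive. Since the commit message only describes the execute side, either state that keeping manage access on `mozilla_home_t` is deliberate for now, or move the removal experiment mentioned below the patch into a follow-up commit so each step can be bisected.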
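Review bot: in the `@@ -327,13 +334,13 @@` hunk of mozilla.te the rewrite of `read_files_pattern`/`read_lnk_files_pattern` on `mozilla_plugin_rw_t` into bare `allow ... read_file_perms;` and `read_lnk_file_perms;` rules is unrelated to the new home type and is behaviour-neutral (the pattern's `search_dir_perms` on the directory is already implied by the existing `allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms;`); the same applies to the `mozilla_plugin_rw_t` rules in the `@@ -561` hunk. Splitting this style cleanup into its own commit keeps the plugin-home change reviewable on its own.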
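Review bot: in the `@@ -561,19 +568,22 @@` hunk of mozilla.te a lone `+` adds an empty line between `allow mozilla_plugin_config_t mozilla_home_t:lnk_file manage_lnk_file_perms;` and the first `userdom_user_home_dir_filetrans(mozilla_plugin_config_t, ...)` call, which splits a block the other three domains keep together; drop it for consistency with the `mozilla_t` and `mozilla_plugin_t` hunks above.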
>
> Now mozilla_plugin_t and mozilla_plugin_config_t *may* no longer need full
> access to type mozilla_home_t
>
> I still allowed them full access in the patch above, but I guess we could try
> and remove it and see where that gets us
>
>> _______________________________________________
>> refpolicy mailing list refpolicy at oss.tresys.com
>> http://oss.tresys.com/mailman/listinfo/refpolicy
>
Right, seems like a nice experiment with Rawhide/F19.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlB8SRoACgkQrlYvE4MpobPDlACeIgAiDT4YX2C74xQ03ToZKdOY
OYgAn3Z8MJejruXfJ9alXCrIiHS3Acnw
=1bSk
-----END PGP SIGNATURE-----