From: dominick.grift@gmail.com (Dominick Grift) Date: Mon, 15 Oct 2012 16:52:41 +0200 Subject: [refpolicy] [PATCH] Label ~/\.adobe(/.*)? as mozilla_home_t for flash In-Reply-To: <1350311043.5279.4.camel@d30.localdomain> References: <1350244316-11712-1-git-send-email-debian@mikapflueger.de> <1350245855.9829.8.camel@d30.localdomain> <1350246825.9829.11.camel@d30.localdomain> <1350247483.9829.19.camel@d30.localdomain> <507C184D.6000405@redhat.com> <1350311043.5279.4.camel@d30.localdomain> Message-ID: <1350312761.5279.7.camel@d30.localdomain> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Mon, 2012-10-15 at 16:24 +0200, Dominick Grift wrote: > > > > I agree we should start to be moving to more types in homedir for better > > separation. I would love to try to remove mozilla_plugin_t from full access > > to mozilla_home_t also. > > Yes if we can somehow prevent plugin access to passwords that would > already be a win > > another thing that comes to mind is > > .mozilla/plugins > > If we give that a private type of lets say mozilla_plugin_home_t then we > can allow mozilla_t/mozilla_plugin (whatever mmaps flash) mmap access to > only content in there (libflashplayer.so etc) > > Not very important but might be nice to have so that users can download > and run plugins on their own discretion and still have some level of > mandatory protection Concept:
> From 3bf2ef145b28d4ad3429fcde0847e8bfc7438b4c Mon, 15 Oct 2012 16:51:08 +0200
> From: Dominick Grift
> Date: Mon, 15 Oct 2012 16:50:02 +0200
> Subject: [PATCH] Changes to the mozilla policy module
>
>
> Implement mozilla_plugin userdom user home content type for
> ~/.mozilla/plugins so that mozilla domains no longer have to be able to
> execute mozilla userdom user home content files
>
> Signed-off-by: Dominick Grift
> diff --git a/mozilla.fc b/mozilla.fc
> index e9bd2d6..841b4ce 100644
> --- a/mozilla.fc
> +++ b/mozilla.fc
> @@ -1,5 +1,6 @@
> HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
> HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
> +HOME_DIR/\.mozilla/plugins(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
> HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
> HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
>
> diff --git a/mozilla.if b/mozilla.if
> index 12d2481..f5fca86 100644
> --- a/mozilla.if
> +++ b/mozilla.if
> @@ -19,7 +19,7 @@
> gen_require(`
> type mozilla_t, mozilla_exec_t, mozilla_home_t;
> type mozilla_tmp_t, mozilla_tmpfs_t, mozilla_plugin_tmp_t;
> - type mozilla_plugin_tmpfs_t;
> + type mozilla_plugin_tmpfs_t, mozilla_plugin_home_t;
> attribute_role mozilla_roles;
> ')
>
> @@ -48,13 +48,15 @@
>
> stream_connect_pattern($2, mozilla_tmpfs_t, mozilla_tmpfs_t, mozilla_t)
>
> - allow $2 mozilla_home_t:dir { manage_dir_perms relabel_dir_perms };
> - allow $2 mozilla_home_t:file { manage_file_perms relabel_file_perms };
> + allow $2 { mozilla_home_t mozilla_plugin_home_t }:dir { manage_dir_perms relabel_dir_perms };
> + allow $2 { mozilla_home_t mozilla_plugin_home_t }:file { manage_file_perms relabel_file_perms };
> allow $2 mozilla_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
> userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".galeon")
> userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".mozilla")
> userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".netscape")
> userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".phoenix")
> +
> + filetrans_pattern($2, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins")
>
> allow $2 { mozilla_tmp_t mozilla_plugin_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
> allow $2 { mozilla_tmp_t mozilla_plugin_tmp_t }:file { manage_file_perms relabel_file_perms };
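Review bot: `filetrans_pattern($2, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins")` in the mozilla.if -48 hunk is broader than the new mozilla.fc entry: it fires for any directory named plugins created below any mozilla_home_t directory (~/.galeon/plugins, or a plugins directory inside a profile under ~/.mozilla), whereas the file context only covers HOME_DIR/\.mozilla/plugins(/.*)?. Such directories receive at runtime the type that mozilla_t and mozilla_plugin_t are given can_exec on, and restorecon later relabels them back to mozilla_home_t, so the runtime label and the file context disagree. The same transition is added for mozilla_t, mozilla_plugin_t and mozilla_plugin_config_t in the mozilla.te hunks at -72, -306 and -561. Either every path the transition can produce gets a matching file context, or the transition is narrowed to ~/.mozilla, which would require that directory to carry a type distinct from the other mozilla_home_t directories. The enclosing template body starts and ends outside the hunk.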
> @@ -219,7 +221,7 @@
>
> ########################################
> ##
> -## Execute mozilla home directory files.
> +## Execute mozilla home directory files. (Deprecated)
> ##
> ##
> ##
> @@ -228,12 +230,27 @@
> ##
> #
> interface(`mozilla_exec_user_home_files',`
> + refpolicywarn(`$0($*) has been deprecated, use mozilla_exec_user_plugin_home_files() instead.')
> + mozilla_exec_user_plugin_home_files($1)
> +')
> +
> +########################################
> +##
> +## Execute mozilla plugin home directory files.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`mozilla_exec_user_plugin_home_files',`
> gen_require(`
> - type mozilla_home_t;
> + type mozilla_home_t, mozilla_plugin_home_t;
> ')
>
> userdom_search_user_home_dirs($1)
> - can_exec($1, mozilla_home_t)
> + exec_files_pattern($1, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
> ')
>
> ########################################
> @@ -248,11 +265,27 @@
> ##
> #
> interface(`mozilla_execmod_user_home_files',`
> + refpolicywarn(`$0($*) has been deprecated, use mozilla_execmod_user_plugin_home_files() instead.')
> + mozilla_execmod_user_plugin_home_files($1)
> +')
> +
> +########################################
> +##
> +## Mozilla plugin home directory file
> +## text relocation.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`mozilla_execmod_user_plugin_home_files',`
> gen_require(`
> - type mozilla_home_t;
> + type mozilla_plugin_home_t;
> ')
>
> - allow $1 mozilla_home_t:file execmod;
> + allow $1 mozilla_plugin_home_t:file execmod;
> ')
>
> ########################################
> diff --git a/mozilla.te b/mozilla.te
> index 43236ef..05073e3 100644
> --- a/mozilla.te
> +++ b/mozilla.te
> @@ -1,4 +1,4 @@
> -policy_module(mozilla, 2.6.6)
> +policy_module(mozilla, 2.6.7)
>
> ########################################
> #
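Review bot: The deprecated `mozilla_exec_user_home_files` shim in the -228 hunk forwards to an interface that only grants exec on mozilla_plugin_home_t, so every existing caller of the old name silently loses exec on mozilla_home_t files outside ~/.mozilla/plugins; the old body granted `can_exec($1, mozilla_home_t)`. The same narrowing happens to `mozilla_execmod_user_home_files` in the -248 hunk, which now grants execmod only on the new type. If that is intended (it matches the commit message), say so in the summaries, e.g. `## Execute mozilla home directory files. (Deprecated; now grants exec on plugin home files only.)`, and mention the affected callers in the commit description; otherwise keep the old allow next to the forwarding call so the shim stays a drop-in replacement.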
> @@ -33,6 +33,9 @@
> type mozilla_plugin_exec_t;
> userdom_user_application_domain(mozilla_plugin_t, mozilla_plugin_exec_t)
> role mozilla_plugin_roles types mozilla_plugin_t;
> +
> +type mozilla_plugin_home_t;
> +userdom_user_home_content(mozilla_plugin_home_t)
>
> type mozilla_plugin_tmp_t;
> userdom_user_tmp_file(mozilla_plugin_tmp_t)
> @@ -72,13 +75,15 @@
> allow mozilla_t mozilla_plugin_t:unix_stream_socket rw_socket_perms;
> allow mozilla_t mozilla_plugin_t:fd use;
>
> -manage_dirs_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
> -manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
> -manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
> +allow mozilla_t { mozilla_home_t mozilla_plugin_home_t }:dir manage_dir_perms;
> +allow mozilla_t { mozilla_home_t mozilla_plugin_home_t }:file manage_file_perms;
> +allow mozilla_t mozilla_home_t:lnk_file manage_lnk_file_perms;
> userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".galeon")
> userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".mozilla")
> userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".netscape")
> userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".phoenix")
> +
> +filetrans_pattern(mozilla_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins")
>
> manage_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
> manage_dirs_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
> @@ -96,7 +101,7 @@
>
> stream_connect_pattern(mozilla_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_plugin_t)
>
> -can_exec(mozilla_t, { mozilla_exec_t mozilla_plugin_rw_t })
> +can_exec(mozilla_t, { mozilla_exec_t mozilla_plugin_rw_t mozilla_plugin_home_t })
>
> kernel_read_kernel_sysctls(mozilla_t)
> kernel_read_network_state(mozilla_t)
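Review bot: `can_exec(mozilla_t, { mozilla_exec_t mozilla_plugin_rw_t mozilla_plugin_home_t })` in the -96 hunk leaves the browser domain itself able to execute content the user domain can write (the -48 template hunk grants $2 manage_file_perms on mozilla_plugin_home_t), which is the access the commit message says is being taken away from "mozilla domains". If mozilla_t still has to load in-process plugins from ~/.mozilla/plugins, a why-comment such as `# in-process plugins are dlopen()ed by the browser, not by mozilla_plugin_t` would record that, and it is worth checking whether execmod on mozilla_plugin_home_t is then needed too. If plugins are only ever loaded by mozilla_plugin_t, drop mozilla_plugin_home_t from this can_exec so the browser no longer executes user-writable files.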
> @@ -306,13 +311,15 @@
> allow mozilla_plugin_t mozilla_t:shm { rw_shm_perms destroy };
> allow mozilla_plugin_t mozilla_t:sem create_sem_perms;
>
> -manage_dirs_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
> -manage_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
> -manage_lnk_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
> +allow mozilla_plugin_t { mozilla_home_t mozilla_plugin_home_t }:dir manage_dir_perms;
> +allow mozilla_plugin_t { mozilla_home_t mozilla_plugin_home_t }:file manage_file_perms;
> +allow mozilla_plugin_t mozilla_home_t:lnk_file manage_lnk_file_perms;
> userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, ".galeon")
> userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, ".mozilla")
> userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, ".netscape")
> userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, ".phoenix")
> +
> +filetrans_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins")
>
> manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
> manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
> @@ -327,13 +334,13 @@
> fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
>
> allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms;
> -read_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
> -read_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
> +allow mozilla_plugin_t mozilla_plugin_rw_t:file read_file_perms;
> +allow mozilla_plugin_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms;
>
> dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
> stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
>
> -can_exec(mozilla_plugin_t, { mozilla_exec_t mozilla_home_t mozilla_plugin_tmp_t })
> +can_exec(mozilla_plugin_t, { mozilla_exec_t mozilla_plugin_home_t mozilla_plugin_tmp_t })
>
> kernel_read_all_sysctls(mozilla_plugin_t)
> kernel_read_system_state(mozilla_plugin_t)
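Review bot: The -327 hunk moves exec for mozilla_plugin_t from mozilla_home_t to mozilla_plugin_home_t, but nothing in the patch grants mozilla_plugin_t execmod on the new type. If a plugin shared object under ~/.mozilla/plugins needs text relocation (the case the new mozilla_execmod_user_plugin_home_files interface exists for) and that was previously covered by an execmod rule on mozilla_home_t elsewhere in mozilla.te, loading will now fail with an execmod denial; `allow mozilla_plugin_t mozilla_plugin_home_t:file execmod;` next to the can_exec line would cover it, and the same question applies to mozilla_plugin_config_t in the -561 hunk. Replacing `read_files_pattern(...)` and `read_lnk_files_pattern(...)` with bare allow rules is also a departure from the pattern-macro style used on the surrounding context lines; the grants are equivalent here because list_dir_perms on the preceding line already includes the search the patterns add, but keeping the patterns makes the rules easier to audit.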
> @@ -561,19 +568,22 @@
> allow mozilla_plugin_config_t self:fifo_file rw_fifo_file_perms;
> allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms;
>
> -manage_dirs_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
> -manage_files_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
> -manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
> +allow mozilla_plugin_config_t mozilla_plugin_rw_t:dir manage_dir_perms;
> +allow mozilla_plugin_config_t mozilla_plugin_rw_t:file manage_file_perms;
> +allow mozilla_plugin_config_t mozilla_plugin_rw_t:lnk_file manage_lnk_file_perms;
>
> -manage_dirs_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
> -manage_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
> -manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
> +allow mozilla_plugin_config_t { mozilla_home_t mozilla_plugin_home_t }:dir manage_dir_perms;
> +allow mozilla_plugin_config_t { mozilla_home_t mozilla_plugin_home_t }:file manage_file_perms;
> +allow mozilla_plugin_config_t mozilla_home_t:lnk_file manage_lnk_file_perms;
> +
> userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".galeon")
> userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".mozilla")
> userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".netscape")
> userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".phoenix")
>
> -can_exec(mozilla_plugin_config_t, mozilla_plugin_rw_t)
> +filetrans_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins")
> +
> +can_exec(mozilla_plugin_config_t, { mozilla_plugin_rw_t mozilla_plugin_home_t })
>
> kernel_read_system_state(mozilla_plugin_config_t)
> kernel_request_load_module(mozilla_plugin_config_t)
Now mozilla_plugin_t and mozilla_plugin_config_t *may* no
longer need full access to type mozilla_home_t. I still allowed them full access in the patch above, but I guess we could try to remove it and see where that gets us. > _______________________________________________ > > refpolicy mailing list > > refpolicy at oss.tresys.com > > http://oss.tresys.com/mailman/listinfo/refpolicy > >