From: dwalsh@redhat.com (Daniel J Walsh) Date: Mon, 15 Oct 2012 13:34:18 -0400 Subject: [refpolicy] [PATCH] Label ~/\.adobe(/.*)? as mozilla_home_t for flash In-Reply-To: <1350312761.5279.7.camel@d30.localdomain> References: <1350244316-11712-1-git-send-email-debian@mikapflueger.de> <1350245855.9829.8.camel@d30.localdomain> <1350246825.9829.11.camel@d30.localdomain> <1350247483.9829.19.camel@d30.localdomain> <507C184D.6000405@redhat.com> <1350311043.5279.4.camel@d30.localdomain> <1350312761.5279.7.camel@d30.localdomain> Message-ID: <507C491A.1050302@redhat.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 10/15/2012 10:52 AM, Dominick Grift wrote: > > > On Mon, 2012-10-15 at 16:24 +0200, Dominick Grift wrote: >>> >>> I agree we should start to be moving to more types in homedir for >>> better separation. I would love to try to remove mozilla_plugin_t from >>> full access to mozilla_home_t also. >> >> Yes if we can somehow prevent plugin access to passwords that would >> already be a win >> >> another thing that comes to mind is >> >> .mozilla/plugins >> >> If we give that a private type of lets say mozilla_plugin_home_t then we >> can allow mozilla_t/mozilla_plugin (whatever mmaps flash) mmap access to >> only content in there (libflashplayer.so etc) >> >> Not very important but might be nice to have so that users can download >> and run plugins on their own discretion and still have some level of >> mandatory protection > > Concept: > > >> From 3bf2ef145b28d4ad3429fcde0847e8bfc7438b4c Mon, 15 Oct 2012 16:51:08 >> +0200 From: Dominick Grift Date: Mon, 15 Oct >> 2012 16:50:02 +0200 Subject: [PATCH] Changes to the mozilla policy >> module >> >> >> Implement mozilla_plugin userdom user home content type for >> ~/.mozilla/plugins so that mozilla domains no longer have to be able to >> execute mozilla userdom user home content files >> >> Signed-off-by: Dominick Grift 
diff --git >> a/mozilla.fc b/mozilla.fc index e9bd2d6..841b4ce 100644 --- a/mozilla.fc >> +++ b/mozilla.fc @@ -1,5 +1,6 @@ HOME_DIR/\.galeon(/.*)? >> gen_context(system_u:object_r:mozilla_home_t,s0) HOME_DIR/\.mozilla(/.*)? >> gen_context(system_u:object_r:mozilla_home_t,s0) >> +HOME_DIR/\.mozilla/plugins(/.*)? >> gen_context(system_u:object_r:mozilla_plugin_home_t,s0) >> HOME_DIR/\.netscape(/.*)? >> gen_context(system_u:object_r:mozilla_home_t,s0) HOME_DIR/\.phoenix(/.*)? >> gen_context(system_u:object_r:mozilla_home_t,s0) >> >> diff --git a/mozilla.if b/mozilla.if index 12d2481..f5fca86 100644 --- >> a/mozilla.if +++ b/mozilla.if @@ -19,7 +19,7 @@ gen_require(` type >> mozilla_t, mozilla_exec_t, mozilla_home_t; type mozilla_tmp_t, >> mozilla_tmpfs_t, mozilla_plugin_tmp_t; - type mozilla_plugin_tmpfs_t; + >> type mozilla_plugin_tmpfs_t, mozilla_plugin_home_t; attribute_role >> mozilla_roles; ') 
>> >> @@ -48,13 +48,15 @@ >> >> stream_connect_pattern($2, mozilla_tmpfs_t, mozilla_tmpfs_t, mozilla_t) >> >> - allow $2 mozilla_home_t:dir { manage_dir_perms relabel_dir_perms }; - >> allow $2 mozilla_home_t:file { manage_file_perms relabel_file_perms }; + >> allow $2 { mozilla_home_t mozilla_plugin_home_t }:dir { manage_dir_perms >> relabel_dir_perms }; + allow $2 { mozilla_home_t mozilla_plugin_home_t >> }:file { manage_file_perms relabel_file_perms }; allow $2 >> mozilla_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms >> }; userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".galeon") >> userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".mozilla") >> userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".netscape") >> userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".phoenix") + + >> filetrans_pattern($2, mozilla_home_t, mozilla_plugin_home_t, dir, >> "plugins") >> >> allow $2 { mozilla_tmp_t mozilla_plugin_tmp_t }:dir { manage_dir_perms >> relabel_dir_perms }; allow $2 { mozilla_tmp_t mozilla_plugin_tmp_t }:file >> { manage_file_perms relabel_file_perms }; 
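Review bot: No lnk_file rule is added for mozilla_plugin_home_t anywhere in the patch: this hunk keeps `allow $2 mozilla_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };` on mozilla_home_t only while the dir and file rules above it move to `{ mozilla_home_t mozilla_plugin_home_t }`, and the mozilla.te hunks at -72, -306 and -561 do the same. Because the new file context `HOME_DIR/\.mozilla/plugins(/.*)?` matches every object under that directory, a symlink placed there (plugins are sometimes installed as symlinks to a system-wide shared object, which I cannot confirm from the patch alone) would be labeled mozilla_plugin_home_t and neither the user domain nor the domains using `mozilla_exec_user_plugin_home_files` could read or follow it. If that layout is meant to work, the rule here should become `allow $2 { mozilla_home_t mozilla_plugin_home_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };` with a matching read_lnk_file_perms rule for the domains that load plugins; if symlinks under ~/.mozilla/plugins are deliberately unsupported, a one-line comment next to the new fc entry saying so would spare the next reader the question. The mozilla_role interface that contains this hunk begins before it.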
@@ -219,7 +221,7 @@ >> >> ######################################## ## -## Execute mozilla >> home directory files. +## Execute mozilla home directory files. >> (Deprecated) ## ## ## @@ >> -228,12 +230,27 @@ ## # >> interface(`mozilla_exec_user_home_files',` + refpolicywarn(`$0($*) has >> been deprecated, use mozilla_exec_user_plugin_home_files() instead.') + >> mozilla_exec_user_plugin_home_files($1) +') + >> +######################################## +## +## Execute >> mozilla plugin home directory files. +## +## > name="domain"> +## +## Domain allowed access. +## >> +## +# +interface(`mozilla_exec_user_plugin_home_files',` >> gen_require(` - type mozilla_home_t; + type mozilla_home_t, >> mozilla_plugin_home_t; ') >> >> userdom_search_user_home_dirs($1) - can_exec($1, mozilla_home_t) + >> exec_files_pattern($1, { mozilla_home_t mozilla_plugin_home_t }, >> mozilla_plugin_home_t) ') >> >> ######################################## @@ -248,11 +265,27 @@ ## >> # interface(`mozilla_execmod_user_home_files',` + >> refpolicywarn(`$0($*) has been deprecated, use >> mozilla_execmod_user_plugin_home_files() instead.') + >> mozilla_execmod_user_plugin_home_files($1) +') + >> +######################################## +## +## Mozilla >> plugin home directory file +## text relocation. +## +## > name="domain"> +## +## Domain allowed access. +## >> +## +# +interface(`mozilla_execmod_user_plugin_home_files',` >> gen_require(` - type mozilla_home_t; + type mozilla_plugin_home_t; ') >> >> - allow $1 mozilla_home_t:file execmod; + allow $1 >> mozilla_plugin_home_t:file execmod; ') >> >> ######################################## diff --git a/mozilla.te >> b/mozilla.te index 43236ef..05073e3 100644 --- a/mozilla.te +++ >> b/mozilla.te @@ -1,4 +1,4 @@ -policy_module(mozilla, 2.6.6) >> +policy_module(mozilla, 2.6.7) >> >> ######################################## # 
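Review bot: The deprecated wrapper `mozilla_exec_user_home_files` in the -228 hunk now forwards to `mozilla_exec_user_plugin_home_files($1)`, which grants execute only on mozilla_plugin_home_t, whereas the removed body `can_exec($1, mozilla_home_t)` covered every mozilla_home_t file; callers in other modules keep compiling but silently lose execute on profile content. That narrowing is the point of the patch, but a refpolicywarn deprecation is conventionally read as "same access, new name", so the message should state that execute is now limited to ~/.mozilla/plugins content rather than all of mozilla_home_t, and the commit message should call out the same for anyone auditing denials after the update. The `mozilla_execmod_user_home_files` shim in the -248 hunk has the identical issue, since execmod moves from mozilla_home_t to mozilla_plugin_home_t.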
@@ -33,6 +33,9 @@ type >> mozilla_plugin_exec_t; userdom_user_application_domain(mozilla_plugin_t, >> mozilla_plugin_exec_t) role mozilla_plugin_roles types mozilla_plugin_t; >> + +type mozilla_plugin_home_t; >> +userdom_user_home_content(mozilla_plugin_home_t) >> >> type mozilla_plugin_tmp_t; userdom_user_tmp_file(mozilla_plugin_tmp_t) @@ >> -72,13 +75,15 @@ allow mozilla_t mozilla_plugin_t:unix_stream_socket >> rw_socket_perms; allow mozilla_t mozilla_plugin_t:fd use; >> >> -manage_dirs_pattern(mozilla_t, mozilla_home_t, mozilla_home_t) >> -manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t) >> -manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t) >> +allow mozilla_t { mozilla_home_t mozilla_plugin_home_t }:dir >> manage_dir_perms; +allow mozilla_t { mozilla_home_t mozilla_plugin_home_t >> }:file manage_file_perms; +allow mozilla_t mozilla_home_t:lnk_file >> manage_lnk_file_perms; userdom_user_home_dir_filetrans(mozilla_t, >> mozilla_home_t, dir, ".galeon") >> userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, >> ".mozilla") userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, >> dir, ".netscape") userdom_user_home_dir_filetrans(mozilla_t, >> mozilla_home_t, dir, ".phoenix") + +filetrans_pattern(mozilla_t, >> mozilla_home_t, mozilla_plugin_home_t, dir, "plugins") >> >> manage_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t) >> manage_dirs_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t) @@ -96,7 >> +101,7 @@ >> >> stream_connect_pattern(mozilla_t, mozilla_plugin_tmpfs_t, >> mozilla_plugin_tmpfs_t, mozilla_plugin_t) >> >> -can_exec(mozilla_t, { mozilla_exec_t mozilla_plugin_rw_t }) >> +can_exec(mozilla_t, { mozilla_exec_t mozilla_plugin_rw_t >> mozilla_plugin_home_t }) >> >> kernel_read_kernel_sysctls(mozilla_t) >> kernel_read_network_state(mozilla_t) 
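Review bot: mozilla_t ends up with both `manage_file_perms` on mozilla_plugin_home_t (the -72 hunk) and execute on it via `can_exec(mozilla_t, { mozilla_exec_t mozilla_plugin_rw_t mozilla_plugin_home_t })` (the -96 hunk), a write-plus-execute pairing the browser domain did not have on mozilla_home_t before, at least as far as the removed `can_exec(mozilla_t, { mozilla_exec_t mozilla_plugin_rw_t })` line shows. With write and execute on the same type, a compromised browser process can drop a library under ~/.mozilla/plugins and have it loaded on the next start, so the new type adds little confinement for mozilla_t itself; unless mozilla_t is expected to install plugins (nothing in the patch shows that), the file rule could be split back into `allow mozilla_t mozilla_home_t:file manage_file_perms;` and `allow mozilla_t mozilla_plugin_home_t:file read_file_perms;`, leaving writes to the installer domain. The -306 and -327 hunks give mozilla_plugin_t the same manage-plus-exec pairing on mozilla_plugin_home_t (and mozilla_t can then execute whatever the plugin domain writes), which is where the separation was meant to help most; the -561 hunk gives it to mozilla_plugin_config_t, where it is arguably the installer's job.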
@@ -306,13 +311,15 @@ allow >> mozilla_plugin_t mozilla_t:shm { rw_shm_perms destroy }; allow >> mozilla_plugin_t mozilla_t:sem create_sem_perms; >> >> -manage_dirs_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t) >> -manage_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t) >> -manage_lnk_files_pattern(mozilla_plugin_t, mozilla_home_t, >> mozilla_home_t) +allow mozilla_plugin_t { mozilla_home_t >> mozilla_plugin_home_t }:dir manage_dir_perms; +allow mozilla_plugin_t { >> mozilla_home_t mozilla_plugin_home_t }:file manage_file_perms; +allow >> mozilla_plugin_t mozilla_home_t:lnk_file manage_lnk_file_perms; >> userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, >> ".galeon") userdom_user_home_dir_filetrans(mozilla_plugin_t, >> mozilla_home_t, dir, ".mozilla") >> userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, >> ".netscape") userdom_user_home_dir_filetrans(mozilla_plugin_t, >> mozilla_home_t, dir, ".phoenix") + +filetrans_pattern(mozilla_plugin_t, >> mozilla_home_t, mozilla_plugin_home_t, dir, "plugins") >> >> manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, >> mozilla_plugin_tmp_t) manage_files_pattern(mozilla_plugin_t, >> mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) 
@@ -327,13 +334,13 @@ >> fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file >> lnk_file sock_file fifo_file }) >> >> allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms; >> -read_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, >> mozilla_plugin_rw_t) -read_lnk_files_pattern(mozilla_plugin_t, >> mozilla_plugin_rw_t, mozilla_plugin_rw_t) +allow mozilla_plugin_t >> mozilla_plugin_rw_t:file read_file_perms; +allow mozilla_plugin_t >> mozilla_plugin_rw_t:lnk_file read_lnk_file_perms; >> >> dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, >> mozilla_plugin_tmpfs_t, mozilla_t) >> stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, >> mozilla_plugin_tmpfs_t, mozilla_t) >> >> -can_exec(mozilla_plugin_t, { mozilla_exec_t mozilla_home_t >> mozilla_plugin_tmp_t }) +can_exec(mozilla_plugin_t, { mozilla_exec_t >> mozilla_plugin_home_t mozilla_plugin_tmp_t }) >> >> kernel_read_all_sysctls(mozilla_plugin_t) >> kernel_read_system_state(mozilla_plugin_t) 
@@ -561,19 +568,22 @@ allow >> mozilla_plugin_config_t self:fifo_file rw_fifo_file_perms; allow >> mozilla_plugin_config_t self:unix_stream_socket >> create_stream_socket_perms; >> >> -manage_dirs_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, >> mozilla_plugin_rw_t) -manage_files_pattern(mozilla_plugin_config_t, >> mozilla_plugin_rw_t, mozilla_plugin_rw_t) >> -manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, >> mozilla_plugin_rw_t) +allow mozilla_plugin_config_t >> mozilla_plugin_rw_t:dir manage_dir_perms; +allow mozilla_plugin_config_t >> mozilla_plugin_rw_t:file manage_file_perms; +allow >> mozilla_plugin_config_t mozilla_plugin_rw_t:lnk_file >> manage_lnk_file_perms; >> >> -manage_dirs_pattern(mozilla_plugin_config_t, mozilla_home_t, >> mozilla_home_t) -manage_files_pattern(mozilla_plugin_config_t, >> mozilla_home_t, mozilla_home_t) >> -manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_home_t, >> mozilla_home_t) +allow mozilla_plugin_config_t { mozilla_home_t >> mozilla_plugin_home_t }:dir manage_dir_perms; +allow >> mozilla_plugin_config_t { mozilla_home_t mozilla_plugin_home_t }:file >> manage_file_perms; +allow mozilla_plugin_config_t mozilla_home_t:lnk_file >> manage_lnk_file_perms; + >> userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, >> dir, ".galeon") userdom_user_home_dir_filetrans(mozilla_plugin_config_t, >> mozilla_home_t, dir, ".mozilla") >> userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, >> dir, ".netscape") >> userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, >> dir, ".phoenix") >> >> -can_exec(mozilla_plugin_config_t, mozilla_plugin_rw_t) >> +filetrans_pattern(mozilla_plugin_config_t, mozilla_home_t, >> mozilla_plugin_home_t, dir, "plugins") + >> +can_exec(mozilla_plugin_config_t, { mozilla_plugin_rw_t >> mozilla_plugin_home_t }) >> >> kernel_read_system_state(mozilla_plugin_config_t) >> kernel_request_load_module(mozilla_plugin_config_t) > 
> Now mozilla_plugin_t and mozilla_plugin_config_t *may* no longer need full > access to type mozilla_home_t > > I still allowed them full access in patch above but i guess we could try > and remove it and see where that gets us > >> _______________________________________________ >>> refpolicy mailing list refpolicy at oss.tresys.com >>> http://oss.tresys.com/mailman/listinfo/refpolicy >> >> > > > _______________________________________________ refpolicy mailing list > refpolicy at oss.tresys.com http://oss.tresys.com/mailman/listinfo/refpolicy > Right seems like a nice experiment with Rawhide/F19. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://www.enigmail.net/ iEYEARECAAYFAlB8SRoACgkQrlYvE4MpobPDlACeIgAiDT4YX2C74xQ03ToZKdOY OYgAn3Z8MJejruXfJ9alXCrIiHS3Acnw =1bSk -----END PGP SIGNATURE-----