From: guido@trentalancia.net (Guido Trentalancia)
Date: Sun, 11 Dec 2016 21:25:53 +0100
Subject: [refpolicy] [PATCH] userdomain: do not execute temporary files
In-Reply-To: <0f079bc8-1cf3-3b38-5ec2-c195b73530a1@ieee.org>
References: <1481469765.600.1.camel@trentalancia.net> <0f079bc8-1cf3-3b38-5ec2-c195b73530a1@ieee.org>
Message-ID: <1481487953.2628.18.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sun, 11/12/2016 at 15.12 -0500, Chris PeBenito wrote:
> On 12/11/16 10:22, Guido Trentalancia via refpolicy wrote:
> >
> > Executing temporary files is unsafe and dangerous and it is
> > also unneeded on normal systems, therefore this patch
> > removes such permission from the user_t domain.
> >
> > Signed-off-by: Guido Trentalancia
> > --- > > ?policy/modules/system/userdomain.if |????1 - > > ?1 file changed, 1 deletion(-) > > > > --- refpolicy-git-07122016-orig/policy/modules/system/userdomain.if > > 2016-12-07 13:39:08.672449330 +0100 > > +++ refpolicy-git-07122016/policy/modules/system/userdomain.if > > 2016-12-11 16:12:19.548933309 +0100
> > @@ -812,7 +812,6 @@ template(`userdom_login_user_template', > > ? userdom_manage_tmp_role($1_r, $1_t) > > ? userdom_manage_tmpfs_role($1_r, $1_t) > > > > - userdom_exec_user_tmp_files($1_t) > > ? userdom_exec_user_home_content_files($1_t) > > > > ? userdom_change_password_template($1)
>
> NAK.  While there is some truth to this, this permission is limited to
> only files created by the user domain itself (as long as you have UBAC
> too).  This wouldn't save someone from downloading, e.g. a trojan and
> executing it out of their home dir since they couldn't execute it out of
> /tmp.

Of course, it does not prevent intentional execution of a file.

However, it prevents execution of files that have been installed in
/tmp by a malicious process that has no permission to write in the
user home directory. The malicious binary can be executed through
techniques such as, for example, the exploitation of a buffer overflow.

Regards,

Guido
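
Review bot: the deleted call at -812 sits inside userdom_login_user_template and acts on $1_t, so it changes every domain instantiated from that template, while the commit message names only user_t; the message should state the actual scope. The neighbouring userdom_exec_user_home_content_files($1_t) is left in place, so the same domain can still execute files it wrote under the home directory, and the commit message should say why /tmp is treated differently. Because the deletion is unconditional, consider putting the call under a tunable_policy() conditional instead of dropping it, so that sites which rely on executing from /tmp can keep the current behaviour.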