From: pebenito@ieee.org (Chris PeBenito)
Date: Sun, 11 Dec 2016 15:42:44 -0500
Subject: [refpolicy] [PATCH] userdomain: do not execute temporary files
In-Reply-To: <1481487953.2628.18.camel@trentalancia.net>
References: <1481469765.600.1.camel@trentalancia.net> <0f079bc8-1cf3-3b38-5ec2-c195b73530a1@ieee.org> <1481487953.2628.18.camel@trentalancia.net>
Message-ID: 
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 12/11/16 15:25, Guido Trentalancia via refpolicy wrote:
> On Sun, 11/12/2016 at 15.12 -0500, Chris PeBenito wrote:
>> On 12/11/16 10:22, Guido Trentalancia via refpolicy wrote:
>>>
>>> Executing temporary files is unsafe and dangerous and it is
>>> also unneeded on normal systems, therefore this patch
>>> removes such permission from the user_t domain.
>>>
>>> Signed-off-by: Guido Trentalancia
>>> ---
>>> policy/modules/system/userdomain.if | 1 -
>>> 1 file changed, 1 deletion(-)
>>>
>>> --- refpolicy-git-07122016-orig/policy/modules/system/userdomain.if
>>> 2016-12-07 13:39:08.672449330 +0100
>>> +++ refpolicy-git-07122016/policy/modules/system/userdomain.if
>>> 2016-12-11 16:12:19.548933309 +0100
>>> @@ -812,7 +812,6 @@ template(`userdom_login_user_template',
>>> userdom_manage_tmp_role($1_r, $1_t)
>>> userdom_manage_tmpfs_role($1_r, $1_t)
>>>
>>> - userdom_exec_user_tmp_files($1_t)
>>> userdom_exec_user_home_content_files($1_t)
>>>
>>> userdom_change_password_template($1)
>>
>> NAK. While there is some truth to this, this permission is limited to
>> only files created by the user domain itself (as long as you have UBAC
>> too). This wouldn't save someone from downloading, e.g. a trojan and
>> executing it out of their home dir since they couldn't execute it out of
>> /tmp.
>
> Of course, it does not prevent intentional execution of a file.
>
> However, it prevents execution of files that have been installed in
> /tmp by a malicious process that has no permission to write in the user
> home directory. The malicious binary can be executed through techniques
> such as, for example, the exploitation of a buffer overflow.

Yes, but which domains can create or relabel to user_tmp_t other than
user domains? I'd rather eliminate any that don't make any sense, like
mozilla and thunderbird for example:

allow mozilla_plugin_t user_tmp_t:file { append create getattr ioctl link lock open read rename setattr unlink write };
allow mozilla_t user_tmp_t:file { append create getattr ioctl link lock open read rename setattr unlink write };
allow thunderbird_t user_tmp_t:file { append create getattr ioctl link lock open read rename setattr unlink write };

-- 
Chris PeBenito
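Review bot: the deletion of userdom_exec_user_tmp_files($1_t) from userdom_login_user_template is unconditional, so every login user domain instantiated from the template loses execute on files its own domain created in /tmp, not just user_t as the commit message says; since the reply in this thread notes the permission already covers only files created by the user domain itself (with UBAC), consider making the restriction optional rather than removing the call outright, and put the justification for "unneeded on normal systems" in the commit message. The diffstat (1 deletion) matches the hunk, and the interface definition itself is untouched, so other callers of userdom_exec_user_tmp_files keep it.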
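The question at the end of the thread, which domains besides the user domains can create, write or relabel user_tmp_t files, is normally answered by querying the loaded policy (for instance with setools' sesearch) and reading through rules in exactly the text form quoted above. As an added example, not code from the thread or from refpolicy, the following Python script parses allow rules in that form and lists, per domain, the permissions that let it introduce content into user_tmp_t files, and separately the domains that can execute them. The rule text is constructed for the demo: the three mozilla/thunderbird rules are the ones quoted in the reply, while the user_t, example_viewer_t and example_daemon_t rules are invented and do not come from refpolicy.

```python
import re
from collections import defaultdict

# Matches one rule in the text form quoted in the reply above:
#   allow <source> <target>:<class> { perm perm ... };   or   allow src tgt:cls perm;
RULE_RE = re.compile(
    r"^\s*allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{\s*([^}]*)\}|(\S+))\s*;\s*$"
)

# Constructed sample. The three mozilla/thunderbird rules are the ones quoted
# in the reply; the user_t, example_viewer_t and example_daemon_t rules are
# invented for this demo and are not real refpolicy rules.
SAMPLE_RULES = """\
allow user_t user_tmp_t:file { append create getattr ioctl link lock open read rename setattr unlink write execute execute_no_trans };
allow user_t user_tmp_t:file relabelto;
allow mozilla_plugin_t user_tmp_t:file { append create getattr ioctl link lock open read rename setattr unlink write };
allow mozilla_t user_tmp_t:file { append create getattr ioctl link lock open read rename setattr unlink write };
allow thunderbird_t user_tmp_t:file { append create getattr ioctl link lock open read rename setattr unlink write };
allow example_viewer_t user_tmp_t:file { getattr open read };
allow example_daemon_t user_tmp_t:dir { getattr search write };
"""

# Permissions that let a domain put (or relabel) content into the target type,
# and permissions that let it run such content.
WRITE_PERMS = frozenset({"create", "write", "append", "relabelto"})
EXEC_PERMS = frozenset({"execute", "execute_no_trans"})


def parse_allow_rules(text):
    """Return a list of (source, target, class, frozenset(perms)) tuples.
    Lines that are not allow rules (blank lines, comments) are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        src, tgt, cls, braced, single = m.groups()
        perms = frozenset(braced.split()) if braced is not None else frozenset([single])
        rules.append((src, tgt, cls, perms))
    return rules


def domains_with(rules, target_type, wanted, cls="file", exclude=frozenset()):
    """Map each source domain (not in `exclude`) that holds any of `wanted`
    on target_type:cls to the sorted subset of `wanted` it actually holds.
    Permissions granted by several rules for the same source are merged."""
    held = defaultdict(set)
    for src, tgt, rule_cls, perms in rules:
        if tgt != target_type or rule_cls != cls or src in exclude:
            continue
        held[src].update(perms & wanted)
    return {src: sorted(p) for src, p in held.items() if p}


if __name__ == "__main__":
    rules = parse_allow_rules(SAMPLE_RULES)
    print("domains other than user_t that can put content into user_tmp_t files:")
    for dom, perms in sorted(domains_with(rules, "user_tmp_t", WRITE_PERMS, exclude={"user_t"}).items()):
        print(f"  {dom}: {' '.join(perms)}")
    print("domains that can execute user_tmp_t files:")
    for dom, perms in sorted(domains_with(rules, "user_tmp_t", EXEC_PERMS).items()):
        print(f"  {dom}: {' '.join(perms)}")
```

Run against the sample, the first listing contains exactly the three mail and browser domains from the reply, each with append, create and write, while example_viewer_t (read-only) and example_daemon_t (directory class only) drop out; the second listing shows that in this sample only user_t can execute the files, which is the permission the patch removes. Feeding the script real sesearch output instead of the constructed text gives the audit the reply asks for.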