<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://blog.gmane.org/gmane.linux.gentoo.hardened">
    <title>gmane.linux.gentoo.hardened</title>
    <link>http://blog.gmane.org/gmane.linux.gentoo.hardened</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.hardened/5498"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.hardened/5496"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.hardened/5483"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.hardened/5462"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.hardened/5460"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.hardened/5459"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.hardened/5457"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.hardened/5452"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.hardened/5449"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.hardened/5447"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.hardened/5444"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.hardened/5443"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.hardened/5436"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.hardened/5431"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.hardened/5429"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.hardened/5428"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.hardened/5425"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.hardened/5421"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.hardened/5418"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.hardened/5414"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.hardened/5498">
    <title>xattr/acl/cap</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.hardened/5498</link>
    <description>&lt;pre&gt;Hi!

I'm not sure if this is the right place to ask…

What is the current status of filesystem xattr, ACL and caps?

I usually keep all of this disabled in the kernel, because I don't use them
and wanna avoid needless complexity. But today consolekit (which I don't
use, but which is installed anyway as someone's dependency) asked me to
enable CONFIG_TMPFS_POSIX_ACL. And I decided to check all this crap once again.

I may be wrong here, but after a glance at it I got this impression:

XATTR
    Needed only if you use ACL or CAPS (or wanna play with custom file
    attributes).
ACL
    Not sure about the consolekit requirement above, but otherwise it looks
    useless (if you don't need to use complicated file permissions).
CAPS
    Looks promising, it's always good to remove the suid bit, BUT:
    a) it looks like the only app which uses it now on my workstation is
wireshark; even /bin/ping is still installed suid
    b) pam_cap.so isn't used by default (not sure why) so you can't change
a user's default capabilities using /etc/security/capability.conf

So, until most/all suid apps in portage get CAPS support, for me it looks
like it's better to switch off all these things.

&lt;/pre&gt;</description>
    <dc:creator>Alex Efros</dc:creator>
    <dc:date>2012-05-20T21:35:51</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.hardened/5496">
    <title>Does hardened-sources include the Gentoo patchset?</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.hardened/5496</link>
    <description>&lt;pre&gt;Does anyone know if hardened-sources includes the Gentoo patchset?

- Grant


&lt;/pre&gt;</description>
    <dc:creator>Grant</dc:creator>
    <dc:date>2012-05-20T20:09:35</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.hardened/5483">
    <title>systemd and gentoo</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.hardened/5483</link>
    <description>&lt;pre&gt;I've recently come across some articles about the hal - dbus - udev -
consolekit - upower udisks - systemd movement. And there's openrc. A
couple of months ago I converted the systems to openrc.
What should we prepare for next? When will it happen? Is it already
happening?
Somebody should pull the brakes, please.

Regards:
Dw.
&lt;/pre&gt;</description>
    <dc:creator>Tóth Attila</dc:creator>
    <dc:date>2012-05-18T01:01:00</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.hardened/5462">
    <title>hardened-sources-3.2.11 + i965 + x.org: possible regression</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.hardened/5462</link>
    <description>&lt;pre&gt;I'm planning on submitting a bug, but thought I'd poll the population
first since I'm having trouble putting together a good bug report
(solid lockup).

It's been a while since I updated the kernel on my T61, was at
hardened-sources-3.2.1.  Updating to 3.3.6 this week produced a viable
kernel, but when X starts the system locks hard.  In trying different
kernels I've found that the regression is somewhere between the
3.2.2-r1 and 3.2.11 versions in the mainstream portage tree.  The
following is the only dump I've been able to capture, as about 9/10
the system locks beyond SSH recovery; apologies for the zram/zcache
taint, it was captured before I started debugging and eliminated
those.  It is, however, consistent with all subsequent ones I've seen
(same IP, same call trace).  I do notice that 'make oldconfig' in the
3.2.11 tree with the config from 3.2.2-r1 comes up with a single new
option, CONFIG_KCOPY.  Thoughts?

BUG: unable to handle kernel NULL pointer dereference at 0000000000000018
IP: [&amp;lt;ffffffff81278070&amp;gt;] i915_gem_execbuffer_reserve.clone.10+0x14/0x330
PGD 7660e000
Oops: 0000 [#1] SMP
CPU 1
Modules linked in: af_packet xt_tcpudp nf_conntrack_ipv4
nf_defrag_ipv4 xt_state nf_conntrack iptable_filter ip_tables
ip6table_filter ip6_tables x_tables ipv6 xfs zcache(C) zram(C) loop
fuse fat kvm_intel kvm isofs tun snd_hda_codec_analog pcmcia arc4
sr_mod cdrom sdhci_pci firewire_ohci pcspkr i2c_i801 sdhci
yenta_socket mmc_core firewire_core iwl4965 pcmcia_rsrc pcmcia_core
crc_itu_t iwl_legacy snd_hda_intel mac80211 uhci_hcd ehci_hcd
snd_hda_codec cfg80211 snd_hwdep snd_pcm usbcore snd_page_alloc e1000e
usb_common snd_timer thinkpad_acpi nvram hwmon snd tpm_tis soundcore
wmi tpm rfkill battery ac tpm_bios evdev unix

Pid: 3272, comm: X Tainted: G         C   3.2.11-hardened #2 LENOVO
7659C29/7659C29
RIP: 0010:[&amp;lt;ffffffff81278070&amp;gt;]  [&amp;lt;ffffffff81278070&amp;gt;]
i915_gem_execbuffer_reserve.clone.10+0x14/0x330
RSP: 0018:ffff880075421b58  EFLAGS: 00010292
RAX: ffff88007584c200 RBX: ffff880075421c88 RCX: ffff880075421c88
RDX: ffff880075421c88 RSI: ffff880075421c88 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffff88007671b070 R09: ffff8800756c4300
R10: 0000000000000002 R11: 0000000000000000 R12: ffff880075421da8
R13: ffff880074f39000 R14: ffff880075f86960 R15: 0000000000000000
FS:  0000032c1cd63880(0000) GS:ffff88007d500000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000018 CR3: 00000000013aa000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process X (pid: 3272, threadinfo ffff8800754b2028, task ffff8800754b1c00)
Stack:
 0000000000000020 ffff880075f869a0 0000007831f934b0 ffffffff81277d71
 ffff88007a29cc00 0000000000000000 0000000000000000 ffff880075421da8
 ffff880074f39000 ffff880075f86960 0000000000000002 ffffffff81278d7c
Call Trace:
 [&amp;lt;ffffffff81277d71&amp;gt;] ? copy_from_user+0xf3/0x134
 [&amp;lt;ffffffff81278d7c&amp;gt;] ? i915_gem_do_execbuffer.clone.12+0x9de/0x1256
 [&amp;lt;ffffffff81279a24&amp;gt;] ? i915_gem_execbuffer2+0xe2/0x256
 [&amp;lt;ffffffff810aebdd&amp;gt;] ? handle_pte_fault+0x61f/0x67f
 [&amp;lt;ffffffff81254463&amp;gt;] ? drm_ioctl+0x39a/0x5c4
 [&amp;lt;ffffffff81279942&amp;gt;] ? i915_gem_execbuffer+0x34e/0x34e
 [&amp;lt;ffffffff810de7a6&amp;gt;] ? do_vfs_ioctl+0x62d/0x6d8
 [&amp;lt;ffffffff8139efa0&amp;gt;] ? page_fault+0x30/0x40
 [&amp;lt;ffffffff8139ed6e&amp;gt;] ? retint_swapgs+0xc/0x12
 [&amp;lt;ffffffff810de88d&amp;gt;] ? sys_ioctl+0x3c/0x5f
 [&amp;lt;ffffffff8139f47b&amp;gt;] ? system_call_fastpath+0x18/0x1d
Code: 48 39 c2 76 09 48 83 c4 08 e9 52 e2 e4 ff 48 83 c4 08 e9 71 1d
e4 ff 41 57 49 89 ff 41 56 41 55 41 54 55 53 48 89 f3 48 83 ec 28 &amp;lt;48&amp;gt;
8b 47 18 48 8b 80 30 03 00 00 48 8b 40 08 80 38 03 48 8d 44
RIP  [&amp;lt;ffffffff81278070&amp;gt;] i915_gem_execbuffer_reserve.clone.10+0x14/0x330
 RSP &amp;lt;ffff880075421b58&amp;gt;
CR2: 0000000000000018


&lt;/pre&gt;</description>
    <dc:creator>RB</dc:creator>
    <dc:date>2012-05-16T16:54:12</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.hardened/5460">
    <title>Paxmarkings on mail-client/thunderbird</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.hardened/5460</link>
    <description>&lt;pre&gt;Hi,

at the moment the thunderbird-ebuild in the tree does a "pax mark m"
on the binary.
At least for me thunderbird works fine if I just disable jit.

What would be the workflow for reporting that? Should I file a bug report?

With kind regards

Hinnerk

PS: A "proof of concept" ebuild (just the diff) that works for me
follows:


- --- /usr/portage/mail-client/thunderbird/thunderbird-12.0.1.ebuild
2012-05-08 11:31:16.000000000 +0200
+++ thunderbird-12.0.1.ebuild2012-05-16 16:34:26.111099366 +0200
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -33,7 +33,8 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt;
 KEYWORDS="~alpha ~amd64 ~arm ~ppc ~ppc64 ~x86 ~x86-fbsd ~amd64-linux
~x86-linux"
 SLOT="0"
 LICENSE="|| ( MPL-1.1 GPL-2 LGPL-2.1 )"
- -IUSE="bindist gconf +crashreporter +crypt +ipc +lightning +minimal
mozdom +webm"
+IUSE="bindist gconf +crashreporter +crypt +ipc +lightning +minimal mozdom
+pax_kernel +webm"

 PATCH="thunderbird-10.0-patches-0.1"
 PATCHFF="firefox-12.0-patches-0.1"
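Review bot: the new pax_kernel flag is added to IUSE in this hunk, but nothing in the diff adds the matching local USE flag description to metadata.xml, which Gentoo QA requires for every flag in IUSE; that entry belongs in the same change. Also, the mailer has wrapped the KEYWORDS and IUSE lines (~x86-linux", mozdom +webm" and +pax_kernel +webm" each sit on their own line), so this diff will not apply with patch as posted; attach it as a file when filing the bug.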
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -174,6 +175,12 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt;
 mozconfig_use_enable lightning calendar
 mozconfig_use_enable gconf

+if use pax_kernel; then
+   mozconfig_annotate '' --disable-methodjit
+   mozconfig_annotate '' --disable-tracejit
+fi
+
+
 # Bug #72667
 if use mozdom; then
 MEXTENSIONS="${MEXTENSIONS},inspector"
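Review bot: both mozconfig_annotate calls in this hunk pass an empty string ('') as the first argument, which is the reason recorded next to the option in the generated mozconfig; pass 'pax_kernel' there so the annotation explains why --disable-methodjit and --disable-tracejit were set. The two trailing blank '+' lines after the fi add nothing and should be dropped.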
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -281,7 +288,6 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt;
 -i "${ED}"/usr/share/applications/${PN}.desktop
 fi

- -pax-mark m "${ED}"/${MOZILLA_FIVE_HOME}/thunderbird-bin

 share_plugins_dir
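Review bot: removing the pax-mark m line unconditionally means that with USE=-pax_kernel the binary is neither built without JIT nor PaX-marked, which is a regression for anyone on a PaX kernel who does not set the new flag; keep the marking for the non-pax_kernel case, e.g. use pax_kernel || pax-mark m "${ED}"/${MOZILLA_FIVE_HOME}/thunderbird-bin, so the current behaviour survives when the flag is off.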


&lt;/pre&gt;</description>
    <dc:creator>Hinnerk van Bruinehsen</dc:creator>
    <dc:date>2012-05-16T14:39:39</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.hardened/5459">
    <title>SELinux base policy rev 9 in hardened-dev</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.hardened/5459</link>
    <description>&lt;pre&gt;Hi guys,

I've pushed out rev 9 of the base policies to the hardened-dev overlay. It
includes the following changes:

** 2012-05-15 Revision 9

&amp;lt;no bug&amp;gt;        Introduce named file transition support in policies (backport)
&amp;lt;no bug&amp;gt;        Eliminate "*_except_auth_files" expressions through new attribute (backport)
&amp;lt;no bug&amp;gt;        Update symbol in clamav_append_log interface (backport)
#411719         Update python scripts to further enhance support #python3
#413065         Allow passwd_t to read default context definitions
#413061         Allow groupadd_t to read default context definitions
#410951         Use /usr/lib and /lib instead of the /usr/lib(64)? and similar calls

Wkr,
Sven Vermeulen


&lt;/pre&gt;</description>
    <dc:creator>Sven Vermeulen</dc:creator>
    <dc:date>2012-05-15T18:06:29</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.hardened/5457">
    <title>Gentoo Hardened Meeting 2012-05-16 20:00UTC</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.hardened/5457</link>
    <description>&lt;pre&gt;Hello,

As usual we will be holding our traditional monthly project meeting on
2012-05-16 at 20:00UTC in the #gentoo-hardened channel on the freenode
network.
You are advised to attend since in these meetings the short-term goals of
the project are usually defined and we'd appreciate input regarding them
and positive criticism from any interested parties.
In the meeting the current status of the project is also stated by the
developers, so if you want to know how the project is doing you may want
to either be there or read the logs, although the logs may take a little
more time to be ready.
Finally, if you are planning to contribute, the meeting is also a good
place to see which issues need handling in the project.

The agenda planned for the meeting is:
1.0 Toolchain
2.0 Kernel
3.0 Selinux
  3.1 Selinux eclass
4.0 Grsec/PaX
5.0 Profile
6.0 Docs
7.0 Bugs
8.0 Media
9.0 Open floor

Also, attached to the e-mail you will find an event invitation in case you
want to add the meeting time to your calendar so you don't forget about it.

We look forward to seeing you at the meeting.
Best regards,
Francisco Blas Izquierdo Riera (klondike)
Gentoo Hardened Project Staffer

&lt;/pre&gt;</description>
    <dc:creator>Francisco Blas Izquierdo Riera (klondike)</dc:creator>
    <dc:date>2012-05-13T20:31:39</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.hardened/5452">
    <title>Invalid opcode</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.hardened/5452</link>
    <description>&lt;pre&gt;This isn't really a hardened issue specifically, but since that's the
profile I'm running and this is the list that I'm already subscribed to,
thought I'd go ahead and post here.  See if one of you folks can offer
some suggestions for me. 

I have an old Pentium 4 machine with a fresh stable amd64 hardened
install that I am planning to use as a dedicated Asterisk server.
Everything seems fine with one exception.  I cannot unmerge any
packages.  Neither --depclean nor -C will work.  They both bomb out as
soon as the 5 second countdown starts.  The message said Invalid
instruction and the syslog indicated it was in time.so

klogd: emerge[28440] trap invalid opcode ip:2612992f7ac sp:3bbcc5cea60
error:0 in time.so[2612992d000+4000]

Then as I was working on asterisk when I got to the point where I was
configuring voicemail and was trying to record the name from a phone
extension, asterisk crashed after starting the recording.  It will limit
the length of the recording to just a few seconds, so the common factor
here seems to be related to counting seconds.  Here is the message from
syslog about Asterisk.

klogd: asterisk[2794] trap invalid opcode ip:1bd2a5e33a sp:2bb49ccdeb0
error:0 in asterisk[1bd29a3000+202000]

I did some poking around with google and so far haven't come up with
anything too useful.  I ran memtest86+ for around 11 hours and it didn't
come up with any errors.  So, I'm thinking I've got something borked in
my USE flags or system config, but I really don't know what it could
be.  The system seems stable and the problem isn't random.  Anyone have
ideas on what I can try to get this resolved?  Here is the cpuinfo in
case that is helpful.....

cat /proc/cpuinfo
processor       : 0
vendor_id       : GenuineIntel
cpu family      : 15
model           : 4
model name      : Intel(R) Pentium(R) 4 CPU 3.00GHz
stepping        : 3
microcode       : 0x5
cpu MHz         : 2992.342
cache size      : 2048 KB
physical id     : 0
siblings        : 2
core id         : 0
cpu cores       : 1
apicid          : 0
initial apicid  : 0
fpu             : yes
fpu_exception   : yes
cpuid level     : 5
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge
mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe
syscall nx lm constant_tsc pebs bts nopl pni dtes64 monitor ds_cpl est
cid cx16 xtpr
bogomips        : 5984.68
clflush size    : 64
cache_alignment : 128
address sizes   : 36 bits physical, 48 bits virtual
power management:

processor       : 1
vendor_id       : GenuineIntel
cpu family      : 15
model           : 4
model name      : Intel(R) Pentium(R) 4 CPU 3.00GHz
stepping        : 3
microcode       : 0x5
cpu MHz         : 2992.342
cache size      : 2048 KB
physical id     : 0
siblings        : 2
core id         : 0
cpu cores       : 1
apicid          : 1
initial apicid  : 1
fpu             : yes
fpu_exception   : yes
cpuid level     : 5
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge
mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe
syscall nx lm constant_tsc pebs bts nopl pni dtes64 monitor ds_cpl est
cid cx16 xtpr
bogomips        : 5984.74
clflush size    : 64
cache_alignment : 128
address sizes   : 36 bits physical, 48 bits virtual
power management:

&lt;/pre&gt;</description>
    <dc:creator>Stan Sander</dc:creator>
    <dc:date>2012-04-30T16:10:20</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.hardened/5449">
    <title>Eclass update to support user-specific (overlay-driven) policy enhancements</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.hardened/5449</link>
    <description>&lt;pre&gt;Hi guys,

"""
tl;dr: New eclass supports users providing SELinux module files (the .fc,
.te and .if files) through their ebuilds' files/ directory rather than
through ugly patches.
"""

One of the things I'm hoping to accomplish soon is to better support users
in their quest to update the SELinux policies. Although we continue to
strive towards a working set of policies for most users, we should help
users to update the policies themselves when it matches their requirements,
but not necessarily ours.

A huge part on this is of course documentation, so I'm definitely going to
put much focus there, but another thing would be to support users in
user-specified SELinux policy modules.

Until now, the feedback to the user was to create the module, build it
manually and load it in the system. This works well of course (it is the
de-facto way of handling things) but I was wondering why users wouldn't be
able to provide these modules towards other users in overlays.

Until now, this meant that the user had to set up a development environment,
add in the module files, generate a patch and then include that patch in an
ebuild package. That's not really efficient for most users, so I updated the
eclass (currently only in hardened-dev overlay for testing) to support a
POLICY_FILES="" variable. 

When such an ebuild contains a setting like:
POLICY_FILES="jbossas.te jbossas.fc"
then these files, found in the files/ directory, are automatically built and
loaded just like official modules. No need for patching or creating
development areas just to load the modules: write the code, put it in the
files/ directory and you're done.

The second change is to support interfaces for these modules. In SELinux,
interfaces provide a way for other modules to call privileges specific for
this module. For instance, in the example of jbossas (JBoss Application
Server module), this could be a jbossas_domtrans() interface, allowing one
domain to call JBoss AS and transition to the jbossas_t domain.

Until now, we cannot update interfaces easily since interfaces were only
manageable by the selinux-base package. Every update on interfaces meant an
update on the base policy. With the change currently in the overlay,
user-provided modules can now provide their own .if file as well, which gets
installed. They can't overwrite the interfaces provided by the
selinux-base package (that's still our domain) but can provide interfaces
that other modules can use:
POLICY_FILES="jbossas.te jbossas.fc jbossas.if"

One thing I'm not that happy about is some trick I included in the eclass
for now to decide if a .if file can be installed as well or not. I check if
the file is provided through POLICY_FILES (which means a 3rd party module)
and then place a trigger file in ${S}/strict/ called ".install_interfaces"
because I need this information in a later phase of the ebuild. I use this
because I don't like introducing global variables in ebuilds, but this might
be wrong (QA-wise) of me. I'll check with the QA folks a bit later (after
some more testing).

Wkr,
Sven Vermeulen


&lt;/pre&gt;</description>
    <dc:creator>Sven Vermeulen</dc:creator>
    <dc:date>2012-04-26T18:58:41</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.hardened/5447">
    <title>Meeting log from 2012-04-18 20:00 meeting.</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.hardened/5447</link>
    <description>&lt;pre&gt;Log from the meeting.

/Magnus
&lt;/pre&gt;</description>
    <dc:creator>Magnus Granberg</dc:creator>
    <dc:date>2012-04-23T22:49:47</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.hardened/5444">
    <title>SELinux base policy rev 8 in hardened-dev</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.hardened/5444</link>
    <description>&lt;pre&gt;Hi guys,

Revision 8 of the 2.20120215 policies is now in the hardened-dev overlay.
It contains the following changes:

&amp;lt;no bug&amp;gt;        Update whitespace in python scripts (support python3)
#411149         Introduce httpd_setrlimit to support setrlimit/sys_resource on apache (for lighttpd)
#411943         Allow unconfined users to start X (or XFCE) from the commandline

Testing is, as always, appreciated. However, the changes are non-intrusive
and I'm going to make a few more intrusive changes now which will need a bit
more testing, so I'm heading out with rev 8 now.

Also, I've moved the repository I use for maintaining the policies from
github to gogo [1]. I didn't use the git magic, just a copy of the sources,
as patching is always done in an incremental manner (and not through git
patches)... for now ;-)

I'll have our SELinux development guide also updated to have users base
their patches from this tree instead, that should make development a bit
easier for them.

Wkr,
  Sven Vermeulen


&lt;/pre&gt;</description>
    <dc:creator>Sven Vermeulen</dc:creator>
    <dc:date>2012-04-22T08:35:40</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.hardened/5443">
    <title>Tips for VMware Workstation with Hardened Profile ?</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.hardened/5443</link>
    <description>&lt;pre&gt;Hi,

I've just built vmware-workstation on a hardened box with a 3.0.4 hardened
kernel ...
I emerged the vmware product with the server flag, to be able to remotely
connect to it ...
The vmware init script starts and loads the modules into the kernel perfectly ... but,

When I try to start the vmware-workstation-server init script, I get the
following grsec log:

Apr 22 01:00:23  kernel: grsec: From denied access of range 0 -&amp;gt; 100000
in /dev/mem by
/opt/vmware/lib/vmware/bin/vmware-hostd[vmware-hostd:11737] uid/euid:0/0
gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Apr 22 01:02:21  kernel: grsec: From : Abort occurred at
0000000000002ed3 in
/opt/vmware/lib/vmware/bin/vmware-vim-cmd[vmware-vim-cmd:11987]
uid/euid:0/0 gid/egid:0/0, parent
/opt/vmware/lib/vmware/bin/vmware-vim-cmd[vmware-vim-cmd:11886]
uid/euid:0/0 gid/egid:0/0
Apr 22 01:02:21  kernel: grsec: From  denied resource overstep by
requesting 4096 for RLIMIT_CORE against limit 0 for
/opt/vmware/lib/vmware/bin/vmware-vim-cmd[vmware-vim-cmd:11987]
uid/euid:0/0 gid/egid:0/0, parent
/opt/vmware/lib/vmware/bin/vmware-vim-cmd[vmware-vim-cmd:11886]
uid/euid:0/0 gid/egid:0/0                                    

After some googling (without any success), I decided to post here to get
some advice from people already running this product with the same
configuration (I'm not sure paxctl will change anything here)...

Can anyone around help?

Thanks in advance for your answer.

Cya

&lt;/pre&gt;</description>
    <dc:creator>mRyOuNg</dc:creator>
    <dc:date>2012-04-21T23:24:47</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.hardened/5436">
    <title>RFC: Removing -unicode from all hardened profiles</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.hardened/5436</link>
    <description>&lt;pre&gt;Hi everyone,

I'd like to remove USE="-unicode" from make.defaults at the root level
of all hardened profiles.  The request came from jmbsvicetto because he
required it for the hardened stages to build, but to be honest, I don't
know why we have it disabled in hardened and it's probably leftover cruft
from days gone by.

Any reason not to, else it's gone.


&lt;/pre&gt;</description>
    <dc:creator>Anthony G. Basile</dc:creator>
    <dc:date>2012-04-21T11:05:52</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.hardened/5431">
    <title>SBCL working at all with GRsec and PaX?</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.hardened/5431</link>
    <description>&lt;pre&gt;Heya folks,

The only version of SBCL I have that actually works is one I compiled
under gentoo-sources with vanilla GCC.

Has anyone managed to compile even a remotely recent version of SBCL
under hardened?

I was using an overlay to attempt to get dev-lisp/sbcl-1.0.55-r1 but
absolutely no version I've found works (even after changing the one in
the overlay because it was using pax-tool or something instead of
paxctl to deal with the sbcl kernel-image-thinger).

This is the last build log I got out of it: 
http://bpaste.net/show/7iYaCGigirPZI6UQFrac/
Sorry it's a huge mess but it seems a lot of the dev-lisp packages like
to ignore some of the common conventions!

It's mainly for a friend who has an account on the machine that I'm
trying to get a relatively recent version of SBCL on the go since the
machine's a bit of a powerhouse and SBCL can output some blazingly fast
programs.

Cheers!
Nay
&lt;/pre&gt;</description>
    <dc:creator>napalm-/2QkOuYdtStvsvE28MkURw&lt; at &gt;public.gmane.org</dc:creator>
    <dc:date>2012-04-16T22:44:27</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.hardened/5429">
    <title>libreoffice's unopkg.bin segfaults without paxmarking on my systems</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.hardened/5429</link>
    <description>&lt;pre&gt;While I emerged the libreoffice-l10n upgrade, I noticed that unopkg.bin
segfaults multiple times as it gets called, on my systems.
After paxctl -m it worked.

soffice.bin has been already paxmarked by the ebuild.
Wouldn't it be good to add:
pax-mark -m "${EPREFIX}"/usr/$(get_libdir)/libreoffice/program/unopkg.bin
as well?

Should I open a bug for it?

Regards:
Dw.
&lt;/pre&gt;</description>
    <dc:creator>Tóth Attila</dc:creator>
    <dc:date>2012-04-15T23:47:33</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.hardened/5428">
    <title>Meeting 2012-04-18 20:00UTC</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.hardened/5428</link>
    <description>&lt;pre&gt;Hi

Time for a new meeting.
It is on gentoo-hardened at freenode (irc)

Agenda
1.0 Toolchain
2.0 Kernel
3.0 Selinux
4.0 Grsec/PaX
5.0 Profiles
6.0 Docs
7.0 Bugs
8.0 Media
9.0 Open floor

/Magnus


&lt;/pre&gt;</description>
    <dc:creator>Magnus Granberg</dc:creator>
    <dc:date>2012-04-15T13:23:30</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.hardened/5425">
    <title>samba 4 MLS --&gt; strict modules</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.hardened/5425</link>
    <description>&lt;pre&gt;In the samba 4 howto, the instructions related to selinux apply to RH, and
when I tried to compile this module, I had an error because I'm running
in strict mode and semodule tells me it's an MLS module. What do I need to
modify in this module to run it in strict mode?

Thanks
Alain


module samba4 1.0;

require {
    type ntpd_t;
    type usr_t;
    type initrc_t;
    class sock_file write;
    class unix_stream_socket connectto;
}

#============= ntpd_t ==============
allow ntpd_t usr_t:sock_file write;
allow ntpd_t initrc_t:unix_stream_socket connectto;


&lt;/pre&gt;</description>
    <dc:creator>Alain Toussaint</dc:creator>
    <dc:date>2012-04-14T14:41:48</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.hardened/5421">
    <title>emerge via ssh doesn't work</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.hardened/5421</link>
    <description>&lt;pre&gt;Hello,

I am building a headless server and for the most part, now
that I have labelled everything (selinux), I am not able to continue
emerging software via ssh. I know that it is a security feature but is
there something I can change in my setup, or else I’ll need to get a
monitor for the machine?



Alain
&lt;/pre&gt;</description>
    <dc:creator>Alain Toussaint</dc:creator>
    <dc:date>2012-04-12T19:41:50</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.hardened/5418">
    <title>SELinux base policy rev 7 in hardened-dev</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.hardened/5418</link>
    <description>&lt;pre&gt;Hi guys,

I just pushed selinux-base* revision 7 to the hardened-development overlay.
It contains only a few changes, namely:

#401595         Mark .pwd.lock as etc_t
#411193         Support init scripts working with cgroups (manage cgroup_t)
#403293         Support SELinux-aware cronie and have it create cronjob_t keys

Still, since rev 6 was two weeks ago and the init script stuff might be a bit
too blocking for some, and it's raining here, it's a good time to push this
out.

Wkr,
Sven Vermeulen


&lt;/pre&gt;</description>
    <dc:creator>Sven Vermeulen</dc:creator>
    <dc:date>2012-04-11T17:46:45</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.hardened/5414">
    <title>www-client/chromium SELinux sandbox</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.hardened/5414</link>
    <description>&lt;pre&gt;I'm experimenting with Chromium SELinux sandbox
(&amp;lt;http://code.google.com/p/chromium/wiki/LinuxSandboxing&amp;gt;) and came up
with a working policy module (attached).

Note that for that to be effective one has to compile chromium with
-Dselinux=1 gyp flag, and I've not yet committed such change to CVS
(waiting for 20.x dev channel release, so that it has a lot of testing
before unmasking).

How does the attached policy look to you? (I'm an SELinux newbie, although
I probably know Chromium pretty well as its developer and packager)

You can also compare that with policy module written for Chromium by
another Chromium developer in 2010:
&amp;lt;http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/linux/selinux/chromium-browser.te?view=markup&amp;gt;

What are the next steps to add this policy to Gentoo?

policy_module(chromium-browser,1.0.0)

gen_require(`
  type tmp_t;
  type tmpfs_t;
  type unconfined_t;
  type user_tmpfs_t;
  type urandom_device_t;
  type xdg_config_home_t;
  role unconfined_r;
')

type chromium_renderer_t;
domain_base_type(chromium_renderer_t)
role unconfined_r types chromium_renderer_t;

allow unconfined_t chromium_renderer_t:process dyntransition;

allow chromium_renderer_t self:fifo_file { read write };
allow chromium_renderer_t self:process execmem;
allow chromium_renderer_t self:shm { create destroy read write unix_read unix_write };
allow chromium_renderer_t self:unix_dgram_socket { create read sendto };
allow chromium_renderer_t self:unix_stream_socket { create getattr read };

allow chromium_renderer_t tmp_t:dir { read getattr open };
allow chromium_renderer_t tmpfs_t:file { read write };
allow chromium_renderer_t user_tmpfs_t:file { read getattr append };

allow chromium_renderer_t unconfined_t:fd use;
allow chromium_renderer_t unconfined_t:unix_stream_socket { read write };

allow chromium_renderer_t urandom_device_t:chr_file { getattr open read };

allow chromium_renderer_t xdg_config_home_t:file { getattr read };

miscfiles_read_localization(chromium_renderer_t);
miscfiles_read_fonts(chromium_renderer_t);
&lt;/pre&gt;</description>
    <dc:creator>Paweł Hajdan, Jr.</dc:creator>
    <dc:date>2012-04-10T11:11:36</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.hardened/5412">
    <title>keyword: amd64 or ~amd64?</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.hardened/5412</link>
    <description>&lt;pre&gt;Hello everyone,

I’m building from scratch a Samba file server on which I may
use the samba4 git version (i.e. not a package from Gentoo) but the rest will
be stock Gentoo and for the moment, I’m running stable and the profile is
amd64/no-multilib/selinux. In order to have a good set of policies, should
I run ~amd64 or will the default be fine?

This is for a small workgroup server with 5 clients.

The machine is a dual core AMD Athlon 4600 with 4GB of ram and, for the
moment, 280GB of disk space.

Alain
&lt;/pre&gt;</description>
    <dc:creator>Alain Toussaint</dc:creator>
    <dc:date>2012-04-09T22:36:00</dc:date>
  </item>
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.linux.gentoo.hardened">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.linux.gentoo.hardened</link>
  </textinput>
</rdf:RDF>

