Research
Skip Research Menus
Research MenuSecurity Enhanced Linux What's New Frequently Asked Questions Background Documents License Download Participating Mail List Archives Remaining Work Contributors Related Work Press Releases Information Assurance Research NIARL In-house Research Areas Mathematical Sciences Program Sabbaticals Computer & Information Sciences Research Technology Transfer Advanced Computing Advanced Mathematics Communications & Networking Information Processing Microelectronics Other Technologies Technology Fact Sheets Publications Related Links |
SELinux Mailing ListRe: Tonights rawhide contains a fix to stop xspy.
From: Eamon Walsh <ewalsh_at_tycho.nsa.gov>
Date: Mon, 03 Mar 2008 17:04:18 -0500
>> Daniel J Walsh wrote: >>> -----BEGIN PGP SIGNED MESSAGE----- >>> Hash: SHA1 >>> >>> Eamon Walsh wrote: >>>> Daniel J Walsh wrote: >>>> Basically if you turn on xserver_object_manager boolean, no applications >>>> will be allowed to read the x_device. This stops xspy as you said dead >>>> in its tracks, but some other applications start to get AVC's around >>>> querypointer, and eventually I hung the server. You mentioned in >>>> another email, that you were going to change the querypointer to a >>>> getattr rather then a read, I think this is necessary, to make this >>>> work. >>>> >>>>> I have attached a patch that will do this. There is another request, >>>>> XKEYBOARD:GetState, that also requires read and I've noticed that >>>>> gnome-settings-daemon is calling it (see below). If you want to drop >>>>> that down to getattr too, let me know; it doesn't look like it returns >>>>> the whole keyboard like XQueryKeymap does, however both it and >>>>> XQueryPointer return the mouse buttons and the modifier keys (shift, >>>>> alt, ctrl, etc.). Long-term we really need to get applications to stop >>>>> calling these. >>> Is there any way to differentiate the mouse from the keyboard, why are >>> the the same type? >> The idea behind the PAM work is to relabel the devices at login time. >> It's kind of a moot point though because XQueryPointer returns both >> mouse and keyboard state and should technically require read permission >> on both devices. >> > Ok. > >>> Can you get this patch upstream, it is a lot easier >>> to get it into rawhide that way. >> The patch is upstream now, with a big /*XXX*/ on it. Tom London's >> compiz issues are fixed as well. >> >> > I already wrote a reply to this once, but the X Controls hung my > machine. So this is good news. > >>> Open bugzilla's on any you find, is the best way to get it fixed. >>> >> Rest assured I will. >> >>>>> "Manage" permission on devices is another can of worms you may care to >>>>> open at some point. Anyone with that can remap the keys or do other >>>>> things that affect the device globally. >>>>> The other AVC's I'm getting are from interactions between staff_mono >>>>> and >>>>> staff. I believe that this the result of a small application such as >>>>> the clock or load graph being staff_mono_t, running inside gnome-panel >>>>> which is staff_t. This is the type of thing I was trying to solve with >>>>> the 4-argument templates that allowed some permissions among the entire >>>>> "role's" windows (however manage was not one of them). >>> Yes this is one of the reasons that I like the ability to extend >>> contexts so all privs of staff_t are inherited by staff_mono_t plus the >>> exec checks. >>> >>> staff_mono_t == staff_t + execmem execstack; >> This would be more than simple inheritance though. This would be >> implicitly granting staff_mono_t and staff_t permissions on each other >> as well. >> > I am using the staff_usertype attribute for the "isa" type domains. > > And basically writing > > allow staff_usertype staff_usertype:* *; > > So we need to extend this to the X Controls. >>> I think we are going to need an interface that says one domain can play >>> communicate with another domain, sort of the dbus_chat type interfaces. >> This or the inheritance thing will be necessary, yes, until a better >> handle is gotten on the interaction issues. >> > Right this inheritance works for "isa" domains (mono and java) but will > not work if we want to isolate nsplugin_t or staff_firefox_t. So we > will need to figure out the minimal communication needed between the > confined X-Application and the XYZ_usertype. > >> Have you considered starting out by supporting a simpler desktop >> environment, such as XFCE? > > No. I want to get stuff that is useful to the larger community. What > low hanging fruit can I grab to help out unconfined users on a > gnome/gtk/gconf/metacity/compiz platform. I will leave the XFCE to MLS > people who are trying to prevent malicious information flow. > > Can I prevent all apps from sniffing passwords? Not without putting apps into separate domains.
> Can I prevent all nsplugin_t from putting up a login screen? You can prevent nsplugin_t from creating child windows of the root window (as opposed to child windows of the firefox window).
> Can I Yes, by denying permissions on other types of windows.
> Apps in the same domain can listen to keyboard events from each other's windows, fullstop. -- Eamon Walsh <ewalsh@tycho.nsa.gov> National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.Received on Mon 3 Mar 2008 - 17:05:07 EST |
|
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009 |