[go: up one dir, main page]
|
|
Log in / Subscribe / Register

SELinuxDenyPtrace and security by default

SELinuxDenyPtrace and security by default

Posted Apr 12, 2012 6:15 UTC (Thu) by slashdot (guest, #22014)
In reply to: SELinuxDenyPtrace and security by default by dlang
Parent article: SELinuxDenyPtrace and security by default

The copy of LibreOffice has the same permissions of the game: none (i.e. the same as a random uid).

You open files like this:
1. User clicks Open in LibreOffice
2. LibreOffice asks GTK+ to run the Open dialog
3. GTK+ doesn't open the dialog, but instead sends a request via D-Bus to the session file manager
4. The session file manager opens the Open dialog
5. The user selects the file to open
6. The session file manager instructs the kernel LSM to grant access to the user-selected path to LibreOffice
7. The session file manager gives the user-selected path (either as a path, or as an FD over AF_UNIX that becomes /proc/self/fd/#) back to LibreOffice's GTK+ via D-Bus, which then gives it to LibreOffice
8. LibreOffice opens the file

Of course, this also needs a properly designed windows manager that doesn't let random clients simulate keystrokes and other nefarious stuff.

The game can try to do the same, but the user is unlikely to choose his own personal files when asked about which file to open.

Of course, there's a bunch of other scenarios that need to be handled, but it's all fixable with minimal or no changes to applications.

to post comments

SELinuxDenyPtrace and security by default

Posted Apr 12, 2012 7:08 UTC (Thu) by hppnq (guest, #14462) [Link] (4 responses)

9. LibreOffice chokes on the malicious input it read from the file.

You can't base your security model on trusting sources that can't be trusted. But maybe you're just taking the mickey.

SELinuxDenyPtrace and security by default

Posted Apr 12, 2012 9:19 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]

So what? If Libreoffice is properly sandboxed then it can't access other files and at most can be used to send out spam (if networking is enabled) until Libreoffice process is killed.

Of course, it leaves the problem of local vulnerabilities. But that's another story.

SELinuxDenyPtrace and security by default

Posted Apr 12, 2012 9:19 UTC (Thu) by renox (guest, #23785) [Link]

So what? If LibreOffice has no permissions, it cannot do much harm..

SELinuxDenyPtrace and security by default

Posted Apr 12, 2012 9:24 UTC (Thu) by slashdot (guest, #22014) [Link] (1 responses)

But it can't do any real damage, because it has no permissions to do so.

Also, with NX and ASLR, it should be next to impossible to actually do anything beyond crashing the application with a single document.

SELinuxDenyPtrace and security by default

Posted Apr 12, 2012 16:20 UTC (Thu) by hppnq (guest, #14462) [Link]

It's not extremely difficult to see the problem here: if you can't trust your editor if you need to edit your .profile, or if you can't trust it to properly handle its contents -- a program crash is not necessarily involved -- then what good is it to you that you have a secure way of opening it?

Who or what specifies what is or is not permitted?

SELinuxDenyPtrace and security by default

Posted Apr 12, 2012 14:23 UTC (Thu) by dgm (subscriber, #49227) [Link]

9. LibreOffice tries to open a second file linked in the document, or via code macro, fails miserably.
10. User swears, disables the broken security measures and goes back to working as usual.


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds