On Sat, Dec 17, 2016 at 4:07 AM, Michael Catanzaro <mcatanzaro@xxxxxxxxx> wrote:
I think that for thee short term, until we figure out what's the best way to actually sandbox thumbnailers (if that requires moving thumbnailers to a dbus service it's a lot of work that I simply don't have time for these days), we should use seccomp in all of them, at least the ones we ship by default. I might submit patches for this sometime this week, if I find the time to do that.On Sat, 2016-12-17 at 01:58 +0200, Elad Alfassa wrote:
> Also: perhaps it'll be easier to protect thumbnailers using a SELinux
> policy?
There already is such a policy. Back when WebKit used libsoup's disk
cache, you could visit your cache directory and the totem thumbnailer
would immediately try to load remote resources off the Internet to
thumbnail them. SELinux would block that. The security context of
/usr/bin/totem-video-thumbnailer is system_u:object_r:thumb_exec_ t:s0
so SELinux must be doing something there.
I think nobody ever fixed that.
Probably not doing enough.
Or maybe the policy does allow the thumbnailer to launch subprocesses, but not much more than that, and if the blog author would've tried something more than just launching a calculator SELinux would've stopped them? I don't know.
Or maybe the policy does allow the thumbnailer to launch subprocesses, but not much more than that, and if the blog author would've tried something more than just launching a calculator SELinux would've stopped them? I don't know.
On Sat, 2016-12-17 at 01:58 +0200, Elad Alfassa wrote:
> This should (in theory) be sufficient for most thumbnailers, apart
> from the gdkpixbuf ones which don't run in an external process (it
> should, at least theoretically, be easy to tear them out to an
> external process if needed, though)
Guess what Bastien did that earlier this week! It landed in gdk-pixbuf
2.36.1 so I guess it's coming to F25. Note there are a bundle of more
traditional security fixes that landed just after that release....
Awesome.
This of course wouldn't stop an exploit if the user actually *opens* the file in totem, but I don't think there's much we can do about that other than shipping totem (and all other apps too, of course) in a sandboxed flatpak.
Another thing to consider might be changing the way we package gstreamer plugins, so that obscure one such as the game music emulators will not be installed by default. However, that won't help much because an unsuspecting user might install them via the GNOME Software integration in totem, and would get pwnd anyway...
--
-Elad.
_______________________________________________ desktop mailing list -- desktop@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to desktop-leave@xxxxxxxxxxxxxxxxxxxxxxx