Re: Allowing access to session dbus from sandbox

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/13/2012 08:40 AM, Dominick Grift wrote:
> 
> 
> On Mon, 2012-08-13 at 06:33 +0100, Robin Green wrote:
>> I would like to allow chromium within a sandbox to access KWallet running
>> in KDE outside the sandbox, so that
>> 
>> (a) my website passwords cannot be directly read from within a sandbox -
>> access must be mediated by KWallet, which can prompt me for my KWallet
>> password to confirm. So if I am prompted by KWallet while on a web page
>> without a saved password, I will know something is amiss. (b) my website
>> passwords are shared between sandboxes
>> 
>> I say chromium because Firefox does not use an external wallet service.
>> 
>> I've got part-way there. Here is what I've done so far:
>> 
>> I found out that KWallet uses dbus to communicate (specifically, the 
>> session bus, because it's a desktop daemon). Because the dbus session bus
>> is by default a unix socket in /tmp, which would be hidden by seunshare,
>> I created /etc/dbus-1/session-local.conf as follows:
>> 
>> <!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration
>> 1.0//EN" "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd";> 
>> <busconfig>
>> 
>> <listen>unix:tmpdir=/dev/shm</listen>
>> 
>> </busconfig>
>> 
>> and logged out and logged back in again in order to restart the session
>> bus.
>> 
>> I then passed the dbus socket name into the sandbox at creation time
>> using
>> 
>> env
>> DBUS_SESSION_BUS_ADDRESS=unix:abstract=/dev/shm/dbus-wyOMqiEGrR,guid=8e741d603eb65ed7bf138cac00060be0
>>
>> 
xterm
>> 
>> as the command for sandbox to run.
>> 
>> To run chromium I used
>> 
>> chromium-browser --no-sandbox --password-store=kwallet
>> 
>> A couple of iterations of audit2allow and semodule -i later, I had this
>> policy module installed:
>> 
>> allow sandbox_web_client_t unconfined_dbusd_t:unix_stream_socket
>> connectto; allow sandbox_web_client_t config_usr_t:dir read; allow
>> sandbox_web_client_t unconfined_t:unix_stream_socket connectto;
>> 
>> but chromium is still outputting to the terminal this when it tries to 
>> communicate with KWallet:
>> 
>> ** (exe:9107): WARNING **: 
>> GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: An SELinux policy 
>> prevents this sender from sending this message to this recipient, 0 
>> matched rules; type="method_call", sender="(null)" (inactive) 
>> interface="org.freedesktop.DBus" member="Hello" error name="(unset)" 
>> requested_reply="0" destination="org.freedesktop.DBus" (bus)
>> 
>> I can't find relevant entries in /var/log/audit.log at first glance, so
>> maybe these are checks done by the dbus daemon itself, rather than the
>> kernel.
> 
> Also check /var/log/messages, dbus related avc denials go all over the 
> place.
> 
> If you allow this then you probably allow your sandbox to dbus chat to any
> user application running in the user domain
> 
> If you confine kwallet then you should be able to restrict your sandbox to
> only chat to kwallet via dbus.
> 
> 
> 
>> -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx 
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> 
> 
> -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx 
> https://admin.fedoraproject.org/mailman/listinfo/selinux
> 
Yes I would figure this is dbus blocking the communication.  Dbus session bus
would not be allowed to write to /var/log/audit/audit.log, so I believe
messages would end up in /var/log/messages.

This is an interesting use case.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAlApNP0ACgkQrlYvE4MpobMTCwCgmnONDGhKqU6/rCXj5NofrcXN
izUAnRTZZOum2m0a5V/2b5jtR//AUJKO
=L/ET
-----END PGP SIGNATURE-----
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux



[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux