Re: Trying to figure out the signature of a screen capture.

Daniel J Walsh wrote:
> Eamon Walsh wrote:
> > Daniel J Walsh wrote:
> >> I wanted to see if we could prevent nsplugin_t from screen capturing
> >> random parts of the Desktop.
> >>
> >> So I relabeled /usr/bin/gimp as nsplugin_exec_t, then ran it to get
> >> AVC's, when capturing a screen image, sadly no AVC's were generated, so
> >> nsplugin_t can capture screen images.
> >>
> >> I wanted to see what avc's are created when you screen capture that are
> >> different from running a standard X App, so I labeled /usr/bin/gimp and
> >> put the machine in permissive mode.  Ran gimp to the point of capturing
> >> the screen capture, and cleared the log files.
> >>
> >> When capturing the image I got the following allow rules.
> >>
> >> allow gpg_t focus_xevent_t:x_event receive;
> >> allow gpg_t input_xevent_t:x_event receive;
> >> allow gpg_t self:x_cursor destroy;
> >> allow gpg_t xdm_rootwindow_t:x_drawable { read setattr };
> >> allow gpg_t xdm_xserver_t:x_device { freeze force_cursor bell };
> >>
> >>
> >> Is there anything we could eliminate from common X Apps, to prevent
> >> nsplugin from screen capture?
> > It's "read" permission on the root window.  Remember that if you can
> > read a window, you can read all of its children as well.  So having read
> > on the root means you can see everything.
>
> > Most apps shouldn't have this, and I don't see it granted in the current
> > policy.  Actually I think GIMP launches a helper app to actually do the
> > screencap.  I remember seeing its path in the AVC message.  So maybe
> > that's why it's not working for you.
>
>
>
> So are you saying.
>
> allow gpg_t xdm_rootwindow_t:x_drawable { read setattr };
>
> If I don't allow this to apps, it would be blocked?
>
> Or some other


Yes, if you disallow the "read" above then it should bomb out with a
"BadAccess" error when you try to do the screenshot.


-- 
Eamon Walsh <ewalsh@xxxxxxxxxxxxx>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
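
The check discussed in this thread, as an added example that is not part of the original messages: a small Python parser for audit2allow-style `allow` rules that reports which source domains hold `read` on a root window `x_drawable`. The function names and the default root-window type list are assumptions of this example; the sample rules are the ones quoted in the thread.

```python
import re

# Matches "allow <source> <target>:<class> <perm>;" and the "{ p1 p2 }" form.
ALLOW_RE = re.compile(
    r"^\s*allow\s+(?P<src>\S+)\s+(?P<tgt>[^\s:]+):(?P<cls>\S+)\s+"
    r"(?:\{(?P<set>[^}]*)\}|(?P<one>\S+?))\s*;"
)

# The allow rules quoted in the thread (from the permissive-mode run).
SAMPLE_RULES = """\
allow gpg_t focus_xevent_t:x_event receive;
allow gpg_t input_xevent_t:x_event receive;
allow gpg_t self:x_cursor destroy;
allow gpg_t xdm_rootwindow_t:x_drawable { read setattr };
allow gpg_t xdm_xserver_t:x_device { freeze force_cursor bell };
"""


def parse_allow_rules(text):
    """Return (source, target, class, permissions) for each allow rule."""
    rules = []
    for line in text.splitlines():
        m = ALLOW_RE.match(line)
        if m is None:
            continue  # not an allow rule (comment, blank line, other statement)
        body = m.group("set")
        perms = (body if body is not None else m.group("one")).split()
        src, tgt = m.group("src"), m.group("tgt")
        if tgt == "self":
            tgt = src  # "self" means the source type itself
        rules.append((src, tgt, m.group("cls"), frozenset(perms)))
    return rules


def screen_capture_grants(rules, root_types=("xdm_rootwindow_t",)):
    """Return (source, target) pairs that grant read on a root window drawable."""
    # root_types is an assumption: list every root-window type in your policy.
    return [
        (src, tgt)
        for src, tgt, cls, perms in rules
        if cls == "x_drawable" and "read" in perms and tgt in root_types
    ]


if __name__ == "__main__":
    for src, tgt in screen_capture_grants(parse_allow_rules(SAMPLE_RULES)):
        print(f"{src} can read {tgt}: whole-screen capture is possible")
```

Run it over generated rules before loading them, so a `read` on the root window is not merged into a confined domain unnoticed.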
