LinuxQuestions.org
Slackware forum
Old 08-16-2015, 03:05 PM   #1
ivandi
Member
 
Registered: Jul 2009
Location: Québec, Canada
Distribution: CRUX, Debian
Posts: 528

Tomoyo policy for Firefox.


The recent Firefox vulnerability pushed me to finally put some effort into making something usable from the learning mode log and start enforcing the policy.

Here it is:

domain_policy:
Code:
<kernel> /usr/bin/firefox
use_profile 3
use_group 0

file read @FFX_SYSTEM_DIRS
file read @FFX_HOME_RO task.uid=path1.uid
file read/write/append/unlink/rmdir/truncate @FFX_HOME_RW task.uid=path1.uid
file read/write/append/unlink/rmdir/truncate @TMP_DIRS
file symlink @FFX_HOME_RW task.uid=path1.parent.uid
file rename @FFX_HOME_RW @FFX_HOME_RW task.uid=path1.uid task.uid=path2.parent.uid
file rename @TMP_DIRS @TMP_DIRS
file create/mkdir/chmod @FFX_HOME_RW @CREATE_MODES task.uid=path1.parent.uid
file create/mkdir/chmod @TMP_DIRS @CREATE_MODES
file read/write /dev/dri/card\$
file read/write/append /dev/snd/\*
file write /dev/null
file read /dev/urandom
file read proc:/cpuinfo
file ioctl /dev/dri/card\$ 0x00000000-0xFFFFFFFF
file ioctl /dev/snd/\* 0x00000000-0xFFFFFFFF
file ioctl anon_inode:inotify 0x541B
file ioctl socket:[family=2:type=\$:protocol=\$] 0x541B
file execute /usr/lib64/firefox-\*/plugin-container
file execute /usr/lib64/java/jre/bin/java
file execute /usr/libexec/gstreamer-\*/gst-plugin-scanner
file mksock /tmp/jpi-\* 0755
network unix stream bind/connect/listen /tmp/jpi-\*
network unix stream connect \000/tmp/.X11-unix/X\$
network inet dgram send 127.0.0.1 53
network inet stream connect @IPV4_ALLOWED_ADDRESSES @FFX_ALLOWED_PORTS
network inet stream connect @IPV6_ALLOWED_ADDRESSES @FFX_ALLOWED_PORTS
misc env \*
exception_policy:
Code:
initialize_domain /usr/bin/firefox from any
aggregator /usr/lib64/firefox-\*/firefox /usr/bin/firefox
keep_domain any from /usr/bin/firefox
path_group FFX_SYSTEM_DIRS /usr/lib64/\{\*\}/\*
path_group FFX_SYSTEM_DIRS /usr/share/\{\*\}/\*
path_group FFX_SYSTEM_DIRS /etc/\{\*\}/\*
path_group FFX_SYSTEM_DIRS /etc/\*\-shadow\*
path_group FFX_SYSTEM_DIRS /var/cache/fontconfig/\*
path_group FFX_HOME_RW /home/\*/.cache/mozilla/
path_group FFX_HOME_RW /home/\*/.cache/mozilla/\*
path_group FFX_HOME_RW /home/\*/.mozilla/
path_group FFX_HOME_RW /home/\*/.mozilla/\*
path_group FFX_HOME_RW /home/\*/.cache/mozilla/\{\*\}/
path_group FFX_HOME_RW /home/\*/.mozilla/\{\*\}/
path_group FFX_HOME_RW /home/\*/.cache/mozilla/\{\*\}/\*
path_group FFX_HOME_RW /home/\*/.mozilla/\{\*\}/\*
path_group FFX_HOME_RW /home/\*/.config/dconf/user
path_group FFX_HOME_RW /home/\*/.cache/dconf/user
path_group FFX_HOME_RW /home/\*/.config/gtk-\*/gtkfilechooser.ini\*
path_group FFX_HOME_RW /home/\*/.local/share/recently-used.xbel\*
path_group FFX_HOME_RW /home/\*/.cache/gstreamer-\*/
path_group FFX_HOME_RW /home/\*/.cache/gstreamer-\*/\*
path_group FFX_HOME_RW /home/\*/Downloads/
path_group FFX_HOME_RW /home/\*/Downloads/\*
path_group FFX_HOME_RW /home/\*/Downloads/\{\*\}/
path_group FFX_HOME_RW /home/\*/Downloads/\{\*\}/\*
path_group FFX_HOME_RW /home/\*/.macromedia/
path_group FFX_HOME_RW /home/\*/.macromedia/\*
path_group FFX_HOME_RW /home/\*/.macromedia/\{\*\}/
path_group FFX_HOME_RW /home/\*/.macromedia/\{\*\}/\*
path_group FFX_HOME_RW /home/\*/.adobe/
path_group FFX_HOME_RW /home/\*/.adobe/\*
path_group FFX_HOME_RW /home/\*/.adobe/\{\*\}/
path_group FFX_HOME_RW /home/\*/.adobe/\{\*\}/\*
path_group FFX_HOME_RW /home/\*/.java/
path_group FFX_HOME_RW /home/\*/.java/\*
path_group FFX_HOME_RW /home/\*/.java/\{\*\}/
path_group FFX_HOME_RW /home/\*/.java/\{\*\}/\*
path_group FFX_HOME_RO /home/\*/.Xauthority
path_group FFX_HOME_RO /home/\*/.config/mimeapps.list
path_group FFX_HOME_RO /home/\*/.local/share/gvfs-metadata/\*
path_group TMP_DIRS /tmp/\*
path_group TMP_DIRS /tmp/\{\*\}/
path_group TMP_DIRS /tmp/\{\*\}/\*
path_group TMP_DIRS /var/tmp/\*
path_group TMP_DIRS /var/tmp/\{\*\}/
path_group TMP_DIRS /var/tmp/\{\*\}/\*
number_group CREATE_MODES 0600
number_group CREATE_MODES 0644
number_group CREATE_MODES 0664
number_group CREATE_MODES 0666
number_group CREATE_MODES 0700
number_group CREATE_MODES 0755
number_group CREATE_MODES 0775
number_group CREATE_MODES 0777
number_group FFX_ALLOWED_PORTS 80
number_group FFX_ALLOWED_PORTS 443
address_group IPV4_ALLOWED_ADDRESSES 0.0.0.0-255.255.255.255
address_group IPV6_ALLOWED_ADDRESSES 0:0:0:0:0:0:0:0-FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
 
Old 08-16-2015, 08:25 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Quote:
Originally Posted by ivandi
Code:
file execute /usr/lib64/java/jre/bin/java
So how about Flash and JAVA?..
 
Old 08-16-2015, 09:43 PM   #3
ivandi
Member
 
Registered: Jul 2009
Location: Québec, Canada
Distribution: CRUX, Debian
Posts: 528

Original Poster
Quote:
Originally Posted by unSpawn
So how about Flash and JAVA?..
The "keep_domain any from /usr/bin/firefox" directive is supposed to keep Flash, Java and VLC (I use the VLC plugin) confined in the same domain as Firefox. This is the reasonably minimal set of permissions that allows this stuff to run safely (as far as Tomoyo can go). You can go file by file for read permissions in /usr/lib64, /usr/share or /etc/fonts..., but it isn't worth it. The policy allows read/write access only to config directories, Downloads, /tmp and /var/tmp. Read access in the home folder is limited to several files in "path_group FFX_HOME_RO". You can't use Ctrl+O to read a file in Firefox outside of the allowed folders. Apart from the three allowed, nothing else can be executed. Java can't run /bin/sh, for example. You can't run engrampa or xarchive to open a tar.gz file from Firefox. You have to download it to Downloads first. D-Bus is disabled too.

The goal is to run these plugins safely. Not to disable them.

Cheers
 
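A quick way to audit what a domain policy like the one in post #1 actually grants, and to check the claims made in post #3 (Java cannot run /bin/sh, Ctrl+O cannot read files outside the allowed folders, Downloads is writable), is to model TOMOYO's path matching offline. The script below is an added example written for this thread; it is not part of ivandi's policy, of tomoyo-tools, or of the kernel's own matcher. It embeds a subset of the posted policy, translates the TOMOYO wildcards (`\*`, `\@`, `\?`, `\$`, `\+`, the recursive `\{\*\}/` form and `\ooo` octal bytes) into anchored regexes, and answers "would operation X on path Y be permitted?". Simplifications, all assumptions of this example: conditions such as `task.uid=path1.uid` are parsed out and not evaluated, only a rule's first operand is checked (modes and rename targets are ignored), the `\-` exclusion wildcard raises an error instead of being modelled, and the user "alice" and the probed paths are constructed.

```python
import re
from collections import defaultdict
from functools import lru_cache

# Subset of the policy posted in this thread, embedded so the script runs offline.
EXCEPTION_POLICY = r"""
path_group FFX_SYSTEM_DIRS /usr/lib64/\{\*\}/\*
path_group FFX_SYSTEM_DIRS /etc/\{\*\}/\*
path_group FFX_HOME_RW /home/\*/.mozilla/\{\*\}/\*
path_group FFX_HOME_RW /home/\*/Downloads/\*
path_group FFX_HOME_RW /home/\*/Downloads/\{\*\}/\*
path_group FFX_HOME_RO /home/\*/.Xauthority
path_group TMP_DIRS /tmp/\*
"""
DOMAIN_POLICY = r"""
file read @FFX_SYSTEM_DIRS
file read @FFX_HOME_RO task.uid=path1.uid
file read/write/append/unlink/rmdir/truncate @FFX_HOME_RW task.uid=path1.uid
file read/write/append/unlink/rmdir/truncate @TMP_DIRS
file read /dev/urandom
file execute /usr/lib64/firefox-\*/plugin-container
file execute /usr/lib64/java/jre/bin/java
"""

# TOMOYO wildcards -> regex; the recursive \{DIR\}/ form is handled in the loop below.
WILDCARDS = {
    "*": r"[^/]*",    # zero or more characters other than '/'
    "@": r"[^/.]*",   # zero or more characters other than '/' and '.'
    "?": r"[^/]",     # exactly one character other than '/'
    "$": r"[0-9]+",   # one or more decimal digits
    "+": r"[0-9]",    # one decimal digit
}

@lru_cache(maxsize=None)
def pattern_to_regex(pattern):
    """Translate a TOMOYO path pattern into a compiled regex (use with fullmatch)."""
    out, i = [], 0
    while i < len(pattern):
        if pattern[i] != "\\":                  # plain character: match literally
            out.append(re.escape(pattern[i]))
            i += 1
            continue
        nxt = pattern[i + 1:i + 2]
        if nxt in WILDCARDS:
            out.append(WILDCARDS[nxt])
            i += 2
        elif nxt == "{":                        # \{DIR\}/ = one or more "DIR/" components
            end = pattern.find(r"\}/", i)
            if end < 0:
                raise ValueError("unterminated \\{ in %r" % pattern)
            out.append("(?:%s/)+" % pattern_to_regex(pattern[i + 2:end]).pattern)
            i = end + 3
        elif re.match(r"[0-7]{3}$", pattern[i + 1:i + 4]):   # \ooo = octal byte
            out.append(re.escape(chr(int(pattern[i + 1:i + 4], 8))))
            i += 4
        else:                                   # e.g. \- (exclusion) is not modelled here
            raise ValueError("unsupported wildcard \\%s in %r" % (nxt, pattern))
    return re.compile("".join(out))

COND = re.compile(r"[\w.]+!?=")   # start of a condition token such as task.uid=path1.uid

def parse_exception_policy(text):
    """name -> list of patterns, collected from path_group lines."""
    groups = defaultdict(list)
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) == 3 and parts[0] == "path_group":
            groups[parts[1]].append(parts[2])
    return groups

def parse_domain_policy(text):
    """(operations, first operand) per 'file' rule; conditions are dropped, not evaluated."""
    rules = []
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) >= 3 and parts[0] == "file":
            operands = [p for p in parts[2:] if not COND.match(p)]
            rules.append((set(parts[1].split("/")), operands[0]))  # modes / rename targets ignored
    return rules

GROUPS = parse_exception_policy(EXCEPTION_POLICY)
RULES = parse_domain_policy(DOMAIN_POLICY)

def check(op, path, rules=RULES, groups=GROUPS):
    """True if some 'file' rule grants operation `op` (read, write, execute, ...) on `path`."""
    for ops, operand in rules:
        if op not in ops:
            continue
        patterns = groups.get(operand[1:], []) if operand.startswith("@") else [operand]
        if any(pattern_to_regex(p).fullmatch(path) for p in patterns):
            return True
    return False

if __name__ == "__main__":
    # Constructed probes mirroring the claims in post #3 ("alice" is a made-up user).
    for op, path in [("execute", "/bin/sh"), ("execute", "/usr/lib64/firefox-40.0/plugin-container"),
                     ("read", "/home/alice/secret.txt"), ("read", "/home/alice/Downloads/a/b.pdf"),
                     ("write", "/home/alice/.Xauthority"), ("write", "/etc/fonts/fonts.conf")]:
        print("%-8s %-48s %s" % (op, path, "ALLOW" if check(op, path) else "DENY"))
```

The recursive form is the part worth reading twice: `/home/\*/Downloads/\*` only covers files directly inside Downloads, which is why the posted policy pairs it with `/home/\*/Downloads/\{\*\}/\*` for anything deeper. A model like this is a planning aid for tightening a policy; the authoritative answer is always the running kernel with the profile in enforcing mode.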
Old 02-10-2017, 06:49 AM   #4
PRNG
LQ Newbie
 
Registered: Jul 2016
Distribution: Slackware
Posts: 22

I know that this thread is from 2015, but I want to ask @ivandi how he set up Tomoyo on Slackware. I know that I need to enable some kernel parameters, but I can't find a SlackBuild script for tomoyo-tools.
 
Old 02-10-2017, 02:11 PM   #5
ivandi
Member
 
Registered: Jul 2009
Location: Québec, Canada
Distribution: CRUX, Debian
Posts: 528

Original Poster
tomoyo-tools.SlackBuild

I am using AppArmor these days.


Cheers
 